HttpClientBuilder and timeouts
by Thomas Raehalme
Hi!
We have had a couple of strange issues where the HTTP connection pool for
the HttpClient used by ServerRequest has been exhausted. Strange thing is,
the thread dump on the JVM reports many threads waiting for a connection,
but none actually using them.
"http-apr-8080-exec-1" #33 daemon prio=5 os_prio=0 tid=0x00007f5c3400b000 nid=0x723a waiting on condition [0x00007f5bff7f6000]
   java.lang.Thread.State: WAITING (parking)
        at sun.misc.Unsafe.park(Native Method)
        - parking to wait for <0x00000000eb3edac0> (a java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject)
        at java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
        at java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
        at org.apache.http.impl.conn.tsccm.WaitingThread.await(WaitingThread.java:159)
        at org.apache.http.impl.conn.tsccm.ConnPoolByRoute.getEntryBlocking(ConnPoolByRoute.java:398)
        at org.apache.http.impl.conn.tsccm.ConnPoolByRoute$1.getPoolEntry(ConnPoolByRoute.java:298)
        at org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager$1.getConnection(ThreadSafeClientConnManager.java:238)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:423)
        at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
        at org.keycloak.adapters.ServerRequest.invokeRefresh(ServerRequest.java:149)
        at org.keycloak.adapters.RefreshableKeycloakSecurityContext.refreshExpiredToken(RefreshableKeycloakSecurityContext.java:113)
I'm still trying to figure out what's going on here, but while digging
around I noticed that the HttpClientBuilder[1] does not set a timeout for
obtaining a connection from the pool. Wouldn't it be a good idea to set
one? Maybe 30s or so, just to avoid waiting indefinitely. The same applies
to socket timeout as well.
[1] https://github.com/keycloak/keycloak/blob/1.9.4.Final/services/src/main/j...
Best regards,
Thomas
8 years, 7 months
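As an added illustration of the timeouts Thomas asks about (this is not code from the thread, nor Keycloak's own org.keycloak.adapters.HttpClientBuilder): with Apache HttpClient 4.3+ (the dump above shows the older ThreadSafeClientConnManager API) the pool wait, connect and socket timeouts are all set through RequestConfig, and the response is closed in try-with-resources so the connection really goes back to the pool. The 30 s / 10 s values, the class name and the URL parameter are assumptions.

```java
import java.io.IOException;

import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ConnectionPoolTimeoutException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.util.EntityUtils;

public class BoundedPoolClient {

    // All three timeouts are finite (values assumed), so a stalled token endpoint
    // can delay a request but can no longer park a worker in getEntryBlocking() forever.
    static final int POOL_WAIT_MS = 30_000;   // waiting for a connection from the pool
    static final int CONNECT_MS   = 10_000;   // TCP connect
    static final int SOCKET_MS    = 30_000;   // longest silence tolerated on the socket

    static CloseableHttpClient build(int maxConnections) {
        PoolingHttpClientConnectionManager pool = new PoolingHttpClientConnectionManager();
        pool.setMaxTotal(maxConnections);
        pool.setDefaultMaxPerRoute(maxConnections);   // single route: the auth server

        RequestConfig defaults = RequestConfig.custom()
                .setConnectionRequestTimeout(POOL_WAIT_MS)
                .setConnectTimeout(CONNECT_MS)
                .setSocketTimeout(SOCKET_MS)
                .build();

        return HttpClients.custom()
                .setConnectionManager(pool)
                .setDefaultRequestConfig(defaults)
                .build();
    }

    // Consuming the entity and closing the response is what returns the connection
    // to the pool. A response that is never consumed leaks its connection, which
    // gives exactly the symptom above: an exhausted pool with no thread using it.
    static int fetchStatus(CloseableHttpClient client, String url) throws IOException {
        try (CloseableHttpResponse response = client.execute(new HttpGet(url))) {
            int status = response.getStatusLine().getStatusCode();
            EntityUtils.consume(response.getEntity());
            return status;
        } catch (ConnectionPoolTimeoutException e) {
            // Raised after POOL_WAIT_MS instead of blocking indefinitely.
            throw new IOException("no pooled connection within " + POOL_WAIT_MS + " ms", e);
        }
    }
}
```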
Direct Grant API for Confidential Clients
by Lance Ball
Hi All
I've been updating the keycloak-nodejs-auth-utils module to keep up with
recent changes in Keycloak, and one thing I've noticed seems to contradict
what's written in the documentation. Can anyone provide clarity on this for
me?
In the docs for Direct Access Grants[1] it says, "For confidential
client's, you must create a Basic Auth Authorization header that contains
the client_id and client secret. And pass in the form parameters for
username and for each user credential. For example:"
POST /auth/realms/demo/protocol/openid-connect/token
Authorization: Basic atasdf023l2312023
Content-Type: application/x-www-form-urlencoded
username=bburke&password=geheim&grant_type=password
(That's copied and pasted into GMail. I hope the formatting is OK).
But in the keycloak-nodejs-auth-utils module, I am able to obtain a grant
without including the username and password. Additionally, I must specify
'client_credentials' as the grant_type [2].
Do I misunderstand what is going on here or is the documentation out of
date?
Thanks
Lance
[1] http://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acce...
[2] https://github.com/keycloak/keycloak-nodejs-auth-utils/blob/master/lib/gr...
Helping accessing user Oauth tokens
by Brooks Isoldi
Hi all,
I'm having trouble getting access to the oauth tokens that should be
returned from the user authenticating with Twitter via the Keycloak
login page.
FYI, this is cross-posted on SO
(http://stackoverflow.com/questions/37257623/accessing-user-oauth-tokens-r...).
-----
I have a Keycloak (standalone) v1.9.4.Final install setup using Wildfly
10 on an AWS instance and am trying to use Keycloak (via Keycloak's
login page) and Twitter4j to authenticate a user with Twitter and then
obviously have my application authenticate and view the user's timeline, etc.
I have configured the Identity Provider (Twitter), the realm and my
client application.
I also have a Twitter application setup at apps.twitter.com and the keys
put into my twitter4j.properties file.
So far, I am able to:
1. Go to my application's JSF webpage and get redirected to Keycloak's
/auth login page
2. Click the Twitter logo and login with my Twitter account (separate
account from the account that owns the Twitter application)
3. Complete the user information that Keycloak asks for
4. After completing the user information, Keycloak successfully directs
the user back to the client application (in this case, a JSF page).
The problem is, I can't figure out how to get access to the user's OAuth
AccessToken and AccessTokenSecret to combine with the Twitter
application's ConsumerKey and ConsumerKeySecret.
I'm trying to get the tokens from the FacesContext, but I suspect that
context would not have it.
    HttpSession httpSession = (HttpSession) facesContext.getExternalContext().getSession(false);
    KeycloakSecurityContext keycloakContext = (RefreshableKeycloakSecurityContext) httpSession.getAttribute(KeycloakSecurityContext.class.getName());
Taking a page from the twitter broker demo, we used the
KeycloakSecurityContext held in the FacesContext's HttpSession to get
the Bearer token, dropped the demo's TwitterOAuthResponse class into our
project and made a REST call to the realm's twitter token endpoint using
the, but then we got a permission denied saying the client did not have
access to the identity provider's token.
Any help would be greatly appreciated!
--
Brooks Isoldi, Software Developer
Traversed
7164 Columbia Gateway Drive, Suite 120A
Columbia, MD 21046
Re: [keycloak-dev] Keycloak impersonate programmatically
by Scott Rossillo
Adding back mailing list. See below.
> On May 12, 2016, at 1:39 PM, Scott Rossillo <srossillo(a)smartling.com> wrote:
>
> We have a way to do it on our fork. It relies on a hard-coded role to determine who can impersonate, but the rest of the code is probably reusable.
>
> https://github.com/Smartling/keycloak/commit/06ac25bf24110061d3cb66ee8c62...
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo(a)smartling.com
>
>> On May 12, 2016, at 11:20 AM, Bill Burke <bburke(a)redhat.com> wrote:
>>
>> You can't impersonate programmatically at the moment.
>>
>> On 5/12/16 1:24 AM, Anshul Malpani wrote:
>>> Hi,
>>>
>>> I am trying to use the impersonate feature using my Java client. When I call the impersonate API using an admin access grant, I get back the cookies. How can I get the access token for the impersonated user?
>>>
>>>
>>>
>>> HttpPost post = new HttpPost(
>>>     KeycloakUriBuilder.fromUri(authServerUrl).path("/admin/realms/{realm}/users/{id}/impersonation").build(realm, accountKeycloakId));
>>>
>>> This is returning me cookies. In the next step I would like to get the access token of the impersonated user.
>>>
>>> Thanks
>>>
>>> On Wed, May 11, 2016 at 3:25 PM, Anshul Malpani <anshulm(a)stytch.com> wrote:
>>> Hi,
>>>
>>> I am trying to use the impersonate feature using my Java client. When I call the impersonate API using an admin access grant, I get back the cookies. How can I get the access token for the impersonated user?
>>>
>>>
>>>
>>> HttpPost post = new HttpPost(
>>>     KeycloakUriBuilder.fromUri(authServerUrl).path("/admin/realms/{realm}/users/{id}/impersonation").build(realm, accountKeycloakId));
>>>
>>> This is returning me cookies. In the next step I would like to get the access token of the impersonated user.
>>>
>>> Thanks
>>> A
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
Keycloak custom authenticator
by Tech @ PSYND
Dear experts,
I'm working with Keycloak 1.9.4.
We ran some customization with the Authenticators: we implemented a
couple of authenticators in sequence, such as providing an OTP token,
providing additional information, etc.
We are facing several issues:
1) we create our custom flow from the Authentication interface
2) we add our 4 forms (Add Execution)
3) from the Flows module we select the order in which they should be
selected
4) in the Bindings we define our flow as the Browser Flow
5) we register and enable our executions from the Required Actions
module.
About point 3): even if we change the order of the flows using the
priority arrows, the forms don't show up in order.
We tried to delete and re-create them, but we don't understand whether we
should do something else to impose the order that we need.
Could you please support?
Thanks
Re: [keycloak-dev] Keycloak impersonate programmatically
by Anshul Malpani
Hi,
I am trying to use the impersonate feature using my Java client. When I call
the impersonate API using an admin access grant, I get back the cookies. How can I
get the access token for the impersonated user?
HttpPost post = new HttpPost(
    KeycloakUriBuilder.fromUri(authServerUrl)
        .path("/admin/realms/{realm}/users/{id}/impersonation")
        .build(realm, accountKeycloakId));
This is returning me cookies. In the next step I would like to get the access
token of the impersonated user.
Thanks
On Wed, May 11, 2016 at 3:25 PM, Anshul Malpani <anshulm(a)stytch.com> wrote:
> Hi,
>
> I am trying to use the impersonate feature using my Java client. When I call
> the impersonate API using an admin access grant, I get back the cookies. How can I
> get the access token for the impersonated user?
>
>
>
> HttpPost post = new HttpPost(
>     KeycloakUriBuilder.fromUri(authServerUrl)
>         .path("/admin/realms/{realm}/users/{id}/impersonation")
>         .build(realm, accountKeycloakId));
>
> This is returning me cookies. In the next step I would like to get the access
> token of the impersonated user.
>
> Thanks
> A
>
>
>
Failing integration-arquillian tests when using -Pauth-server-wildfly
by Marko Strukelj
There are currently many tests failing when running:
mvn clean install -Pdistribution -DskipTests
cd testsuite/integration-arquillian
mvn clean install -Pauth-server-wildfly
Failed tests:
ProvidersTest.testClientAuthenticatorProviders:85->compareProviders:178
Providers count expected:<3> but was:<2>
ProvidersTest.testInitialAuthenticationProviders:130->compareProviders:178
Providers count expected:<20> but was:<18>
ProvidersTest.testPerClientConfigDescriptions:93 null
CustomFlowTest.clientAuthTest:209->grantAccessToken:235 expected:<200>
but was:<400>
CustomFlowTest.grantTest:202->grantAccessToken:235 expected:<200> but
was:<400>
RefreshTokenTest.refreshTokenRequest:154
Expected: (a value equal to or greater than <1799> and a value less than or
equal to <1800>)
but: a value equal to or greater than <1799> <1798> was less than
<1799>
RefreshTokenTest.refreshTokenReuseTokenWithRefreshTokensRevoked:261
expected:<400> but was:<200>
RefreshTokenTest.refreshTokenUserSessionMaxLifespan:456 expected:<400>
but was:<200>
RefreshTokenTest.testUserSessionRefreshAndIdle:398 Values should be
different. Actual: 1462968567
Tests in error:
CustomFlowTest.loginSuccess:193 » IllegalArgument No enum constant
org.keycloa...
CustomRegistrationFlowTest.registerUserSuccess:98 » IllegalArgument No
enum co...
ResetPasswordTest.resetPasswordExpiredCode:386 » NotAuthorized HTTP 401
Unauth...
ResetPasswordTest.resetPasswordExpiredCodeShort:430 » NotAuthorized HTTP
401 U...
ResetPasswordTest.resetPasswordWithPasswordHisoryPolicy:575->resetPassword:267
» NotAuthorized
OfflineTokenTest.offlineTokenAllowedWithCompositeRole:428->offlineTokenDirectGrantFlow:290
» Runtime
OfflineTokenTest.offlineTokenBrowserFlow:210 » Runtime Failed to verify
token
OfflineTokenTest.offlineTokenDirectGrantFlow:311->testRefreshWithOfflineToken:255
» Runtime
OfflineTokenTest.offlineTokenDirectGrantFlowWithRefreshTokensRevoked:325
» Runtime
OfflineTokenTest.offlineTokenServiceAccountFlow:371 » Runtime Failed to
verify...
Tests run: 480, Failures: 9, Errors: 10, Skipped: 3
It's probably just server-side changes that require maintenance in the
tests themselves.
We should maybe configure Travis CI with -Pauth-server-wildfly option so
that we detect these right away.
SpringBoot : Multi-tenant Example
by Stephen Merchant
Hello,
I would really appreciate advice on how to implement Multi-tenant SSO in a Spring Boot application.
The "User Guide" Spring Boot Adapter section mentions that the keycloak.json settings are maintained in the Spring Boot configuration file.
Comparing this approach to a non-Spring Boot application (such as that provided in the Examples) using KeycloakConfigResolver, I would like to know how I can simulate this approach with a Spring Boot configuration file, rather than appropriately named JSON files (such as tenant1-realm.json and tenant1-realm.json).
Any help gratefully received.
Thanks,
Stephen Merchant
Developer
Gandlake Limited
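As an added sketch for the multi-tenant question above (not code from the thread or from the Keycloak examples): a KeycloakConfigResolver that builds each tenant's KeycloakDeployment from an AdapterConfig object instead of a tenantN-realm.json file, so the per-tenant settings can come from whatever typed configuration a Spring Boot application binds (that binding itself is assumed and not shown). Selecting the tenant by the first path segment, the class names and the adapterConfig() helper are assumptions.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.adapters.config.AdapterConfig;

// Picks the tenant from the first path segment (/tenant1/..., /tenant2/...); assumed layout.
public class PropertyBackedConfigResolver implements KeycloakConfigResolver {
    private final Map<String, AdapterConfig> tenants;                 // tenant -> settings
    private final Map<String, KeycloakDeployment> cache = new ConcurrentHashMap<>();

    public PropertyBackedConfigResolver(Map<String, AdapterConfig> tenants) {
        this.tenants = tenants;
    }

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String tenant = tenantFromPath(URI.create(request.getURI()).getPath());
        AdapterConfig config = tenants.get(tenant);
        if (config == null) {
            // Unknown tenant: fail closed instead of falling back to some default realm.
            throw new IllegalStateException("no Keycloak configuration for tenant '" + tenant + "'");
        }
        // Each deployment owns its own HttpClient and key cache, so build it only once.
        return cache.computeIfAbsent(tenant, t -> KeycloakDeploymentBuilder.build(config));
    }

    static String tenantFromPath(String path) {
        String[] segments = path.split("/");          // "", "tenant1", "rest", ...
        return segments.length > 1 ? segments[1] : "";
    }

    // The fields keycloak.json would otherwise carry, as a typed object a config binder can fill.
    static AdapterConfig adapterConfig(String authServerUrl, String realm, String clientId, String secret) {
        AdapterConfig c = new AdapterConfig();
        c.setAuthServerUrl(authServerUrl);
        c.setRealm(realm);
        c.setResource(clientId);
        c.setSslRequired("external");
        Map<String, Object> credentials = new HashMap<>();
        credentials.put("secret", secret);
        c.setCredentials(credentials);
        return c;
    }
}
```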