June 2018 - keycloak-dev - Jboss List Archives

Wildcard for Valid Redirect URI Hostname

by Josh Cain

Per KEYCLOAK-3585: <https://issues.jboss.org/browse/KEYCLOAK-3585> Currently, valid redirect URI hostnames allow for wildcards at the end like so: http://www.redhat.com/* I'm managing several environments where clients need 'n' number of available redirect URI's with different hostnames, I.E. http://developer1.env.redhat.com http://developer2.env.redhat.com http://developer3.env.redhat.com Would really help to have the ability to wildcard hostnames too, I.E.: http://*.env.redhat.com I've submitted #3241 <https://github.com/keycloak/keycloak/pull/3241> to address this issue, but there seem to be some concerns about allowing wildcards in other parts of the URL. See the PR for a more fleshed out discussion, but wanted to start a thread here on the mailing list. Particularly with respect to: - Does anyone have need of this feature or would find it useful? - Should this kind of wildcard be allowed as a configuration option by Keycloak? Josh Cain | Software Applications Engineer *Identity and Access Management* *Red Hat* +1 256-452-0150

6 years

5
13
0 / 0

Improved CSP support

by Johannes Knutsen

Hi, I am currently looking at improvements in the Content Security Policy (CSP) support. In our deployment, we have security requirements stating that a CSP header should be used and inline scripts, styles and resources should be blocked. For example by setting a CSP value like default-src 'self';. Such a policy breaks Keycloak's manipulation of the browser history implemented in the BrowserHistoryHelper, since the JavascriptHistoryReplace injects an inline JavaScript. The simplest workaround is to also inject a nonce value or SHA hash of the script to the existing CSP header. However, while implementing this, I found that a CSP nonce in general would be nice to have available in any template context. This will also make it easier to migrate the default Keycloak theme to support stricter security policies. An example implementation can be found here: https://github.com/knutz3n/keycloak/commit/c6cfb3efa2942d7569066c0e4bd90a... Would you be interested in merging a change like the one above? If not, what is your view on how to allow stricter content security policies? Tests and documentation is currently missing, but I will add both if this is something you would consider merging. As a note, I have also done some work on supporting a strict CSP value for the default theme. But there are some issues with included 3rd party scripts which must/should be resolved. Let me know if you want more details regarding this. Best regards, Johannes Knutsen

6 years, 2 months

2
4
0 / 0

Keycloak Proxy Rename

by Bruno Oliveira

Good afternoon, We are considering to transfer or fork the keycloak-proxy[1] to Keycloak organization. In order to accomplish that, I've been working with Rohith updating some of its dependencies[2]. While discussing with our team, we reached the conclusion that call it a proxy could potentially increase the scope of the project and also give people the wrong idea. Because would be expected things like load balancing, rate limiting, and other features. That's not what we want right now. I would like to gather some feedback from the community before we move forward. So please vote on the following Doodle: https://doodle.com/poll/gux626ktscgpr96t Also, feel free to suggest other names and it will be included. [1] - https://github.com/gambol99/keycloak-proxy [2] - https://issues.jboss.org/browse/KEYCLOAK-7265 -- abstractj

6 years, 4 months

3
3
0 / 0

Outage Issue

by gambol

Hiya I was wondering if anyone has come across this before. We have Keycloak running in a kubernetes cluster, a mysql RDS, and standalone-ha setup using two gossip servers, each running behind a kube service and passed in via environment variables <protocol type="TCPGOSSIP"> <property name="initial_hosts">${env.GOSSIP_ROUTER_HOST}</property> </protocol> Cluster appears to work fine, a new node added makes a change to topology and so forth. We do however out of the blue get the following error on occasion, every couple of weeks... Shortly after the rest of the replicas become affected, the health check on the /auth fails and or login attempts begin to timeout .. At present the only solution is to completely cycle the cluster. 13:07:52,451 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012108: CheckedAction::check - atomic action 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:47876e aborting with 1 threads active! 13:07:52,451 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4] 13:07:52,451 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:47876e 13:07:55,475 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 in state RUN 13:07:55,476 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 invoked while multiple threads active within it. 13:07:55,480 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 completed with multiple threads - thread default task-64 was in progress with sun.misc.Unsafe.park(Native Method) java.util.concurrent.locks.LockSupport.park(LockSupport.java:175) java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039) org.apache.http.pool.PoolEntryFuture.await(PoolEntryFuture.java:138) org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306) org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:64) org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:192) org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:185) org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:107) org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:276) org.apache.http.impl.conn.PoolingHttpClientConnectionManager$1.get(PoolingHttpClientConnectionManager.java:263) org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:190) org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185) org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:154) org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:146) org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:397) sun.reflect.GeneratedMethodAccessor994.invoke(Unknown Source) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) java.lang.reflect.Method.invoke(Method.java:498) org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) javax.servlet.http.HttpServlet.service(HttpServlet.java:790) io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1243/578097420.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) java.lang.Thread.run(Thread.java:748) Repeating over and over ... Just before is 11:26:08,882 WARN [org.keycloak.events] (default task-166) type=CODE_TO_TOKEN_ERROR, realmId=XXX, clientId=XXXX, userId=null, ipAddress=XXXXXXXXXX , error=invalid_code, grant_type=authorization_code, code_id=XXXXXXXX , client_auth_method=client-secret 11:30:04,172 WARN [org.keycloak.services.managers.AuthenticationManager] (default task-100) Some clients have been not been logged out for user XXXXXXXXXXXXXXXXXXX in hod-ci realm: XXXXX 11:30:04,203 WARN [org.keycloak.events] (default task-92) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=HOD-CI, clientId=null, userId=null, ipAddress=213.251.23.186, error=expired_code, identity_provider=O365, restart_after_timeout=true 11:38:13,851 WARN [org.keycloak.forms.login.freemarker.model.ProfileBean] (default task-88) There are more values for attribute 'group' of user 'XXXX\XXXXXX' . Will display just first value 11:43:37,370 WARN [org.keycloak.events] (default task-36) type=LOGIN_ERROR, realmId=lev, clientId=lev-web, userId=null, ipAddress=XXXXXXXX, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://lev.homeoffice.gov.uk/oauth/callback, code_id=5a08f532-1051-4805-8dd6-d71362303521, username=XXXXXXXXX 11:47:01,018 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0 in state RUN 11:47:01,019 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0 invoked while multiple threads active within it. 11:47:01,022 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0 completed with multiple threads - thread default task-165 was in progress with sun.misc.Unsafe.park(Native Method) java.util.concurrent.locks.LockSupport.park(LockSupport.java:175) java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039) org.apache.http.pool.PoolEntryFuture.await(PoolEntryFuture.java:138) org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306) org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:64) org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:192) org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:185) org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:107) org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:276) org.apache.http.impl.conn.PoolingHttpClientConnectionManager$1.get(PoolingHttpClientConnectionManager.java:263) org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:190) org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185) org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:154) org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:146) org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:397) sun.reflect.GeneratedMethodAccessor994.invoke(Unknown Source) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) java.lang.reflect.Method.invoke(Method.java:498) org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) javax.servlet.http.HttpServlet.service(HttpServlet.java:790) io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1243/578097420.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source) io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) java.lang.Thread.run(Thread.java:748) Rohith

6 years, 5 months

2
4
0 / 0

Keycloak with Oracle IDCS as Parent IDP

by Aznidin Zainuddin

Hi, I’ve been using keycloak to secure the company’s webpage for a while. There’s a new requirement that I use Oracle IDCS IDP. Because the IDP doesn’t support user access level/authorization, I’m forced to use the IDP as Keycloak’s parent IDP. The IDCS supports OpenID Connect 1.0 and so I tried to add it as an external IDP using two of the possible methods i.e. OpenID Connect 1.0 and Keycloak OpenId Connect. Both methods failed at the point where an eccess token was requested with the following stack trace: 09:56:33,923 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-15) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:443) at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:345) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:407) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 09:56:33,948 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=onesys, clientId=null, userId=null, ipAddress=10.255.0.2, error=identity_provider_login_failure ------------------------------------- I’m not really a Keycloak expert but it seems to me that the protocol breaks because Keycloak and IDCS ‘talks’ different dialects. Could it be that there’s some way to configure it in Keycloak to make it work? Oracle came back with the following, I quote: · IDCS OIDC discovery endpoint says this: "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_jwt" ], · It seems that when Keycloak is an OIDC RP, it might be ignoring this directive and sending the client_secret in POST body anyways. Please check with Keycloak team if there is a way to configure Keycloak to use one of the IDCS supported ways. This is something that is not our skillset and people with Keycloak knowledge will be more effective in helping you with this. · If Keycloak doesn’t support one of these two ways, you will need to raise a ticket with them to provide support for at least one of these ways of client_authentication. · On the other hand, IDCS doesn’t yet support “client_secret_post”. There is already an internal bug filed against IDCS for this - BUG 27981356 - TOKEN EXCHANGE SHOULD ACCEPT CLIENT_ID AND CLIENT_SECRET IN POST PAYLOAD. However, it doesn’t seem that the scheduled delivery of this feature will meet your timelines.

6 years, 5 months

2
1
0 / 0

Accessing Token Endpoint with a User access token to get Permissions

by Mark McGuigan

Hi, Apologies if this email is incorrectly posted. I'm using the newly released Keycloak 4 and I've been able to successfully get an access token for a user from an access code posted back to my application. This doesn't contain any permissions on the token (Rightly so, only roles) I'm now trying to get an RPT with permissions from the of client application that reflect what the User is allowed to do. My request looks something like: POST /auth/realms/MyRealm/protocol/openid-connect/token HTTP/1.1 Host: localhost:8080 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5c ... Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache Postman-Token: 4054feaf-a9d7-48e2-99b6-eabc86bf8da5 grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Auma-ticket&audience=MyClient&permission=Default+Resource Where the Bearer is the generated access_token. However I'me getting a response of : 500 Internal Server Error { "error": "server_error", "error_description": "Unexpected error while evaluating permissions" } And a stack trace of: Unexpected error while evaluating permissions: java.lang.RuntimeException: Error while reading attributes from security token. at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:139) at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:68) at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:124) at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:311) at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:161) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124) at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190) ..... Caused by: java.lang.NullPointerException at org.keycloak.services.util.DefaultClientSessionContext.fromClientSessionScopeParameter(DefaultClientSessionContext.java:64) at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:123) Any Ideas what I may be doing wrong? Any help appreciated. Regards, Mark

6 years, 5 months

2
5
0 / 0

Wildfly 13 upgrade

by Marek Posolda

The PR for Wildfly 13 upgrade is finally ready to review - https://github.com/keycloak/keycloak/pull/5293 . Few things to highlight for this PR: - Dependencies of undertow, infinispan, resteasy and aesh and some others were updated to use the versions used by Wildfly. - Some configuration changes are needed in infinispan Wildfly subsystem (Removed jndi-name from cache-container element, Replaced "eviction" element by "objects" element in the configuration of caches, ...). This is all documented and described in migration guide. Also migration scripts were updated to reflect all of this and automatically update configurations of standalone and domain configuration files. Server-config-migration-tests is passing - For Cross-DC, infinispan-server used is now infinispan-server 9.2.4.Final (same infinispan version like Wildfly 13 is using) and JDG 7.2. It was a bit of pain, but finally cross-dc tests are passing fine with both infinispan-server-9.2.4 and JDG 7.2. The PR contains some changes especially in the keycloak-model-infinispan part as updating infinispan wasn't so straightforward. Few things to note: -- Some API changes and deprecated methods in infinispan, which we need to adapt too -- For cross-dc, we don't use JDG '___script_cache' anymore for preloading sessions. It caused some issues in the past related to security. Also there seem to be a bug in JDG 7.2, which prevent it to work correctly. We know use "remoteCache.retrieveEntries", which was improved in infinispan 9 and allows great performance and preloading sessions in parallel. Was trying to test preloading with million sessions in JDG and it took just around a minute on my laptop - There is still the issue that keycloak-admin-cli and keycloak-client-registration-cli use the old aesh. I've created https://issues.jboss.org/browse/KEYCLOAK-7737 . Fortunately old aesh is not needed as Wildfly module, because the "fat" jars "keycloak-admin-cli" and "keycloak-client-registration-cli" just contains it's classes (as well as the other dependencies) contained in itself. IMO this is not a blocker to upgrade master to Wildfly 13 now and it can be addressed later. But will be good to address this (EG. if there are security and other issues in old aesh, we won't be able to rely on Wildfly support etc). WDYT? - I've sent the PR for documentation last week https://github.com/keycloak/keycloak-documentation/pull/410 . But this one is not yet ready for review. I need to update it based on feedback from Matthew. Also need to update a bit the content as well. Hopefully will be ready for review later today. Marek

6 years, 5 months

1
0
0 / 0

Re: [keycloak-dev] JWS signatures using PS256 or ES256 algorithms for signing

by 乗松隆志 / NORIMATSU，TAKASHI

Hello, Thank you for your comments. I think it might be better to determine which kind of Token Signature Provider be used by not parsing JWS, for example, looking up Client or Realm settings. This PR might have impacts on keycloak's performance because it has parsed JWS to determine it every time keycloak receives JWS Token. As for existing Key Provider, I've already implemented ECDSA Key Provider (for only signing) in this PR. Therefore, I could contribute it. As for Token Signature SPI, I agree with you. I hope I would like to implement this SPI's provider for ES256 at first and PS256 in the future. I think it is the best way that keycloak's core committers design and implement this Token Signature SPI. However, if they do not have yet such a plan to do that at this time and in the future, I would like to give some ideas on Token Signature SPI. How do you think about that? Best regards, Takashi Norimatsu Hitachi Ltd., From: Stian Thorgersen <sthorger(a)redhat.com> Sent: Tuesday, May 29, 2018 4:40 PM To: 乗松隆志 / NORIMATSU，TAKASHI <takashi.norimatsu.ws(a)hitachi.com> Cc: keycloak-dev(a)lists.jboss.org Subject: [!]Re: [keycloak-dev] JWS signatures using PS256 or ES256 algorithms for signing Hi, I haven't had time to look at your PR in detail yet, but the way it should work is: * We need to add a Token Signature SPI that can sign and validate token signatures * RSA signing should be refactored into a Token Signature provider * Realm should have a default signing algorithm. Admin console should allow admins to select from any supported algorithm by listing TokenSignatureSPI providers * Clients should be able to override the signing algorithm * When verifying signatures in the Keycloak server we should check what the method is for the client (or realm if client doesn't override) and only allow that specific algorithm and nothing else * We may want to consider adding an option to client adapters to specify the expected signing algorithm as well * We also need additional key providers. It looks like you've already added this * We need to make sure that keys are only used for the correct purpose (correct algorithm and if it's for signing or encrypting). I think this is already covered though On 25 May 2018 at 05:26, 乗松隆志 / NORIMATSU，TAKASHI <mailto:takashi.norimatsu.ws@hitachi.com> wrote: I'd like to use more secure JWS signature algorithm in the environment where the high security level is required such as the financial industry. According to the following RFCs, RSASSA-PSS to which PS256 follows is recommended on behalf of RSASSA-PKCS1-v1_5 to which RS256 follows. https://clicktime.symantec.com/a/1/fIIShrle28DIlWvWduZOOVGDLk3xC_-rnn6V7E... However, according to the following RFC, ES256 is "Recommended+" while PS256 is "Optional". https://clicktime.symantec.com/a/1/s_2w8zdHH2DoCkMCU7h9NMxUrcVZyNjiGxV6Me... Moreover, it is said that Elliptic Curve based algorithms have an advantage against RSA base algorithms in volume of its computation. Therefore, I've tried to make keycloak support ES256 JWS signature along with existing RS256 one. I've found that it seemed to be relatively easy to implement software components for ES256 JWS signature such as Signature Provider and Key Provider. However, it seemed to be difficult to implement codes actually calling these providers. The reasons is as follows. * a lot of places have called these singing and verifying providers. * such the places have been hard-coded in RSA algorithm specific. To deal with them, the following ideas have hit on me 1. replace RSA algorithm specific codes with signature algorithm independent codes. 2. re-design JWS signing and verifying scheme on high level. I'm not familiar with keycloak internals, so I've implemented ES256 JWS signature support on #1 basis experimentally. I'm not sure whether this way is appropriate or not. I'm very happy if keycloak specialists consider #2 or review my implementation based on #1. I've issued PR as WIP. Please refer to the following in detail. https://clicktime.symantec.com/a/1/G-XuERmswRIcQ_MQA72oK1EJuT0Y48iac1Lbbs... Best regards, Takashi Norimatsu Hitachi Ltd., _______________________________________________ keycloak-dev mailing list mailto:keycloak-dev@lists.jboss.org https://clicktime.symantec.com/a/1/LBlgE63-JxZCbiegUCPqUTy7Oeq2A8tzZfOiWv...

6 years, 5 months

3
7
0 / 0

Re: [keycloak-dev] Decoupled channel authentication (Google Push Authn)

by James Holland

I've added the feature request https://issues.jboss.org/browse/KEYCLOAK-7675 for this.

6 years, 5 months

2
4
0 / 0

Admin API: Delete session id

by Eivind Larsen

Hi Keycloak Devs! In the admin API there is a call to delete a session by ID: DELETE /{realm}/sessions/{session_id} This works for user (online) sessions, but when given the session ID of an offline session, it gives 404 error and nothing is deleted. Seeing as this is the only way to delete a given as session by id, I would expect the call to work for offline sessions as well, ideally deleting both the user session and the offline session by this id. What do you think? Is there an alternative way to delete an offline session by id? I think it would be more useful if this call was scoped per user. Currently you have to load all user sessions, verify that this session ID is indeed owned by the user, then call delete. Scoping per user would make it impossible to delete a wrong user's session, and it would reduce requests to the keycloak instance. Best Regards, Eivind Larsen

6 years, 6 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev June 2018