Keycloak servlet filter adapter on OSGi, first impressions
by Dmitry Telegin
Hi,
We are working on integrating Apache Sling with Keycloak (see my
posting from June 12). It was suggested that we'd stick to servlet
filter adapter as the most generic one (unlike Keycloak OSGi
adapter which is more of a JBoss Fuse adapter).
The first step was to convert keycloak-servlet-filter-adapter and
required keycloak-servlet-adapter-spi to OSGi bundles. This went OK,
I've just added OSGi bundling to the respective POMs. However there
were two major issues when deploying and running the code:
1. Bogus dependency on org.apache.http.*
Several Keycloak modules the adapter depends on, namely keycloak-authz-client and keycloak-adapter-core, declare bogus "Import-Package: org.apache.http.*;version=4.5.2" dependency.
This comes from the following lines in the POM:
<keycloak.osgi.import>
org.keycloak.*;version="${project.version}",
org.apache.http.*;version=${apache.httpcomponents.version},
...
</keycloak.osgi.import>
org.apache.http.* is exported by org.apache.httpcomponents:httpcore-osgi, which uses its own versioning scheme (4.4.9 is the latest version ATM). Thus, deploying the bundle to OSGi runtime fails due to unsatisfied dependency.
Later, I discovered there's a keycloak-osgi-thirdparty bundle that provides the required dependencies (however, they don't become less bogus because of that).
I'm OK with this workaround, but generally speaking, is keycloak-osgi-thirdparty still needed?
I got the impression it was created at a time when not every dependency was available as an OSGi bundle.
Current version of keycloak-osgi-thirdparty contains merged httpclient and httpcore, which are available as org.apache.httpcomponents:httpclient-osgi and org.apache.httpcomponents:httpcore-osgi, respectively.
So to me it seems like a candidate for deprecation and removal. If so, the bogus dependency issue, obviously, should be tackled first.
2. Split package org.keycloak.adapters.servlet
> In standard Java programming, packages are generally treated as
> split; the Java class path approach merges all packages from
> different JAR files on the class path into one big soup. This is
> anathema to OSGi’s modularization model, where packages are treated
> as atomic (that is, they can’t be split).
http://web.ist.utl.pt/ist162500/?p=65
In Keycloak, the package org.keycloak.adapters.servlet is split between
keycloak-servlet-adapter-spi and keycloak-servlet-filter-adapter. This
leads to seemingly inexplicable NoClassDefFoundErrors, when e.g.
KeycloakOIDCFilter cannot find its neighbor OIDCServletHttpFacade. The
recipe provided by the above article (create dummy bundle, prohibit
direct imports etc.) is rather cumbersome, so I've just created
org.keycloak.adapters.servlet.spi package and moved there the two
classes from keycloak-servlet-adapter-spi.
After that, I was finally able to wire the Keycloak filter to a test
servlet, and it worked pretty well. There was a redirect to Keycloak's
login screen, then a redirect back, and the servlet was able to obtain
a valid KeycloakPrincipal with a JWT token.
To sum up, I'm eager to contribute changes required to make Keycloak
servlet filter adapter a valid and working OSGi bundle. That would
include OSGi bundling for two modules and split package refactoring.
The first issue (bogus deps) IMO should require further discussion.
Let me know what you think,
Dmitry Telegin
CTO, Acutus s.r.o.
6 years, 5 months
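Two checks for the problems described in this post, as an added example and not Keycloak's own code: an OSGi version-range resolver that shows why an Import-Package of org.apache.http;version=4.5.2 (a bare version means "at least" in OSGi) cannot be wired to httpcore-osgi's 4.4.9 export, and a split-package finder over Export-Package headers. The manifest headers in MANIFESTS are constructed for the example; the real bundles' headers and versions differ. Note that the org.apache.http.* pattern in the POM is a maven-bundle-plugin instruction that expands to concrete packages in the generated manifest, which is what the check reads.

```python
"""Added example (not Keycloak's own code): two checks against OSGi bundle
manifests for the problems described above.  The headers below are constructed;
real bundles' headers differ."""
import re

# Constructed sample headers (bundle symbolic name -> manifest headers).
MANIFESTS = {
    "keycloak-adapter-core": {
        "Import-Package": (
            'org.apache.http;version="4.5.2",'
            'org.apache.http.client;version="4.5.2",'
            'org.keycloak.adapters.spi;version="[4.1,5)"'
        ),
        "Export-Package": 'org.keycloak.adapters;version="4.1.0"',
    },
    "httpcore-osgi": {"Export-Package": 'org.apache.http;version="4.4.9"'},
    "httpclient-osgi": {"Export-Package": 'org.apache.http.client;version="4.5.5"'},
    "keycloak-servlet-adapter-spi": {
        "Export-Package": (
            'org.keycloak.adapters.servlet;version="4.1.0",'
            'org.keycloak.adapters.spi;version="4.1.0"'
        )
    },
    "keycloak-servlet-filter-adapter": {
        "Export-Package": 'org.keycloak.adapters.servlet;version="4.1.0"'
    },
}


def split_header(value):
    """Split a manifest header on top-level commas (commas inside quotes stay)."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_clause(clause):
    """'pkg;version="[1,2)";resolution:=optional' -> ('pkg', {'version': '[1,2)', 'resolution:': 'optional'})."""
    segments = [s.strip() for s in clause.split(";")]
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        attrs[key.strip()] = val.strip().strip('"')
    return segments[0], attrs


def version_tuple(text):
    """major.minor.micro as ints; a qualifier such as '.Final' is ignored."""
    nums = text.strip().split(".")[:3]
    nums = [int(n) if n.isdigit() else 0 for n in nums]
    return tuple(nums + [0] * (3 - len(nums)))


RANGE_RE = re.compile(r"([\[(])\s*([^,]+)\s*,\s*([^\])]+)\s*([\])])")


def parse_range(spec):
    """OSGi semantics: a bare version '4.5.2' means [4.5.2, infinity)."""
    m = RANGE_RE.fullmatch(spec.strip())
    if not m:
        return version_tuple(spec), True, None, False
    return version_tuple(m.group(2)), m.group(1) == "[", version_tuple(m.group(3)), m.group(4) == "]"


def in_range(version, rng):
    low, low_inc, high, high_inc = rng
    v = version_tuple(version)
    if v < low or (v == low and not low_inc):
        return False
    if high is not None and (v > high or (v == high and not high_inc)):
        return False
    return True


def exported_packages(manifests):
    """package -> [(bundle, version)] over every bundle's Export-Package."""
    table = {}
    for bundle, headers in manifests.items():
        for clause in split_header(headers.get("Export-Package", "")):
            pkg, attrs = parse_clause(clause)
            table.setdefault(pkg, []).append((bundle, attrs.get("version", "0.0.0")))
    return table


def find_split_packages(manifests):
    """Packages exported by more than one bundle: what OSGi refuses to merge."""
    return sorted(pkg for pkg, owners in exported_packages(manifests).items()
                  if len({bundle for bundle, _ in owners}) > 1)


def unsatisfied_imports(bundle, manifests):
    """Mandatory imports of `bundle` that no other bundle exports at an acceptable version."""
    exports = exported_packages(manifests)
    missing = []
    for clause in split_header(manifests[bundle].get("Import-Package", "")):
        pkg, attrs = parse_clause(clause)
        if attrs.get("resolution:") == "optional":
            continue
        wanted = attrs.get("version", "0.0.0")
        rng = parse_range(wanted)
        if not any(b != bundle and in_range(v, rng) for b, v in exports.get(pkg, [])):
            missing.append((pkg, wanted))
    return missing


if __name__ == "__main__":
    print("split packages:", find_split_packages(MANIFESTS))
    print("unsatisfied imports:", unsatisfied_imports("keycloak-adapter-core", MANIFESTS))
```

Run against real bundles, the headers would come from each jar's META-INF/MANIFEST.MF; the two functions then give exactly the two symptoms in the post, the import that no deployed bundle can satisfy and the package that two bundles both claim.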
Any reason why the DefaultBruteForceProtector success() method is private?
by Eric B
Hi.
I'm looking at producing an extended implementation of the
DefaultBruteForceProtector implementation, but for some reason the
success() method in the class is the only private method, which is
prohibiting me from simply extending the DefaultBruteForceProtector class and
adding some additional logic to the methods.
Is there a particular reason why the visibility for these methods is as
follows?
- public void failure()
- private void success()
Why is success() private, whereas failure() is public? Was this just an
oversight? Can success() be changed to public?
Thanks,
Eric
6 years, 5 months
Token revocation support
by Thomas Darimont
Hello Keycloak Team,
whilst comparing the output of Google's .well-known/openid-configuration with that of Keycloak, I noticed that the .well-known/openid-configuration endpoint in Keycloak does not expose a "revocation_endpoint".
See below...
I just stumbled upon the old keycloak-dev ML thread where this was
mentioned already.
http://lists.jboss.org/pipermail/keycloak-dev/2016-April/007054.html
Are there any plans to support token revocation with a
`revocation_endpoint`?
RFC7009 mentions that an implementation MUST provide token revocation for refresh_tokens and SHOULD provide support for access_tokens; perhaps only supporting refresh_tokens would be a good start.
It seems that token revocation is currently handled by updating the "notBefore" timestamp of a realm and ensuring that only tokens with issuedAt timestamp > notBefore are considered valid.
A naive way of supporting the revocation_endpoint could just be to update the realm's notBefore timestamp. However I think this might be a bit too coarse-grained since it might invalidate a bunch of tokens at once, which could potentially require many/all clients/users to request new tokens.
A more fine-grained approach could be to record the hash of a revoked refresh_token value in a database table like revoked_tokens (id, token_hash, issued_at, token_type). When a new token is requested with a refresh_token, then one could try to look up an entry in the revoked_tokens table with the token_hash of the current token. If nothing was found then the token was not revoked and can be used. Otherwise, the token was revoked and no new tokens should be issued with the given refresh_token, which means that the user / client must reauthenticate again.
Table entries could be cleared once the associated refresh tokens have timed out.
OAuth2 Token Revocation Overview:
https://connect2id.com/blog/token-revocation
OAuth2 Token Revocation RFC: https://tools.ietf.org/html/rfc7009
Cheers,
Thomas
This is the output of Google's .well-known/openid-configuration endpoint:
https://accounts.google.com/.well-known/openid-configuration
{
"issuer": "https://accounts.google.com",
"authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
"token_endpoint": "https://www.googleapis.com/oauth2/v4/token",
"userinfo_endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
"revocation_endpoint": "https://accounts.google.com/o/oauth2/revoke",
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
"response_types_supported": [
"code",
"token",
"id_token",
"code token",
"code id_token",
"token id_token",
"code token id_token",
"none"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"client_secret_basic"
],
"claims_supported": [
"aud",
"email",
"email_verified",
"exp",
"family_name",
"given_name",
"iat",
"iss",
"locale",
"name",
"picture",
"sub"
],
"code_challenge_methods_supported": [
"plain",
"S256"
]
}
This is the output of Keycloak's .well-known/openid-configuration endpoint
(Keycloak 4.1.0.Final):
http://iam.tdlabs.local:8080/auth/realms/concourseci/.well-known/openid-c...
{
"issuer": "http://iam.tdlabs.local:8080/auth/realms/concourseci",
"authorization_endpoint": "http://iam.tdlabs.local:8080/auth/realms/concourseci/protocol/openid-conn...",
"token_endpoint": "http://iam.tdlabs.local:8080/auth/realms/concourseci/protocol/openid-conn...",
"token_introspection_endpoint": "http://iam.tdlabs.local:8080/auth/realms/concourseci/protocol/openid-conn...",
"userinfo_endpoint": "http://iam.tdlabs.local:8080/auth/realms/concourseci/protocol/openid-conn...",
"end_session_endpoint": "http://iam.tdlabs.local:8080/auth/realms/concourseci/protocol/openid-conn...",
"jwks_uri": "http://iam.tdlabs.local:8080/auth/realms/concourseci/protocol/openid-conn...",
"check_session_iframe": "http://iam.tdlabs.local:8080/auth/realms/concourseci/protocol/openid-conn...",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"subject_types_supported": [
"public",
"pairwise"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"userinfo_signing_alg_values_supported": [
"RS256"
],
"request_object_signing_alg_values_supported": [
"none",
"RS256"
],
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"registration_endpoint": "http://iam.tdlabs.local:8080/auth/realms/concourseci/clients-registration...",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"RS256"
],
"claims_supported": [
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email"
],
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"scopes_supported": [
"openid",
"address",
"concourse.main",
"email",
"offline_access",
"phone",
"profile",
"read"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"code_challenge_methods_supported": [
"plain",
"S256"
],
"tls_client_certificate_bound_access_tokens": true
}
6 years, 5 months
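The revoked_tokens scheme sketched above, worked through as an added example (not Keycloak code) beside the realm-wide notBefore check it is meant to refine: the store keeps only a SHA-256 digest of the refresh token, the refresh path checks expiry, realm notBefore and the per-token table in that order, and rows for timed-out tokens are purged. Token values, timestamps and the in-memory table are constructed stand-ins for the database table.

```python
"""Added example (not Keycloak code): the per-token revocation table proposed
above, beside the realm-wide notBefore check Keycloak uses today.  Tokens,
timestamps and the in-memory 'table' are constructed stand-ins."""
import hashlib


def token_hash(token):
    """Only a digest is stored, so a dump of the table does not yield usable refresh tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class RevokedTokens:
    """In-memory stand-in for revoked_tokens(id, token_hash, issued_at, token_type)."""

    def __init__(self):
        self.rows = {}  # token_hash -> {issued_at, expires_at, token_type}

    def revoke(self, token, issued_at, expires_at, token_type="refresh_token"):
        self.rows[token_hash(token)] = {
            "issued_at": issued_at, "expires_at": expires_at, "token_type": token_type,
        }

    def is_revoked(self, token):
        return token_hash(token) in self.rows

    def purge_expired(self, now):
        """Rows for refresh tokens that have timed out can go: an expired token is rejected anyway."""
        gone = [h for h, row in self.rows.items() if row["expires_at"] <= now]
        for h in gone:
            del self.rows[h]
        return len(gone)


def refresh_allowed(token, issued_at, expires_at, realm_not_before, revoked, now):
    """Decide whether a refresh_token may be exchanged for new tokens.

    Expiry and the coarse realm notBefore check (valid only if issuedAt > notBefore,
    as the post describes) need no table lookup; the per-token lookup is the
    fine-grained step and runs last."""
    if now >= expires_at:
        return False, "expired"
    if issued_at <= realm_not_before:  # existing mechanism: everything older is out
        return False, "realm_not_before"
    if revoked.is_revoked(token):  # proposed mechanism: only this token is out
        return False, "revoked"
    return True, "ok"


def demo():
    """Constructed scenario: two clients hold refresh tokens issued at t=1000, expiring at t=5000."""
    revoked = RevokedTokens()
    results = {}
    revoked.revoke("refresh-token-client-A", issued_at=1000, expires_at=5000)
    # Per-token revocation: A is out, B keeps working.
    results["A_after_revoke"] = refresh_allowed("refresh-token-client-A", 1000, 5000, 0, revoked, now=2000)
    results["B_after_revoke"] = refresh_allowed("refresh-token-client-B", 1000, 5000, 0, revoked, now=2000)
    # Realm notBefore bumped to 1500: B is invalidated too, although nobody revoked it.
    results["B_after_not_before"] = refresh_allowed("refresh-token-client-B", 1000, 5000, 1500, revoked, now=2000)
    # Housekeeping once A's token has timed out.
    results["purged"] = revoked.purge_expired(now=5000)
    results["A_still_in_table"] = revoked.is_revoked("refresh-token-client-A")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two mechanisms compose: notBefore stays available as the emergency switch that cuts off every token in the realm, while the table lets a single client's refresh token be revoked without disturbing anyone else. Hashing the stored value matters because the table is consulted on every refresh and would otherwise be a list of live credentials.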
Some feature suggestions for Identity Provider support
by Thomas Darimont
Hello Keycloak-Team,
for an integration scenario with a big German internet provider I needed to implement a custom OAuth2-based IdentityProvider.
It worked out quite well, but I encountered some things which currently require custom coding that could be provided out of the box.
- Default roles for users that come via Identity Provider
I need to assign some realm- / client-roles to users that come via that IdP. Users that come via that IdP should be able to access certain client applications by default. Of course one could programmatically add appropriate roles to newly created broker users, but it would be nicer to be able to configure a set of default roles on IdP level, like roles / scopes for Clients / Service Accounts.
- Allow multiple IdP definitions of the same type with different names (google-test, google-staging)
At the moment it seems that one can only have one IdP per IdP-type (e.g. just one google, one twitter etc.). However for testing it would be handy to be able to define multiple IdP definitions of the same type with different identifiers. A workaround for this would be to use different realms, but if one needs to work with multiple testing / staging environments this becomes complicated quickly.
WDYT?
Cheers,
Thomas
6 years, 5 months
KEYCLOAK_IDENTITY encoding choose between HMAC and RSA
by Christian Battaglia
The "encodeToken" method from "services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java" specifically uses hmac256 for its encoding, and I get that this is done for speed, but I would argue that this should be a choice in the configuration.
So my use case sort of breaks outside the walls of Keycloak but I think
this would be a great point to extend. I would like to make use of this JWT
on the NGINX network layer to cryptographically verify against the RSA
public key found at
"/auth/realms/<realm-name>/.well-known/openid-configuration".
This would be sort of a broad level scope authentication used for things
like CDN assets.
I get this looks kind of nasty as far as security concerns but how else
could I include a cookie for a specific client purpose and at a specific
subdomain without first adding in a minimal client frontend with the
Keycloak js iframe check that then adds a cookie for that domain and then
redirects them back to the URL? It seems kind of dumb this couldn't be done
on a realm wide level.
Thoughts?
- Christian
6 years, 5 months
New feature implementation: Namespace support for LDAP group mapper by storing the groups synced from LDAP provider within a customizable path
by Jürgeleit Torsten
Hi Keycloak Team,
we’re using MSAD group memberships for provisioning roles in different applications (JIRA, SonarQube, GitLab, …). The required information (application, project, role) is encoded in the MSAD group name via patterns like “<prefix>_<app>_<project>_<role>”, e.g. “G_APPL_JIRA_PR1_Developer”. Currently in every application the corresponding MSAD group memberships are retrieved via an LDAP query (with a filter using the application-specific prefix) and stored in the application’s internal user access management system.
Now we would like to introduce Keycloak as the central IdP for these applications. But currently Keycloak only supports syncing groups from LDAP federation provider as top-level KC groups. This approach has some limitations:
- If using multiple group mappers then there’s no way to isolate the KC groups synched by each group mapper.
- If the option "Drop non-existing groups during sync" is activated then all KC groups (including the manually created ones) are deleted.
- There’s no way to inherit roles from a parent KC group.
Therefore I would like to propose adding some kind of namespace support to GroupLDAPStorageMapper. This could be implemented by an additional config property for a Keycloak group path where the groups synched from LDAP provider are stored (defaults to "/" for top-level groups).
An implementation of this approach can be found in commit baa76c6 <https://github.com/tjuerge/keycloak/commit/baa76c6d591a0be1b16612470030f6...> of my fork. To test this implementation modified copies of existing integration tests are used (here the groups are stored within the path "/Applications/App1" instead of "/").
WDYT?
Cheers,
Torsten
6 years, 5 months
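A dry-run sync planner, added here as an example and not the code in the fork, that shows what the proposed group-path option changes: a parser for the <prefix>_<app>_<project>_<role> naming convention, and a planner that treats only groups directly under the configured path as managed by this mapper, so "Drop non-existing groups during sync" can no longer delete manually created groups or another mapper's groups. The existing Keycloak groups and the LDAP result are constructed.

```python
"""Added example (not the fork's code): what the proposed namespace option
changes for GroupLDAPStorageMapper, as a dry-run sync planner.  Group names
follow the <prefix>_<app>_<project>_<role> convention from the post; the
existing-group lists are constructed."""


def parse_group_name(name, prefix):
    """'G_APPL_JIRA_PR1_Developer' with prefix 'G_APPL' -> app/project/role, else None."""
    if not name.startswith(prefix + "_"):
        return None
    parts = name[len(prefix) + 1:].split("_", 2)  # role may itself contain '_'
    if len(parts) != 3 or not all(parts):
        return None
    return dict(zip(("app", "project", "role"), parts))


def normalize_path(path):
    """'/Applications/App1/' -> '/Applications/App1'; '' or '/' -> '/'."""
    return "/" + "/".join(seg for seg in path.split("/") if seg)


def parent_path(path):
    head = path.rpartition("/")[0]
    return head or "/"


def kc_group_path(namespace, ldap_group):
    """Where the mapper would store an LDAP group: <namespace>/<ldap group name>."""
    return normalize_path(normalize_path(namespace) + "/" + ldap_group)


def plan_sync(namespace, ldap_groups, kc_groups, drop_non_existing):
    """Dry run of one mapper's sync.

    Only groups directly under `namespace` count as managed by this mapper, so
    'drop non-existing groups' cannot touch manually created groups or the
    groups of another mapper with a different namespace."""
    ns = normalize_path(namespace)
    wanted = {kc_group_path(ns, g) for g in ldap_groups}
    managed = {p for p in kc_groups if parent_path(p) == ns}
    create = sorted(wanted - set(kc_groups))
    delete = sorted(managed - wanted) if drop_non_existing else []
    return {"create": create, "delete": delete}


# Constructed state: one manual group, App1 groups from an earlier sync,
# an App2 group owned by a second mapper, and the current MSAD query result.
KC_GROUPS = [
    "/Manual-Admins",
    "/Applications/App1/G_APPL_JIRA_PR1_Developer",
    "/Applications/App1/G_APPL_JIRA_OLD_Viewer",
    "/Applications/App2/G_APPL_SONAR_PR1_Admin",
]
LDAP_GROUPS = ["G_APPL_JIRA_PR1_Developer", "G_APPL_JIRA_PR2_Tester"]


def demo():
    return {
        # today: everything lands at top level and every top-level group is "managed"
        "top_level": plan_sync("/", LDAP_GROUPS, KC_GROUPS, drop_non_existing=True),
        # proposed: this mapper only owns what sits under /Applications/App1
        "namespaced": plan_sync("/Applications/App1", LDAP_GROUPS, KC_GROUPS, drop_non_existing=True),
    }


if __name__ == "__main__":
    for mode, plan in demo().items():
        print(mode, plan)
```

In the top-level run the planner deletes /Manual-Admins, which is the second limitation from the post; in the namespaced run it removes only the stale App1 group and leaves both the manual group and App2's groups alone.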
Outage Issue
by gambol
Hiya
I was wondering if anyone has come across this before. We have Keycloak
running in a kubernetes cluster, a mysql RDS, and a standalone-ha setup using
two gossip servers, each running behind a kube service and passed in via
environment variables:
<protocol type="TCPGOSSIP">
<property name="initial_hosts">${env.GOSSIP_ROUTER_HOST}</property>
</protocol>
The cluster appears to work fine; a new node added makes a change to the topology
and so forth. We do however, out of the blue, get the following error on
occasion, every couple of weeks... Shortly after, the rest of the replicas
become affected, the health check on /auth fails and/or login attempts
begin to time out. At present the only solution is to completely cycle the
cluster.
13:07:52,451 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012108: CheckedAction::check - atomic action
0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:47876e aborting with 1 threads active!
13:07:52,451 WARN
[org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl]
(Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called
by a background thread; delaying afterCompletion processing until the
original thread can handle it. [status=4]
13:07:52,451 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction
Reaper Worker 0,5,main] successfully canceled TX
0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:47876e
13:07:55,475 WARN [com.arjuna.ats.arjuna] (Transaction Reaper)
ARJUNA012117: TransactionReaper::check timeout for TX
0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 in state RUN
13:07:55,476 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012095: Abort of action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9
invoked while multiple threads active within it.
13:07:55,480 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012381: Action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 completed
with multiple threads - thread default task-64 was in progress with
sun.misc.Unsafe.park(Native Method)
java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
org.apache.http.pool.PoolEntryFuture.await(PoolEntryFuture.java:138)
org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306)
org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:64)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:192)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:185)
org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:107)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:276)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager$1.get(PoolingHttpClientConnectionManager.java:263)
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:190)
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185)
org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:154)
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:146)
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:397)
sun.reflect.GeneratedMethodAccessor994.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1243/578097420.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
Repeating over and over... Just before that there is:
11:26:08,882 WARN [org.keycloak.events] (default task-166)
type=CODE_TO_TOKEN_ERROR, realmId=XXX, clientId=XXXX, userId=null,
ipAddress=XXXXXXXXXX , error=invalid_code, grant_type=authorization_code,
code_id=XXXXXXXX , client_auth_method=client-secret
11:30:04,172 WARN [org.keycloak.services.managers.AuthenticationManager]
(default task-100) Some clients have been not been logged out for user
XXXXXXXXXXXXXXXXXXX in hod-ci realm: XXXXX
11:30:04,203 WARN [org.keycloak.events] (default task-92)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=HOD-CI, clientId=null,
userId=null, ipAddress=213.251.23.186, error=expired_code,
identity_provider=O365, restart_after_timeout=true
11:38:13,851 WARN [org.keycloak.forms.login.freemarker.model.ProfileBean]
(default task-88) There are more values for attribute 'group' of user
'XXXX\XXXXXX' . Will display just first value
11:43:37,370 WARN [org.keycloak.events] (default task-36)
type=LOGIN_ERROR, realmId=lev, clientId=lev-web, userId=null,
ipAddress=XXXXXXXX, error=user_not_found, auth_method=openid-connect,
auth_type=code, redirect_uri=https://lev.homeoffice.gov.uk/oauth/callback,
code_id=5a08f532-1051-4805-8dd6-d71362303521, username=XXXXXXXXX
11:47:01,018 WARN [com.arjuna.ats.arjuna] (Transaction Reaper)
ARJUNA012117: TransactionReaper::check timeout for TX
0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0 in state RUN
11:47:01,019 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012095: Abort of action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0
invoked while multiple threads active within it.
11:47:01,022 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0)
ARJUNA012381: Action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0 completed
with multiple threads - thread default task-165 was in progress with
sun.misc.Unsafe.park(Native Method)
java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
org.apache.http.pool.PoolEntryFuture.await(PoolEntryFuture.java:138)
org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306)
org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:64)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:192)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:185)
org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:107)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:276)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager$1.get(PoolingHttpClientConnectionManager.java:263)
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:190)
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185)
org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:154)
org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:146)
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:397)
sun.reflect.GeneratedMethodAccessor994.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:498)
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$1243/578097420.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1244/197032188.call(Unknown Source)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)
Rohith
6 years, 5 months
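A small log check, added as an example (not Keycloak code), for the pattern in the traces above: a transaction reaper timeout (ARJUNA012117) whose aborted thread (ARJUNA012381) is parked in AbstractConnPool.getPoolEntryBlocking, i.e. waiting for a pooled Apache HttpClient connection while the identity broker exchanges the code with the IdP. SAMPLE_LOG is condensed from the lines quoted in the post, one record per line with stack frames trimmed, plus one constructed transaction that timed out elsewhere so the filter has something to reject. It flags the pattern for alerting; it does not establish the cause of the outage.

```python
"""Added example (not Keycloak code): flag transaction reaper timeouts whose
aborted thread was waiting for a pooled HttpClient connection.  SAMPLE_LOG is
condensed from the post's log lines plus one constructed transaction."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
13:07:55,475 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 in state RUN
13:07:55,476 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 invoked while multiple threads active within it.
13:07:55,480 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:4787b9 completed with multiple threads - thread default task-64 was in progress with
sun.misc.Unsafe.park(Native Method)
java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
org.apache.http.pool.PoolEntryFuture.await(PoolEntryFuture.java:138)
org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:276)
org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185)
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:397)
sun.reflect.GeneratedMethodAccessor994.invoke(Unknown Source)
11:47:01,018 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0 in state RUN
11:47:01,022 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffff0a0a8b0a:-6d4f7aec:5b0ef057:46efe0 completed with multiple threads - thread default task-165 was in progress with
sun.misc.Unsafe.park(Native Method)
org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306)
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:397)
12:00:00,000 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:constructed:000001 in state RUN
12:00:00,005 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:constructed:000001 completed with multiple threads - thread default task-7 was in progress with
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
"""

TIMEOUT_RE = re.compile(r"ARJUNA012117: TransactionReaper::check timeout for TX (\S+)")
COMPLETED_RE = re.compile(r"ARJUNA012381: Action id (\S+) completed .*thread (.+?) was in progress with")
FRAME_RE = re.compile(r"^[A-Za-z_$][\w$./]*\([^()]*\)$")  # one Java stack frame
POOL_WAIT_FRAME = "org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking"


def parse_reaper_events(lines):
    """tx id -> {'timed_out', 'thread', 'frames'}; frames follow an ARJUNA012381 record."""
    events = defaultdict(lambda: {"timed_out": False, "thread": None, "frames": []})
    current = None  # tx whose stack trace we are inside, if any
    for raw in lines:
        line = raw.strip()
        m = TIMEOUT_RE.search(line)
        if m:
            events[m.group(1)]["timed_out"] = True
            current = None
            continue
        m = COMPLETED_RE.search(line)
        if m:
            current = m.group(1)
            events[current]["thread"] = m.group(2)
            continue
        if current is not None and FRAME_RE.match(line):
            events[current]["frames"].append(line)
        else:
            current = None  # any other record ends the trace
    return dict(events)


def stuck_on_http_pool(events):
    """Timed-out transactions whose aborted thread was waiting for a pooled connection."""
    return sorted(tx for tx, ev in events.items()
                  if ev["timed_out"] and any(f.startswith(POOL_WAIT_FRAME) for f in ev["frames"]))


def keycloak_frames(frames):
    """The Keycloak-side frames, i.e. where in the server the blocked call originated."""
    return [f.split("(")[0] for f in frames if f.startswith("org.keycloak.")]


def summarize(log_text):
    """tx id -> blocked thread and Keycloak call path, for the transactions that match."""
    events = parse_reaper_events(log_text.splitlines())
    return {tx: {"thread": events[tx]["thread"], "keycloak_frames": keycloak_frames(events[tx]["frames"])}
            for tx in stuck_on_http_pool(events)}


if __name__ == "__main__":
    for tx, info in summarize(SAMPLE_LOG).items():
        print(tx, info["thread"], "->", info["keycloak_frames"][-1] if info["keycloak_frames"] else "?")
```

On a live server the same check would read the wrapped server.log records after joining continuation lines; the count of matching transactions per interval, together with the broker endpoint they originate from, is the signal to alert on before the health check on /auth starts failing.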