User TLS client certificate authentication - inconsistent DN string representation with LDAP
by Peck, Michael A
Hello,
I’ve configured Keycloak to authenticate users using TLS client certificate authentication.
I’ve also configured Keycloak to synchronize users with my LDAP server.
I’d like to match the TLS client certificate’s Subject DN to the Subject DNs synchronized from my LDAP server (which are stored by Keycloak in each user’s LDAP_ENTRY_DN attribute).
I’ve set that up, but am running into an issue that Keycloak appears to have inconsistent string representations of DNs between those two methods - so the Subject DNs from the TLS client certificate and the LDAP server aren’t matching as I was expecting.
The TLS client certificate DNs look like this:
CN=Peck Michael, OU=People, DC=test, DC=net
While the LDAP_ENTRY_DN attribute is formatted like this:
cn=Peck Michael,ou=People,dc=test,dc=net
It looks to me that the TLS client certificate DN string representation is coming from the standard Java X500Principal class used by calls to X509Certificate.getSubjectDN().getName() in keycloak/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java and the LDAP_ENTRY_DN string representation is coming from the toString method in keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java.
I modified the LDAPDn class’s toString method to follow the same format as used in the TLS client certificate DNs, and authentication works for me now.
Would the Keycloak project consider accepting a pull request to change the way LDAPDn formats DNs as strings?
(However I have not checked if this would impact other uses of the LDAPDn class within Keycloak or cause problems with upgrading existing deployments?)
The suggested change follows:
diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java b/federation/ldap/src/main/
index 39e7d97..2f8c805 100644
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java
@@ -87,9 +87,9 @@ public class LDAPDn {
if (first) {
first = false;
} else {
- builder.append(",");
+ builder.append(", ");
}
- builder.append(rdn.attrName).append("=").append(rdn.attrValue);
+ builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue);
}
return builder.toString();
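Review bot: the hunk fixes the match by changing how every LDAPDn is rendered rather than by comparing DNs structurally, and the new rendering is still not a canonical form. `builder.append(rdn.attrName.toUpperCase())` plus `", "` reproduce one particular certificate-side rendering, but `rdn.attrValue` is still appended unescaped, so any value containing `,`, `+`, `"`, `\`, or a leading `#` or space (RFC 4514 special characters) produces a string that differs from the certificate's rendering and is not even a parseable DN. Because this same toString() output is what is stored as LDAP_ENTRY_DN (per the description above), existing deployments keep attribute values in the old `cn=...,ou=...` form while new syncs produce `CN=..., OU=...`, so the mismatch moves from certificate-vs-LDAP to old-vs-new; this is the upgrade concern raised in the covering note and it argues against changing toString() at all. Suggest leaving LDAPDn.toString() as is and doing the comparison on the X.509 authenticator side by parsing both strings with javax.naming.ldap.LdapName, whose equals() is case-insensitive on attribute types and tolerant of whitespace after separators, or at minimum escaping attrValue here. Also, `toUpperCase()` without a Locale is locale-sensitive (under a Turkish default locale `uid` becomes `UİD`); if the uppercasing stays, use `toUpperCase(Locale.ROOT)`.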
Thank you,
Michael Peck
The MITRE Corporation
5 years, 2 months
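As an added example (not Keycloak code and not the change proposed in the post above), the following class shows the structural comparison the post's string patch approximates: both renderings are parsed with javax.naming.ldap.LdapName and compared RDN by RDN, which makes attribute-type case, whitespace after separators and escaped commas irrelevant. The class name and the sample DN strings are constructed for this example; the two DN strings are the ones quoted in the post.

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not Keycloak code): compare a certificate subject DN with a DN
 * string stored by an LDAP federation provider by parsing both into RDN
 * sequences instead of comparing their string renderings.
 */
public final class DnMatch {

    private DnMatch() {}

    /** Parse an RFC 2253 / RFC 1779 style DN string; returns null if it is not a valid DN. */
    static LdapName parse(String dn) {
        try {
            return new LdapName(dn);
        } catch (InvalidNameException e) {
            // Unparsable input becomes a non-match instead of an exception inside the auth flow.
            return null;
        }
    }

    /**
     * True when both strings denote the same DN. LdapName/Rdn equality compares
     * attribute types case-insensitively, skips whitespace around separators and
     * compares values after unescaping, so "CN=A, OU=B" equals "cn=A,ou=B".
     * Note that string values are also compared case-insensitively.
     */
    public static boolean sameDn(String certSubject, String ldapEntryDn) {
        LdapName a = parse(certSubject);
        LdapName b = parse(ldapEntryDn);
        return a != null && b != null && a.equals(b);
    }

    /** RFC 2253 rendering (no space after commas, standard keywords upper-case). */
    public static String rfc2253(String dn) {
        return new X500Principal(dn).getName(X500Principal.RFC2253);
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the two renderings quoted in the post.
        String fromCert = "CN=Peck Michael, OU=People, DC=test, DC=net";
        String fromLdap = "cn=Peck Michael,ou=People,dc=test,dc=net";

        System.out.println(sameDn(fromCert, fromLdap));                                   // true
        System.out.println(sameDn(fromCert, "cn=Peck Michael,ou=Staff,dc=test,dc=net"));  // false

        // A comma inside a value must stay escaped. Plain string concatenation of
        // attrName=attrValue breaks here; the parser keeps one RDN with the literal value.
        String escaped = "CN=Peck\\, Michael, OU=People, DC=test, DC=net";
        List<Rdn> rdns = parse(escaped).getRdns();            // index 0 is the rightmost RDN (DC=net)
        System.out.println(rdns.get(rdns.size() - 1).getValue()); // Peck, Michael

        System.out.println(rfc2253(fromCert));                // CN=Peck Michael,OU=People,DC=test,DC=net
    }
}
```

Comparing parsed names on the authenticator side leaves LDAPDn.toString(), and therefore the LDAP_ENTRY_DN values already stored in existing deployments, untouched. If a normalised string is needed for a lookup query, rfc2253() gives a stable rendering of the certificate side, but the lookup should still be done on a value produced by the same normalisation, not on the raw stored attribute.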
Re: [keycloak-dev] [keycloak-user] Remove realm in HA environment throw org.keycloak.models.ModelException: javax.persistence.OptimisticLockException
by Sebastian Laskawiec
Dropping the Keycloak User mailing list.
@Marek - so do we want to do something with it? Have you heard any more
complaints about this?
On Tue, Feb 5, 2019 at 2:31 PM Sebastian Laskawiec <slaskawi(a)redhat.com>
wrote:
> So perhaps you can slightly modify your performance test to do steps 1..3
> multiple times and then just wipe out all the realms that were created?
>
> On Mon, Feb 4, 2019 at 2:47 PM madhura nishshanka <
> madhura.nishshanka(a)gmail.com> wrote:
>
>> I was invoking the following steps 1, 2 and 3 sequentially in one thread and
>> then the 4th step in a separate thread. The whole test was done with
>> multiple threads in parallel.
>>
>> 1) Create realm with a user
>> 2) Create another user on the same realm
>> 3) Delete original user
>> 4) Delete the new realm.
>>
>> On Mon, Feb 4, 2019, 6:10 PM Sebastian Laskawiec <slaskawi(a)redhat.com
>> wrote:
>>
>>> Let me add +Marek Posolda <mposolda(a)redhat.com>, maybe he'll have
>>> better idea, what might be causing this...
>>>
>>> The error happened here [1]. Hibernate wanted to remove a
>>> given RoleEntity object but between `em.remove(roleEntity)` and
>>> `em.flush()`, some other transaction had removed that object from the
>>> database.
>>>
>>> One of the things that could result in such a behavior is deleting
>>> multiple realms at the same time. Could you please tell us more about your
>>> test? How it works, does it perform operations in sequential order or in
>>> parallel?
>>>
>>> One improvement we could do on our side is to swap flushing the
>>> EntityManager and publishing events. That could also potentially solve your
>>> problem. Marek, what do you think about this?
>>>
>>> Thanks,
>>> Sebastian
>>>
>>> [1]
>>> https://github.com/keycloak/keycloak/blob/7d85ce93bbf33eb11981a6c118abc48...
>>>
>>> On Fri, Feb 1, 2019 at 5:12 AM madhura nishshanka <
>>> madhura.nishshanka(a)gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I am getting "org.keycloak.models.ModelException:
>>>> javax.persistence.OptimisticLockException: Batch update returned unexpected
>>>> row count from update [0]; actual row count: 0; expected: 1" when a realm
>>>> is deleted from the Keycloak Java admin client. This occurs in an HA
>>>> environment when we do a performance test. Can someone please help me with this?
>>>>
>>>> I am using Keycloak 4.8.1 Final.
>>>>
>>>> Full exception
>>>> 11:56:25,452 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: org.keycloak.models.ModelException: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>>>     at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
>>>>     at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
>>>>     at com.sun.proxy.$Proxy99.flush(Unknown Source)
>>>>     at org.keycloak.models.jpa.JpaRealmProvider.removeRole(JpaRealmProvider.java:320)
>>>>     at org.keycloak.models.jpa.JpaRealmProvider.removeClient(JpaRealmProvider.java:567)
>>>>     at *org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:153)*
>>>>     at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRealm(RealmCacheSession.java:486)
>>>>     at org.keycloak.services.managers.RealmManager.removeRealm(RealmManager.java:248)
>>>>     at org.keycloak.services.resources.admin.RealmAdminResource.deleteRealm(RealmAdminResource.java:453)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>>>>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>>>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>>>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>>>>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>>>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>>>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>>>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>>>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>>>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>>>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>>>>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>>>>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>>>>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>>>>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>>>>     at java.lang.Thread.run(Thread.java:748)
>>>> Caused by: javax.persistence.OptimisticLockException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>>>     at org.hibernate.internal.ExceptionConverterImpl.wrapStaleStateException(ExceptionConverterImpl.java:238)
>>>>     at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:93)
>>>>     at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181)
>>>>     at org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188)
>>>>     at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460)
>>>>     at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1440)
>>>>     at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>     at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49)
>>>>     ... 78 more
>>>> Caused by: org.hibernate.StaleStateException: Batch update returned unexpected row count from update [0]; actual row count: 0; expected: 1
>>>>     at org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67)
>>>>     at org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:54)
>>>>     at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:46)
>>>>     at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3478)
>>>>     at org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3735)
>>>>     at org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:99)
>>>>     at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:604)
>>>>     at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:478)
>>>>     at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:356)
>>>>     at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
>>>>     at org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1454)
>>>>     ... 83 more
>>>>
>>>> Thanks
>>>> Madhura
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
5 years, 2 months
Keycloak Support for testcontainers-java
by Thomas Darimont
Hello Keycloak Team,
I've seen that Keycloak uses testcontainers-java for Keycloak integration
tests but doesn't seem to expose a Keycloak testcontainer that can be used
outside of the Keycloak build.
I've been working on adding dedicated support for Keycloak to the
testcontainers-java project.
The idea is to be able to parameterize Keycloak containers based on
standard or custom images and provide an API to interact with Keycloak.
The current API allows managing Keycloak users in an integration test and
importing an existing realm definition. This can be used to test Keycloak
integrations during integration tests against a local Keycloak.
An example for this can be found here:
https://github.com/thomasdarimont/testcontainers-java/blob/feature/keyclo...
What do you think about that?
Cheers,
Thomas
5 years, 2 months
OAuth2 with SAML Authentication
by Maurício Giacomini Penteado
Hi folks
I am working with some legacy systems that rely on an identity server based on SAML tokens.
Therefore, I do not have the excellent features provided by the OAuth2, OpenID, and UMA specifications on these systems.
I am looking for some documents to help me activate Keycloak as an identity server that works with OAuth2, but using SAML tokens for authentication.
It would help a lot if such configurations were possible. Please, if anyone knows documents to help me, let me know.
Kind regards,
Mauricio.
5 years, 3 months
Re: [keycloak-dev] Authentication SPI - Pinning the IDP
by Alexis Almeida
> We have a requirement to pin a
> keycloak client to a specific group of
> login options i.e. they can only login via
> a social provider and not a local
> username/password, BUT we also
> wish to allow certain users the ability
> to override the behavior.
-----------
Hi Rohith,
I think you could solve this problem by putting an alternative authenticator
provider between the "Identity Provider Redirector" and the "User and
password form" authenticator in the browser flow.
In your provider you can implement all of the rules to check whether or not
you must accept login with a local user/password.
If the user bypasses social login you can catch it in your provider and force
a failure if it isn't allowed.
I've done something like that using a provider that only requires OTP in
some applications.
Regards
Alexis
5 years, 3 months
Re: [keycloak-dev] [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
by Alexis Almeida
> I originally asked this on the user list but I'm making a change to
Federation.
> I had asked on the dev list earlier about this on the dev as I started to
see how this would work
> I got the Kerberos Ticket and serialized it to a Base 64 string. it
deserializes to a GSSCredential
> Now I have to put the Base 64 token into the access token
> Any guidance?
------------------
Hi Chris,
I hope this helps you in some way.
In a similar situation I created a service provider endpoint that gets an
Access Token as input and, after validation, generates a new bearer token
with custom claims. In those claims I put additional parameters.
This generated bearer token isn't associated with a user session, so I put into
this new token a new claim with the jti of the original Access Token.
5 years, 3 months
Testsuite broken?
by Stan Silvert
Trying to run tests locally. I did a clean build from master. Anyone
know what is wrong?
java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:166)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2757)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:363)
    at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:276)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:88)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:583)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:554)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596)
    at org.jboss.resteasy.plugins.server.undertow.UndertowJaxrsServer.deploy(UndertowJaxrsServer.java:270)
    at org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow.start(KeycloakOnUndertow.java:204)
    at org.jboss.arquillian.container.impl.ContainerImpl.start(ContainerImpl.java:179)
    at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:137)
    at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:133)
    at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController.forContainer(ContainerLifecycleController.java:208)
    at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController.startContainer(ContainerLifecycleController.java:133)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
    at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103)
    at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90)
    at org.jboss.arquillian.container.impl.client.ContainerDeploymentContextHandler.createContainerContext(ContainerDeploymentContextHandler.java:54)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
    at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105)
    at org.jboss.arquillian.core.impl.EventImpl.fire(EventImpl.java:62)
    at org.keycloak.testsuite.arquillian.AuthServerTestEnricher.startAuthContainer(AuthServerTestEnricher.java:321)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
    at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103)
    at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105)
    at org.jboss.arquillian.core.impl.EventImpl.fire(EventImpl.java:62)
    at org.jboss.arquillian.container.test.impl.client.ContainerEventController.execute(ContainerEventController.java:83)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
    at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103)
    at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90)
    at org.jboss.arquillian.test.impl.TestContextHandler.createSuiteContext(TestContextHandler.java:69)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86)
    at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133)
    at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105)
    at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.beforeSuite(EventTestRunnerAdaptor.java:70)
    at org.jboss.arquillian.junit.AdaptorManager.initializeAdaptor(AdaptorManager.java:23)
    at org.jboss.arquillian.junit.AdaptorManagerWithNotifier.initializeAdaptor(AdaptorManagerWithNotifier.java:19)
    at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:109)
    at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
    at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
    at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
    at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
    at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
    at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:154)
    ... 77 more
Caused by: java.lang.ClassNotFoundException:
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:264)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:378)
    ... 89 more
5 years, 3 months
Keycloak and Webseal (IBM Identity provider) integration
by Maurício Giacomini Penteado
Hi folks,
The systems on which I am currently working have used Webseal (an IBM identity provider) for about 10 years. It provides SAML tokens.
I had some experience in my last job with Keycloak, OAuth, OpenID and UMA. In my point of view these technologies work a lot better than only a SAML token identity manager.
Please, I would like to know if somebody has expertise on Webseal, whether it is possible to have both Webseal and Keycloak managing identity tokens, or some idea about how to migrate from Webseal to Keycloak.
Kind regards,
Mauricio.
5 years, 3 months
Authentication SPI - Pinning the IDP
by gambol
Hiya
Hopefully someone knows a way around this ..
We have a requirement to pin a keycloak client to a specific group of login
options i.e. they can only login via a social provider and not a local
username/password, BUT we also wish to allow certain users the ability to
override the behavior. I mocked up an authenticator which used the
IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME, checked it against a
configurable list for the authenticator and also looked for a user override
attribute. Now on first login that works fine, but as the access token
comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME is
not retained (I guess because it's now an SSO session refresh and not a
login) and so the authenticator throws the error message.
Is it possible to hook into login only? .. Anyone think of another way
around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain the
logged-in provider, but that doesn't appear to work either.
Disclaimer: I know the official stance would be the IDP provides
authentication only with authorization handled by the application end, but
in many cases third party applications can't support this .. so was hoping
we could control it at source.
Rohith
5 years, 3 months
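The alternative-authenticator approach from Alexis's reply earlier on this page, applied to the requirement Rohith describes above, as an added example that is neither Keycloak's code nor either poster's. It is a custom Authenticator SPI implementation meant to be placed as a REQUIRED execution directly after the Username Password Form inside the browser flow's forms subflow, so that context.getUser() is already populated when it runs (the reply above places the step before the form, where only the client-level rule can be evaluated). The client attribute `login.methods`, the user attribute `login.allowPassword` and the class name are assumptions made for this example; the AuthenticatorFactory and META-INF/services registration that Keycloak needs to load it are not shown. Because authentication flows run only during login, this step never executes on a token refresh, which is the behaviour the original post was looking for.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Added example, not Keycloak's or the posters' code. A REQUIRED step placed right
 * after the Username Password Form in the browser flow's forms subflow: if execution
 * reaches this step the user bypassed the identity-provider redirect and authenticated
 * with a local password, so the step decides whether that is allowed for this client.
 *
 * Assumed (hypothetical) attribute names:
 *   client attribute "login.methods"       comma-separated, e.g. "google,github" or "password,google"
 *   user attribute   "login.allowPassword" "true" lets this user override the client restriction
 */
public class LocalLoginPolicyAuthenticator implements Authenticator {

    static final String CLIENT_ATTR_METHODS = "login.methods";
    static final String USER_ATTR_OVERRIDE = "login.allowPassword";
    static final String PASSWORD_METHOD = "password";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        ClientModel client = context.getAuthenticationSession().getClient();
        UserModel user = context.getUser(); // set by the preceding Username Password Form

        String clientMethods = client.getAttribute(CLIENT_ATTR_METHODS);
        String userOverride = user == null ? null : user.getFirstAttribute(USER_ATTR_OVERRIDE);

        if (passwordLoginAllowed(clientMethods, userOverride)) {
            context.success();
            return;
        }
        // Deny: the client is pinned to external providers and this user has no override.
        context.getEvent().error("local_login_not_permitted_for_client");
        context.failure(AuthenticationFlowError.ACCESS_DENIED);
    }

    /** Pure policy decision, kept free of Keycloak types so it can be unit tested on its own. */
    static boolean passwordLoginAllowed(String clientMethods, String userOverride) {
        if ("true".equalsIgnoreCase(userOverride)) {
            return true;   // explicit per-user exception
        }
        if (clientMethods == null || clientMethods.trim().isEmpty()) {
            return true;   // client not pinned: keep Keycloak's default behaviour
        }
        Set<String> methods = new HashSet<>();
        for (String m : clientMethods.split(",")) {
            methods.add(m.trim().toLowerCase(Locale.ROOT));
        }
        return methods.contains(PASSWORD_METHOD);
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        authenticate(context); // no form of its own, so a re-entry is just re-evaluation
    }

    @Override
    public boolean requiresUser() {
        return true;           // must run after the user has been identified
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return true;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }

    @Override
    public void close() { }
}
```

With `login.methods=google,github` on a client and no `login.allowPassword=true` on the user, passwordLoginAllowed returns false and the flow fails with ACCESS_DENIED after the password form; setting the user attribute, or adding `password` to the client list, lets the same login through. Keeping the decision in a static method with plain String inputs means the policy can be covered by ordinary unit tests without an AuthenticationFlowContext.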
Re: [keycloak-dev] [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
by Chris Smith
I originally asked this on the user list but I'm making a change to Federation.
I had asked about this on the dev list earlier as I started to see how this would work.
I got the Kerberos Ticket and serialized it to a Base64 string. It deserializes to a GSSCredential.
Now I have to put the Base64 token into the access token.
Any guidance?
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
Sent: Thursday, February 7, 2019 2:17 AM
To: Marek Posolda <mposolda(a)redhat.com>; Dmitry Telegin <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
So I made a small addition and stepped through the authenticate method

    public Subject authenticateSubject(String username, String password) throws LoginException {
        String principal = getKerberosPrincipal(username);
        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null, createJaasCallbackHandler(principal, password),
                createJaasConfiguration());
        loginContext.login();
        logger.debug("Principal " + principal + " authenticated successfully");

        // added: inspect the Kerberos tickets JAAS stored in the Subject
        Subject subject = loginContext.getSubject();
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(ticket.getClient().getName());
        }
        return loginContext.getSubject();
    }
The subject that is gotten from the loginContext has one KerberosTicket private credential
Googling has not given me any insight on where I go from here.
Do you have any suggestions?
-----Original Message-----
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Tuesday, January 29, 2019 4:07 AM
To: Dmitry Telegin <dt(a)acutus.pro>; Chris Smith <chris.smith(a)cmfirstgroup.com>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
+1
GSSCredential is used just during SPNEGO authentication. You may possibly change the built-in authentication flows or userStorage provider, so that after verification with username/password, the GSSCredential will be somehow obtained from the JAAS Subject used for the authentication (See class KerberosUsernamePasswordAuthenticator for the details).
However I am not sure if this is really possible and it will require some more deep-dive into the Keycloak codebase and Kerberos implementation in JDK... Just a hint...
Marek
On 28/01/2019 07:21, Dmitry Telegin wrote:
> Hello Chris,
>
> AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.
>
> Cheers,
> Dmitry
>
> On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> Does anyone have feedback about getting a delegated GSSCredential?
>>
>> -----Original Message-----
>> From: keycloak-user-bounces(a)lists.jboss.org
>> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
>> Sent: Wednesday, January 23, 2019 10:12 PM
>> To: keycloak-user(a)lists.jboss.org
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is
>> not in Active Directory domain
>>
>> Here is a Diagram of what I'm trying to do
>>
>> From: Chris Smith
>> Sent: Wednesday, January 23, 2019 8:08 AM
>> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
>> Subject: Get a GSSCredential when user browser is not in Active
>> Directory domain
>>
>> I have setup my servlet to authenticate a user my web app using
>> Keycloak Active Directory ldap user federation
>>
>> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain.
>> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>>
>> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>>
>> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>>
>> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
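As an added illustration (not code from this thread or from Keycloak), the helper below takes the Subject that loginContext.login() populated in the authenticateSubject() method quoted above, picks a ticket that can actually be delegated, and round-trips it through Base64 the way the post describes. The class name KerberosTicketCodec and the use of a Java 9+ ObjectInputFilter are my assumptions; the serialized string embeds the ticket's session key, so it is itself a credential.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;

// Added example, not Keycloak code. Works on the Subject that loginContext.login()
// populated in the authenticateSubject() method shown earlier in this thread.
public final class KerberosTicketCodec {

    // Pick the first ticket that can be delegated downstream: not destroyed,
    // still inside its validity window, and carrying the FORWARDABLE flag.
    public static KerberosTicket selectDelegatableTicket(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (!t.isDestroyed() && t.isCurrent() && t.isForwardable()) {
                return t;
            }
        }
        return null;
    }

    // Java serialization wrapped in Base64. The result embeds the ticket's session key,
    // so treat the string as a secret (carry it encrypted, not in a client-visible claim).
    public static String encode(KerberosTicket ticket) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(ticket);
        }
        return Base64.getEncoder().encodeToString(buf.toByteArray());
    }

    // Inverse of encode(). The deserialization filter (Java 9+) limits the object graph
    // to the types a KerberosTicket legitimately contains, so a tampered string cannot
    // instantiate arbitrary classes on the server that consumes the token.
    public static KerberosTicket decode(String base64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "javax.security.auth.kerberos.*;java.util.Date;java.net.*;!*"));
            KerberosTicket ticket = (KerberosTicket) in.readObject();
            if (!ticket.isCurrent()) {
                throw new IOException("Kerberos ticket has expired: " + ticket.getEndTime());
            }
            return ticket;
        }
    }
}
```

Call selectDelegatableTicket() on the Subject right after loginContext.login(), and keep the encoded string on the server side (for example in a user session note) rather than in a claim the browser can read.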