February 2019 - keycloak-dev - Jboss List Archives

User TLS client certificate authentication - inconsistent DN string representation with LDAP

by Peck, Michael A

Hello, I’ve configured Keycloak to authenticate users using TLS client certificate authentication. I’ve also configured Keycloak to synchronize users with my LDAP server. I’d like to match the TLS client certificate’s Subject DN to the Subject DNs synchronized from my LDAP server (which are stored by Keycloak in each user’s LDAP_ENTRY_DN attribute). I’ve set that up, but am running into an issue that Keycloak appears to have inconsistent string representations of DNs between those two methods - so the Subject DNs from the TLS client certificate and the LDAP server aren’t matching as I was expecting. The TLS client certificate DNs look like this: CN=Peck Michael, OU=People, DC=test, DC=net While the LDAP_ENTRY_DN attribute is formatted like this: cn=Peck Michael,ou=People,dc=test,dc=net It looks to me that the TLS client certificate DN string representation is coming from the standard Java X500Principal class used by calls to X509Certificate.getSubjectDN().getName() in keycloak/services/src/main/java/org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.java and the LDAP_ENTRY_DN string representation is coming from the toString method in keycloak/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java. I modified the LDAPDn class’s toString method to follow the same format as used in the TLS client certificate DNs, and authentication works for me now. Would the Keycloak project consider accepting a pull request to change the way LDAPDn formats DNs as strings? (However I have not checked if this would impact other uses of the LDAPDn class within Keycloak or cause problems with upgrading existing deployments?) The suggested change follows: diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java b/federation/ldap/src/main/ index 39e7d97..2f8c805 100644 --- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java +++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/model/LDAPDn.java @@ -87,9 +87,9 @@ public class LDAPDn { if (first) { first = false; } else { - builder.append(","); + builder.append(", "); } - builder.append(rdn.attrName).append("=").append(rdn.attrValue); + builder.append(rdn.attrName.toUpperCase()).append("=").append(rdn.attrValue); } return builder.toString(); Thank you, Michael Peck The MITRE Corporation

6 years, 3 months

6
10
0 / 0

Re: [keycloak-dev] [keycloak-user] Remove realm in HA environment throw org.keycloak.models.ModelException: javax.persistence.OptimisticLockException

by Sebastian Laskawiec

Dropping the Keycloak User mailing list. @Marek - so do we want to do something with it? Have you heard any more complains about this? On Tue, Feb 5, 2019 at 2:31 PM Sebastian Laskawiec <slaskawi(a)redhat.com> wrote: > So perhaps you can slightly modify your performance test to do steps 1..3 > multiple times and then just wipe out all the realms that were created? > > On Mon, Feb 4, 2019 at 2:47 PM madhura nishshanka < > madhura.nishshanka(a)gmail.com> wrote: > >> I was invoking following 1,2,and 3 steps sequentially in one thread and >> then the 4th step in a seperate thread. The whole test was done with >> multiple theads in parallel. >> >> 1) Create realm with a user >> 2) Create another user on the same realm >> 3) Delete orginal user >> 4) Delete the new realm. >> >> On Mon, Feb 4, 2019, 6:10 PM Sebastian Laskawiec <slaskawi(a)redhat.com >> wrote: >> >>> Let me add +Marek Posolda <mposolda(a)redhat.com>, maybe he'll have >>> better idea, what might be causing this... >>> >>> The error happened here [1]. Hibernate wanted to remove a >>> given RoleEntity object but between `em.remove(roleEntity)` and >>> `em.flush()`, some other transaction had removed that object from the >>> database. >>> >>> One of the things that could result in such a behavior is deleting >>> multiple realms at the same time. Could you please tell us more about your >>> test? How it works, does it perform operations in sequential order or in >>> parallel? >>> >>> One improvement we could do on our side is to swap flushing the >>> EntityManager and publishing events. That could also potentially solve your >>> problem. Marek, what do you think about this? >>> >>> Thanks, >>> Sebastian >>> >>> [1] >>> https://github.com/keycloak/keycloak/blob/7d85ce93bbf33eb11981a6c118abc48... >>> >>> On Fri, Feb 1, 2019 at 5:12 AM madhura nishshanka < >>> madhura.nishshanka(a)gmail.com> wrote: >>> >>>> Hi All, >>>> >>>> I am getting "org.keycloak.models.ModelException: >>>> javax.persistence.OptimisticLockException: Batch update returned >>>> unexpected >>>> row count from update [0]; actual row count: 0; expected: 1" When a >>>> realm >>>> is delte from keycloak java admin client. This occurs in a HA >>>> environment >>>> when we do a performance test. Can someone please help me on this? >>>> >>>> I am using keycloak 4.8.1 final. >>>> >>>> Full exception >>>> 11:56:25,452 ERROR [org.keycloak.services.error.KeycloakErrorHandler] >>>> (default task-2) Uncaught server error: >>>> org.keycloak.models.ModelException: >>>> javax.persistence.OptimisticLockException: Batch update returned >>>> unexpected >>>> row count from update [0]; actual row count: 0; expected: 1 >>>> at >>>> >>>> org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) >>>> at >>>> >>>> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) >>>> at com.sun.proxy.$Proxy99.flush(Unknown Source) >>>> at >>>> >>>> org.keycloak.models.jpa.JpaRealmProvider.removeRole(JpaRealmProvider.java:320) >>>> at >>>> >>>> org.keycloak.models.jpa.JpaRealmProvider.removeClient(JpaRealmProvider.java:567) >>>> at >>>> >>>> *org.keycloak.models.jpa.JpaRealmProvider.removeRealm(JpaRealmProvider.java:153)* >>>> at >>>> >>>> org.keycloak.models.cache.infinispan.RealmCacheSession.removeRealm(RealmCacheSession.java:486) >>>> at >>>> >>>> org.keycloak.services.managers.RealmManager.removeRealm(RealmManager.java:248) >>>> at >>>> >>>> org.keycloak.services.resources.admin.RealmAdminResource.deleteRealm(RealmAdminResource.java:453) >>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>> at >>>> >>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >>>> at >>>> >>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>> at >>>> >>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) >>>> at >>>> >>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) >>>> at >>>> >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) >>>> at >>>> >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) >>>> at >>>> >>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) >>>> at >>>> >>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) >>>> at >>>> >>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) >>>> at >>>> >>>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) >>>> at >>>> >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) >>>> at >>>> >>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) >>>> at >>>> >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>>> at >>>> >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) >>>> at >>>> >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>>> at >>>> >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>>> at >>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>>> at >>>> >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>>> at >>>> >>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>>> at >>>> >>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>>> at >>>> >>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>>> at >>>> >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> >>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) >>>> at >>>> >>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>>> at >>>> >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> >>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>>> at >>>> >>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>>> at >>>> >>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>>> at >>>> >>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>>> at >>>> >>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>>> at >>>> >>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>>> at >>>> >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> >>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>>> at >>>> >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> >>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>>> at >>>> >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>>> at >>>> >>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>>> at >>>> >>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>>> at >>>> >>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>>> at >>>> >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>>> at >>>> >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>>> at >>>> >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>>> at >>>> >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>>> at >>>> >>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>>> at >>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) >>>> at >>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) >>>> at >>>> >>>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) >>>> at >>>> >>>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) >>>> at >>>> >>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) >>>> at >>>> >>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) >>>> at java.lang.Thread.run(Thread.java:748) >>>> Caused by: javax.persistence.OptimisticLockException: Batch update >>>> returned >>>> unexpected row count from update [0]; actual row count: 0; expected: 1 >>>> at >>>> >>>> org.hibernate.internal.ExceptionConverterImpl.wrapStaleStateException(ExceptionConverterImpl.java:238) >>>> at >>>> >>>> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:93) >>>> at >>>> >>>> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:181) >>>> at >>>> >>>> org.hibernate.internal.ExceptionConverterImpl.convert(ExceptionConverterImpl.java:188) >>>> at >>>> org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1460) >>>> at >>>> org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1440) >>>> at sun.reflect.GeneratedMethodAccessor483.invoke(Unknown Source) >>>> at >>>> >>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>>> at java.lang.reflect.Method.invoke(Method.java:498) >>>> at >>>> >>>> org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) >>>> ... 78 more >>>> Caused by: org.hibernate.StaleStateException: Batch update returned >>>> unexpected row count from update [0]; actual row count: 0; expected: 1 >>>> at >>>> >>>> org.hibernate.jdbc.Expectations$BasicExpectation.checkBatched(Expectations.java:67) >>>> at >>>> >>>> org.hibernate.jdbc.Expectations$BasicExpectation.verifyOutcome(Expectations.java:54) >>>> at >>>> >>>> org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:46) >>>> at >>>> >>>> org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3478) >>>> at >>>> >>>> org.hibernate.persister.entity.AbstractEntityPersister.delete(AbstractEntityPersister.java:3735) >>>> at >>>> >>>> org.hibernate.action.internal.EntityDeleteAction.execute(EntityDeleteAction.java:99) >>>> at >>>> >>>> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:604) >>>> at >>>> >>>> org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:478) >>>> at >>>> >>>> org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:356) >>>> at >>>> >>>> org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) >>>> at >>>> org.hibernate.internal.SessionImpl.doFlush(SessionImpl.java:1454) >>>> ... 83 more >>>> >>>> Thanks >>>> Madhura >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>

6 years, 3 months

2
2
0 / 0

Keycloak Support for testcontainers-java

by Thomas Darimont

Hello Keycloak Team, I've seen that Keycloak uses testcontainers-java for Keycloak integration tests but doesn't seem to expose a Keycloak testcontainer that can be used outside of the Keycloak build. I've been working on adding dedicated support for Keycloak to the testcontainers-java project. The idea is to be able to parameterize Keycloak containers based on standard or custom images and provide an API to interact with Keycloak. Current API would allow to manage Keycloak users in an integration test and import an existing realm definition. This can be used to test Keycloak integrations during integration tests with a local Keycloak. An example for this can be found here: https://github.com/thomasdarimont/testcontainers-java/blob/feature/keyclo... What do you think about that? Cheers, Thomas

6 years, 3 months

1
0
0 / 0

OAuth2 with SAML Authentication

by Maurício Giacomini Penteado

Hi folks I am working with some legacy systems that rely on an identity server based on SAML tokens. Therefore, I do not have the excellent features provided by the OAuth2, OpenID, and UMA specifications on these systems. I am looking for some documents to help me activate Keycloak as an identity server that works with OAuth2, but using SAML tokens for authentication. It would help a lot if such configurations were possible. Please, if anyone knows documents to help me, let me know. Kind regards, Mauricio.

6 years, 3 months

2
1
0 / 0

Re: [keycloak-dev] Authentication SPI - Pinning the IDP

by Alexis Almeida

> We have a requirement to pin a > keycloak client to a specific group of > login options i.e. they can only login via > a social provider and not a local > username/password, BUT we also > wish to allow certain users the ability > to override the behavior. ----------- Hi Rohith, I think you could solve this problem putting an alternative authenticator provider between the "Identity Provider Redirector" and the "User and password form" authenticator in browser flow. In your provider you can implement all of the rules to check if you must or not accept login with local user/password. If the user bypass social login you can catch it in your provider and force a fail If itsn't allowed. I've done something like that using a provider that only requires OTP in some applications. Regards Alexis

6 years, 3 months

1
0
0 / 0

Re: [keycloak-dev] [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

by Alexis Almeida

> I originally asked this on the user list but I'm making a change to Federation. > I had asked on the dev list earlier about this on the dev as I started to see how this would work > I got the Kerberos Ticket and serialized it to a Base 64 string. it deserializes to a GSSCredential > Now I have to put the Base 64 token into the access token > Any guidance? ------------------ Hi Chris, I hope this help you some way. In a similar situation I created a service provider endpoint that get Access Token as input and, after validation, generate a new bearer token with custom claims. In that claim I put additional parameters. This generated bearer token isn't associated to user session so I put into this new token a new claim with the jti of the original Access Token.

6 years, 3 months

1
0
0 / 0

Testsuite broken?

by Stan Silvert

Trying to run tests locally. I did a clean build from master. Anyone know what is wrong? java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:166) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2757) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:363) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:276) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:88) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:583) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:554) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:596) at org.jboss.resteasy.plugins.server.undertow.UndertowJaxrsServer.deploy(UndertowJaxrsServer.java:270) at org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow.start(KeycloakOnUndertow.java:204) at org.jboss.arquillian.container.impl.ContainerImpl.start(ContainerImpl.java:179) at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:137) at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController$8.perform(ContainerLifecycleController.java:133) at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController.forContainer(ContainerLifecycleController.java:208) at org.jboss.arquillian.container.impl.client.container.ContainerLifecycleController.startContainer(ContainerLifecycleController.java:133) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90) at org.jboss.arquillian.container.impl.client.ContainerDeploymentContextHandler.createContainerContext(ContainerDeploymentContextHandler.java:54) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105) at org.jboss.arquillian.core.impl.EventImpl.fire(EventImpl.java:62) at org.keycloak.testsuite.arquillian.AuthServerTestEnricher.startAuthContainer(AuthServerTestEnricher.java:321) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105) at org.jboss.arquillian.core.impl.EventImpl.fire(EventImpl.java:62) at org.jboss.arquillian.container.test.impl.client.ContainerEventController.execute(ContainerEventController.java:83) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:103) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:90) at org.jboss.arquillian.test.impl.TestContextHandler.createSuiteContext(TestContextHandler.java:69) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:86) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:95) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:133) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:105) at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.beforeSuite(EventTestRunnerAdaptor.java:70) at org.jboss.arquillian.junit.AdaptorManager.initializeAdaptor(AdaptorManager.java:23) at org.jboss.arquillian.junit.AdaptorManagerWithNotifier.initializeAdaptor(AdaptorManagerWithNotifier.java:19) at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:109) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367) at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161) at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121) Caused by: java.lang.RuntimeException: Failed to connect to database at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:382) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:154) ... 77 more Caused by: java.lang.ClassNotFoundException: at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:264) at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:378) ... 89 more

6 years, 3 months

4
7
0 / 0

Keycloak and Webseal (IBM Identity provider) integration

by Maurício Giacomini Penteado

Hi folks, The systems on which I am currently working, have used Webseal (an IBM's Identity provider) for about 10 years. It providing SAML tokens. I had some experience on my last job with Keycloak, OAuth, OpenID and UMA. On my point of view these technologies work a lot better then only a SAML token identity manager. Please, I would like to know if somebody has expertise on Webseal, if it is possible to have both Webseal and Keycloak managing Identity tokens or some idea about how to migrate from Webseal to Keycloak. Kind regards, Mauricio.

6 years, 3 months

1
0
0 / 0

Authentication SPI - Pinning the IDP

by gambol

Hiya Hopefully someone know's a way around this .. We have a requirement to pin a keycloak client to a specific group of login options i.e. they can only login via a social provider and not a local username/password, BUT we also wish to allow certain users the ability to override the behavior. I mocked up authenticator which used the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME checked it against the a configurable list for the authenticator and also looked for a user override attribute. Now on first login that works fine, but as the access token comes up for refresh the IdentityProviderSpi.IDENTITY_PROVIDER_SPI_NAME is not retained (i guess because it's now a sso session refresh and not a login) and so the authenticator throws the error message. Is it possible to hook into login only? .. Anyone think of another way around it? :-) .. I tried using SetClientNotes / SetAuthNote to retain the logged in provider, but that doesn't appear to work either. Disclaimer: I know the official stance would be the IDP provides authentication only with authorization handled by the application end, but in many case's third party applications can't support this .. so was hoping we could control it at source. Rohith

6 years, 3 months

2
2
0 / 0

Re: [keycloak-dev] [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

by Chris Smith

I originally asked this on the user list but I'm making a change to Federation. I had asked on the dev list earlier about this on the dev as I started to see how this would work I got the Kerberos Ticket and serialized it to a Base 64 string. it deserializes to a GSSCredential Now I have to put the Base 64 token into the access token Any guidance? -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith Sent: Thursday, February 7, 2019 2:17 AM To: Marek Posolda <mposolda(a)redhat.com>; Dmitry Telegin <dt(a)acutus.pro>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain So I made a small addition and stepped through the authenticate method public Subject authenticateSubject(String username, String password) throws LoginException { String principal = getKerberosPrincipal(username); logger.debug("Validating password of principal: " + principal); loginContext = new LoginContext("does-not-matter", null, createJaasCallbackHandler(principal, password), createJaasConfiguration()); loginContext.login(); logger.debug("Principal " + principal + " authenticated succesfully"); ** Subject subject = loginContext.getSubject(); ** for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) { ** System.out.println(ticket.getClient().getName()); ** } return loginContext.getSubject(); } The subject that is gotten from the loginContext has one KerberosTicket private credential Googling has not given me any insight on where I go from here. Do you have any suggestions? -----Original Message----- From: Marek Posolda <mposolda(a)redhat.com> Sent: Tuesday, January 29, 2019 4:07 AM To: Dmitry Telegin <dt(a)acutus.pro>; Chris Smith <chris.smith(a)cmfirstgroup.com>; keycloak-user(a)lists.jboss.org Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain +1 GSSCredential is used just during SPNEGO authentication. You may possibly change the built-in authentication flows or userStorage provider, so that after verification with username/password, the GSSCredential will be somehow obtained from the JAAS Subject used for the authentication (See class KerberosUsernamePasswordAuthenticator for the details). However I am not sure if this is really possible and it will require some more deep-dive into the Keycloak codebase and Kerberos implementation in JDK... Just a hint... Marek On 28/01/2019 07:21, Dmitry Telegin wrote: > Hello Chris, > > AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication. > > Cheers, > Dmitry > > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote: >> Does anyone have feedback about getting a delegated GSSCredential? >> >> -----Original Message----- >>> From: keycloak-user-bounces(a)lists.jboss.org >>> <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith >> Sent: Wednesday, January 23, 2019 10:12 PM >> To: keycloak-user(a)lists.jboss.org >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is >> not in Active Directory domain >> >> Here is a Diagram of what I'm trying to do >> >> From: Chris Smith >> Sent: Wednesday, January 23, 2019 8:08 AM >>>> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org> >> Subject: Get a GSSCredential when user browser is not in Active >> Directory domain >> >> I have setup my servlet to authenticate a user my web app using >> Keycloak Active Directory ldap user federation >> >> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain. >> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet. >> >> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping). >> >> Less than 1% of the users will be using browsers on workstations in the Active Directory domain. >> >> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser? >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

6 years, 3 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev February 2019