Always redirected to login form
by Marko Radinovic
Hi,
When I try to log in to the master realm, I am redirected back to the login page.
I’m using:
Wildfly 8.2.0.Final
Keycloak version 1.1.0-Beta2
Apache2 as proxy server.
Here is my Apache configuration:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName accounts.e-karton.net
ErrorLog ${APACHE_LOG_DIR}/accounts.e-karton.net-error.log
CustomLog ${APACHE_LOG_DIR}/accounts.e-karton.net-access.log combined
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
…SSL stuff omitted
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|ico|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Turn off support for true Proxy behaviour as we are acting as
# a transparent proxy
ProxyRequests Off
# Turn off VIA header as we know where the requests are proxied
ProxyVia Off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine on
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
ProxyPass / ajp://192.168.5.17:8009/
ProxyPassReverse / ajp://192.168.5.17:8009/
</VirtualHost>
</IfModule>
Wildfly configuration:
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" scheme="https" socket-binding="ajp"/>
<http-listener name="default" certificate-forwarding="true" socket-binding="http" proxy-address-forwarding="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
<host name="accounts" alias="accounts.e-karton.net" default-web-module="auth-server.war"/>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
<response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
</filters>
</subsystem>
Keycloak jboss-web.xml
<?xml version="1.0"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
<jboss-web>
<context-root>/</context-root>
<virtual-host>accounts</virtual-host>
</jboss-web>
Can anyone help me with this?
9 years, 11 months
Dev server weird error
by Alexander Chriztopher
Hi Guys,
Now and then we are getting this error on a server that used to work
nicely, without any apparent reason:
14:33:58,380 ERROR [io.undertow.request] [handleFirstRequest] (default task-2) UT005022: Exception generating error page /error.cv: java.lang.RuntimeException: java.lang.RuntimeException: Unable to resolve realm public key remotely, status = 500
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:408) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:319) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:263) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_11]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_11]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_11]
Caused by: java.lang.RuntimeException: Unable to resolve realm public key remotely, status = 500
    at org.keycloak.adapters.AdapterDeploymentContext.resolveRealmKey(AdapterDeploymentContext.java:107) [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1]
    at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:82) [keycloak-adapter-core-1.1.0.Beta1.jar:1.1.0.Beta1]
    at org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:61) [keycloak-undertow-adapter-1.1.0.Beta1.jar:1.1.0.Beta1]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:229) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:172) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
    at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:402) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
This happens on dev servers and we don't know what is causing this, as it
happens very rarely and the only workaround found till now is to restart with
a fresh install.
We are using WildFly with the Keycloak WAR.
Thanks for any help.
9 years, 11 months
Delegated SAML authentication?
by Guy Davis
Good day,
With the upcoming Keycloak 1.10, I see SAML support has been added to
KeyCloak. Will it be possible to have Keycloak delegate to another IDP such
as MS Azure ADFS or OneLogin? Ideally, I'd like to use KeyCloak by
default for our JBoss deployments, but in certain cases, customers are
asking for integration with the MS Azure cloud authentication mechanisms.
Thanks in advance,
Guy
9 years, 11 months
pre configured keycloak on wildfly with war distribution suddenly requesting https for admin console
by Hernan Dario Metaute Sarmiento
Hi, I'm new to keycloak and I recently installed the war distribution on my
local machine.
For this I had to tweak some configurations on WildFly, and when I finally got it working I zipped the server and copied it to an Amazon instance. I logged in to the console and fired up the server with standalone.
Then I accessed http://<amazon instance url>:8080/auth and clicked the Admin console link.
The server then threw an exception:
We're sorry ...
HTTPS required
On my local machine I never set up HTTPS, and I have been looking through the configuration files of both Keycloak and the standalone.xml and see no configuration regarding SSL anywhere.
The only difference between the two installations is that I have the Amazon instance pointing to an empty Mongo repo, and my local config has a Mongo connection to another server already populated with Keycloak collections.
Could this be the problem?
Should I migrate the local Mongo database to my Amazon instance for the Keycloak admin console to stop needing SSL?
Thanks in advance
9 years, 11 months
Keycloak server securing wildfly in docker containers
by Jorge Morales Pou
Hi,
I have a scenario for Keycloak that I'm not able to solve in an easy way,
so any help will be more than appreciated.
In apiman (http://www.apiman.io) we are using Keycloak for securing the
apiman rest endpoints. We are in the process of creating some demos with
docker and for that one of the demos is having keycloak as a separate
server to which the wildfly instances holding the apiman rest endpoint will
redirect for authentication.
So far, I've configured in these WildFly instances the auth-server-url to be
the Keycloak server. Internal communication to this server is resolved by
name, as it is Docker links providing the accessibility, but this is an
"internal to Docker" IP.
The problem comes when I try to log into the secured resource, and I get a
redirection to this "internal" IP, which my browser cannot access, so I
get an error.
Is there a way to:
a) Use a different URL for browser redirection as for internal redirection?
b) Use a different redirection strategy?
c) do it in any other way?
Thanks for any help you can provide on this.
9 years, 11 months
Hook for user login
by Alexander Chriztopher
Hi all,
We are using Keycloak with our own user provider and are looking for a way
to hook users' logins.
The idea is to log each user login into the database for later reports.
Any idea about the best place to handle/hook each login?
Thanks for your help.
9 years, 11 months
Unattended OAuth sessions
by robinfernandes .
Hi,
I was just curious to know if there is a way to have an unattended session
using OAuth, like CLI sessions, without prompting for the credentials
(username/password)?
This is just a general OAuth related question. I just wanted to know if
anyone has come across this use case before.
Thanks,
Robin
9 years, 11 months
Signing Keys in a cluster
by prab rrrr
Hi,
I am in the process of setting up a cluster of Keycloak instances, all of which are accessible by a single URL (fronted by a reverse proxy or an alias). So when a client application communicates with the single URL using either SAML or OpenID Connect, how do we ensure that all the Keycloak instances use the same set of certificates/keys to sign/encrypt the SAML/OpenID Connect response?
I noticed that we can generate a new set of keys for each realm within a Keycloak instance, but they are different across instances. Is there a way of using the same certificate/keys across all the instances?
Appreciate any input.
Thanks, Raghu
9 years, 11 months
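An added check, not from this thread, for the cluster question above and for the "Unable to resolve realm public key remotely, status = 500" trace earlier on this page: it takes what each cluster node answered for GET /auth/realms/<realm> (the document a 1.x adapter fetches when it resolves the realm key remotely), groups the nodes by the key they publish, and lists nodes that could not answer. Node names, HTTP statuses and the base64 key values are constructed placeholders, not real Keycloak output.

```python
import base64
import hashlib
import json

# Constructed sample of what each cluster node returned for GET /auth/realms/<realm>,
# as (HTTP status, body). The keys are short base64 placeholders, not real RSA keys.
NODE_RESPONSES = {
    "kc-node1": (200, '{"realm": "demo", "public_key": "a2V5LW9uZQ=="}'),
    "kc-node2": (200, '{"realm": "demo", "public_key": "a2V5LW9uZQ=="}'),
    "kc-node3": (200, '{"realm": "demo", "public_key": "a2V5LXR3bw=="}'),
    "kc-node4": (500, "<html>Internal Server Error</html>"),
}


def key_fingerprint(public_key_b64):
    """SHA-256 (hex) of the decoded key bytes, so keys compare by content, not by line wrapping."""
    der = base64.b64decode("".join(public_key_b64.split()))
    return hashlib.sha256(der).hexdigest()


def check_cluster_keys(responses):
    """Group nodes by the realm key they publish.

    Returns (consistent, groups, unreachable): consistent is True only when every node
    answered and all of them publish the same key; groups maps a key fingerprint to the
    node names serving it; unreachable lists nodes whose answer was not a 200 with a
    parseable public_key (the same condition the adapter reports as "status = 500").
    """
    groups, unreachable = {}, []
    for node, (status, body) in responses.items():
        if status != 200:
            unreachable.append(node)
            continue
        try:
            key = json.loads(body)["public_key"]
        except (ValueError, KeyError):
            unreachable.append(node)
            continue
        groups.setdefault(key_fingerprint(key), []).append(node)
    consistent = len(groups) == 1 and not unreachable
    return consistent, groups, unreachable


if __name__ == "__main__":
    ok, groups, bad = check_cluster_keys(NODE_RESPONSES)
    print("consistent:", ok)
    for fp, nodes in groups.items():
        print(fp[:16], nodes)  # a second fingerprint means a node signs with a different key
    print("unreachable:", bad)
```

A client that validated a token or assertion against one node's key will reject those signed by a node in another group, so any result with more than one group or any unreachable node needs attention before the cluster is put behind the single URL.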
Same global logout
by Raghuram
Hi,
I tried out the SAML feature in 1.1beta2 using Spring SAML 1.0 as service provider. While the overall flow worked like a charm, I had a problem with the global logout. While I was logged out by Keycloak, the SAML XML that was returned by Keycloak did not have a "context issuer", and it failed the validation done at the SP.
Any pointers on how to resolve it?
Thanks
Raghu
9 years, 11 months