Exception thrown when deleting user through API (when Keycloak servers are highly available)
by Lohitha Chiranjeewa
Hi,
We're running into a bit of a problem when trying to delete users through
the API. The error returned is of HTML format with 500 error code:
<html><head><title>Error</title></head><body>Internal Server Error</body></html>
Please note:
- We're using Infinispan for userSessions, realmCache and userCache. Rest
of the data is in MySQL.
- Issue only occurs when Keycloak servers are highly available (2 servers
in our case). Works fine when only one server is up.
Logs reveal that this is possibly a serialization issue related to
Infinispan:
[2015-06-12 04:56:54.0303], ERROR, org.infinispan.interceptors.InvocationContextInterceptor default task-11 - ISPN000136: Execution error: org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure to marshal argument(s)
    at org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:176)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:521)
    at org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processSingleCall(CommandAwareRpcDispatcher.java:352)
    at org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommand(CommandAwareRpcDispatcher.java:167)
    ... 94 more
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
Caused by: an exception which occurred:
    in object org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@f42bdd72
        -> toString = org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@f42bdd72
    in object org.infinispan.commands.write.RemoveCommand@914fd0ce
        -> toString = RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@f42bdd72, value=null, flags=null, valueMatcher=MATCH_ALWAYS}
    in object org.infinispan.commands.remote.SingleRpcCommand@bfee4c5c
        -> toString = SingleRpcCommand{cacheName='loginFailures', command=RemoveCommand{key=org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@f42bdd72, value=null, flags=null, valueMatcher=MATCH_ALWAYS}}
Also there's a DEBUG log as follows:
[2015-06-12 04:56:54.0301], DEBUG, org.infinispan.marshall.core.VersionAwareMarshaller default task-11 - Object is not serializable: java.io.NotSerializableException: org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
    at org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:860)
    at org.jboss.marshalling.AbstractObjectOutput.writeObject(AbstractObjectOutput.java:58)
    at org.jboss.marshalling.AbstractMarshaller.writeObject(AbstractMarshaller.java:111)
    at org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeCommandParameters(ReplicableCommandExternalizer.java:57)
    at org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:42)
    at org.infinispan.marshall.exts.ReplicableCommandExternalizer.writeObject(ReplicableCommandExternalizer.java:30)
    at org.infinispan.marshall.core.ExternalizerTable$ExternalizerAdapter.writeObject(ExternalizerTable.java:395)
    at org.jboss.marshalling.river.RiverMarshaller.doWriteObject(RiverMarshaller.java:138)
Our Keycloak HA system works fine except for this issue. Please advise on
how to tackle this.
Regards,
Lohitha.
9 years, 6 months
Help us understand integration options that would allow us easy future upgrades
by George Leon
Good Morning everybody,
We need to send / propagate in real time some user data (user_name
and email, for example) when a new user registers via the Keycloak
registration form to our operations database, which is in Couchbase.
I'd like to explore what would be the best solution to allow us easy
future upgrades.
Our scenario is to use JBoss Keycloak with a MySQL DB and have our
application frontend be a JavaScript client that hits the RESTful API
backend on WildFly that talks to the Couchbase database. Our frontend app
will use the JBoss Keycloak login / registration to allow users to get
a token and then use the RESTful API that is based on RESTEasy and is
under Keycloak security. Now, as Couchbase is high performance, we
need to minimize the MySQL exposure.
Totally externally to JBoss Keycloak
1) One way I see this is if we can do it at the database layer with a
table trigger on the user table to run an external Java program.
2) With a process running and checking and syncing the data,
but they do not seem natural, and as programmers we might do better.
With minimal intervention in the front end
3) Overriding some code in the JBoss Keycloak front-end registration
page (can't seem to find it, however; is it a JSP? Where might I find
it?)
With intervention in JBoss Keycloak, if it is supported somehow
4) Hook into JBoss Keycloak somewhere to run our custom Java code
when user registration happens?
5) Also I see that the admin API has create, update, delete user
endpoints, but we would really like to use JBoss Keycloak
for login and registration etc. to get the added features you provide.
6) Does Keycloak have a workflow engine for user registration that we
could add programmatically a custom Java action to?
Basically we need help on understanding integration options that
would allow us easy future upgrades.
Thanks in advance
George Leon
9 years, 6 months
Import External IDP Config
by Henk Laracker
Hi,
From two different customers I received an IdP config XML file. Both files I can import without an error, but nothing is filled in the fields. For security reasons I cannot send the files. What input do you need to solve this problem? Is it possible to change the log level of the Keycloak server? We are running it on OpenShift (private).
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
Henk Laracker
9 years, 6 months
keycloak and angular
by Juan Diego
Hi,
I was looking at the Angular product app in the demos, and I am
having some issues. If you use it with Angular 1.3 it says that
responseInterceptors are deprecated, but I got around that.
I am not using
angular.element(document).ready() and
keycloakAuth.init({ onLoad: 'login-required' })
like in the example because I want my users to click on a login
button. So I have a function like this
    var login = function () {
        keycloakAuth.login();
    };
I also have a init() function that is like this:
    var init = function () {
        auth.loggedIn = false;
        keycloakAuth.init().success(function (authenticated) {
            if (authenticated) {
                auth.loggedIn = true;
                //auth.authz = keycloakAuth;
            } else {
                auth.loggedIn = false;
            }
            console.log('Init Autenticado ' + auth.loggedIn);
        }).error(function () {
            console.log('failed to initialize');
            auth.loggedIn = false;
        });
    };
And I call it on my script at the end.
And it seems to work. But I am trying to do 2 things: save the token
and use Angular. I know JavaScript but I am just starting with
Angular.
So here I have some questions.
In the Angular example, is the 'authInterceptor' supposed to replace
the onAuthSuccess callback? Or am I wrong?
Using Angular, how should I talk the callback listeners?
Second part is that in the "authInterceptor" I am getting
Auth.authz.token as undefined, but in my console.log I can see it.
So apparently console.log gets executed after a while, so that is why
I can see the token on console.log, but authz.token is undefined
apparently.
Maybe I am wrong with my logic, so here is what I think are the basic
parts of using keycloak.js.
Should I use document ready and remove ng-app on my page for Keycloak to work?
Thanks,
Juan Diego
9 years, 6 months
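Added example, not part of the original post or of the Keycloak demo code: one way the symptom in the message above can arise (token undefined when the interceptor reads it, yet visible later in the console), shown with a hypothetical stand-in for keycloak.js. `fakeKeycloak`, `makeEagerInterceptor`, `makeLazyInterceptor` and the sample token are assumptions made for illustration.

```javascript
// Hypothetical stand-in for keycloak.js so the example runs offline in Node.
function fakeKeycloak() {
  const kc = { token: undefined, authenticated: false };
  // init() settles on a later tick; the token only exists after that.
  kc.init = () => new Promise((resolve) => setTimeout(() => {
    kc.token = 'constructed.sample.token'; // constructed value, not a real JWT
    kc.authenticated = true;
    resolve(true);
  }, 10));
  return kc;
}

// Copies the token once, when the interceptor is built.
// If that happens before init() settles, every request goes out without a token.
function makeEagerInterceptor(kc) {
  const token = kc.token;
  return (config) => {
    if (token) config.headers.Authorization = 'Bearer ' + token;
    return config;
  };
}

// Waits for init() and reads the token at request time; refuses to send
// an unauthenticated request instead of silently dropping the header.
function makeLazyInterceptor(kc, ready) {
  return async (config) => {
    await ready;
    if (!kc.token) throw new Error('no access token available');
    config.headers.Authorization = 'Bearer ' + kc.token;
    return config;
  };
}

async function demo() {
  const kc = fakeKeycloak();
  const ready = kc.init();                      // started, not yet settled
  const eager = makeEagerInterceptor(kc);       // sees kc.token === undefined
  const lazy = makeLazyInterceptor(kc, ready);
  const eagerReq = eager({ headers: {} });
  const lazyReq = await lazy({ headers: {} });
  return { eager: eagerReq.headers.Authorization, lazy: lazyReq.headers.Authorization };
}

demo().then((r) => console.log(r));
```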
Re: [keycloak-user] Keycloak Oracle WebLogic Adapter
by Marek Posolda
CCing keycloak-user mailing list (Please write rather to this ML instead
of personally).
We don't have an Oracle WebLogic adapter and I am not sure if there is a plan
to have one. Maybe it's possible to use jaspic (
https://jaspic-spec.java.net/ ) and write some generic jaspic adapter,
which can be reused for more servers (Weblogic, Websphere, Glassfish,
...), but I am not sure. If you want to investigate and contribute the
adapter, it will be great. I would suggest to look at source code of
existing adapters as you're already doing and inspire here.
Cheers,
Marek
On 11.6.2015 00:30, Monis Khan wrote:
>
> Good afternoon Bill and Marek,
>
> Recently we (Quintiles) have been evaluating Keycloak as a SSO
> solution for various web apps. Keycloak’s large feature set is
> impressive and meets our requirements.
>
> However, our apps are deployed on Oracle WebLogic servers, and thus we
> require an adapter to interface with Keycloak. Are there any current
> or future plans to write such an adapter? If there are not any plans
> to develop such an adapter, could you point me to some documentation
> or source code that would help me write one myself? I have begun to
> review Keycloak’s Tomcat and Jetty adapter source code to get an idea
> of what is required.
>
> Any help that you can provide is greatly appreciated.
>
> Kind regards,
>
> Monis Khan
9 years, 6 months
Re: [keycloak-user] Mixing https/http schemes with sslRequired == all
by Orestis Tsakiridis
Indeed. I've already switched my application to https.
The reason I'm asking this is because before switching I got blank (no
content) responses from the application's endpoints. HTTP status code was
200 but there was no content returned. At the same time the following
warning appeared in the logs.
12:21:55,085 WARN [org.keycloak.adapters.RequestAuthenticator]
(http-/192.168.1.39:8080-4) SSL is required to authenticate
On Wed, Jun 10, 2015 at 10:14 AM, Stian Thorgersen <stian(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Orestis Tsakiridis" <orestis.tsakiridis(a)telestax.com>
> > To: keycloak-user(a)lists.jboss.org
> > Sent: Wednesday, 10 June, 2015 8:57:01 AM
> > Subject: [keycloak-user] Mixing https/http schemes with sslRequired == all
> >
> > Hello,
> >
> > Can keycloak operate on HTTPS while the REST application it protects runs on
> > HTTP?
> >
> > I've also set "Require SSL" to "all requests"
>
> Keycloak only deals with request made to the Keycloak Server and doesn't
> put any restriction on the request to your rest endpoints. However, as you
> are passing the token in requests to your rest endpoints it wouldn't be the
> best idea to not use ssl. Although the risk can be mitigated slightly by
> having short lifespan on access tokens.
>
> >
> >
> > Regards
> >
> > Orestis
9 years, 6 months