custom locale not loaded from theme module
by Mark Hayen
Hi,
We're upgrading to 2.2.1.Final and run into a problem with our locale 'nl'.
Together with a new theme we've added Dutch translations. We use this as
a module.
Now the Dutch locale isn't loaded when following the instructions on
keycloak.org about the theme.properties etc.
After trying out a lot of combinations I could only get it to work when
I also added my locale to the theme.properties
of the base themes login, email and account like this
"locales=nl,ca,de,en,es,fr,it,ja,lt,no,pt-BR,ru".
This used not to be necessary, at least not in 1.8.1.Final.
Can you confirm this?
Thank you
Mark Hayen
First8 B.V.
8 years, 2 months
User cannot be imported from LDAP - ModelDuplicateException - although userStorage does not contain any users yet
by Daniela.Weil@itzbund.de
Dear All,
I installed keycloak 2.2.1 Final, added a new realm with an openLDAP federation provider with Kerberos integration.
I set the "username LDAP attribute" to the LDAP attribute (bfvNovellLogin) that contains the Kerberos username. The "UUID LDAP attribute" is set to the "uid" attribute.
Kerberos auth succeeded:
2016-10-12 10:23:42,363 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-3) SPNEGO Security context accepted with token: oRQwEqADCgEAoQsGCSqGSIb3EgECAg==, established: true, credDelegState: false, mutualAuthState: false, lifetime: 2147483647, confState: true, integState: true, ....
2016-10-12 10:23:42,364 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getUserByUsername: WeiDayq
The LDAP object could be created:
2016-10-12 10:23:42,515 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-3) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de , uuid: dweil, attributes: {uid=[dweil], bfvNovellLogin=[WeiDayq], mail=[daniela.weil(a)zivit.de], bfvDstnr=[1481], sn=[Weil], cn=[Daniela Weil], modifyTimestamp=[20130308075833Z], createTimestamp=[20070704114832Z]}, readOnly attribute names: [sn, bfvdstnr, bfvnovelllogin, mail, uid, modifytimestamp, cn, createtimestamp] ]
So far no users are in the keycloak datastore.
On mapping the email attribute, the user "dweil" is not recognized as the user "weidayq" that was previously authenticated by Kerberos:
2016-10-12 10:23:42,765 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=DStNummer, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=bfvDstnr, is.mandatory.in.ldap=false, user.model.attribute=DstNr} } during import user from LDAP
2016-10-12 10:23:42,769 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=email, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=mail, is.mandatory.in.ldap=false, user.model.attribute=email} } during import user from LDAP
2016-10-12 10:23:42,806 DEBUG [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelDuplicateException: Can't import user 'weidayq' from LDAP because email 'daniela.weil(a)zivit.de' already exists in Keycloak. Existing user with this email is 'dweil'
at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.checkDuplicateEmail(UserAttributeLDAPFederationMapper.java:168)
at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:100)
at org.keycloak.federation.ldap.mappers.LDAPFederationMapperBridge.onImportUserFromLDAP(LDAPFederationMapperBridge.java:61)
at org.keycloak.federation.ldap.LDAPFederationProvider.importUserFromLDAP(LDAPFederationProvider.java:327)
at org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:310)
at org.keycloak.federation.ldap.LDAPFederationProvider.findOrCreateAuthenticatedUser(LDAPFederationProvider.java:499)
at org.keycloak.federation.ldap.LDAPFederationProvider.validCredentials(LDAPFederationProvider.java:443)
at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:595)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89).....
Why does keycloak assume that my one and only user is two different users (having a different Id)?
Kind Regards,
Daniela Weil
8 years, 2 months
Keycloak cannot change LDAP user password
by Thomas Barcia
After fighting through getting Keycloak able to create users, I'm now trying to change an LDAP user's password, but the only message I get is one on the screen that says "Could not modify attribute for DN"; there are no messages in the logs, on the console output, or in "Events" in the UI. Can anyone suggest what I may need to change to be able to change LDAP passwords?
Thank you.
8 years, 2 months
jboss 6.1.Final - OpenID Connect
by lbecarelli_imap
Hello,
I installed Keycloak 2.2.1 Final; all is fine if I use it with WildFly
10 and the corresponding adapter, with several applications secured with Keycloak in two
different servers.
My problem is that I also have an old application on JBoss 6.1.Final
that uses Seam 2.2.2 Final.
What is the best approach to secure it, or at least to be able to know who
the logged-in user is?
Kind Regards,
Luca Becarelli
8 years, 2 months
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
by KASALA Štefan
Hello all,
We have the keycloak-2.1.0.Final server and the keycloak-as7-adapter-2.1.0 adapter version installed. We are trying to configure an HTTPS proxy / load balancer for the Keycloak server. I am getting the following error from the Keycloak adapter after a successful sign-in to the Keycloak server. Here is the Keycloak adapter log part:
2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-conne...
ient_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-...
UprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie
2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
Our keycloak adapter config:
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="governance">
        <realm-public-key>public key string...</realm-public-key>
        <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
        <principal-attribute>preferred_username</principal-attribute>
        <disable-trust-manager>true</disable-trust-manager>
        <allow-any-hostname>true</allow-any-hostname>
    </realm>
    <secure-deployment name="overlord-rtgov-ui.war">
        <realm>governance</realm>
        <resource>rtgov-ui</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
    <secure-deployment name="overlord-rtgov.war">
        <realm>governance</realm>
        <resource>overlord-rtgov</resource>
        <enable-basic-auth>true</enable-basic-auth>
        <credential name="secret">password</credential>
    </secure-deployment>
</subsystem>
Could you please help us with how we can fix this? Thanks a lot.
Stefan Kasala.
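The realm block in the post above disables both certificate validation and hostname checking for the adapter's back-channel (code-to-token) call, so any host terminating TLS for the auth-server URL would be accepted. As an added example, not the poster's configuration and not a fix for the handshake error reported, here is the same realm pinned to an explicit truststore using the subsystem's truststore elements; the keystore path and password are placeholders.

```xml
<!-- Added example, not the original poster's configuration.
     The trust-all settings are replaced with an explicit truststore so the
     adapter only accepts the chain that signs the proxy/LB certificate.
     Path and password below are placeholders. -->
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
    <realm name="governance">
        <realm-public-key>public key string...</realm-public-key>
        <auth-server-url>${keycloak.auth.url:/auth}</auth-server-url>
        <principal-attribute>preferred_username</principal-attribute>

        <!-- weak (as posted): accepts any certificate and any hostname
        <disable-trust-manager>true</disable-trust-manager>
        <allow-any-hostname>true</allow-any-hostname>
        -->

        <!-- hardened: validate the server chain against a dedicated
             truststore and keep hostname verification enabled -->
        <truststore>${jboss.server.config.dir}/keycloak-truststore.jks</truststore>
        <truststore-password>CHANGE_ME_PLACEHOLDER</truststore-password>
        <disable-trust-manager>false</disable-trust-manager>
        <allow-any-hostname>false</allow-any-hostname>
    </realm>
    <secure-deployment name="overlord-rtgov-ui.war">
        <realm>governance</realm>
        <resource>rtgov-ui</resource>
        <credential name="secret">password</credential>
    </secure-deployment>
</subsystem>
```

The truststore must contain the CA (or leaf) certificate that the proxy/LB presents on the HTTPS endpoint before this is enabled; with it in place, the `invokeAccessCodeToToken` call in the trace is verified against a known chain rather than skipped.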
8 years, 2 months
AbstractUserAdapterFederatedStorage & Roles
by Harold Campbell
I'm using the new user storage provider stuff to federate users from an
existing database. It's mostly working, but I'm having trouble with
role updates propagating.
My UserAdapter extends AbstractUserAdapterFederatedStorage.
If I do not override grantRole(), deleteRoleMapping(), and
getFederatedRoleMappings(), KC's view of the user's roles is only set
the first time the user is loaded. Neither adding nor removing roles
changes the list.
If I *do* override those methods, then at least adding a role updates
the list. Removing them still does not.
I'm using UserAdapter#grantRole() to add the roles. I've tried all of
UserAdapter#deleteRoleMapping()
UserAdapter#getRealmRoleMappings()#remove()
UserAdapter#getRoleMappings()#remove()
to remove roles, to no avail.
What am I missing? KC 2.1.1.Final
--
Harold Campbell <hcamp(a)muerte.net>
we just switched to Sprint.
8 years, 2 months