initialising docker
by Tim Dudgeon
I've been struggling with a clean way to initialize the keycloak docker
container.
I need to import a realm definition, and the only way I can find is to
start the image with the import options, wait for this to complete so
that the database is populated and then to Ctrl-C out and to restart the
container proper, which is hardly automatable.
With 1.8 this also needs to include defining the admin user.
Is there a cleaner way of achieving this?
For instance, with the postgres docker images you just put any
initialisation *.sql or *.sh scripts in a specific directory and they
get executed first time the server starts.
Tim
8 years, 10 months
Quick clarification about Offline tokens
by robinfernandes .
Hi Everyone,
So the scenario that I am trying to understand is as follows:
1. I get an offline token and I try to refresh my token pair
(access,refresh) using this offline token.
2. Will I get a new offline token? Or will Keycloak see that you passed in
an offline token so it will return the same offline token back?
In the tests that I performed I saw it returning a new offline token each
time. Is that a correct understanding?
Is there any parameter I can pass to the token refresh call so that it
gives me the same offline token back?
Thanks,
Robin
8 years, 10 months
Re: [keycloak-user] Extending Themes via SPI
by Jesse Chahal
So I'm also in a similar situation here where our front-end team will not
even consider looking into FTL theme engine that was used in keycloak. They
will reject keycloak as a good solution unless we can reimplement the login
screen in an entirely different technology. I'm still trying to convince
people that using the current theming engine is a better choice but I don't
think we'll even be able to get there unless I can help them do a
comparison of the two implementations. We don't currently care about
registration, social auth, password reset, etc... through the login screen.
Most of this will be done through the keycloak admin client by an
administrator in our cases. This means I need a way to actually use the
Login SPI to be able to redirect to a login page hosted on a different server.
Are there any suggestions of places where I could start looking at in order
to implement a custom Login page hosted on a different server? The reason I
specify different server (same tld domain) is I'm also a bit worried about
CORS issues (hopefully we'll be fine).
Thanks,
Jesse
On Fri, Feb 12, 2016 at 1:43 AM, <keycloak-user-request(a)lists.jboss.org>
wrote:
>
> Today's Topics:
>
> 1. Re: Extending Themes via SPI (Stian Thorgersen)
> 2. Re: Failed to make identity provider oauth callback:
> javax.net.ssl.SSLHandshakeException (Marko Strukelj)
> 3. Re: Failed to make identity provider oauth callback:
> javax.net.ssl.SSLHandshakeException (Stian Thorgersen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 12 Feb 2016 09:53:56 +0100
> From: Stian Thorgersen <sthorger(a)redhat.com>
> Subject: Re: [keycloak-user] Extending Themes via SPI
> To: Sarp Kaya <akaya(a)expedia.com>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
>
> No, you can create a theme that contains stylesheets and freemarker
> templates (if you need to change those) and deploy it to Keycloak. Please
> read
> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html
> and take a look at the themes examples in our examples download.
>
> On 12 February 2016 at 09:47, Sarp Kaya <akaya(a)expedia.com> wrote:
>
> > Okay but what you are saying is done directly on the Keycloak source code
> > which is then built and deployed, rather than extending classes and then
> > deploying directly to a Keycloak instance?
> >
> > From: Stian Thorgersen <sthorger(a)redhat.com>
> > Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
> > Date: Friday, February 12, 2016 at 6:29 PM
> >
> > To: Abdullah Sarp Kaya <akaya(a)expedia.com>
> > Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> > Subject: Re: [keycloak-user] Extending Themes via SPI
> >
> > There's a lot more to the login on Keycloak than a simple JSP page used
> > for JEE form-based authentication. We have user registration, password
> > recovery, OTP support, remember me, etc, etc..
> >
> > Take the look and feel (stylesheet) of your JSP login screen and apply it
> > to Keycloak with a custom theme. That's the simplest, quickest and best
> > option.
> >
> > On 12 February 2016 at 09:15, Sarp Kaya <akaya(a)expedia.com> wrote:
> >
> >>
> >> We have internal front end libraries that work with JSP only. From the
> >> sounds of SPI, I thought that I could use JSP and our internal libraries
> >> instead of FreeMarker templates. Also because our JSP login screen is
> >> almost ready it wouldn't take much time to just deploy it (that's what I
> >> thought).
> >>
> >> From: Stian Thorgersen <sthorger(a)redhat.com>
> >> Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
> >> Date: Friday, February 12, 2016 at 5:54 PM
> >> To: Abdullah Sarp Kaya <akaya(a)expedia.com>
> >> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> >> Subject: Re: [keycloak-user] Extending Themes via SPI
> >>
> >> What are you actually trying to achieve? We mainly support modifying the
> >> FreeMarker templates and stylesheets. Beyond that you may in theory be able
> >> to re-implement it all to replace FreeMarker with something else, but I
> >> don't see why you would want to and it would be a significant amount of
> >> work, and also maintenance.
> >>
> >> On 12 February 2016 at 07:08, Sarp Kaya <akaya(a)expedia.com> wrote:
> >>
> >>> Hi all,
> >>>
> >>> In regards to Extending Themes via SPI all I found is this documentation:
> >>>
> >>> http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html
> >>> and
> >>> http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html...
> >>>
> >>> I found it a little less describing.
> >>>
> >>> When I implement those two classes, where do I put the new implemented
> >>> classes? How do I deploy them?
> >>> Can I also use Spring mvc and JSP and few maven dependencies instead of
> >>> freemarker?
> >>>
> >>> I also tried to find an example to extend theme using SPI but there
> >>> seems to be none. It would be really nice if you could provide a sample
> >>> hello world.
> >>>
> >>> Thank you very much,
> >>> Sarp Kaya
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>
> >>
> >
> >
>
> ------------------------------
>
> Message: 2
> Date: Fri, 12 Feb 2016 10:04:04 +0100
> From: Marko Strukelj <mstrukel(a)redhat.com>
> Subject: Re: [keycloak-user] Failed to make identity provider oauth
> callback: javax.net.ssl.SSLHandshakeException
> To: Marek Posolda <mposolda(a)redhat.com>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>,
> LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
>
> When using 'truststore' provider it is up to you to make sure to
> include all the certificates you trust. Configuration via
> -Djavax.net.ssl.trustStore works the same - no automatic inclusion of
> cacerts. But it sounds like a good usability feature to add a flag
> that would automatically include cacerts as well. The problem is - it
> happens occasionally that some CAs turn out not to be trustworthy, and
> blindly importing all cacerts exposes you to that risk.
>
> One detail to emphasize, with third party not-self-signed certificates
> it's important to include the CA certificate used to create the
> specific server certificate, rather than the server certificate
> itself. Facebook servers use different short-lived server certificates
> - and with two consecutive requests you may be presented with two
> different server certificates - but they are all issued by the same
> long-lived trusted CA.
>
>
> On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda <mposolda(a)redhat.com>
> wrote:
> > Facebook certificate should be signed by trusted authority, so it works with
> > default JDK truststore. At least for me it always works.
> >
> > Shouldn't truststore SPI use both provided file + default JDK truststore by
> > default? We may have flag to disable default JDK truststore, but not sure if
> > it's ever needed. Also shouldn't we rewrite SimpleHTTP to use Apache HTTP
> > client provided by HttpClientProvider SPI?
> >
> > Marek
> >
> >
> > On 11/02/16 15:23, Stian Thorgersen wrote:
> >
> > Does it work if you don't specify the truststore? That will use the default
> > truststore provided by the JDK.
> >
> > Also, does your truststore contain the required CA certs? For Facebook to
> > work it'll have to contain the required CA's for their certs
> >
> > On 11 February 2016 at 14:09, LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
> > wrote:
> >>
> >> Hi, I'm getting the error below when I try to login with Facebook.
> >> I've followed the instructions at
> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> >> and
> >> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
> >>
> >> I was able to login with Facebook when trying at localhost. But at our
> >> development server we are getting this error.
> >>
> >> We are using EAP in domain mode.
> >>
> >> The truststore I placed inside of keycloak-server.json
> >> "truststore": {
> >>     "file": {
> >>         "file": "/home/soa/jboss/ssl/keycloak.jks",
> >>         "password": "keycloak123",
> >>         "hostname-verification-policy": "ANY",
> >>         "disabled": false
> >>     }
> >> }
> >>
> >>
> >> #######
> >>
> >> ERROR:
> >>
> >>
> >> 2016-02-11 10:44:53,927 ERROR
> >> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]
> >> (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth
> >> callback: javax.net.ssl.SSLHandshakeException:
> >> sun.security.validator.ValidatorException: PKIX path building failed:
> >> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> >> valid certification path to requested target
> >> --
> >> Leonardo Nunes
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 12 Feb 2016 10:43:18 +0100
> From: Stian Thorgersen <sthorger(a)redhat.com>
> Subject: Re: [keycloak-user] Failed to make identity provider oauth
> callback: javax.net.ssl.SSLHandshakeException
> To: Marko Strukelj <mstrukel(a)redhat.com>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>,
> LEONARDO NUNES <leo.nunes(a)gjccorp.com.br>
>
> On 12 February 2016 at 10:04, Marko Strukelj <mstrukel(a)redhat.com> wrote:
>
> > When using 'truststore' provider it is up to you to make sure to
> > include all the certificates you trust. Configuration via
> > -Djavax.net.ssl.trustStore works the same - no automatic inclusion of
> > cacerts. But it sounds like a good usability feature to add a flag
> > that would automatically include cacerts as well. The problem is - it
> > happens occasionally that some CAs turn out not to be trustworthy, and
> > blindly importing all cacerts exposes you to that risk.
> >
>
> How about having a flag that is enabled by default that includes cacerts
> from Java? I'd actually think that update from CA certs are more likely
> going to happen by updating Java rather than manually maintaining a
> truststore.
>
>
> > One detail to emphasize, with third party not-self-signed certificates
> > it's important to include the CA certificate used to create the
> > specific server certificate, rather than the server certificate
> > itself. Facebook servers use different short-lived server certificates
> > - and with two consecutive requests you may be presented with two
> > different server certificates - but they are all issued by the same
> > long-lived trusted CA.
>
>
> >
> > >> to find valid certification path to requested target
> > >> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> > >> [rt.jar:1.8.0_45]
> > >> at
> > >>
> >
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> > >> [rt.jar:1.8.0_45]
> > >> at sun.security.validator.Validator.validate(Validator.java:260)
> > >> [rt.jar:1.8.0_45]
> > >> at
> > >>
> >
> sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> > >> [jsse.jar:1.8.0_45]
> > >> at
> > >>
> >
> sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> > >> [jsse.jar:1.8.0_45]
> > >> at
> > >>
> >
> sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> > >> [jsse.jar:1.8.0_45]
> > >> at
> > >>
> >
> sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
> > >> [jsse.jar:1.8.0_45]
> > >> ... 50 more
> > >> Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
> > >> unable to find valid certification path to requested target
> > >> at
> > >>
> >
> sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
> > >> [rt.jar:1.8.0_45]
> > >> at
> > >>
> >
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
> > >> [rt.jar:1.8.0_45]
> > >> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> > >> [rt.jar:1.8.0_45]
> > >> at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> > >> [rt.jar:1.8.0_45]
> > >> ... 56 more
8 years, 10 months
import not working in 1.8
by Tim Dudgeon
I've hit an issue with import. The command I used to use to import a
realm with 1.7.0 now gives an error with 1.8.1, but from reading the
docs all the options seem to be valid. Could someone point to what has
changed?
The command I'm using is
    /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 \
        -Dkeycloak.migration.action=import \
        -Dkeycloak.migration.provider=singleFile \
        -Dkeycloak.migration.file=/tmp/json/yyy.json \
        -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
Or to be more correct, I'm doing this in Docker, and it can be
reproduced like this:
    docker run -it --rm -v $PWD:/tmp/json jboss/keycloak:1.8.1.Final \
        /opt/jboss/keycloak/bin/standalone.sh -b 0.0.0.0 \
        -Dkeycloak.migration.action=import \
        -Dkeycloak.migration.provider=singleFile \
        -Dkeycloak.migration.file=/tmp/json/yyy.json \
        -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
which tells me that I've specified an invalid option. It works fine if I
use the 1.7.0.Final image.
Tim
8 years, 10 months
Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException
by LEONARDO NUNES
Hi, I'm getting the error below when I try to log in with Facebook.
I've followed the instructions at http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst... and http://keycloak.github.io/docs/userguide/keycloak-server/html/server-inst...
I was able to login with Facebook when trying at localhost. But at our development server we are getting this error.
We are using EAP in domain mode.
The truststore I placed inside of keycloak-server.json
"truststore": {
    "file": {
        "file": "/home/soa/jboss/ssl/keycloak.jks",
        "password": "keycloak123",
        "hostname-verification-policy": "ANY",
        "disabled": false
    }
}
#######
ERROR:
2016-02-11 10:44:53,927 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) [jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478) [jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969) [jsse.jar:1.8.0_45]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:904) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391) [jsse.jar:1.8.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_45]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [rt.jar:1.8.0_45]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [rt.jar:1.8.0_45]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282) [rt.jar:1.8.0_45]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257) [rt.jar:1.8.0_45]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) [rt.jar:1.8.0_45]
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_45]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_45]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_45]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.8.1.Final.jar:1.8.1.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)
at org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_45]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.8.0_45]
at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) [jsse.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) [jsse.jar:1.8.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) [jsse.jar:1.8.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460) [jsse.jar:1.8.0_45]
... 50 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) [rt.jar:1.8.0_45]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) [rt.jar:1.8.0_45]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) [rt.jar:1.8.0_45]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) [rt.jar:1.8.0_45]
... 56 more
--
Leonardo Nunes
8 years, 10 months
Extending Themes via SPI
by Sarp Kaya
We have internal front-end libraries that work with JSP only. From the sounds of SPI, I thought that I could use JSP and our internal libraries instead of FreeMarker templates. Also, because our JSP login screen is almost ready, it wouldn't take much time to just deploy it (that's what I thought).
From: Stian Thorgersen <sthorger(a)redhat.com>
Reply-To: "stian(a)redhat.com" <stian(a)redhat.com>
Date: Friday, February 12, 2016 at 5:54 PM
To: Abdullah Sarp Kaya <akaya(a)expedia.com>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] Extending Themes via SPI
What are you actually trying to achieve? We mainly support modifying the FreeMarker templates and stylesheets. Beyond that you may in theory be able to re-implement it all to replace FreeMarker with something else, but I don't see why you would want to and it would be a significant amount of work, and also maintenance.
On 12 February 2016 at 07:08, Sarp Kaya <akaya(a)expedia.com> wrote:
Hi all,
In regards to Extending Themes via SPI, all I found is this documentation:
http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html and
http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html...
I found it a little less descriptive.
When I implement those two classes, where do I put the newly implemented classes? How do I deploy them?
Can I also use Spring MVC and JSP and a few Maven dependencies instead of FreeMarker?
I also tried to find an example of extending a theme using SPI but there seems to be none. It would be really nice if you could provide a sample hello world.
Thank you very much,
Sarp Kaya
8 years, 10 months
User-Federation
by Stuart Jacobs
Hi Everyone,
I have an application that runs on a PostgreSQL database. Keycloak has been
configured and has created all the required tables/columns in my schema
using Liquibase on start up of the Keycloak server.
I need to authenticate users using the project's existing user table,
obtaining the username and password from this table.
I have had a look at the federation provider project under the example
projects but it still eludes me how I change the Keycloak mapping
to use my own tables in Postgres.
Can someone please point me in the right direction or if someone has
implemented such a solution please share how you have done it?
Thanks everyone.
Regards,
Stuart Jacobs
--
www.symbiotics.co.za
8 years, 10 months
Issues with password reset link expiration
by Michael Anthon
We are having issues with some users when they are attempting to use the password reset feature. It does work for most users; however, some always end up at an error page saying "WE'RE SORRY ... An error occurred, please login again through your application"
What I have been able to determine so far is that for the affected users we are seeing a double hit on that URL in the server logs and from what I understand, these reset URLs are invalidated as soon as they are accessed.
So here's the state of play
* works for most users
* some users hitting the reset URL twice
* URL is only valid for the first access (I'm not 100% sure about this, can someone confirm please?)
* URL is only valid for 30 minutes (but is being accessed within a few minutes of generation)
* affected users are mostly using Outlook
* some people tend to double click links in emails but I've verified with a reliable user that they are only clicking the link once
* having the affected person send themselves another reset email and then copy and paste the URL from the mail client usually resolves this problem
And questions
* is this an issue anyone else has noticed with Outlook? It doesn't affect ALL Outlook users, just some
* is there a way to prevent the URL from being invalidated on initial access
* is it feasible to change the behavior so that the URL is only invalidated when the password is changed
* any other thoughts on how to avoid this issue?
Thanks and Regards,
Michael Anthon
InfoView Technologies Pty Ltd
12/15 Adelaide St, Brisbane Qld 4000
P O Box 15478, City East, Brisbane Qld 4000
PH: +61 7 3014 2204
F: +61 7 3014 2200
M: +61 408 768 055
michael.anthon(a)infoview.com.au
8 years, 10 months
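The behaviour discussed in the password-reset post above, modelled as an added example (not Keycloak's code and not from the original post): a reset link that is spent by the first GET, compared with one that is spent only when the password change completes. `ResetLinks`, `open_link`, `complete_reset` and `simulate_double_hit` are hypothetical names, and the origin of the first hit is left open because the post does not establish it.

```python
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # the post states the link is valid for 30 minutes


class ResetLinks:
    """In-memory model of a reset-link store (hypothetical; not Keycloak's classes)."""

    def __init__(self, consume_on_get, clock=time.time):
        self.consume_on_get = consume_on_get
        self.clock = clock            # injectable so expiry can be tested
        self._tokens = {}             # token -> (username, expires_at)

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, self.clock() + RESET_TTL_SECONDS)
        return token

    def _lookup(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._tokens[token]   # expired links are dropped on first sight
            return None
        return username

    def open_link(self, token):
        """GET on the emailed URL: returns a token for the form, or None (error page)."""
        username = self._lookup(token)
        if username is None:
            return None
        if not self.consume_on_get:
            return token              # GET has no side effect; the link stays valid
        del self._tokens[token]       # the first GET spends the link, whoever sent it
        return self.issue(username)   # the form continues on a fresh one-time token

    def complete_reset(self, form_token):
        """POST of the new password: spends the token, returns the user or None."""
        username = self._lookup(form_token)
        if username is None:
            return None
        del self._tokens[form_token]
        return username


def simulate_double_hit(consume_on_get):
    """Two GETs on one link: an unexplained first hit, then the user's single click."""
    links = ResetLinks(consume_on_get)
    emailed = links.issue("alice")            # constructed sample user
    links.open_link(emailed)                  # first hit; its response is never used
    form_token = links.open_link(emailed)     # second hit: the user's click
    if form_token is None:
        return "error page"
    user = links.complete_reset(form_token)
    replay = links.open_link(emailed)         # after the change the link must be dead
    return "reset ok" if user == "alice" and replay is None else "unexpected"


if __name__ == "__main__":
    print("spent on GET: ", simulate_double_hit(True))
    print("spent on POST:", simulate_double_hit(False))
```

With `consume_on_get=False` the link stays usable until the change completes or the 30-minute expiry passes, so the expiry is the only bound on a link that leaks before it is used.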