Client Mappers. Can I define mappers programmatically?
by Reed Lewis
I have the need to define mappers programmatically instead of using fixed entries from user attributes. For example, I might want the following entries in my JWT:
xxx: {d1:{[V1:123, V2:345, V3:567]},d2:{[V1:321, V2:xyz, V3:876]}}
So I might have the following values in my attributes for the user:
Xxx.d1.v1 123
Xxx.d1.v2 345
Xxx.d1.v3 567
Xxx.d2.v1 321
Xxx.d2.v2 xyz
Xxx.d2.v3 876
But I might also have xxx.d3, xxx.d4, ….
Is there a way to have Keycloak generate a JWT with all of the entries? Can I write a plug-in that does this?
Thank you,
Reed Lewis
8 years, 10 months
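One way to build such a claim is a custom protocol mapper. This is an added example, not code from the thread or from Keycloak itself; it assumes the protocol mapper SPI of recent Keycloak releases (AbstractOIDCProtocolMapper with the five-argument setClaim hook, which differs from the 1.x API current when this was posted), and the package name and provider id are hypothetical.

```java
package example.mappers; // hypothetical package

import java.util.*;
import org.keycloak.models.*;
import org.keycloak.protocol.oidc.mappers.*;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

// Groups flat user attributes named <prefix>.<group>.<field> (e.g. xxx.d1.v1)
// into one nested claim: {"xxx": {"d1": {"v1": "123", ...}, "d2": {...}}}.
// Only attributes under the fixed prefix are copied, so unrelated user
// attributes never leak into the token.
public class NestedAttributeMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "nested-attribute-mapper"; // hypothetical id
    private static final String PREFIX = "xxx"; // claim name and attribute prefix from the post

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Nested attribute claim"; }
    @Override public String getDisplayCategory() { return TOKEN_MAPPER_CATEGORY; }
    @Override public String getHelpText() { return "Groups " + PREFIX + ".* attributes into one nested claim"; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return Collections.emptyList(); }

    // Pure function so the grouping can be unit-tested without a running server.
    // Attribute names are compared case-insensitively (the post mixes Xxx and xxx);
    // for multi-valued attributes the first value is taken (an assumption).
    static Map<String, Map<String, String>> group(Map<String, List<String>> attrs) {
        Map<String, Map<String, String>> out = new TreeMap<>();
        for (Map.Entry<String, List<String>> e : attrs.entrySet()) {
            String[] parts = e.getKey().toLowerCase(Locale.ROOT).split("\\.", 3);
            if (parts.length != 3 || !parts[0].equals(PREFIX) || e.getValue().isEmpty()) continue;
            out.computeIfAbsent(parts[1], k -> new TreeMap<>()).put(parts[2], e.getValue().get(0));
        }
        return out;
    }

    // Called for the access token, ID token and userinfo response, depending on
    // which boxes are ticked in the mapper configuration.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession,
                            KeycloakSession keycloakSession, ClientSessionContext clientSessionCtx) {
        Map<String, Map<String, String>> claim = group(userSession.getUser().getAttributes());
        if (!claim.isEmpty()) token.getOtherClaims().put(PREFIX, claim);
    }
}
```

The class must be listed in META-INF/services/org.keycloak.protocol.ProtocolMapper and the jar deployed as a provider before the mapper shows up in a client's mapper list.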
REST(MicroServices) authentication through SAML 2.0
by Siva
Hi Experts,
I've got a scenario and am seeking your valuable inputs to take this in the right direction.
My application is a complete server-side solution which has 6 different modules and exposes only REST (microservices) endpoints to the external world (5 modules are hosted in a Tomcat 8 container and 1 is hosted in Apache Karaf [OSGi bundle]); these will be accessed by different enterprises, and they need to integrate their SAML 2.0 IdP for authentication.
These microservice endpoints could be integrated with their existing portals or with their existing mobile applications; in some scenarios it could be an exclusive client application built to consume our REST endpoints, which could potentially be browser-based or a mobile app.
The challenge here is that, for now, we could use only SAML 2.0 based authentication, since not all the organizations support OIDC/OAuth 2.0, and our application should also be flexible enough to be integrated with the existing client portals which use SAML 2.0 authentication.
We are planning to use Keycloak as IdP broker to secure our endpoints.
Questions:
1) Can this be achieved in Keycloak? If yes, could you please provide some inputs on architectural directions in Keycloak; e.g. should all the modules be configured under 1 realm, and do we need to have a separate brokering realm?
2) Does Keycloak support the Apache Karaf container? I couldn't find any adapter for this under the SAML adapter category.
3) For REST style endpoints, how should the user credential/token details be shared? Any example links? Kerberos is not a complete solution here, since it needs to work on all devices (desktop, laptop & handheld).
4) For the REST based solution, can the application completely rely on Keycloak for session management after the first time the user is authenticated?
Any inputs on this will be highly valued.
Regards,
Siva.
8 years, 10 months
Database errors since Keycloak 1.9.0.Final (?)
by Edgar Vonk - Info.nl
Hi,
Since upgrading to Keycloak 1.9.0 Final (I think) we get a lot of database-related errors. E.g.:
09:03:25,648 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) SQL Error: 942, SQLState: 42000
09:03:25,649 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-2) ORA-00942: table or view does not exist
09:03:25,656 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (Timer-2) HHH000327: Error performing load command : org.hibernate.exception.SQLGrammarException: could not extract ResultSet
09:03:25,666 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0062: Error occurred during sync of changed users: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.SQLGrammarException: could not extract ResultSet
at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61)
at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51)
at com.sun.proxy.$Proxy64.find(Unknown Source)
at org.keycloak.models.jpa.JpaRealmProvider.getRealm(JpaRealmProvider.java:86)
at org.keycloak.models.cache.infinispan.RealmAdapter.getDelegateForUpdate(RealmAdapter.java:56)
at org.keycloak.models.cache.infinispan.RealmAdapter.updateUserFederationProvider(RealmAdapter.java:734)
at org.keycloak.services.managers.UsersSyncManager$6.run(UsersSyncManager.java:248)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
at org.keycloak.services.managers.UsersSyncManager.updateLastSyncInterval(UsersSyncManager.java:237)
at org.keycloak.services.managers.UsersSyncManager.access$100(UsersSyncManager.java:44)
at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:138)
at org.keycloak.services.managers.UsersSyncManager$3$1.call(UsersSyncManager.java:130)
at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90)
at org.keycloak.services.managers.UsersSyncManager$3.run(UsersSyncManager.java:130)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
at org.keycloak.services.managers.UsersSyncManager.syncChangedUsers(UsersSyncManager.java:120)
at org.keycloak.services.managers.UsersSyncManager$5.run(UsersSyncManager.java:200)
at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:46)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
Any ideas on what could cause this?
cheers
8 years, 10 months
Typical memory usage Keycloak in production?
by Edgar Vonk - Info.nl
Hi,
I was wondering what would be typical (max) memory usage for a Keycloak instance running in production for a customer portal with average (whatever that means..) usage and thousands of users in Keycloak (with maybe a few dozen active at any one time)? We are running Keycloak in a Docker container on Mesos/Marathon with Oracle as database and Active Directory as user store. We are wondering whether to configure this Docker container to have say 512MB of memory or maybe even 1024MB. Any advice?
cheers
8 years, 10 months
LDAP Query Failed - AD connection reset
by Adrian Matei
Hi everyone,
From time to time we are experiencing the following error: "LDAP Query Failed" (connection resets), for example during user registration, but on the second try it usually works....
The connection to AD takes place via LDAPS, and Keycloak (1.7.0.Final) is running on JBoss EAP 6.4 with Java 8 installed.
The complete stacktrace from server.log:
08:47:05,029 ERROR [org.keycloak.services.resources.ModelExceptionMapper] (http-/159.232.186.74:8443-7) LDAP Query failed: org.keycloak.models.ModelException: LDAP Query failed
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:153) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:160) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:440) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.LDAPFederationProvider.loadAndValidateUser(LDAPFederationProvider.java:230) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.LDAPFederationProvider.validateAndProxy(LDAPFederationProvider.java:89) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:130) [keycloak-model-api-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:163) [keycloak-model-api-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.models.sessions.infinispan.compat.UserSessionAdapter.getUser(UserSessionAdapter.java:62) [keycloak-model-sessions-infinispan-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.services.resources.LoginActionsService.initEvent(LoginActionsService.java:732) [keycloak-services-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:798) [keycloak-services-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.services.resources.LoginActionsService.requiredActionPOST(LoginActionsService.java:750) [keycloak-services-1.7.0.Final.jar:1.7.0.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_66]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_66]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_66]
at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_66]
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:168) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:158) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:91) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:561) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:543) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:128) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.12.Final-redhat-1.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-2.jar:1.0.2.Final-redhat-2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61) [keycloak-services-1.7.0.Final.jar:1.7.0.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.5.Final-redhat-3.jar:7.5.5.Final-redhat-3]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.12.Final-redhat-1.jar:7.5.12.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_66]
Caused by: org.keycloak.models.ModelException: Querying of LDAP failed org.keycloak.federation.ldap.idm.query.internal.LDAPQuery@7434dc3b
at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:158) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:149) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
... 42 more
Caused by: javax.naming.CommunicationException: simple bind failed: ldaps.AD_hostname:636 [Root exception is java.net.SocketException: Connection reset]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) [rt.jar:1.8.0_66]
at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:122)
at org.jboss.as.naming.InitialContext.init(InitialContext.java:107)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) [rt.jar:1.8.0_66]
at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:98)
at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:44)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.8.0_66]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) [rt.jar:1.8.0_66]
at javax.naming.InitialContext.init(InitialContext.java:244) [rt.jar:1.8.0_66]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154) [rt.jar:1.8.0_66]
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createLdapContext(LDAPOperationManager.java:453) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:518) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:148) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:149) [keycloak-ldap-federation-1.7.0.Final.jar:1.7.0.Final]
... 43 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209) [rt.jar:1.8.0_66]
at java.net.SocketInputStream.read(SocketInputStream.java:141) [rt.jar:1.8.0_66]
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) [jsse.jar:1.8.0_66]
at sun.security.ssl.InputRecord.read(InputRecord.java:503) [jsse.jar:1.8.0_66]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) [jsse.jar:1.8.0_66]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) [jsse.jar:1.8.0_66]
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747) [jsse.jar:1.8.0_66]
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123) [jsse.jar:1.8.0_66]
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) [rt.jar:1.8.0_66]
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359) [rt.jar:1.8.0_66]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214) [rt.jar:1.8.0_66]
... 62 more
Anybody else experienced and fixed this?
Thanks,
Adrian
8 years, 10 months
Keycloak on Openshift with custom domain and SSL certificate
by Mark Hayen
Hi,
We're running our application on OpenShift Online.
Of course it is secured by Keycloak running in the same gear.
The OpenShift web console offers the possibility to import the certificate etc., but when trying to access the application it throws the following error:
ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-48) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
What do I have to do to enable Keycloak to find the stuff it needs?
Thank you
Mark Hayen
first8.nl
8 years, 10 months