Class loading issue when refreshing token
by Guus der Kinderen
Hello cloakees.
I'm having an interesting problem while using the admin-client from 1.9.1.
Initially, things go well. I can extract data as expected. However, after a
couple of minutes (I think when the admin-client-token needs refreshing),
I'm suddenly getting errors: "java.lang.IllegalArgumentException: interface
org.keycloak.admin.client.token.TokenService is not visible from class
loader". I added a full stacktrace below.
I find it odd that some functionality does work, but other functionality does not. What's
causing this? keycloak-admin-client-1.9.1.Final.jar is on the classpath,
which is where that interface appears to live.
Regards,
Guus
2016.03.24 10:18:50 WARN [Jetty-QTP-AdminConsole-58]: org.eclipse.jetty.servlet.ServletHandler - /user-summary.jsp
javax.ws.rs.ProcessingException: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:430)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy26.search(Unknown Source)
    at org.jivesoftware.openfire.plugin.KeycloakUserProvider.getUserCount(KeycloakUserProvider.java:134)
    at org.jivesoftware.openfire.user.UserManager.getUserCount(UserManager.java:263)
    at org.jivesoftware.openfire.admin.user_002dsummary_jsp._jspService(user_002dsummary_jsp.java:107)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)
    at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:118)
    at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:52)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:76)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:53)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.admin.PluginFilter.doFilter(PluginFilter.java:80)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:162)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
    at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581)
    at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557)
    at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230)
    at java.lang.reflect.WeakCache.get(WeakCache.java:127)
    at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419)
    at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719)
    at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:70)
    at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:122)
    at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:74)
    at org.keycloak.admin.client.token.TokenManager.refreshToken(TokenManager.java:100)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:59)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:52)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:48)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
    ... 40 more
8 years, 9 months
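The JDK behaviour behind the "Caused by" frames in the trace above, as an added example that is not code from the post, Keycloak or Openfire: Proxy.newProxyInstance rejects an interface that the class loader it is given cannot resolve, and running the call with a loader that can see the interface avoids the exception. TokenApi, buildProxy and withContextClassLoader are hypothetical names, and that the failing refresh was handed the request thread's context class loader is an assumption.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.function.Supplier;

public class ProxyLoaderDemo {
    // Hypothetical stand-in for a client interface such as TokenService.
    public interface TokenApi { String refresh(); }

    // Mimics a library that builds its proxy with the thread context class loader
    // (assumption about the failing call path, not taken from the post).
    static TokenApi buildProxy() {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        InvocationHandler handler = (proxy, method, methodArgs) -> "refreshed";
        return (TokenApi) Proxy.newProxyInstance(
                tccl, new Class<?>[] { TokenApi.class }, handler);
    }

    // Runs the action with cl as context class loader and always restores the old one,
    // so pooled container threads are not left pointing at the plugin's loader.
    static <T> T withContextClassLoader(ClassLoader cl, Supplier<T> action) {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(cl);
        try {
            return action.get();
        } finally {
            current.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: a loader with no parent plays the container thread's
        // loader, which cannot see classes shipped in the plugin's own jars.
        ClassLoader containerLoader = new ClassLoader((ClassLoader) null) { };
        Thread.currentThread().setContextClassLoader(containerLoader);
        try {
            buildProxy();
            System.out.println("unexpected: proxy was created");
        } catch (IllegalArgumentException e) {
            System.out.println("container loader: " + e.getMessage());
        }

        // Same call, but with the loader that actually defined the interface.
        TokenApi api = withContextClassLoader(
                TokenApi.class.getClassLoader(), ProxyLoaderDemo::buildProxy);
        System.out.println("defining loader: " + api.refresh());
    }
}
```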
hook into auth flow after new client consent
by Bruce Shaw
I've created a Provider to execute some custom logic after a user registers
or logs in. I'm having trouble finding where to hook up any custom logic
for when a user consents to use a new client. So if he wants to use his
login for another site, after the consent form is accepted, how can I
execute some custom logic?
thanks
8 years, 9 months
Upload of SAML SP/Client metadata and detection of NameIdFormat
by Gabriel Lavoie
Hi,
I'm trying to pre-configure a SAML 2.0 SP/Client in a realm with the
upload of its metadata in XML format. The metadata I have currently tells
that it wants the e-mail address as the NameIdFormat:
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
After uploading the metadata, the Name ID Format attribute is set to
"username" which seems to be the default value.
Tested with 1.8.0 and 1.9.1
Is this the expected/desired behavior, or is this something that Keycloak
could extract?
Thank you,
Gabriel
--
Gabriel Lavoie
glavoie(a)gmail.com
8 years, 9 months
Encoding theme selection in realm?
by Chris Hairfield
We've built some themes, login and email, and configured our Keycloak 1.6.1
such that the theme is available in both dropdowns on the first start of
the server, but I'd like to optimize a bit more. Since we import our
realms, is it possible to configure them such that our theme is selected
without any manual input?
On a related note, is it possible to configure the admin user such that we
don't need to reset their password on first start of the server? We expect
to upgrade to 1.7.x or higher soon, which may be relevant given how the
admin account is removed. I'd be curious to know whether my ask is possible
on either 1.6.1 or higher.
Thanks!
8 years, 9 months
Keycloak Admin Console scoped to just one Realm
by Thomas Darimont
Hello group,
We found out that one can get an admin console scoped to just one particular
realm if one changes the URL path slightly:
In this case we have a realm called "bubu" and a user with the
"realm-admin" role.
The link: http://localhost:8082/auth/admin/bubu/console/#/realms
will show an admin console scoped to just that one realm without any option
for selecting other realms.
Is this supported / expected behaviour or not? I couldn't find this
mentioned in the docs.
Cheers,
Thomas
8 years, 9 months
Nginx SSL endpoint login form action url uses wrong http scheme
by Gary Smith
Hi,
I currently have standalone Keycloak running behind an SSL-enabled Nginx proxy, with self-signed certs for the moment.
Keycloak client is running on http://localhost:8080, ssl required = none, Nginx set up to redirect any request to /auth to this instance of Keycloak.
This is a web app using the Keycloak JavaScript Adapter set to public.
The issue is the Keycloak login form action: its URL is using the http scheme rather than https, so as a result login fails.
If I do a live edit in the browser of the form's URL and change the scheme to https, everything is fine and all the other URLs (such as account information) work correctly in the app.
Wondering if I am doing something wrong here or if it is a known issue,
Cheers,
Gary.
8 years, 9 months
Total user count
by Guus der Kinderen
Hi there,
Recently, I switched from WSO2 Identity Server to Keycloak, and all of a
sudden, the sun is shining a bit brighter, birds are singing cheerful
songs, and I'm pretty sure I just saw a unicorn pass by, leaving
multi-colored droppings. Thanks!
That being said, I'm still pretty new, and could use some help. I'll
probably have more questions like these pretty soon. Is there an instant
messaging based channel (IRC, XMPP?) where you guys hang out? For the
entry-level questions that I have, that might be more suitable.
In any case: my first question: We're using keycloak to form the user base
of our existing product. Integration is going well, but I'm running into a
snag: the existing product has a paged user overview - much like the
keycloak administrative interface. However, unlike the keycloak interface,
I need to be able to calculate the exact amount of pages (keycloak resorts
to having a 'next page' button only, I need to explicitly provide
references to every page).
To be able to integrate, I need to find a way to retrieve the total number
of users for a particular realm. So far, I'm retrieving all users to be
able to count them, which quite obviously defeats the purpose of having a
paginated call in the first place. Is there a better way than
keycloak.realm( "myRealm" ).users().search( null, null, null ).size() ?
Kind regards,
Guus
8 years, 9 months
Internal Server Error when trying to get (all) members of a group
by Guus der Kinderen
Hiya,
Using the admin-client on a Keycloak 1.9.1 instance, I'm running into
something odd. I'm trying to obtain all members from a particular group in
a particular realm. My code, simplified:
    public List<UserRepresentation> getAllUsersInGroup( String groupName )
    {
        RealmResource realmRes = keycloak.realm( "myrealm" );
        // Resolve the group by path to obtain its id.
        GroupRepresentation group = realmRes.getGroupByPath( "/" + groupName );
        GroupResource groupRes = realmRes.groups().group( group.getId() );
        // Both paging arguments are passed as null.
        return groupRes.members( null, null );
    }
Oddly enough, the last line throws
a javax.ws.rs.InternalServerErrorException.
When I look at the log from my keycloak instance, I see a stacktrace that
suggests that -2 is used for the maxResult value (but it isn't - it's
null). What's going on here?
13:32:01,519 ERROR [io.undertow.request] (default task-40) UT005023: Exception handling request to /auth/admin/realms/myrealm/groups/ad2251c9-8e21-4eb6-903d-679f49cceb9e/members: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: Negative value (-2) passed to setMaxResults
    at org.hibernate.jpa.spi.BaseQueryImpl.setMaxResults(BaseQueryImpl.java:131)
    at org.hibernate.jpa.spi.AbstractQueryImpl.setMaxResults(AbstractQueryImpl.java:78)
    at org.hibernate.jpa.spi.AbstractQueryImpl.setMaxResults(AbstractQueryImpl.java:32)
    at org.keycloak.models.jpa.JpaUserProvider.getGroupMembers(JpaUserProvider.java:382)
    at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.getGroupMembers(DefaultCacheUserProvider.java:203)
    at org.keycloak.models.UserFederationManager$2.query(UserFederationManager.java:194)
    at org.keycloak.models.UserFederationManager.query(UserFederationManager.java:297)
    at org.keycloak.models.UserFederationManager.getGroupMembers(UserFederationManager.java:190)
    at org.keycloak.services.resources.admin.GroupResource.getMembers(GroupResource.java:189)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
8 years, 9 months
User old password verification via REST admin api
by Adrian Matei
Hi everyone,
Use case: "reset user password via REST admin API - PUT
/admin/realms/{realm}/users/{id}/reset-password"
Is there a possibility to verify the user's old password before changing
it, as is the case via the Account app?
Thanks,
Adrian
8 years, 9 months