direct access grant
by daniele.capasso@dnshosting.it
Hi,
I tried to implement a direct access grant like the example
https://keycloak.github.io/docs/userguide/keycloak-server/html/direct-acc...
My client access type is confidential.
On HttpResponse response = client.execute(post);
I receive
HTTP/1.1 400 Bad Request [Connection: keep-alive, X-Powered-By:
Undertow/1, Server: WildFly/9, Transfer-Encoding: chunked, Content-Type:
application/json, Date: Tue, 15 Mar 2016 08:34:36 GMT]
org.apache.http.conn.BasicManagedEntity@7e3c3f85
this is my call
POST /auth/realms/master/protocol/openid-connect/token HTTP/1.1
[Authorization: Basic YWRtaW46ZGFuaWVsZQ==]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
these are my form params:
[grant_type=password, username=a, password=a]
What is wrong?
Thank you
Daniele
8 years, 10 months
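Added example (not code from the post above and not Keycloak's own code): a direct access grant (the OAuth2 resource owner password credentials grant) against a confidential client. For a confidential client the HTTP Basic header carries client_id:client_secret (RFC 6749 section 2.3.1) and the user's name and password go in the form body; the 400 response body is JSON with error and error_description and is worth reading rather than printing the entity object. The base URL, realm, client id, secret and user credentials in main() are placeholders.

```python
"""Keycloak direct access grant (OAuth2 resource owner password credentials)
for a confidential client.

Added example; not code from the original post. The base URL, realm,
client id, client secret and user credentials in main() are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


def client_basic_header(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1): the header
    carries client_id:client_secret. The end user's name and password never
    go in this header; they belong in the form body."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def basic_header_identity(header_value):
    """Return the identity a Basic header authenticates as (the part before
    the colon). Useful to check what a captured request actually sends."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(encoded).decode("utf-8")
    return decoded.split(":", 1)[0]


def password_grant_form(username, password, client_id, scope=None):
    """Form body for grant_type=password: user credentials plus client_id."""
    fields = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
    }
    if scope:
        fields["scope"] = scope
    return urllib.parse.urlencode(fields)


def build_token_request(base_url, realm, client_id, client_secret, username, password):
    """Assemble the POST without sending it, so the pieces can be inspected."""
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    body = password_grant_form(username, password, client_id).encode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", client_basic_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8")
    return req


def interpret_token_response(status, body):
    """Keycloak answers success and failure alike with a JSON body. A 400
    carries 'error' and 'error_description' (RFC 6749 section 5.2); read
    them instead of printing the HTTP entity object."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return {"ok": False, "status": status, "error": "non_json_body"}
    if status == 200 and "access_token" in data:
        return {"ok": True, "status": status, "token_type": data.get("token_type"),
                "expires_in": data.get("expires_in")}
    return {"ok": False, "status": status, "error": data.get("error"),
            "error_description": data.get("error_description")}


def request_token(base_url, realm, client_id, client_secret, username, password):
    """Send the request; error bodies are read rather than discarded."""
    req = build_token_request(base_url, realm, client_id, client_secret, username, password)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_token_response(err.code, err.read())
    except urllib.error.URLError as err:
        return {"ok": False, "status": 0, "error": "connection", "error_description": str(err.reason)}


if __name__ == "__main__":
    # Placeholder values; point these at a real server to run it for real.
    print(request_token("https://sso.example.com", "master", "my-client",
                        "my-client-secret", "a", "a"))
```

basic_header_identity() is the check to run on a captured Authorization header: for a confidential client it should print the client id, not a user name.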
server hang on adding admin user
by Tim Dudgeon
I'm getting a strange and infrequent problem when I add the admin user to
keycloak.
I'm running keycloak inside a docker container (the
jboss/keycloak-postgres:1.9.1.Final image), and I add the admin user
using the KEYCLOAK_USER and KEYCLOAK_PASSWORD environment variables set
the first time the container is started.
Occasionally the server seems to hang and the docker container can't be
stopped or even killed.
The logs show this:
keycloak_1 | 10:56:19,876 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0060: Http management interface listening on
http://127.0.0.1:9990/management
keycloak_1 | 10:56:19,876 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
keycloak_1 | 10:56:19,877 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0025: Keycloak 1.9.1.Final (WildFly Core 2.0.10.Final) started in
12810ms - Started 422 of 789 services (529 services are lazy, passive or
on-demand)
keycloak_1 |
keycloak_1 | Added 'admin' to
'/opt/jboss/keycloak/standalone/configuration/keycloak-add-user.json',
restart server to load user
Seems like keycloak adds the admin user then gives up on life completely
and can't be stopped.
This only happens occasionally, but frequently enough to be a problem.
Any ideas what's happening here?
Tim
Keycloak Importing Realm Failed
by Ebraheem Rabee
Hello ,
When I try to import a realm using the REST client from Firefox with this data:
POST http://xxx.xxx.x.xx:xxxx/auth/admin/realms
{
"id": "TestRealm",
"enabled": true
}
The process returns this error:
500 Internal Server Error
Kindly find the log file attached to this email.
Best Regards
--
*Ebraheem Alrabee'*
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
www.blulogix.com
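Added example (not code from the post above and not Keycloak's own code): creating a realm through the admin REST API. The admin API's RealmRepresentation names a realm by its realm field; id is the internal identifier and is generated when left out, so a payload that only carries id has no realm name. The script flags that before sending, and keeps the error body of a 401, 409 or 500 instead of dropping it. It assumes an admin bearer token obtained separately (for instance a password grant against the master realm); the host, token and realm name in main() are placeholders.

```python
"""Create a realm through the Keycloak admin REST API.

Added example; not code from the post. Assumes an admin bearer token
obtained separately; host, token and realm name in main() are placeholders.
"""
import json
import urllib.error
import urllib.request

REALMS_PATH = "/auth/admin/realms"


def realm_representation(name, enabled=True, display_name=None):
    """Minimal RealmRepresentation. The realm is named by the 'realm' field;
    'id' is the internal identifier and is generated when omitted."""
    rep = {"realm": name, "enabled": enabled}
    if display_name is not None:
        rep["displayName"] = display_name
    return rep


def check_realm_representation(rep):
    """Problems worth fixing before the POST; an empty list means none found."""
    problems = []
    if not rep.get("realm"):
        problems.append("no 'realm' field: 'id' alone does not name the realm")
    if "enabled" in rep and not isinstance(rep["enabled"], bool):
        problems.append("'enabled' must be a JSON boolean")
    return problems


def build_import_request(base_url, token, rep):
    """Assemble the POST without sending it."""
    url = base_url.rstrip("/") + REALMS_PATH
    req = urllib.request.Request(url, data=json.dumps(rep).encode("utf-8"), method="POST")
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    return req


def import_realm(base_url, token, rep):
    """Return (status, body_text). Status 0 means the request was not sent.
    Error bodies are kept: 409 means the realm already exists, 401 means the
    token is bad, and for a 500 the body plus the server log is what to read."""
    problems = check_realm_representation(rep)
    if problems:
        return (0, "; ".join(problems))
    req = build_import_request(base_url, token, rep)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return (resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return (err.code, err.read().decode("utf-8", "replace"))
    except urllib.error.URLError as err:
        return (0, str(err.reason))


if __name__ == "__main__":
    # Placeholder host and token; a successful create answers 201 with no body.
    print(import_realm("https://sso.example.com", "ADMIN_TOKEN",
                       realm_representation("TestRealm")))
```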
Migration Problem
by Alessandro Segatto
Hi, after upgrading from 1.7 to 1.9.1 I get this error when trying to
login with a master realm user:
10:52:45,478 WARN [org.keycloak.hash.PasswordHashManager] (default
task-101) Could not find hash provider HmacSHA1 for password
10:52:45,478 WARN [org.keycloak.events] (default task-101)
type=LOGIN_ERROR, realmId=master, clientId=security-admin-console,
userId=614f9a9e-37a2-4fa8-aa62-5a8c547c5f58, ipAddress=127.0.0.1,
error=invalid_user_credentials, auth_method=openid-connect, auth_type=code,
redirect_uri=https://localhost:8443/auth/admin/master/console/,
code_id=1a3b9e6d-538c-46c0-9762-6a92b76fcaec, username=xxx
The password is right, so I guess the problem is in the first warning ... how
can I fix this?
Thank-you in advance,
Alessandro
--
Ing. Alessandro Segatto
Software Engineer
Research and Development
*ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
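Added example (not code from the post above and not Keycloak's own code): an offline check of a stored password credential, showing why a credential whose algorithm names no installed hash provider can never verify and turns every login into invalid_user_credentials. The credential layout used here (PBKDF2 with HMAC-SHA1, base64 salt and hash, 512-bit derived key, iteration count in hashIterations) is my understanding of the 1.x pbkdf2 provider and should be treated as an assumption; the sample credential is constructed in the script.

```python
"""Offline check of a stored password credential in the layout Keycloak's
'pbkdf2' hash provider uses, and of whether its algorithm names a provider
at all.

Added example; not Keycloak code. The credential layout (PBKDF2 with
HMAC-SHA1, base64 salt and hash, 512-bit derived key, iteration count in
'hashIterations') is an assumption about the 1.x provider; the sample
credential is constructed here.
"""
import base64
import hashlib
import hmac
import os

# provider id -> (HMAC digest, derived key length in bytes); assumed, see above
HASH_PROVIDERS = {"pbkdf2": ("sha1", 64)}


def make_credential(password, iterations=20000, salt=None, algorithm="pbkdf2"):
    """Build a credential record the way a provider would store it."""
    if algorithm not in HASH_PROVIDERS:
        raise ValueError(f"no hash provider for {algorithm!r}")
    digest, dklen = HASH_PROVIDERS[algorithm]
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt, iterations, dklen)
    return {
        "type": "password",
        "algorithm": algorithm,
        "hashIterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "value": base64.b64encode(dk).decode("ascii"),
    }


def provider_problem(credential):
    """Mirror of the log line: None if the algorithm has a provider, else the
    reason the password can never verify."""
    alg = credential.get("algorithm")
    if alg in HASH_PROVIDERS:
        return None
    return f"Could not find hash provider {alg} for password"


def verify_password(credential, password):
    """Constant-time comparison of the recomputed hash with the stored one.
    Returns False, not an exception, when the algorithm is unknown, which is
    what a login attempt turns into: invalid_user_credentials."""
    if provider_problem(credential) is not None:
        return False
    digest, _ = HASH_PROVIDERS[credential["algorithm"]]
    expected = base64.b64decode(credential["value"])
    actual = hashlib.pbkdf2_hmac(
        digest,
        password.encode("utf-8"),
        base64.b64decode(credential["salt"]),
        int(credential["hashIterations"]),
        len(expected),
    )
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    cred = make_credential("correct horse battery staple", iterations=1000)
    print(verify_password(cred, "correct horse battery staple"))    # True
    broken = dict(cred, algorithm="HmacSHA1")   # same hash, algorithm renamed
    print(provider_problem(broken))
    print(verify_password(broken, "correct horse battery staple"))  # False
```

The practical check for a migrated realm is therefore to compare the algorithm stored on the credentials (and the realm's hash algorithm setting) against the provider ids the running server actually has; a mismatch fails closed for every user of that realm.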
Keycloak not falling back in Chrome
by Hugh Riley
Original attempt to post this was rejected ("No reason given"). Not sure why - if I'm violating any protocol or rule, please let me know.
All,
Recently, we made a change to our group policy object for Chrome that enables Kerberos delegation for our domain (setting Authentication Server whitelist and Kerberos Delegation server whitelist to *.domain.com). However, the change seems to have triggered an issue with Keycloak-backed sites. Upon going to a protected page, we get a failure page, but no prompt to enter credentials. Correct me if I'm wrong, but shouldn't Keycloak fall back to prompting for credentials when Kerberos isn't supported for that Client or if the ticket is invalid for some other reason?
After the change, when we go to a Keycloak site, we get a page saying
We're sorry ...
Invalid username or password.
In the Keycloak log we see:
16:49:30,218 WARN [org.keycloak.models.UserFederationManager] (default task-41) Don't have provider supporting credentials of type kerberos
16:49:30,222 WARN [org.keycloak.events] (default task-41) type=LOGIN_ERROR, realmId=<RealmName>, clientId=<ClientID>, userId=null, ipAddress=https, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://protectedsite.domain.com/protected/redirect_uri, code_id=blah-blah, response_mode=query
16:49:30,223 ERROR [org.keycloak.services] (default task-41) KC-SERVICES0013: failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:184)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:664)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:270)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:116)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
This happens with Chrome version 48.0.2564.116 m and Keycloak 1.6 (running under Wildfly 9) and Keycloak 1.9.1 (running under Wildfly 10).
Thanks in advance.
Hugh
Keycloak LDAP pagination for fetching groups?
by Jason Axley
Active Directory sets a max page size by default of 1000 entries. I'm seeing my READ_ONLY LDAP connection only ever returning a maximum of 1000 groups from LDAP. Is it supposed to support pagination?
The method seeing this limit is in GroupLDAPFederationMapper.java:
public UserFederationSyncResult syncDataFromFederationProviderToKeycloak() {
LDAPQuery.java method
public List<LDAPObject> getResultList() {
Calls LDAPQuery.java fetchQueryResults()
Which has this condition to check for pagination:
if (getConfig().isPagination() && identityQuery.getLimit() > 0) {
I have pagination set to True, but the identityQuery has a limit set to 0, so it never enters the pagination branch. Am I missing something about how to configure the group mapper to support pagination to fetch more than 1000 entries?
What this causes right now is for Keycloak to not see a user as a member of a group that they are a member of because many groups beyond the 1000 have not been synchronized into Keycloak.
I wonder if it would be better to support a Just-in-Time synchronization of just the groups that users are members of rather than syncing all groups and trying to do a union between the user groups and LDAP groups? I’d love to not have every group in the system anyhow as it gets really unwieldy in the UI.
-Jason
Jason Axley
Sr. Security Engineer, Expedia Worldwide Engineering Team
425-679-4157 (o) | 206-484-2778 (m) | 206-55-AXLEY (gv)
333 108th Ave NE, 9S-282, Bellevue, WA 98004
EWE Security Wiki<https://confluence/display/POS/EWE+Security>
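Added example (not code from the post above and not Keycloak or ldap3 code): a simulation of what the quoted condition does against a directory with a 1000-entry size limit. The directory, its limit and the page cookie are constructed here; a real client sends the Simple Paged Results control (RFC 2696), for instance ldap3's Connection.extend.standard.paged_search, and the server hands back the cookie. It shows that with the pagination flag on but a query limit of 0 the sync silently stops at 1000 groups and a membership beyond that is lost, while a paged loop fetches all of them.

```python
"""Why a group sync against Active Directory stops at 1000 entries, and
what a paged search does differently.

Added example; not Keycloak or ldap3 code. The directory, its 1000-entry
size limit and the page cookie are simulated here; a real client sends the
Simple Paged Results control (RFC 2696) and the server returns the cookie.
"""

SERVER_MAX_PAGE_SIZE = 1000   # Active Directory's default MaxPageSize


class FakeDirectory:
    """A directory that enforces MaxPageSize like AD does."""

    def __init__(self, group_dns):
        self.group_dns = list(group_dns)

    def search(self, page_size=None, cookie=""):
        """Return (entries, next_cookie). Without the paged control the
        result is truncated to the size limit; with it, one page per call
        and an empty cookie once the last page is out."""
        if page_size is None:
            return self.group_dns[:SERVER_MAX_PAGE_SIZE], ""
        start = int(cookie) if cookie else 0
        end = min(start + min(page_size, SERVER_MAX_PAGE_SIZE), len(self.group_dns))
        next_cookie = str(end) if end < len(self.group_dns) else ""
        return self.group_dns[start:end], next_cookie


def uses_pagination(pagination_enabled, query_limit):
    """The condition quoted from LDAPQuery.fetchQueryResults: paging happens
    only when the config flag is on AND the query carries a positive limit."""
    return pagination_enabled and query_limit > 0


def fetch_groups(directory, pagination_enabled, query_limit):
    """Fetch every group the way the condition above allows."""
    if not uses_pagination(pagination_enabled, query_limit):
        entries, _ = directory.search()
        return entries
    found, cookie = [], ""
    while True:
        page, cookie = directory.search(page_size=query_limit, cookie=cookie)
        found.extend(page)
        if not cookie:
            return found


def groups_lost_for_user(user_group_dns, synced_group_dns):
    """Memberships Keycloak cannot see because the group was never synced."""
    return sorted(set(user_group_dns) - set(synced_group_dns))


def demo():
    # Constructed directory: 2500 groups, a user in group 5 and group 2400.
    groups = [f"cn=group{i:04d},ou=groups,dc=example,dc=com" for i in range(2500)]
    directory = FakeDirectory(groups)
    user_groups = [groups[5], groups[2400]]
    truncated = fetch_groups(directory, pagination_enabled=True, query_limit=0)
    complete = fetch_groups(directory, pagination_enabled=True, query_limit=1000)
    return {
        "truncated": len(truncated),
        "complete": len(complete),
        "lost_with_limit_0": groups_lost_for_user(user_groups, truncated),
        "lost_with_paging": groups_lost_for_user(user_groups, complete),
    }


if __name__ == "__main__":
    print(demo())
```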
Display specific 'token expired error message' when user tries to perform a 'user action' for which the token has expired?
by Edgar Vonk - Info.nl
hi,
Somewhat related to https://issues.jboss.org/browse/KEYCLOAK-2125 (User Actions email link expires too early): when a user clicks on a ‘users action’ link and the token has expired we would like to show a specific error message to the user informing him/her of this. E.g. "We're sorry. The (temporary) token in the link you tried to access has expired. Please contact your administrator."
Right now when a token (/user session) has expired and the user clicks on the user actions link in the email he/she sees the generic Keycloak account error screen: "We're sorry. An error occurred, please login again through your application.". The user now has no idea what went wrong and in our case cannot even login again as the user has no password yet.
If I am not mistaken currently this is not possible because the original error code is not passed on to the error page (error.ftl) from FreeMarkerLoginFormsProvider#createResponse because the rendered page is of type "ERROR" in which case the original (error) message (#getFirstMessageUnformatted()) is not added to the list of attributes for the FTL?
Am I correct in this? If so does it make sense to create a feature request JIRA ticket for it?
cheers
Edgar
Couple of issues identified in 1.9.0.Final
by Lohitha Chiranjeewa
Hi,
When we were testing out 1.9.0.Final, we came across two issues:
1) NullPointerException during DB migration (from 1.7.0 to 1.9.0) because
of an issue in org.keycloak.migration.migrators.MigrateTo1_9_0.java class.
Basically if realm.getDisplayNameHtml() is null, the exception gets thrown.
2) Cannot map the access codes returned after authentication to the
AccessTokenResponse.java class. A jsonifying error occurs. Seems this has
something to do with @JsonProperty annotation that has impacted with
Jackson version upgrade.
Are these issues already tracked? If not I can create JIRAs.
Regards,
Lohitha.
Is a Keycloak server compatible with applications with older adapters ?
by Orestis Tsakiridis
Hello!
Is it possible to secure applications using old adapters (say 1.6.1) with a
keycloak server of more recent version (say 1.9.0) ?
The question boils down to what is the proper upgrade policy in a keycloak
secured system with many applications provided by different customers. If
an application with an old adapter does not work with a newer keycloak
server then it seems all (both keycloak and applications) should be
upgraded in a single step.