Connect app permanently to a service
by Juan Diego
Hi,
I am not sure on some terms, but what type of client should I create on Keycloak? I want my app to be able to connect to another app's REST services without any login from any users. Is there an example for apps to connect without any intervention of the users?
Thanks
Juan
8 years, 8 months
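The no-user-involved flow Juan is asking about is the OAuth 2.0 client credentials grant, which Keycloak exposes for confidential clients that have service accounts enabled. What follows is an added example, not code from the post or from the Keycloak project: a small service-account token client that posts to the realm's token endpoint with the client id and secret in a Basic Authorization header, caches the returned access token until shortly before it expires, and attaches it as a bearer token to calls to the other application's REST API. The realm name, client id, secret and hostnames are constructed placeholders; the token endpoint path follows Keycloak's `/auth/realms/{realm}/protocol/openid-connect/token` layout, and `http_post` and `clock` are injectable so the logic can run without a live server.

```python
"""Machine-to-machine access to a REST service protected by Keycloak.

Added example, not code from the original post. It assumes a Keycloak client
configured with access type "confidential" and "Service Accounts Enabled", so
the OAuth 2.0 client credentials grant can be used without any user logging
in. The realm name, client id, client secret and hostnames are constructed
placeholders.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token"  # constructed
CLIENT_ID = "inventory-service"        # constructed
CLIENT_SECRET = "replace-with-secret"  # constructed placeholder; load from a secret store in practice


def build_token_request(token_url, client_id, client_secret):
    """Return (url, body, headers) for a client_credentials token request.

    The secret travels in an HTTP Basic Authorization header (RFC 6749
    section 2.3.1), never in the query string, so it stays out of access logs.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return token_url, body, headers


def _urllib_post(url, body, headers):
    """Default transport: POST and return (status, raw response body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ServiceTokenSource:
    """Fetches a service-account token and reuses it until shortly before expiry.

    Requesting a fresh token for every REST call would turn the token endpoint
    into a bottleneck and flood Keycloak's event log; caching by expires_in
    avoids that. http_post and clock are injectable for offline testing.
    """

    def __init__(self, token_url, client_id, client_secret,
                 http_post=_urllib_post, clock=time.time, leeway=30):
        self.token_url, self.client_id, self.client_secret = token_url, client_id, client_secret
        self.http_post, self.clock, self.leeway = http_post, clock, leeway
        self._token, self._expires_at = None, 0.0

    def token(self):
        """Return a cached access token, refreshing it within `leeway` seconds of expiry."""
        if self._token is None or self.clock() >= self._expires_at - self.leeway:
            url, body, headers = build_token_request(self.token_url, self.client_id, self.client_secret)
            status, payload = self.http_post(url, body, headers)
            if status != 200:
                raise RuntimeError(f"token endpoint returned HTTP {status}")
            data = json.loads(payload)
            if data.get("token_type", "").lower() != "bearer":
                raise RuntimeError("unexpected token_type in response")
            self._token = data["access_token"]
            self._expires_at = self.clock() + int(data["expires_in"])
        return self._token


def bearer_headers(token_source):
    """Headers for calling the other application's REST service."""
    return {"Authorization": "Bearer " + token_source.token()}


if __name__ == "__main__":
    source = ServiceTokenSource(TOKEN_URL, CLIENT_ID, CLIENT_SECRET)
    req = urllib.request.Request("https://inventory.example/api/items",  # constructed
                                 headers=bearer_headers(source))
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.read()[:200])
```

On the Keycloak side the resulting access token carries the client's service-account user (`service-account-<client id>`), so the called REST service can authorise it with ordinary roles assigned to that service account rather than to a human user.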
Adding custom FormAction
by Kyle Renfro
Keycloak 1.9.1-Final
I'm having some trouble implementing a custom FormAction in an authentication flow. I've hit a wall and decided to step back and make sure that I am performing the correct steps in the Keycloak admin interface to add a FormAction to a flow. As a test, I want to remove and then add the stock "Profile Validation" execution to a Registration flow. I'm getting a (hopefully reproducible) exception performing the following steps. I'm attempting to follow the documentation in section "34.5.3 Adding FormAction to the Registration Flow":
1. Click main "Authentication" link.
2. Select "Registration" flow
3. Press "Copy" button to get a flow I can edit
4. Name the copy "test"
5. From the "Actions" pull down for the "Profile Validation" execution, choose "Delete"
6. From the "Actions" pull down for the "Test Registration Form", choose "Add Execution"
7. Select the "Profile Validation" provider and press "Save"
I get the message "Error! An unexpected server error has occurred."
Is this reproducible? Am I missing a step here or perhaps not
understanding something?
Thanks for your help!
Kyle
Here is the stacktrace from keycloak logs:
08:58:13,611 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-101) RESTEASY002005: Failed executing POST /admin/realms/master/authentication/flows/test registration form/executions/execution: org.jboss.resteasy.spi.BadRequestException: No authentication provider found for id: registration-profile-action
    at org.keycloak.services.resources.admin.AuthenticationManagementResource.addExecution(AuthenticationManagementResource.java:394)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
8 years, 8 months
Keycloak Password Hashing Suggestion request
by Rajkiran K
Hi,
We have a requirement where we need to migrate users *(in bulk, from a users JSON file; all users need to be migrated in one go)* into Keycloak users without resetting their passwords. In our existing system, user passwords are hashed with the bcrypt algorithm with strength 10. In our observation the Password Hashing SPI supports the PBKDF2 algorithm. Does this Password Hashing SPI support the bcrypt algorithm with strength 10? Is it possible to migrate all users into Keycloak without resetting their passwords? Also, is there any way to use the same bcrypt password hash from the existing system in the Keycloak database?
If it is possible, can you please provide any documentation for implementing this requirement. Thanks in advance.
Thanks
Raj Kiran
8 years, 8 months
Re: [keycloak-user] Login works sometimes, sometimes doesn't
by Jesse Chahal
From what I can tell we don't have a filter adding caching to HTTP 302 calls. I did not update the distributed-cache settings to have more than one owner. I made the update after the fact and restarted Keycloak. This did not fix the problem and I still end up with the same stacktraces I sent out in the original email. This setting is a bit worrying to me as I would have to hardcode the cache to distribute to a specific number of nodes rather than distribute the cache to all nodes within the cluster. We will be doing elastic load balancing to dynamically increase and decrease the number of Keycloak nodes in the cluster. It seems once we have ended up in this state it is impossible to undo? There might have been something persisted to the database that made this issue permanent? We definitely had Keycloak 1.9.1 working before we switched from running a single instance without HA mode to HA mode. HA mode did appear to work for a while until we had terminated one of the nodes in the cluster. We enabled HA mode based on some comments made by others on the user distribution list. I believe the thread was on http://lists.jboss.org/pipermail/keycloak-user/2016-April/005667.html. It was on the same version of Keycloak as us but was running on ECS (docker) instead of EC2.
Preferably I would like to turn the cache off entirely as we are not currently restricted by performance issues right now. Is there a way to completely turn off the cache so I could run multiple Keycloak instances without needing to run in HA mode? I did see some Keycloak PRs that had added sections to keycloak-server.json which set the session cache to true/enabled. Couldn't I simply set it to false/disabled to achieve the desired result?
Thanks,
Jesse
> Date: Wed, 13 Apr 2016 23:13:46 -0400
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] Login works sometimes, sometimes doesn't
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <570F0AEA.9010102(a)redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> These problems only happen when a cluster node dies? If so:
>
> How are you setting up the distributed cache for user sessions? If you
> have only 1 owner, then the session is only replicated on one node.
> This is the default behavior.
>
> <distributed-cache name="sessions" mode="SYNC" owners="1"/>
>
> 302 redirects should not be cached by the browser unless a Cache-Control
> header is set. Do you have a filter doing this?
>
> http://stackoverflow.com/questions/12212839/how-long-is-a-302-redirect-sa...
>
>
>
> On 4/13/2016 9:53 PM, Jesse Chahal wrote:
>> Hi,
>>
>> So it looks like the previous fix to the logout URL did the trick.
>> I've now run into a much harder to solve problem (and harder to
>> describe). We are inconsistently able to login to our client
>> applications using keycloak for authentication. Trying the same
>> username+password has about an 80% chance of logging you in correctly.
>> It has a 15% chance of logging you in correctly if a keycloak node
>> within a keycloak cluster dies. I made up the %'s but its based on
>> what we are observing. So a user is actually able to login in the
>> sense of putting in a username+password and getting redirected to the
>> client applications, after that things may or may not go wrong. Often
>> times they will access the client application with the correct role
>> and everything will work ok. Sometimes though if something goes wrong
>> they will be redirected back to the client and will not be able to
>> access the client correctly. The below stacktraces usually show up in
>> those cases. I think it might be related to keycloak cache + browser
>> cache having weird issues as the only way to I've seen to resolve this
>> issues is to destroy the session cache within keycloak and get rid of
>> the browser cache (browser cache is more of a fault of the client app
>> probably). Even with this it can take multiple attempts before a user
>> regains the ability to go to the keycloak admin page and still may or
>> may not lead to a successful redirect to the client with a correctly
>> authenticated account (could start this whole weird loop again with
>> the stacktraces below). I don't know if anyone has come into an issue
>> like this. I was also hoping to find examples of client applications
>> that have their own accounts which somehow get mapped to keycloak
>> accounts but I haven't seen any.
>>
>>
>> Environment
>> ------------------------
>> - keycloak 1.9.1.Final
>> - running using standalone-HA.xml
>> - using JGroups+JDBC_Ping
>> - postgres database
>> - on AWS
>> - some global roles (set on user accounts)
>>
>> Client
>> ------------
>> - running on Wildfly10
>> - using keycloak subsystem
>> - client protocol = openid-connect
>> - access type = confidential
>> - standard flow enabled
>> - client authenticator = client id and secret
>>
>>
>> Keycloak 1.9.1 server error
>> -------------------------------------------
>> 2016-04-14 01:20:11,112 WARN [org.keycloak.events] (default task-17)
>> type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890,
>> clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0,
>> error=invalid_code, grant_type=authorization_code,
>> code_id=b2744ba1-7f74-4849-8077-b17659af3095,
>> client_auth_method=client-secret
>> 2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2)
>> type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
>> some_wildfly_client, userId=null, ipAddress=123.456.789.0,
>> error=invalid_code, grant_type=authorization_code,
>> code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
>> client_auth_method=client-secret
>> 2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2)
>> type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=
>> some_wildfly_client, userId=null, ipAddress=123.456.789.0,
>> error=invalid_code, grant_type=authorization_code,
>> code_id=58a57076-1f8e-404e-813b-13c31abe8efb,
>> client_auth_method=client-secret
>>
>>
>>
>> Wildfly 10 client server error:
>> -----------------------------------------
>> 01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
>> (default task-13) [gwt_pc3q14cr_101 blah(a)example.com ] failed to turn
>> code into token
>> 01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
>> (default task-13) [gwt_pc3q14cr_101 blah(a)example.com ] status from
>> server: 400
>> 01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
>> (default task-13) [gwt_pc3q14cr_101 blah(a)example.com ]
>> {"error_description":"Code not found","error":"invalid_grant"}
8 years, 9 months
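The cache line Bill quotes is the setting that decides how many nodes hold each user session. As an added illustration, not taken from the thread or from a Keycloak distribution, here is that default beside the variant that keeps a second copy; the surrounding `standalone-ha.xml` location (Infinispan subsystem, the `keycloak` cache container) is assumed from Keycloak 1.9's HA profile. In Infinispan, `owners` is the number of replica copies of each entry, not the size of the cluster, so `owners="2"` survives the loss of one node however many nodes are currently joined, which addresses the elastic-scaling worry raised above.

```xml
<!-- standalone-ha.xml, Infinispan subsystem, cache-container "keycloak" (location assumed) -->

<!-- Default: each session entry lives on exactly one node. When that node
     dies, the session and any pending authorization code are gone, and the
     client's code-to-token exchange fails with invalid_code / "Code not found". -->
<distributed-cache name="sessions" mode="SYNC" owners="1"/>

<!-- Two copies of each entry, placed on different nodes. The cluster can lose
     one node without losing sessions; owners counts replicas, not nodes, so
     this works unchanged as nodes are added or removed. -->
<distributed-cache name="sessions" mode="SYNC" owners="2"/>
```

The same `owners` attribute applies to the other distributed caches in that container (login failures, offline sessions), and the change only takes effect once every node in the cluster runs the new configuration.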
Re: [keycloak-user] Does Keycloak adhere to the JCA (Java Cryptography Architecture)? i.e. if I change the JVM's crypto provider, keycloak should use that.
by jazz
Hi Akshay, Stian and Marko,
This question helps me with something similar I asked yesterday. I enabled strong ciphers in the JVM (JCE installed). However, when I switch SSL logging on using "-Djavax.net.debug=ssl:handshake" I see that the strong ciphers on the ssl proxy (ECDHE) are not supported (hence the message "Ignoring unsupported cipher suite").
2016-04-13 22:05:43,040 INFO [stdout] (default task-15) Allow unsafe renegotiation: false
2016-04-13 22:05:43,042 INFO [stdout] (default task-15) Allow legacy hello messages: true
2016-04-13 22:05:43,043 INFO [stdout] (default task-15) Is initial handshake: true
2016-04-13 22:05:43,044 INFO [stdout] (default task-15) Is secure renegotiation: false
2016-04-13 22:05:43,048 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,049 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,050 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,050 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 22:05:43,051 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 22:05:43,052 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 22:05:43,055 INFO [stdout] (default task-15) %% No cached client session
2016-04-13 22:05:43,056 INFO [stdout] (default task-15) *** ClientHello, TLSv1.2
2016-04-13 22:05:43,058 INFO [stdout] (default task-15) RandomCookie: GMT: 1460512151 bytes = { 14, 53, 153, 224, 92, 2, 43, 139, 161, 201, 181, 69, 65, 9, 110, 156, 40, 223, 11, 184, 237, 137, 9, 239, 221, 180, 164, 163}
2016-04-13 22:05:43,059 INFO [stdout] (default task-15) Session ID: {}
2016-04-13 22:05:43,060 INFO [stdout] (default task-15) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Which ciphers are used by the Bouncycastle provider? Can I enable the use of ECDHE ciphers? These ciphers are enabled in the ssl proxy:
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
Best regards, Bart
Message: 2
Date: Thu, 14 Apr 2016 13:28:19 +0200
From: Stian Thorgersen <sthorger(a)redhat.com>
Subject: Re: [keycloak-user] Does Keycloak adhere to the JCA (Java
Cryptography Architecture)? i.e. if I change the JVM's crypto
provider, keycloak should use that.
To: Akshay Kini <kga.official(a)gmail.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID:
<CAJgngAcMjw2g8Ti425RqDKiD1b2FDfeO6F+nb+1KS97AXMoq7w(a)mail.gmail
.com>
Content-Type: text/plain; charset="utf-8"
Afraid it's hardcoded to use Bouncycastle as the provider. You can open a JIRA for it though.
8 years, 9 months
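Bart's ClientHello offers only RSA and DHE key exchange while the proxy's `ssl_ciphers` accepts ECDHE suites only, so the two lists have no suite in common and the handshake cannot complete. Reading that off two differently-named lists by eye is error-prone (Java logs IANA names such as `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`, nginx/OpenSSL use `ECDHE-RSA-AES256-GCM-SHA384`), so here is an added diagnostic, not code from the thread: it parses the `Cipher Suites:` list out of `-Djavax.net.debug` output, converts the nginx directive's OpenSSL names to IANA names for the AES families (which covers both lists above), and reports the intersection in the server's preference order. `SAMPLE_LOG` and `SAMPLE_SSL_CIPHERS` are constructed to mirror the post.

```python
"""Do the JVM's offered TLS cipher suites overlap with the proxy's ssl_ciphers?

Added example, not part of the original thread. openssl_to_iana() handles the
AES-based suite families only; anything else (3DES, ChaCha20, ...) maps to None
and is ignored. SAMPLE_LOG and SAMPLE_SSL_CIPHERS are constructed inputs.
"""
import re

# Constructed: an abbreviated javax.net.debug ClientHello as WildFly logs stdout.
SAMPLE_LOG = """\
2016-04-13 22:05:43,056 INFO [stdout] (default task-15) *** ClientHello, TLSv1.2
2016-04-13 22:05:43,059 INFO [stdout] (default task-15) Session ID: {}
2016-04-13 22:05:43,060 INFO [stdout] (default task-15) Cipher Suites:
[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
"""

# Constructed: an ECDHE-only nginx directive like the one in the post.
SAMPLE_SSL_CIPHERS = (
    "ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;"
)

# OpenSSL short name: [kx-][auth-]AES<bits>-[GCM-]<mac>
_OPENSSL_AES = re.compile(
    r"(?:(ECDHE|DHE)-)?(?:(RSA|ECDSA|DSS)-)?AES(128|256)-(?:(GCM)-)?(SHA|SHA256|SHA384)"
)


def openssl_to_iana(name):
    """Translate an OpenSSL AES suite name to its IANA name, or None if not handled."""
    m = _OPENSSL_AES.fullmatch(name.strip())
    if not m:
        return None
    kx, auth, bits, mode, mac = m.groups()
    if kx is None and auth in (None, "RSA"):
        prefix = "RSA"                  # bare AES128-SHA etc. mean RSA key exchange in OpenSSL
    elif kx is not None and auth is not None:
        prefix = f"{kx}_{auth}"         # e.g. ECDHE_RSA, DHE_DSS
    else:
        return None
    return f"TLS_{prefix}_WITH_AES_{bits}_{mode or 'CBC'}_{mac}"


def parse_ssl_ciphers(directive):
    """Split an nginx 'ssl_ciphers A:B;' directive into OpenSSL names (dropping !exclusions)."""
    value = directive.strip()
    if value.startswith("ssl_ciphers"):
        value = value[len("ssl_ciphers"):]
    return [c for c in value.strip().rstrip(";").split(":") if c and not c.startswith("!")]


def parse_client_hello_suites(debug_log):
    """Extract the ClientHello suite list from javax.net.debug output."""
    m = re.search(r"Cipher Suites:\s*\[(.*?)\]", debug_log, re.S)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def negotiable_suites(debug_log, ssl_ciphers_directive):
    """IANA names both sides accept, in the server's order; empty means the handshake fails."""
    offered = set(parse_client_hello_suites(debug_log))
    wanted = (openssl_to_iana(c) for c in parse_ssl_ciphers(ssl_ciphers_directive))
    return [s for s in wanted if s is not None and s in offered]


def offers_ecdhe(debug_log):
    """True if the client offered any ECDHE key exchange at all."""
    return any(s.startswith("TLS_ECDHE_") for s in parse_client_hello_suites(debug_log))


if __name__ == "__main__":
    common = negotiable_suites(SAMPLE_LOG, SAMPLE_SSL_CIPHERS)
    if common:
        print("negotiable:", ", ".join(common))
    else:
        print("no common cipher suite: the handshake against the proxy cannot succeed")
        if not offers_ecdhe(SAMPLE_LOG):
            print("the client offered no ECDHE suites at all")
```

Run against the real log and directive, an empty result with `offers_ecdhe` false points at the JVM's provider configuration rather than at the proxy; a non-empty result means the suite mismatch is not the cause and the handshake failure lies elsewhere.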
Can't add OpenID (Auth0) provider
by Scott Dunbar
Hello,
I'm trying to add an OpenID provider to KeyCloak to use to log in with. I am attempting to use Auth0's provider as that is what the company I'm working with has chosen as an authentication provider. I can use the import feature to get the parameters into KeyCloak and have set my id and secret. Additionally, I changed the Default Scopes to "openid profile email".
I'm trying to test with the KeyCloak console. The first thing I see when
going to http://localhost:8080/auth/admin/ is a 404 when the browser tries
to get
http://localhost:8080/auth/realms/master/protocol/openid-connect/undefined
If I attempt to login anyway with the Auth0 provider I've created I see:
RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException:
RESTEASY003210: Could not find resource for full path:
http://localhost:8080/auth/realms/master/protocol/openid-connect/undefined
several times in the logs and, eventually,
org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9)
Failed to make identity provider oauth callback:
org.keycloak.broker.provider.IdentityBrokerException: token signature
validation failed
I'm using Wildfly 10.0.0.Final, and keycloak-overlay-1.9.1.Final. This installation is pretty much "out of the box" - I've done nothing more than extract Wildfly, extract KeyCloak, run keycloak-install.cli, and create a user.
Any pointers on what I'm messing up?
--
Scott Dunbar
Cell: 303 667 6343
8 years, 9 months
Internal and External Keycloak IDP's
by Travis De Silva
Hi,
I have a client that, as per their corporate security policy, requires a separate KeyCloak instance for external users and a separate one for internal users.
The external one is located in a different DMZ zone and the internal one is located inside the firewall.
The internal and external client applications are also different. Each of these client applications connects to a common Java services layer (JAX-RS based REST APIs).
The Java Restful services are located in the same zone as the internal
KeyCloak IDP. External users can access these services via proxy and
firewall controls.
My issue is how do I secure the common services war against two IDP's?
Option 1
Had a look at the multi-tenant example (https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant), which is the closest to my use case, but it seems to work off a single or clustered Keycloak instance and not separate Keycloak instances.
Option 2
My next idea is to maybe store the keys from the two different Keycloak instances on the services.war and then have a filter that will read the token and validate it against those keys. But this means I will not be able to use the standard Java security annotations in my services classes to protect the classes/methods via annotations.
Option 3
Can I use the internal Keycloak instance to somehow use the external
keycloak instance as a federated user provider? Then I am hoping to secure
the common war against the internal keycloak? Is this a viable option to
explore?
Has anyone encountered a similar use case? I suspect this is a common
practice in corporate environments?
Cheers
Travis
8 years, 9 months
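Option 2 above, a filter that holds the keys of both Keycloak instances and validates incoming tokens against them, is worth seeing in code because of the one rule it must enforce: the token's `iss` claim may only select a key from a fixed allow-list, and it must never be trusted on its own. What follows is an added example, not code from the post or from Keycloak. To stay offline and standard-library only it uses HS256 with one shared secret per issuer; Keycloak signs access tokens with RS256 using each realm's key pair, so a production filter would swap in an RSA signature check and load each instance's public key, leaving the issuer, expiry and audience logic unchanged. `make_token` stands in for the IdP side purely so the verifier can be exercised; issuer URLs, secrets and the audience are constructed placeholders.

```python
"""Validate bearer tokens from two Keycloak instances by keying the
verification key on the token's issuer (the filter sketched in Option 2).

Added example, not code from the post. Assumes HS256 tokens with one shared
secret per issuer so it runs offline; Keycloak really uses RS256, so a real
filter would replace the HMAC check with an RSA signature check over the
same signing input. All identifiers below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

INTERNAL_ISSUER = "https://idp-internal.example/auth/realms/corp"      # constructed
EXTERNAL_ISSUER = "https://idp-external.example/auth/realms/partners"  # constructed
INTERNAL_KEY = b"internal-demo-secret"  # constructed
EXTERNAL_KEY = b"external-demo-secret"  # constructed
SERVICE_AUDIENCE = "services"           # constructed: the aud the common war expects


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(issuer, key, claims):
    """Stand-in for the IdP: mint an HS256 JWT carrying the given claims plus iss."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iss=issuer)
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class MultiIssuerVerifier:
    """Verifies tokens from a fixed set of issuers.

    The iss claim only chooses which key to try; a token naming an issuer that
    is not in keys_by_issuer is rejected outright, so the filter can never be
    pointed at a key the attacker controls.
    """

    def __init__(self, keys_by_issuer, audience, clock=time.time):
        self.keys = dict(keys_by_issuer)
        self.audience = audience
        self.clock = clock

    def verify(self, token):
        """Return the claims of a valid token; raise ValueError with the reason otherwise."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h64, p64, s64 = parts
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        if header.get("alg") != "HS256":        # the token must not get to choose the algorithm
            raise ValueError("unsupported alg")
        issuer = payload.get("iss")
        key = self.keys.get(issuer) if isinstance(issuer, str) else None
        if key is None:
            raise ValueError("unknown issuer")
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            raise ValueError("bad signature")
        exp = payload.get("exp")
        if not isinstance(exp, (int, float)) or exp <= self.clock():
            raise ValueError("expired")
        aud = payload.get("aud")
        if not (aud == self.audience or (isinstance(aud, list) and self.audience in aud)):
            raise ValueError("wrong audience")
        return payload


def verify_outcome(verifier, token):
    """'ok' for a valid token, otherwise the rejection reason."""
    try:
        verifier.verify(token)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    verifier = MultiIssuerVerifier({INTERNAL_ISSUER: INTERNAL_KEY, EXTERNAL_ISSUER: EXTERNAL_KEY},
                                   SERVICE_AUDIENCE)
    exp = int(time.time()) + 300
    good = make_token(EXTERNAL_ISSUER, EXTERNAL_KEY, {"sub": "partner-user", "aud": SERVICE_AUDIENCE, "exp": exp})
    forged = make_token(INTERNAL_ISSUER, EXTERNAL_KEY, {"sub": "partner-user", "aud": SERVICE_AUDIENCE, "exp": exp})
    print("external token:", verify_outcome(verifier, good))
    print("external key claiming internal issuer:", verify_outcome(verifier, forged))
```

The second demo case is the one that matters for the two-IdP design: a token signed by the external instance but claiming the internal issuer is rejected on signature, so roles granted by the DMZ-side IdP cannot be replayed as internal ones. The verified claims can then be mapped onto a security context so that the container's role checks keep working behind the filter.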