Production hosting requirements for Keycloak
by Richard Lavallee
Where can I find a list of minimum production requirements for hosting Keycloak instance(s) on CentOS 7 and Microsoft Windows?
E.g. number of CPUs, app server, database requirements, RAM, disk space.
Thanks
-Richard
8 years, 8 months
DSA_SHA1 error
by Emanuel Couto
I'm getting the following error when trying to connect to a SAML 2.0
identity provider:
15:57:50,387 ERROR [org.keycloak.services] (default task-27) couldNotSendAuthenticationRequestMessage: org.keycloak.broker.provider.IdentityBrokerException: Could not create authentication request.
    at org.keycloak.broker.saml.SAMLIdentityProvider.performLogin(SAMLIdentityProvider.java:124)
    at org.keycloak.services.resources.IdentityBrokerService.performLogin(IdentityBrokerService.java:157)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.saml.common.exceptions.ProcessingException: javax.xml.crypto.dsig.XMLSignatureException: PL00100: Signing Process Failure:
    at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.signSAMLDocument(SAML2Signature.java:162)
    at org.keycloak.saml.BaseSAML2BindingBuilder.signDocument(BaseSAML2BindingBuilder.java:266)
    at org.keycloak.saml.BaseSAML2BindingBuilder$BasePostBindingBuilder.<init>(BaseSAML2BindingBuilder.java:145)
    at org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder$PostBindingBuilder.<init>(JaxrsSAML2BindingBuilder.java:38)
    at org.keycloak.protocol.saml.JaxrsSAML2BindingBuilder.postBinding(JaxrsSAML2BindingBuilder.java:87)
    at org.keycloak.broker.saml.SAMLIdentityProvider.performLogin(SAMLIdentityProvider.java:119)
    ... 48 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: PL00100: Signing Process Failure:
    at org.keycloak.saml.common.DefaultPicketLinkLogger.signatureError(DefaultPicketLinkLogger.java:184)
    ... 54 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: java.security.InvalidKeyException: can't identify DSA private key.
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:403)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.signImpl(XMLSignatureUtil.java:624)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.sign(XMLSignatureUtil.java:347)
    at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.sign(SAML2Signature.java:143)
    at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.signSAMLDocument(SAML2Signature.java:160)
    ... 53 more
Caused by: java.security.InvalidKeyException: can't identify DSA private key.
    at org.bouncycastle.jcajce.provider.asymmetric.dsa.DSAUtil.generatePrivateKeyParameter(Unknown Source)
    at org.bouncycastle.jcajce.provider.asymmetric.dsa.DSASigner.engineInitSign(Unknown Source)
    at java.security.Signature$Delegate.init(Signature.java:1152)
    at java.security.Signature$Delegate.chooseProvider(Signature.java:1112)
    at java.security.Signature$Delegate.engineInitSign(Signature.java:1176)
    at java.security.Signature.initSign(Signature.java:527)
    at org.apache.jcp.xml.dsig.internal.dom.DOMSignatureMethod.sign(DOMSignatureMethod.java:267)
    at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.sign(DOMXMLSignature.java:399)
    ... 57 more
I don't understand this error.
8 years, 8 months
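The innermost cause in the trace above is the BouncyCastle DSA signer being handed a private key it cannot identify as DSA, which is what happens when the XML-DSig signature method selected for the SAML request is DSA_SHA1 but the key used to sign is of another type (Keycloak realm keys are RSA by default). The following is an added example, not Keycloak code, that reproduces that JCA behaviour with a freshly generated RSA key and shows a pre-flight check of key type against the signature-method URI before any signing is attempted. The URI-to-key-algorithm table only lists the standard xmldsig / xmldsig-more URIs; the class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Keycloak code): why a DSA_SHA1 signature method fails
 * with an RSA signing key, and how to reject that combination up front.
 */
public class SamlSignatureKeyCheck {

    // XML-DSig signature-method URI -> JCA key algorithm that method needs.
    static final Map<String, String> REQUIRED_KEY_ALGORITHM = new HashMap<>();
    static {
        REQUIRED_KEY_ALGORITHM.put("http://www.w3.org/2000/09/xmldsig#dsa-sha1", "DSA");
        REQUIRED_KEY_ALGORITHM.put("http://www.w3.org/2000/09/xmldsig#rsa-sha1", "RSA");
        REQUIRED_KEY_ALGORITHM.put("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "RSA");
        REQUIRED_KEY_ALGORITHM.put("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512", "RSA");
        REQUIRED_KEY_ALGORITHM.put("http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256", "EC");
    }

    /** Fails fast, with a readable message, instead of deep inside the XML signature code. */
    static void checkKeyMatchesSignatureMethod(PrivateKey key, String methodUri) {
        String required = REQUIRED_KEY_ALGORITHM.get(methodUri);
        if (required == null) {
            throw new IllegalArgumentException("Unknown signature method: " + methodUri);
        }
        if (!required.equals(key.getAlgorithm())) {
            throw new IllegalArgumentException("Signature method " + methodUri
                + " needs a " + required + " key, but the signing key is " + key.getAlgorithm());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an RSA key pair, the type a Keycloak realm generates by default.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey rsaKey = gen.generateKeyPair().getPrivate();

        // 1. What the trace shows: initialising a DSA signer with a non-DSA key.
        //    The JDK provider's message differs from BouncyCastle's, but it is
        //    the same InvalidKeyException.
        try {
            Signature.getInstance("SHA1withDSA").initSign(rsaKey);
        } catch (InvalidKeyException e) {
            System.out.println("DSA signer rejected the RSA key: " + e.getMessage());
        }

        // 2. The pre-flight check catches the same mismatch before signing starts.
        try {
            checkKeyMatchesSignatureMethod(rsaKey, "http://www.w3.org/2000/09/xmldsig#dsa-sha1");
        } catch (IllegalArgumentException e) {
            System.out.println("Pre-flight check: " + e.getMessage());
        }

        // 3. A method that matches the key type signs normally.
        String rsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
        checkKeyMatchesSignatureMethod(rsaKey, rsaSha256);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(rsaKey);
        sig.update("<samlp:AuthnRequest/>".getBytes(StandardCharsets.UTF_8)); // constructed payload
        System.out.println("RSA-SHA256 signature length: " + sig.sign().length + " bytes");
    }
}
```

The practical fix is to make the two sides agree: either select an RSA signature method (RSA_SHA256 rather than RSA_SHA1, which is only kept for legacy peers) in the identity provider's signature-algorithm setting, or, if the remote IdP really requires DSA, sign with a DSA key. A check like the one above belongs wherever a signing key and an algorithm are paired from configuration, because the XML signature API reports the mismatch only through the provider's InvalidKeyException.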
AJAX(xhr) calls
by Gregory Orciuch
Hi,
we protect our app with the Keycloak WildFly adapter. Generally it's a JEE
app + JSF (PrimeFaces).
The case is: when the SSO session has expired, the user on the web page can still
try to make an AJAX call to the JSF application. At the same time, the adapter intercepts
it and wants to redirect the request to the Keycloak page to re-login
(HTTP 302).
From what I read, AJAX does not support the 302 response well, and in order
to make the browser really redirect, the response should contain an XML with
something like
<?xml version="1.0" encoding="UTF-8"?>
<partial-response>
<redirect url="http://keycloak:8080/auth/..."></redirect>
</partial-response>
Is there a way to make Keycloak aware of AJAX calls and not produce a 302?
I could even contribute and write some code in order to support such a
configuration. Just name the class where I should look.
Cheers,
Gregory
8 years, 8 months
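The mechanism described in the post above, the `<partial-response><redirect url="..."/>` document that jsf.js turns into a browser navigation, can be produced by a servlet filter that wraps the response and rewrites any redirect issued during a JSF ajax request. What follows is an added example written for this page, not code from the Keycloak adapter; the class name, the `/*` mapping and the header-based detection are the example's own choices. One caveat is visible in the stack trace earlier on this page: the WildFly adapter authenticates inside Undertow's ServletAuthenticationCallHandler, which runs before FilterHandler, so a redirect the adapter itself issues for an expired session never reaches a servlet filter. The filter below converts redirects raised in the servlet layer (an application-level session check, JSF navigation, or your own code); converting the adapter's redirect needs the same logic in an Undertow handler in front of the authentication mechanism.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/**
 * Added example (not Keycloak adapter code): for JSF ajax requests, replace a
 * 302 issued in the servlet layer with a 200 carrying the JSF partial-response
 * redirect envelope, which jsf.js executes as a full-page navigation.
 */
@WebFilter(urlPatterns = "/*")
public class JsfAjaxRedirectFilter implements Filter {

    /** jsf.js sets Faces-Request: partial/ajax; jQuery-based widgets send X-Requested-With. */
    static boolean isJsfAjax(HttpServletRequest req) {
        return "partial/ajax".equals(req.getHeader("Faces-Request"))
            || "XMLHttpRequest".equals(req.getHeader("X-Requested-With"));
    }

    /** Escape for an XML attribute: the Keycloak login URL carries '&'-separated query parameters. */
    static String xmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String partialRedirect(String url) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<partial-response><redirect url=\"" + xmlAttr(url) + "\"></redirect></partial-response>";
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!isJsfAjax(req)) {
            chain.doFilter(request, response);   // normal browsers still get the 302
            return;
        }
        chain.doFilter(request, new HttpServletResponseWrapper(resp) {
            @Override
            public void sendRedirect(String location) throws IOException {
                // Anything already buffered (headers, partial body) is discarded so the
                // client sees only the partial-response document.
                HttpServletResponse r = (HttpServletResponse) getResponse();
                r.reset();
                r.setStatus(HttpServletResponse.SC_OK);
                r.setContentType("text/xml");
                r.setCharacterEncoding("UTF-8");
                r.setHeader("Cache-Control", "no-store");
                PrintWriter out = r.getWriter();
                out.write(partialRedirect(location));
                out.flush();
            }
        });
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

The location is written as given, so it should be the absolute login URL (the container's usual relative-to-absolute resolution in sendRedirect is bypassed). The attribute escaping is not optional: an unescaped `&` in the redirect URL makes the partial-response malformed XML, and jsf.js then reports a malformedXML error instead of navigating. The other way round this problem, which later adapter versions support through the `autodetect-bearer-only` option, is to answer XHR requests with a 401 rather than a 302 and let the page's ajax error handler navigate to the login page itself.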
Re: [keycloak-user] keycloak-nodejs-connect connection issues
by Bruno Oliveira
Hi Elston, I'm including the keycloak-user mailing list. If you haven't
subscribed yet, please do it for further questions.
Have you tried to run the examples from here[1]? What does your realm JSON
file look like?
[1] - https://github.com/keycloak/keycloak-nodejs-connect/tree/master/example
On 2016-05-05, Elston Baretto wrote:
> Hi Bruno
>
> I've been banging my head against a brick wall for a while now and wondering
> if you can rescue me since you're a contributor.
>
> I currently have a loopback app that I'm trying to protect with Keycloak
> and my server/boot/root.js contains:
>
> module.exports = function (server) {
>   var session = require('express-session');
>   var Keycloak = require('keycloak-connect');
>
>   var memoryStore = new session.MemoryStore();
>
>   // The session middleware must be registered before the Keycloak middleware,
>   // because keycloak-connect reads and writes req.session (the 'keycloak-token').
>   server.use(session({
>     secret: '3249d976-7c6c-481d-83e6-c8012904f00a', // load from configuration in production
>     resave: false,
>     saveUninitialized: true,
>     store: memoryStore
>   }));
>
>   // Create the Keycloak instance once, sharing the store used by express-session.
>   var keycloak = new Keycloak({
>     store: memoryStore
>   });
>
>   server.use(keycloak.middleware({}));
>
>   server.get('/*', keycloak.protect(), function (req, resp) {
>     resp.send('hello');
>   });
> };
>
> I've tried to follow the example as closely as possible but when I hit any
> API I get into a redirect loop and the request fails.
>
> I've also tried swapping the server.use(session line with
> server.use(keycloak but then see:
>
> Cannot read property 'keycloak-token' of undefined
>
> Is there something I'm doing wrong?
>
> Thanks in advance!
>
> Cheers,
> Elston
--
abstractj
PGP: 0x84DC9914
8 years, 8 months
From UserFederation to Authenticator info flow
by Tech @ PSYND
Dear experts,
we are getting information through a UserFederation class, and we need
to use the information collected in an Authenticator.
What should we do to pass the data from a UserFederation to the
Authenticator?
8 years, 8 months
Custom authentication flow
by Tech @ PSYND
Dear experts,
I'm working with version 1.9.4 of the product, and I'm developing a couple
of custom forms that should be integrated into an authentication
workflow.
Following the example integrated into the product:
1) I compiled "org.keycloak.examples.authenticator"
2) I copied the "secret-question.ftl" and "secret-question-config.ftl"
files into keycloak/themes/keycloak/login and
keycloak/themes/base/login
3) I moved the generated jar file
"authenticator-required-action-example.jar" into keycloak/providers
4) I opened the admin console and created a new flow consisting of
"Username and password" and "Secret-question".
I try to login with a user and the error message that I get is:
15:36:26,319 ERROR
[org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider]
(default task-15) Failed to process template:
org.keycloak.theme.FreeMarkerException: Failed to process template
secret-question-config.ftl
That is compatible with what I found here:
https://issues.jboss.org/browse/KEYCLOAK-2534
But I copied the files in the correct position: what else could cause
such error?
Thanks
8 years, 8 months
realm-identity-provider html for custom identity provider
by Vincent Sluijter
Hello,
We created a custom (SAML) identity provider module for Keycloak and we want to configure it through the admin interface. To do this Keycloak seems to expect a 'realm-identity-provider-providerid.html' in the base.admin.resources.partials theme folder.
- What would be the best way to add this custom html file? We tried to add it to the module with a keycloak-themes.json but this only works when selecting the new theme in the Master realm.
- Is it possible to extend the base/keycloak theme through the module? Because adding a theme for a provider in the master realm does not seem very maintainable.
Vincent
This message is subject to the following E-mail Disclaimer. (http://www.crv4all.com/disclaimer-email/) CRV Holding B.V. seats according to the articles of association in Arnhem, Dutch trade number 09125050.
8 years, 8 months
Environment-specific configuration available in theme
by Chris Hairfield
We're considering building an account management theme that is capable of
uploading a profile photo. We'd save the photo to an S3 bucket, and would
wish to do so based on environment; our stage Keycloak would point to a
stage S3 bucket, prod to the prod bucket, etc.
Is there a way to configure Keycloak on a per-environment basis such that
our theme could know its environment in order to point to the correct S3
bucket?
Thanks!
Chris
8 years, 8 months
SMS customize authentication workflow
by Tech @ PSYND
Dear experts,
after a successful login we would like the person to be challenged by
an SMS sent to their phone.
We think that the best option is to customize the OTP interface where,
instead of triggering the procedure that waits for the OTP challenge,
we call a web service (already developed) and wait for the
user to enter the SMS code received on the mobile.
What steps should we perform to reach this goal?
Thanks in advance
8 years, 8 months
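An Authenticator that fits both of the questions above from Tech @ PSYND (passing data from a UserFederation provider to an Authenticator, and an SMS challenge after the password step) is sketched below as an added example; it is not Keycloak's own code and not the product's OTP implementation. The hand-off channel it relies on is the user attribute: when the federation provider imports or refreshes the user it stores the phone number on the UserModel (`user.setSingleAttribute("phoneNumber", value)`, method names as in the 1.9 UserModel API, assumed here), and the authenticator reads it back with `getFirstAttribute`. Data that must not survive the login, the expected code, is kept as a note on the client session rather than on the user. `SmsGateway` is a hypothetical interface standing in for the already-developed web service; the attribute name, note name and template name are the example's own. The template named in `createForm` has to resolve in the active login theme, the same lookup that produced the FreeMarkerException in the custom-flow post above. Later Keycloak releases replaced the ClientSessionModel notes used here with AuthenticationSessionModel; the shape of the flow is unchanged.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/**
 * Added example (not Keycloak's own code): SMS challenge after the password
 * step. The phone number was stored on the UserModel by the federation
 * provider; the one-time code lives only in a client-session note.
 */
public class SmsAuthenticator implements Authenticator {

    static final String PHONE_ATTRIBUTE = "phoneNumber";   // set by the federation provider (assumed name)
    static final String CODE_NOTE = "sms.code";            // server-side only, never rendered in the form
    static final String FORM_FIELD = "sms_code";           // input name in the template
    static final String TEMPLATE = "sms-challenge.ftl";    // must exist in the active login theme

    /** Hypothetical wrapper for the existing SMS web service: sends a code and returns what was sent. */
    public interface SmsGateway {
        String sendChallenge(String phoneNumber);
    }

    private final SmsGateway gateway;

    public SmsAuthenticator(SmsGateway gateway) {
        this.gateway = gateway;   // injected by the AuthenticatorFactory (not shown)
    }

    @Override
    public boolean requiresUser() {
        return true;   // placed after the username/password form, so the user is known
    }

    @Override
    public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) {
        return user.getFirstAttribute(PHONE_ATTRIBUTE) != null;
    }

    @Override
    public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) {
        // No self-service enrolment here: the phone number comes from the federation source.
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        String phone = context.getUser().getFirstAttribute(PHONE_ATTRIBUTE);
        if (phone == null) {
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);   // configuredFor() should have prevented this
            return;
        }
        String code = gateway.sendChallenge(phone);
        context.getClientSession().setNote(CODE_NOTE, code);
        context.challenge(context.form().createForm(TEMPLATE));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String entered = form.getFirst(FORM_FIELD);
        String expected = context.getClientSession().getNote(CODE_NOTE);
        if (expected == null || entered == null || !constantTimeEquals(expected, entered)) {
            Response challenge = context.form()
                .setError("invalidSmsCode")   // message key, expected in the theme's message bundle
                .createForm(TEMPLATE);
            context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, challenge);
            return;
        }
        context.getClientSession().removeNote(CODE_NOTE);   // one code, one use
        context.success();
    }

    @Override
    public void close() { }

    /** Compare without leaking the position of the first wrong digit through timing. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The AuthenticatorFactory (id, display name, `create(KeycloakSession)` returning this class, and the `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` entry in the provider jar) is omitted for length; it is the same shape as in the product's authenticator example. Two design points worth keeping when adapting this: the code is compared in constant time and removed on success so it cannot be replayed within the same login, and the failure path re-issues the challenge through `failureChallenge` so that the realm's brute-force detection sees each wrong code as a failed credential attempt.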