Keycloak token exchange failure behind loadbalancer and reverse proxy
by Niels Bertram
I am scratching my head over a specific setup problem which does not
generate any usable error messages.
I am running haproxy as a load balancer in a VM in front of an apache web
server configured as a reverse proxy connecting to the keycloak server via
ajp in another VM.
client browser (192.168.33.1)
login.vagrant.v8 (192.168.33.80) aka proxy.vagrant.v8 is haproxy
adds X-Forwarded-For X-Forwarded-Port X-Forwarded-Proto and X-Real-Ip
kc01.vagrant.v8 (192.168.33.81) apache reverse proxies to
wildfly on ajp port
I followed all the setup instructions in the documentation and if I connect
to apache proxying through to keycloak everything works fine. All web
resources are downloaded fine; however, when I request a token exchange on
/auth/realms/master/protocol/openid-connect/token I get a 400 response. The
kc server log shows the correct IP address of the originating client and the
request dump from wildfly also shows the correct X-Forwarded-For header
coming in. However the query string remoteAddr=/192.168.33.80:54672, which I
believe is the one sent to the ajp connector, shows some half-valid IP
address which is that of the load balancer. Did anyone come across this
before? Looks like a bug of some sort.
The symptom is an endless loop trying to log into the admin panel.
Cheers
Niels
# cat standalone/log/server.log | grep -A 58 '2016-05-24 09:19:27,672'
2016-05-24 09:19:27,672 WARN [org.keycloak.events] (default task-19)
type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=admin, userId=null,
ipAddress=192.168.33.1, error=invalid_client_credentials,
grant_type=authorization_code
2016-05-24 09:19:27,673 INFO [io.undertow.request.dump] (default task-19)
----------------------------REQUEST---------------------------
URI=/auth/realms/master/protocol/openid-connect/token
characterEncoding=null
contentLength=229
contentType=[application/x-www-form-urlencoded]
cookie=KEYCLOAK_SESSION=master/cf248811-6d82-47e7-bf9a-7b197fb988d0/1ba9c84e-0e37-4a82-a484-c25d2c4a80fc
header=Accept=*/*
header=Accept-Language=en-US,en;q=0.8,de;q=0.6
header=Accept-Encoding=gzip, deflate
header=DNT=1
header=Origin=https://login.vagrant.v8
header=X-Original-To=192.168.33.80
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=X-Forwarded-For=192.168.33.1
header=Content-Length=229
header=Content-Type=application/x-www-form-urlencoded
header=Referer=https://login.vagrant.v8/auth/admin/master/console/
header=Host=login.vagrant.v8
locale=[en_US, en, de]
method=POST
protocol=HTTP/1.1
queryString=
remoteAddr=/192.168.33.80:54672
remoteHost=proxy.vagrant.v8
scheme=https
host=login.vagrant.v8
serverPort=443
--------------------------RESPONSE--------------------------
contentLength=123
contentType=application/json
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Content-Type=application/json
header=Content-Length=123
header=Date=Tue, 24 May 2016 09:19:27 GMT
status=400
8 years, 7 months
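A check a practitioner can run over a dump like the one quoted in the post above, as an added example that is not part of the original message: it parses the Undertow request dump, attributes the request to the X-Forwarded-For client only when the TCP peer in remoteAddr is a trusted proxy (so the header cannot be spoofed by a direct connection), and flags a scheme mismatch between X-Forwarded-Proto and what the listener saw. The trusted-proxy list and the trimmed sample dump are assumptions built from the addresses in the post.

```python
"""Proxy-header sanity check over an Undertow request dump (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample: the lines of the quoted dump that matter for
# client-address attribution (cookies and unrelated headers omitted).
SAMPLE_DUMP = """\
URI=/auth/realms/master/protocol/openid-connect/token
header=X-Original-To=192.168.33.80
header=X-Forwarded-Proto=https
header=X-Forwarded-Port=443
header=X-Forwarded-For=192.168.33.1
header=Host=login.vagrant.v8
method=POST
remoteAddr=/192.168.33.80:54672
remoteHost=proxy.vagrant.v8
scheme=https
"""

# Assumption: only the haproxy VM (proxy.vagrant.v8) may set X-Forwarded-*.
TRUSTED_PROXIES = [ip_network("192.168.33.80/32")]


def parse_dump(text: str) -> Dict[str, object]:
    """Split 'key=value' lines; 'header=Name=Value' lines go under 'headers'."""
    fields: Dict[str, object] = {}
    headers: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "header" and "=" in value:
            name, hval = value.split("=", 1)
            headers[name.strip().lower()] = hval.strip()
        else:
            fields[key.strip()] = value.strip()
    fields["headers"] = headers
    return fields


def peer_ip(remote_addr: str) -> str:
    """Undertow prints the TCP peer as '/ip:port'; keep only the ip part."""
    addr = remote_addr.lstrip("/")
    host, sep, _port = addr.rpartition(":")
    return (host if sep else addr).strip("[]")


def is_trusted(ip: str) -> bool:
    """True only for addresses inside TRUSTED_PROXIES; junk is never trusted."""
    try:
        return any(ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False


def client_from_chain(chain: List[str]) -> Optional[str]:
    """Rightmost X-Forwarded-For hop that is not one of our proxies.

    Walking from the right ignores whatever an untrusted upstream prepended,
    so a forged leading entry cannot choose the attributed client address.
    """
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    return None


def effective_client(dump: Dict[str, object]) -> Dict[str, object]:
    """Decide which address a proxy-aware listener should report as client."""
    headers = dump["headers"]
    assert isinstance(headers, dict)
    peer = peer_ip(str(dump.get("remoteAddr", "")))
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    client, source = peer, "socket"
    if is_trusted(peer):  # honour X-Forwarded-For only from a trusted hop
        forwarded = client_from_chain(chain)
        if forwarded:
            client, source = forwarded, "x-forwarded-for"
    proto = headers.get("x-forwarded-proto", str(dump.get("scheme", "")))
    return {"peer": peer, "client": client, "source": source,
            "scheme_consistent": proto == dump.get("scheme")}


if __name__ == "__main__":
    print(effective_client(parse_dump(SAMPLE_DUMP)))
```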
Resetting password
by JAYAPRIYA ATHEESAN
Hi,
When a user clicks on reset password/forget password and enters an email id
which is not registered with keycloak, it does not show any error.
Is there any option to give an error message to the user saying "email id
doesn't exist".
Note : We are using keycloak 1.6.0Final.
Thanks,
Jayapriya Atheesan
8 years, 7 months
SysoutEventListenerProvider example is not working
by Sarp Kaya
Hello,
I have followed the instructions in the provided example (from keycloak-examples-1.9.4.Final.zip). The steps I have done are:
1. ran mvn clean install
2. Copied event-listener-sysout-example.jar file from target to providers directory in keycloak
3. Registered provider in keycloak-server.json
4. Restarted the standalone server
I am getting the error below now:
07:12:51,542 INFO [org.keycloak.services] (ServerService Thread Pool -- 55) KC-SERVICES0001: Loading config from /opt/jboss/keycloak/standalone/configuration/keycloak-server.json
07:12:51,946 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 55) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.RuntimeException: org.jboss.modules.ModuleNotFoundException: org.keycloak.examples.event-sysout:main
at org.keycloak.provider.wildfly.ModuleProviderLoaderFactory.create(ModuleProviderLoaderFactory.java:44)
at org.keycloak.provider.ProviderManager.<init>(ProviderManager.java:56)
at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:71)
at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:225)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:77)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
... 19 more
Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.examples.event-sysout:main
at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:223)
at org.keycloak.provider.wildfly.ModuleProviderLoaderFactory.create(ModuleProviderLoaderFactory.java:40)
... 28 more
07:12:51,976 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: org.jboss.modules.ModuleNotFoundException: org.keycloak.examples.event-sysout:main
Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.examples.event-sysout:main"}}
Am I missing an unknown step? The readme file only mentions copying the jar file to providers. If not what could be wrong?
Kind Regards,
Sarp Kaya
8 years, 7 months
Keycloak OAuth High CPU usage
by Vaibhav Naldurgkar
Hi All,
I am using Keycloak 1.9.3 with default configuration. Keycloak server is installed on RHEL 6.5 virtual image with 4 CPU , 8 GB RAM and java version is jdk1.8.0_73 We are trying to use keycloak as a OAuth provider. But when we try and generate token(http:///auth/realms/master/protocol/openid-connect/token) for more than 10-20 users the server gets too slow and cpu usage goes over 100%.
Any pointers on how to improve performance of keycloak OAuth provider. We need to support at least 200 concurrent users.
Thanks, Vaibhav
DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.
8 years, 7 months
How to include the keycloak wildfly adapter libraries in the secure war application classpath?
by Darrell Wu
Hi,
With the keycloak wildfly adapter for version 1.9.x I've noticed that the
location of the Keycloak Subsystem modules have changed from
modules\system\layers\base\org\keycloak to
modules\system\add-ons\keycloak\org\keycloak
Now on my secure war application server I've installed the keycloak wildfly
adapter by unzipping the archive and running the adapter-install.cl script.
Now in my application I'm getting a
ClassNotFoundException: org.keycloak.KeycloakSecurityContext
when the following is executed
KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
httpRequest.getAttribute(KeycloakSecurityContext.class.getName());
Obviously the application isn't loading the keycloak modules in the
classpath.
What is the proper way to include the keycloak libraries in my app?
Should my app have a jboss-deployment-structure.xml file or should the
libraries be moved back to modules\system\layers\base\org\keycloak?
Thanks
--
Darrell Wu
1Place Limited
P.O. Box 125152, St Heliers, Auckland 1740, New Zealand
Level 4, 1 Queen Street, Auckland 1010, New Zealand
Phone: +64 9 5200612 ext 521 | Mob: +64 21 262 4898 | Fax: +64 9 5246203
Email: darrell(a)1placeonline.com | Web: www.1placeonline.com
8 years, 7 months
Offline token validation - can it be deployed within a Docker image
by Haim Vana
Hi,
We are using offline tokens for internal flows, and we would like to create a Docker image with the offline token to be used, for example, by all developers.
However the offline token validation failed on a different host (than the one it was generated from).
Is there an option to pass the URL validation just for dev? Or overcome it in a different way?
Any advice will be appreciated.
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
8 years, 7 months
How to set realm tokens units programmatically
by Haim Vana
Hi,
When I am setting realm tokens programmatically, for example 'Sso Session Idle Timeout', how can I set its units?
This is how I am setting the parameter programmatically:
realmRepresentation.setSsoSessionIdleTimeout(120);
However I couldn't find how to set the units from minutes to hours; when I am setting the above it is displayed (and acts!) as 2 minutes in the UI.
Any advice will be appreciated.
Thanks,
Haim.
8 years, 7 months
redirection error with Keycloak-proxy
by Guy Bowdler
Hi:)
Has anybody seen this error?
I have (http://host.name/appname) --> [KeyCloakProxy:80 --> nginx:8080]
--> [Web apps on different boxes] where [] denotes on same box.
Namespace is hostname/appname where nginx location directives proxy out
again to different boxes.
I've previously had this working but when I changed the keystore it all
broke and I haven't found the problem yet. Troubleshooting steps have
been to take out the ssl entirely and try different client settings. If
I remove the constraints in the proxy config, it proxies ok to the
webpages, and if the constraints are in, I log in ok and then the
browser goes blank with a URL like this in the address bar:
http://apps.host.name/python?state=0%2F52043b01-976f-464f-8651-ebe295aac2...
The error stack below is from the console of the keycloak proxy.
Refreshing the page, simply returns a different error of "NO STATE
COOKIE".
Thanks in advance for any assistance,
kind regards
Guy
ERROR: failed to turn code into token
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.UndertowAuthenticationMechanism.authenticate(UndertowAuthenticationMechanism.java:56)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at org.keycloak.proxy.ProxyAuthenticationCallHandler.handleRequest(ProxyAuthenticationCallHandler.java:44)
at org.keycloak.proxy.ConstraintMatcherHandler.handleRequest(ConstraintMatcherHandler.java:89)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at org.keycloak.adapters.undertow.UndertowPreAuthActionsHandler.handleRequest(UndertowPreAuthActionsHandler.java:54)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.session.SessionAttachmentHandler.handleRequest(SessionAttachmentHandler.java:68)
at io.undertow.server.handlers.PathHandler.handleRequest(PathHandler.java:94)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:232)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
May 24, 2016 11:04:30 AM org.keycloak.adapters.OAuthRequestAuthenticator checkStateCookie
WARN: No state cookie
8 years, 7 months
Updating realm settings
by Alessandro Segatto
Hi! I've a production environment with a realm defined for keycloak
clients and a set of users registered in this realm. I'd like to update
realm settings by importing them from the json, but I don't want to delete
/ overwrite registered users. I think I can achieve this goal by exporting
the realm with users and then importing it back, overwriting the realm json with
the new configurations but keeping the users json.
Are there any alternative pipelines to achieve this goal?
Thanks,
Alessandro
--
Ing. Alessandro Segatto
Software Engineer
Research and Development
*ESTECO S.p.A.* - AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549 | www.esteco.com
Pursuant to Legislative Decree No. 196/2003, you are hereby informed that
this message contains confidential information intended only for the use of
the addressee. If you are not the addressee, and have received this message
by mistake, please delete it and immediately notify us. You may not copy or
disseminate this message to anyone. Thank you.
8 years, 7 months
KeyCloak offline tokens and architecture
by Haim Vana
Hi,
We are evaluating KeyCloak to be our SSO server, and we have a few questions regarding the offline token usage.
First our high level use case is as follows:
We have multi-tenancy applications, each tenant will have its own realm (which means the same clients will be defined for each realm).
One of the applications has 3 authentication scenarios:
1. User using SDK flow to access the application (by code)
2. Offline job
3. External micro service (not registered in KeyCloak) that needs to access our application micro service
4. UI login
We thought to use offline token for the first three, and define a single client for UI and micro services.
Does our approach make sense? Especially regarding the realm per tenant and the fact that we will have to create the same clients for each realm,
the offline token usage for the authentication flows, and the single client for the UI and micro service.
Regarding the offline tokens - why are they per client? Does it mean that when using the client offline token (and getting the real token from KeyCloak) we will not be able to use it for another client's (within the realm) micro service?
Also how can we generate them for each of the following cases (also described above):
1. User - should manually add the token to his code, so we thought to provide it within the application; however, how can we generate the offline token for an already logged-in user? We would like to avoid generating the offline token for all users and using a separate offline login page.
2. Offline job - the offline job, which is cross-realm, will use a special operator realm; the token will be generated manually by the admin, who will store it in the file system for the offline job's usage. How can the admin generate this token? Can it be done in the admin console? If not, I guess we will have to create a service that logs him into the application and generates the token; is there an alternative?
3. Micro service - it's very similar flow to the offline job only that the admin will have to create offline token per realm.
I hope it's not too much :) and any advice will be highly appreciated.
Thanks,
Haim.
8 years, 7 months