Correct setup of clientID
by Helio Frota
Hi,
1. Is it correct to manually add clientID to keycloak.json?
2. I found this email in the archives:
> I was hoping this would Just Work, but I quickly discovered that some of
> the properties are "renamed" after the HTTP request:
>
> kc.authServerUrl = config['auth-server-url'];
> kc.realm = config['realm'];
> kc.clientId = config['resource'];
> kc.clientSecret = (config['credentials'] || {})['secret'];
http://lists.jboss.org/pipermail/keycloak-user/2016-April/005802.html
clientId is now called 'resource'?
thanks
8 years, 6 months
Tomcat 7 SAML adapter and <login-config> question
by David Guerra
Hi,
I am updating an old Struts 1.3 web app and integrating our SAML SSO
service with the help of the keycloak adapter for SAML.
I have some issues with that development on Tomcat 7: in the "web.xml"
file, the following lines are supposed to be added:
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
Reading the other options, for Wildfly the following code must be added:
<login-config>
<auth-method>KEYCLOAK-SAML</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
And, googling a little, I found that, on Tomcat 7, the correct configuration
must be:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
My question is: is "BASIC" correct for Tomcat 7 and the SAML adapter in my
development?
Thanks!!!
8 years, 6 months
Revoking individual refresh tokens
by Peter Nalyvayko
Hello,
Is there a way to revoke/invalidate a refresh token issued to a specific user? My understanding is that I can revoke all of the previously issued refresh tokens using 'Revocation' and setting Not Before to Now; this is good, but it would be great if I could revoke individual tokens as well.
Thx
--
Peter
8 years, 6 months
impossible to get logs from adapter-saml
by David Guerra
Hi,
I am updating an old Struts 1.3 web app and integrating our SAML SSO
service with the help of the keycloak adapter for SAML.
I am facing a problem (perhaps a silly one): I am using Tomcat 7 and I
try to get logs from the keycloak SAML adapter as described in:
http://keycloak.github.io/docs/userguide/saml-client-adapter/html/debuggi...
with "log4j.logger.org.keycloak.saml=DEBUG" in my log4j.properties.
But there is no 'debug' info in the console. I have other debug info for
my application but none for the keycloak adapter.
Am I doing something wrong?
Thanks for the help.
8 years, 6 months
Custom page for not found realm (tenant)
by Haim Vana
Hi,
We are using KeyCloak with multi-tenancy, each realm represents a tenant (customer).
Sometimes, due to a setup issue or a typo in the realm name, we get a 404 page. Is there a custom page, or a way to customize a page, for the missing-realm scenario?
For example, something like: Realm <name> doesn't exist...
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
8 years, 6 months
Can't access admin console with realm admin (from 1.9.4 version and above)
by Haim Vana
Hi,
From version 1.9.4 and above I can't access the admin console with a realm admin user.
The realm admin user is a specific realm admin; it was created in the master realm and its only roles are the client (the realm) roles.
I am getting the below exception and it looks like it's not a bug (see RealmsAdminResource.java line 114). If so, how am I supposed to create an admin only for a realm?
Also, what about realm admins created in version 1.9.3: will they still be able to access the admin console if KeyCloak is upgraded?
2016-06-07 17:09:09,962 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-79) RESTEASY002005: Failed executing GET /admin/realms: org.keycloak.services.ForbiddenException
at org.keycloak.services.resources.admin.RealmsAdminResource.addRealmRep(RealmsAdminResource.java:114)
at org.keycloak.services.resources.admin.RealmsAdminResource.getRealms(RealmsAdminResource.java:102)
Thanks,
Haim.
8 years, 6 months
Re: [keycloak-user] Email internationalization
by Stian Thorgersen
If you change the PR to use MimeMessage#setSubject(subject, charset) we
should just add it. It's better to have it just work rather than require
changing default system encoding or using -Dfile.encoding.
On 7 June 2016 at 08:18, Nekrasov Aleksandr <a.nekrasov(a)ftc.ru> wrote:
> I've configured a newly allocated standalone keycloak server with your note and
> it was very helpful in all my cases.
>
> Should we add a note to the documentation about this issue?
>
> I've already created issue https://issues.jboss.org/browse/KEYCLOAK-3089
> and PR https://github.com/keycloak/keycloak/pull/2918 for it. Do you need
> to reject it?
>
> *From:* Tair Sabirgaliev [mailto:tair.sabirgaliev@gmail.com]
> *Sent:* Tuesday, June 07, 2016 11:52 AM
> *To:* keycloak-user(a)lists.jboss.org; Некрасов Александр Сергеевич; Stian
> Thorgersen
> *Subject:* RE: [keycloak-user] Email internationalization
>
> Did you try specifying a default encoding for Java?
>
> in bin/standalone.conf: JAVA_OPTS="... -Dfile.encoding=UTF-8"
>
> --
> Tair Sabirgaliev
>
> On 7 June 2016 at 11:48:03, Nekrasov Aleksandr (a.nekrasov(a)ftc.ru) wrote:
>
> Hello.
>
> I have installed Wildfly10 on SunOS 5.10.
>
> I am using Microsoft Outlook as a client and it shows the Subject header as
>
> Subject:
> =?ISO646-US?B?Pz8/Pz8/Pz8/Pz8/Pz8/PyA/Pz8/Pz8gPz8/Pz8/Pz8/Pz8gPz8/Pz8=?=
>
> System encoding for some reason is ISO646-US, which is different from
> the encoding I need.
>
> *From:* Tair Sabirgaliev [mailto:tair.sabirgaliev@gmail.com]
> *Sent:* Tuesday, June 07, 2016 11:25 AM
> *To:* keycloak-user(a)lists.jboss.org; Некрасов Александр Сергеевич; Stian
> Thorgersen
> *Subject:* Re: [keycloak-user] Email internationalization
>
> Hi Aleksandr!
>
> What is your Wildfly version?
>
> Wildfly 8 has a buggy Java Mail API. In Wildfly 9 and later proper encoding
> is done automatically, no need to `encodeText` manually.
>
> See my answer here:
> http://stackoverflow.com/questions/35010796/wildfly-9-x-fails-encoding-gr...
>
> --
> Tair Sabirgaliev
>
> On 7 June 2016 at 11:03:50, keycloak-user-request(a)lists.jboss.org (
> keycloak-user-request(a)lists.jboss.org) wrote:
>
> Message: 1
> Date: Mon, 6 Jun 2016 12:12:26 +0000
> From: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
> Subject: [keycloak-user] Email internationalization
> To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID: <59219ba4c1b449d0a2bded5436b8ca6a(a)nut-mbx-4.win.ftc.ru>
> Content-Type: text/plain; charset="koi8-r"
>
> Hello everyone.
> I found a bug when trying to send email from keycloak to users with a
> non-English encoding.
> For example, when I try to send a Russian message with subject "????????
> ???? ??????? ??????" I see "????????????? ?????? ??????????? ?????" in my
> email.
>
> I think you should update the org.keycloak.email.DefaultEmailSenderProvider
> class, changing the line
> msg.setSubject(subject);
> to
> msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
>
> Thanks.
>
> Nekrasov Aleksander,
> Developer,
> Center of Financial Technologies
>
> ------------------------------
>
> Message: 2
> Date: Mon, 6 Jun 2016 19:38:59 +0200
> From: Stian Thorgersen <sthorger(a)redhat.com>
> Subject: Re: [keycloak-user] Email internationalization
> To: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <CAJgngAeDFzb96dtFGgz59_RE-A3oGAJUNsNFPA-xXjxvYWipGw(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Please create a JIRA. If you want to submit a PR that would be welcome as
> well.
>
8 years, 6 months
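As an added example (not code from this thread or from Keycloak), the Python below decodes the encoded-word Aleksandr quoted from Outlook: its base64 payload is nothing but '?' bytes, so the Cyrillic was already lost to the JVM default charset (ISO646-US is the ISO name for 7-bit US-ASCII) before the header was encoded, which is why both -Dfile.encoding and MimeMessage#setSubject(subject, charset) fix it. It also shows what a correctly encoded UTF-8 subject looks like and that it round-trips; the Russian sample subject is constructed.

```python
"""RFC 2047 Subject-header diagnosis for the thread above (added example)."""
from __future__ import annotations

import base64
import re
from email.header import Header, decode_header

# The encoded-word exactly as quoted from Outlook in the thread.
GARBLED_SUBJECT = (
    "=?ISO646-US?B?Pz8/Pz8/Pz8/Pz8/Pz8/PyA/Pz8/Pz8gPz8/Pz8/Pz8/Pz8gPz8/Pz8=?="
)

# =?charset?encoding?payload?=  (RFC 2047 section 2)
ENCODED_WORD = re.compile(
    r"=\?(?P<charset>[^?]+)\?(?P<enc>[BbQq])\?(?P<payload>[^?]*)\?="
)


def decode_encoded_word(word: str) -> tuple[str, str]:
    """Return (charset, text) for one 'B' (base64) encoded-word."""
    m = ENCODED_WORD.fullmatch(word.strip())
    if m is None:
        raise ValueError("not a single RFC 2047 encoded-word")
    if m["enc"].upper() != "B":
        raise ValueError("only base64 ('B') encoded-words are handled here")
    charset = m["charset"]
    # ISO646-US is 7-bit US-ASCII; Python's codec registry knows it as 'ascii'.
    codec = "ascii" if charset.upper() == "ISO646-US" else charset
    return charset, base64.b64decode(m["payload"]).decode(codec)


def lost_before_encoding(word: str) -> bool:
    """True when the decoded text is only '?' and spaces: every non-ASCII
    character was replaced by '?' during a charset conversion *before* the
    header was encoded, so the mail client is displaying it faithfully."""
    _, text = decode_encoded_word(word)
    return bool(text.strip()) and set(text) <= {"?", " "}


def encode_subject(subject: str) -> str:
    """Encode a subject as a UTF-8 encoded-word, i.e. the header a charset-aware
    setSubject(subject, "UTF-8") produces (the stdlib does the RFC 2047 work)."""
    return Header(subject, "utf-8").encode()


def decode_subject(header_value: str) -> str:
    """Decode any RFC 2047 header value (or a plain ASCII one) back to text."""
    return "".join(
        part.decode(charset or "ascii") if isinstance(part, bytes) else part
        for part, charset in decode_header(header_value)
    )


if __name__ == "__main__":
    charset, text = decode_encoded_word(GARBLED_SUBJECT)
    print(f"charset={charset} text={text!r} lost={lost_before_encoding(GARBLED_SUBJECT)}")
    sample = "Тестовое сообщение"  # constructed Russian subject
    encoded = encode_subject(sample)
    print(encoded, "->", decode_subject(encoded))
```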
keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
by jazz
Hi,
I have wildfly 10 installed using nginx as an https proxy server [1,
standalone-full.xml]. It works great when using weak ciphers in nginx. In
that case keycloak can connect back to the app after authentication
(redirect SSL). When using strong ciphers in nginx [2] it fails the ssl
handshake [4]. JCE seems enabled since the deployed app reports
"2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647".
My question is: does keycloak use a limited set of ciphers? SNI works
fine according to the log. I was digging in the code, but could not
find anything obvious [5].
Best regards, Jazz
[1] wildfly standalone-full.xml
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
[... snip ...]
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8444}"/>
    <socket-binding name="proxy-https" port="443"/>
[2] nginx ssl.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
[3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service
[4]
2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default task-7, setSoTimeout(0) called
2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe renegotiation: false
2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy hello messages: true
2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial handshake: true
2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure renegotiation: false
2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached client session
2016-04-13 21:41:46,518 INFO [stdout] (default task-7) *** ClientHello, TLSv1.2
2016-04-13 21:41:46,522 INFO [stdout] (default task-7) RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12, 171, 41, 74, 46, 186, 180, 88 }
2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {}
2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression Methods: { 0 }
2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension server_name, server_name: [type=host_name (0), value=keycloak.example.com]
2016-04-13 21:41:46,530 INFO [stdout] (default task-7) ***
2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default task-7, WRITE: TLSv1.2 Handshake, length = 138
2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default task-7, READ: TLSv1.2 Alert, length = 2
2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default task-7, RECV TLSv1.2 ALERT: fatal, handshake_failure
2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default task-7, called closeSocket()
2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default task-7, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default task-7, called close()
2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default task-7, called closeInternal(true)
2016-04-13 21:41:46,539 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
    at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
    at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
    at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
[5] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
8 years, 6 months
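An added example (not jazz's, Keycloak's or nginx's code) that puts the two lists from [2] and [4] side by side: it translates the OpenSSL names in ssl_ciphers to the IANA names Java logs and intersects them in server preference order (ssl_prefer_server_ciphers is on). The ClientHello in [4] offers only RSA and DHE suites while nginx is restricted to ECDHE ones, so the intersection is empty, which is exactly the condition under which a TLS server answers with a fatal handshake_failure; the translation covers the AES suite names that appear on this page.

```python
"""Cipher-suite overlap check for the handshake_failure in [4] (added example)."""
from __future__ import annotations

import re

# nginx ssl_ciphers from [2], copied from the post.
NGINX_SSL_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# "Cipher Suites:" from the Java ClientHello in [4].
CLIENT_HELLO_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# OpenSSL spelling of the AES suites: [KX-AUTH-]AES<bits>-[GCM-]SHA[256|384].
# Plain-RSA suites carry no key-exchange prefix (e.g. "AES128-SHA").
OPENSSL_AES = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>ECDSA|RSA|DSS)-)?"
    r"AES(?P<bits>128|256)-(?P<gcm>GCM-)?SHA(?P<hash>256|384)?$"
)


def openssl_to_iana(name: str) -> str:
    """Translate an OpenSSL AES cipher name to its IANA (Java/JSSE) name.
    Anything outside the AES family (or a keyword like HIGH) is rejected
    loudly rather than silently dropped from the comparison."""
    m = OPENSSL_AES.match(name)
    if m is None:
        raise ValueError(f"cannot translate OpenSSL cipher name: {name}")
    kx_auth = f"{m['kx']}_{m['auth']}" if m["kx"] else "RSA"
    mode = "GCM" if m["gcm"] else "CBC"
    return f"TLS_{kx_auth}_WITH_AES_{m['bits']}_{mode}_SHA{m['hash'] or ''}"


def negotiable(ssl_ciphers: str, client_suites: list[str]) -> list[str]:
    """Suites both sides support, in server preference order. An empty
    result is the case where the server has nothing to pick and aborts the
    handshake with a fatal handshake_failure alert, as seen in [4]."""
    offered = set(client_suites)
    server_order = [openssl_to_iana(c) for c in ssl_ciphers.split(":") if c]
    return [suite for suite in server_order if suite in offered]


def client_offers_ecdhe(client_suites: list[str]) -> bool:
    """Does the ClientHello contain any ECDHE suite at all?"""
    return any("_ECDHE_" in suite for suite in client_suites)


if __name__ == "__main__":
    print("ECDHE in ClientHello:", client_offers_ecdhe(CLIENT_HELLO_SUITES))
    print("shared with [2]:", negotiable(NGINX_SSL_CIPHERS, CLIENT_HELLO_SUITES))
    # Widening the server list with one suite the client does offer is enough
    # to make the handshake negotiable again (DHE-RSA-AES256-GCM-SHA384 is
    # chosen here only because it is in the ClientHello above).
    widened = NGINX_SSL_CIPHERS + ":DHE-RSA-AES256-GCM-SHA384"
    print("shared after widening:", negotiable(widened, CLIENT_HELLO_SUITES))
```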
How to get specific client role programmatically
by Haim Vana
Hi,
I am using the KeyCloak API to create admin users and update their roles. I am able to add all the available client roles to an admin user, but how can I add a specific one?
This is my code to get all the available client roles:
userResource.roles().clientLevel(userRealmClientId).listAvailable()
How can I get a specific one and not all of them?
Any advice will be appreciated,
Haim.
8 years, 6 months
Performance issues with Federation provider enabled
by Fabricio Milone
Hi all,
I've been running load tests on our application during the last few weeks,
and having some performance issues when my custom federator is enabled.
The performance issue does not exist when the federator is disabled.
*Configuration*:
I have a cluster of 2 instances of Keycloak, with a standalone DB, we've
verified the DB isn't an issue when the federator is disabled. Both
instances have a quad core CPU and they are in the same network. We’ve left
the memory at 512MB. The test script, database and API that connects to the
federator are in separate machines.
*Federator*:
We have a simple custom federator that makes calls to a very performant
api, which has been tested and is ok. Additionally, we've tested stubbing
the API so the performance is not a problem there. This federator is using
a jaxb marshaller to create a request, again tested in isolation and is
performing well.
As the federator is doing a lot of calls to the API (3 per login request),
I've implemented a httpclient that uses a
PoolingHttpClientConnectionManager with 1000 connections available to use,
instead of using the standard apache httpclient from http components. That
hasn't improved the performance of the system at all.
*Tests*:
It is a gatling scala script that can generate around 300 (or more)
requests/second to the direct grants login endpoint using random usernames
from a list (all of them already registered using KC). The script is doing
a round robin across both instances of Keycloak with an even distribution
to each KC instance.
The idea is to simulate a load of 300 to 1500 concurrent users trying to log
in to our systems.
*Problem*:
If I run the tests without using a federation I can see a very good
performance, but when I try to run the tests with the custom federation
code, the performance drops from ~150 requests/second to 22 req/sec using
both instances.
Memory wise, it seems to be ok. I've never seen an error related to memory
with this configuration, also if you take a look at the attached visualVM
screenshot you'll see that memory is not a problem or it seems not to be.
CPU utilisation is very low to my mind, I'd expect more than 80% of usage
or something like that.
There is a method that is leading the CPU samples on VisualVM called
Semaphore.tryAcquire(). Not quite sure what's that for, still investigating.
I can see that a lot of new threads are being created when the test starts,
as it creates around 60 requests/second to the direct grants login call, but
it seems to be a bottleneck at some point.
So I'm wondering if there is some configuration I'm missing on Keycloak
side that could be affecting the cluster performance when a federator is
enabled. Maybe something related to jpa connections, infinispan
configuration or even wildfly.
I'd really appreciate your help on this one as I'm out of ideas.
I've attached some screenshots of visualVM and tests results from my last
run today.
Sorry for the long email and please let me know if you need further
information.
Thank you in advance,
Regards,
Fab
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
8 years, 6 months