IDP initiated login redirect loop
by Drew Weirshousky
Hi,
I'm having issues trying to get IDP initiated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP. Currently the user can register with keycloak and the user is registered with the IDP and a session is created but an error is displayed to the user. "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this which is why I am currently working with 2.5.5.
Thanks
Drew
7 years, 1 month
Re: [keycloak-user] Importing big realms
by Buda, Mikolaj
I managed to fix the problem by exporting users to separate files of 5000 each
and then performing a partialImport on the imported realm.
On Wed, Nov 29, 2017 at 12:16 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Please don't drop the mailing list
>
> On 29 November 2017 at 11:08, Buda, Mikolaj <mikolaj.buda@contractors.
> roche.com> wrote:
>
>> The problem is, we cannot use this Export/Import functionality as it
>> requires to restart the Keycloak. I managed to build the same json file
>> using many GET requests and now I would like to upload it on another
>> instance without restarting the application.
>>
>> On Wed, Nov 29, 2017 at 11:00 AM, Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> How many users and how long time?
>>>
>>> With a large amount of users you should split the user into separate
>>> files, see http://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
>>> for more details.
>>>
>>> On 29 November 2017 at 10:31, Buda, Mikolaj <
>>> mikolaj.buda(a)contractors.roche.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I've just created a tool that prepares a full backup of realm in json (the
>>>> same as during export at standalone startup). Sometimes it is 60MB of data
>>>> (many users). Import process takes a long time. Do you have any ideas how
>>>> to speed up this process?
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
7 years, 1 month
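The approach described in the message above (users exported into separate files of 5000, each loaded with a partial import) sketched as an added example; it is not code from the post or from Keycloak. The file naming, the `SKIP` policy, the owner-only file mode and the sample realm are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile

CHUNK_SIZE = 5000  # users per file, the figure given in the post
POLICIES = ("FAIL", "SKIP", "OVERWRITE")  # values of ifResourceExists


def realm_without_users(realm_export):
    """Realm definition to import first; users follow in chunks."""
    return {k: v for k, v in realm_export.items() if k != "users"}


def split_users(realm_export, chunk_size=CHUNK_SIZE, if_exists="SKIP"):
    """Yield partial-import payloads holding at most chunk_size users each."""
    if chunk_size < 1:
        raise ValueError("chunk_size must be positive")
    if if_exists not in POLICIES:
        raise ValueError("unknown ifResourceExists policy: %r" % if_exists)
    users = realm_export.get("users", [])
    for start in range(0, len(users), chunk_size):
        yield {
            "ifResourceExists": if_exists,
            "users": users[start:start + chunk_size],
        }


def write_chunks(realm_export, out_dir, chunk_size=CHUNK_SIZE):
    """Write one payload per file (assumed naming: users-NNNN.json).

    Exported user records include credential hashes, so each file is
    created owner-read/write only and O_EXCL refuses to reuse a path
    that already exists.
    """
    paths = []
    for index, payload in enumerate(split_users(realm_export, chunk_size)):
        path = os.path.join(out_dir, "users-%04d.json" % index)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as handle:
            json.dump(payload, handle)
        paths.append(path)
    return paths


def demo():
    """Split a constructed 12001-user realm and report what was written."""
    export = {
        "realm": "demo",  # constructed sample, not data from the post
        "enabled": True,
        "users": [{"username": "user%05d" % i} for i in range(12001)],
    }
    sizes = []
    owner_only = True
    with tempfile.TemporaryDirectory() as out_dir:
        for path in write_chunks(export, out_dir):
            with open(path) as handle:
                sizes.append(len(json.load(handle)["users"]))
            mode = stat.S_IMODE(os.stat(path).st_mode)
            owner_only = owner_only and (mode & 0o077) == 0
    return {"sizes": sizes, "owner_only": owner_only}


if __name__ == "__main__":
    print(demo())
```

Each written file is the body for one partial import request against the target realm, sent after the realm definition without users has been imported.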
Issue with RH-SSO 7.1 domain clustered mode example deployment (Cannot authenticate)
by Olivier Rivat
Hi,
I have an issue authenticating against the RH-SSO installed in domain
cluster mode.
I am using RH-SSO server 7.1, and have just deployed a fresh new
install of the rh-sso ZIP file.
I am following step-by-step
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/...
1) I have first created master and slaves in the domain
~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-master.xml
~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-slave.xml
2) I have added the admin user by running add-user.sh
~/redhat/cluster_rh_7.1/rh-sso-7.1/bin$ ./add-user.sh
Quel type d'utilisateur souhaitez-vous ajouter ?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a):
Saisir les informations sur le nouvel utilisateur
Utiliser le domaine 'ManagementRealm' selon les fichiers de propriétés
existants.
Nom d'utilisateur : admin
Le nom d'utilisateur 'admin' est facile à deviner
Êtes-vous certain de vouloir ajouter l'utilisateur 'admin' oui/non ? oui
Les recommandations de mot de passe sont énumérés ci-dessous. Pour
modifier ces restrictions, modifier le fichier de configuration
add-user.properties.
- Le mot de passe doit être différent du nom d'utilisateur
- Le mot de passe doit correspondre à une des valeurs limitées
suivantes {root, admin, administrator}
- Le mot de passe doit contenir au moins 8 caractères, 1 caractère(s)
alphabétique(s), 1 chiffre (s), 1 symbole(s) non alpha-numériques
Mot de passe :
Saisir mot de passe à nouveau :
Quels groupes souhaitez-vous impartir à cet utilisateur ? (Veuillez
saisir une liste séparée par des virgules, ou laisser vide)[ ]:
L'utilisateur 'admin' va être ajouté pour le domaine 'ManagementRealm'
Est-ce correct ? oui/non? oui
Utilisateur 'admin' ajouté au fichier
'/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-users.properties'
Utilisateur 'admin' ajouté au fichier
'/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-users.properties'
Utilisateur 'admin' ajouté aux groupes dans le fichier
'/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-groups.properties'
Utilisateur 'admin' ajouté aux groupes dans le fichier
'/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-groups.properties'
Est-ce que ce nouvel utilisateur va être utilisé pour qu'un processus AS
puisse se connecter à un autre processus AS, comme par exemple
pour qu'un contrôleur d'hôte esclave se connecte au master ou pour une
connexion distante de serveur à serveur pour les appels EJB.
oui/non ? oui
Pour représenter l'utilisateur, ajouter ce qui suit à la définition des
identités du serveur <secret value="IXRhS2V6bzkw" />
3) I have added <secret value="IXRhS2V6bzkw" /> to host-slave.xml
4) I have restarted both servers
5) The issue:
When I connect to http://localhost:8080/auth with admin and the
password, I obtain the message
[Server:server-one] 18:41:37,959 WARN [org.keycloak.events] (default
task-15) type=LOGIN_ERROR, realmId=master,
clientId=security-admin-console, userId=null, ipAddress=127.0.0.1,
error=user_not_found, auth_method=openid-connect, auth_type=code,
redirect_uri=http://localhost:8080/auth/admin/master/console/,
code_id=c66df7c9-1bba-47f4-b7ff-280905d53185, username=admin
6) Further troubleshooting:
The only thing missing is that I have not found where to grab
keycloak-server.json to copy it to
server-one/configuration/keycloak-server.json (as described in RH-SSO 7.1).
But is it really needed? I am a little bit confused.
If it is really missing and is the reason why I am failing on this example,
where can it be found, as it is not described in the RH-SSO 7.1 where to
grab it?
I have also found the following post:
http://blog.keycloak.org/2016/09/keycloak-serverjson-rip.html
>>>>>>>>>>>>>>>>>>>>>>>
We have moved configuration of the Keycloak server from
keycloak-server.json to standalone.xml, standalone-ha.xml, or
domain.xml. Which xml file you use will depend on how you run your
server. I'll reference standalone.xml from here on out, but
configuration is the same for each file.
As of version 2.2.0, keycloak-server.json will no longer be shipped with
Keycloak. We do provide a conversion tool to help you make the switch.
So now, you can configure the entire server from a single xml file.
Keycloak server configuration is done in the same file where you
configure data sources, socket bindings, logging, and clustering.
But there are other advantages...
>>>>>>>>>>>>>>>>>>>>>>>
7) So, from all that I have described, how is it possible to overcome this?
Is it a mistake of mine?
Is it due to something not being clearly documented?
Or other?
Waiting for your comments and suggestions,
Regards,
Olivier Rivat
7 years, 1 month
Importing big realms
by Buda, Mikolaj
Hi,
I've just created a tool that prepares a full backup of realm in json (the
same as during export at standalone startup). Sometimes it is 60MB of data
(many users). Import process takes a long time. Do you have any ideas how
to speed up this process?
7 years, 1 month
Convert Keycloak tokens to "cookies" for a Spring-boot app
by Hylton Peimer
I have a backend server secured using Keycloak Spring web security adaptor.
The UI uses the cookies to store the session reference.
Now another website would like to implement "SSO" - have a link in their
page to connect directly into my application. This other website is able to
obtain access/refresh tokens directly from the Keycloak.
How can I "convert" the access token to a cookie, which will be recognized
by my Spring backend?
7 years, 1 month
Re: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?
by Bruno Oliveira
There are some possibilities that I can think of for "Connection refused":
1. Not having services-jaxrs deployed, or deployed on the incorrect port.
   Most of the quickstarts require this service.
2. Trying to follow the instructions to deploy the quickstarts without -DskipTests.
   This was already fixed in this PR https://github.com/keycloak/keycloak-quickstarts/pull/70/files
The reason why you *must* use -DskipTests for deployment, is because
Arquillian will run integration tests and deploy on the same port. If
you don't like it, there are two options: change Arquillian port or
start WildFly in a different port.
On 2017-11-25, Bodo Teichmann wrote:
> -Pwildfly-managed didn’t work either, just got other errors:
>
> ….
> Started 332 of 578 services (393 services are lazy, passive or on-demand)
> Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 6.892 sec <<< FAILURE! - in org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
> org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 6.891 sec <<< ERROR!
> java.lang.ExceptionInInitializerError
> at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81)
> Caused by: java.net.ConnectException: Connection refused (Connection refused)
> at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81)
>
> org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 6.892 sec <<< ERROR!
> java.lang.NoClassDefFoundError: Could not initialize class org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
>
> Nov 25, 2017 7:06:11 PM org.jboss.arquillian.core.impl.ObserverImpl resolveArguments
> WARNUNG: Argument 2 for ArquillianServiceDeployer.undeploy is null. It won't be invoked.
> 19:06:11,395 INFO [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0236: Suspending server with no timeout.
> 19:06:11,402 INFO [org.jboss.as.server] (Management Triggered Shutdown) WFLYSRV0241: Shutting down in response to management operation 'shutdown'
> 19:06:11,429 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
> 19:06:11,431 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0019: Host default-host stopping
> 19:06:11,432 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending
> 19:06:11,436 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 127.0.0.1:8443
> 19:06:11,441 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0019: Stopped Driver service with driver-name = h2
> 19:06:11,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTP listener default suspending
> 19:06:11,443 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 127.0.0.1:8080
> 19:06:11,443 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0004: Undertow 1.4.0.Final stopping
> 19:06:11,533 INFO [org.jboss.as] (MSC service thread 1-5) WFLYSRV0050: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) stopped in 118ms
>
> Results :
>
> Tests in error:
> org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
> Run 1: ArquillianProfileJeeVanillaTest.org.keycloak.quickstart.ArquillianProfileJeeVanillaTest » ExceptionInInitializer
> Run 2: ArquillianProfileJeeVanillaTest.org.keycloak.quickstart.ArquillianProfileJeeVanillaTest » NoClassDefFound
>
>
> Tests run: 1, Failures: 0, Errors: 1, Skipped: 0
>
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
>
>
> On 25.11.2017 at 18:55, Bruno Oliveira <bruno(a)abstractj.org<mailto:bruno@abstractj.org>> wrote:
>
>
> Try to pass -Pwildfly-managed, it should work. We have some jiras to fix the docs.
>
> On Sat, Nov 25, 2017, 12:59 PM Bodo Teichmann <Bodo.Teichmann(a)brandad-systems.de<mailto:Bodo.Teichmann@brandad-systems.de>> wrote:
> I just followed the "Getting Started" documentation 3.4.
> Everything ok until it comes to :
> Chapter 4.3.:
> after git-clone and
> >cd keycloak-quickstarts/app-profile-jee-vanilla
> i tried:
> >mvn clean wildfly:deploy
> but got the error:
>
> -------------------------------------------------------------------------------
> Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
> -------------------------------------------------------------------------------
> Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE!
> org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 0.907 sec <<< ERROR!
> java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor
> at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166)
> at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103)
> at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52)
> at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114)
> at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
> at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
> at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
> at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
> at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
> at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
> at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
> Caused by: java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162)
> ... 15 more
> Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss
> at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85)
> at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
> at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
> at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
> at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265)
> at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74)
> at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
> at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
> at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
> at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
> at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290)
> at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63)
> ... 20 more
> Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified
> at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44)
> at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71)
> at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80)
> ... 44 more
>
>
> until I tried
>
> >mvn clean wildfly:deploy -DskipTests
>
> which worked.
>
> Do I need any other prerequisites in order to run the arquillian tests other than those described in the "Getting Started"?
>
> bodo
>
--
abstractj
7 years, 1 month
Keycloak 3.4.0 cross datacenter issue with external Infinispan
by Vikrant Singh
Hi All,
We are running a cross-DC setup with 2 data centers. In this setup we are
using external Infinispan server 9.1.2.Final. Each DC will have its own
external Infinispan cluster, and the cross-DC Infinispan cluster is formed
using the RELAY2 protocol.
We haven't faced any issues up to 3.2.1.Final. When trying to upgrade
Keycloak to 3.4.0.Final we are facing the following issue: Keycloak in the
first data center starts up fine, but Keycloak in the second data center
fails to start with the below error:
16:18:58,473 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21]
(pool-13-thread-1) ISPN004005: Error received from the server:
java.lang.ClassNotFoundException:
org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from
[Module "org.infinispan.commons:main" from local module loader @1c2c22f3
(finder: local module finder @18e8568 (roots:
/opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))]
2017-11-28 16:18:58,473 DEBG 'Keycloak' stdout output:
16:18:58,473 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21]
(pool-13-thread-1) ISPN004005: Error received from the server:
java.lang.ClassNotFoundException:
org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from
[Module "org.infinispan.commons:main" from local module loader @1c2c22f3
(finder: local module finder @18e8568 (roots:
/opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))]
16:18:58,474 ERROR
[org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer]
(ServerService Thread Pool -- 57) ExecutionException when computed future.
Errors: 1: java.util.concurrent.ExecutionException:
org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for
messageId=23 returned server error (status=0x85):
java.lang.ClassNotFoundException:
org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from
[Module "org.infinispan.commons:main" from local module loader @1c2c22f3
(finder: local module finder @18e8568 (roots:
/opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))]
at java.util.concurrent.FutureTask.report(Unknown Source)
at java.util.concurrent.FutureTask.get(Unknown Source)
at
org.infinispan.commons.util.concurrent.NotifyingFutureImpl.get(NotifyingFutureImpl.java:88)
at
org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart.getResult(DefaultExecutorService.java:1083)
at
org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.innerGet(DefaultExecutorService.java:868)
at
org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.get(DefaultExecutorService.java:848)
at
org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer.startLoading(InfinispanCacheInitializer.java:102)
at
org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:41)
at
org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:273)
at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229)
at
org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:263)
at
org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:255)
at
org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$200(InfinispanUserSessionProviderFactory.java:62)
at
org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:110)
at
org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68)
at
org.keycloak.services.resources.KeycloakApplication$2.run(KeycloakApplication.java:165)
at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229)
at
org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:158)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown
Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at
org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
at
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
at
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
at
org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at
org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at
io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at
io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:265)
at
io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
at
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
at
io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by:
org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for
messageId=23 returned server error (status=0x85):
java.lang.ClassNotFoundException:
org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from
[Module "org.infinispan.commons:main" from local module loader @1c2c22f3
(finder: local module finder @18e8568 (roots:
/opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))]
at
org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:350)
at
org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:139)
at
org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:125)
at
org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56)
at
org.infinispan.client.hotrod.impl.operations.ExecuteOperation.executeOperation(ExecuteOperation.java:48)
at
org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:54)
at
org.infinispan.client.hotrod.impl.RemoteCacheImpl.execute(RemoteCacheImpl.java:724)
at
org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader.loadSessions(RemoteCacheSessionsLoader.java:109)
at
org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74)
at
org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229)
at
org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70)
at
org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34)
at
org.infinispan.commands.read.DistributedExecuteCommand.perform(DistributedExecuteCommand.java:107)
at
org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.doLocalInvoke(DefaultExecutorService.java:1112)
at
org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.call(DefaultExecutorService.java:1102)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
At the same time we are getting the below in the external Infinispan:
2017-11-28 16:51:37,357 DEBUG
[org.infinispan.server.hotrod.HotRodExceptionHandler]
(HotRod-ServerWorker-9-3) Exception caught:
org.infinispan.commons.CacheException: java.lang.ClassNotFoundException:
org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from
[Module "org.infinispan.commons:main" from local module loader @1c2c22f3
(finder: local module finder @18e8568 (roots:
/opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))]
at
org.infinispan.commons.dataconversion.MarshallerEncoder.fromStorage(MarshallerEncoder.java:36)
at
org.infinispan.cache.impl.EncoderEntryMapper.decode(EncoderEntryMapper.java:43)
at
org.infinispan.cache.impl.EncoderEntryMapper.apply(EncoderEntryMapper.java:57)
at
org.infinispan.cache.impl.EncoderEntryMapper.apply(EncoderEntryMapper.java:23)
at
java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
at
java.util.Spliterators$IteratorSpliterator.tryAdvance(Spliterators.java:1812)
at
org.infinispan.commons.util.Closeables$SpliteratorAsCloseableSpliterator.tryAdvance(Closeables.java:143)
at
java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
at
java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485)
at
java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at
java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
at
org.infinispan.stream.impl.local.LocalCacheStream.collect(LocalCacheStream.java:258)
at
org.infinispan.util.AbstractDelegatingCacheStream.collect(AbstractDelegatingCacheStream.java:273)
at
jdk.nashorn.internal.scripts.Script$Recompilation$1$58$\^eval\_.loadSessions(<eval>:5)
at jdk.nashorn.internal.scripts.Script$\^eval\_.:program(<eval>:22)
at
jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637)
at
jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494)
at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393)
at
jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:421)
at
jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73)
at
jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:514)
at javax.script.CompiledScript.eval(CompiledScript.java:92)
at
org.infinispan.scripting.impl.ScriptingManagerImpl.execute(ScriptingManagerImpl.java:239)
at org.infinispan.scripting.impl.LocalRunner.runScript(LocalRunner.java:19)
at
org.infinispan.scripting.impl.ScriptingManagerImpl.runScript(ScriptingManagerImpl.java:222)
at
org.infinispan.scripting.impl.ScriptingTaskEngine.runTask(ScriptingTaskEngine.java:44)
at
org.infinispan.tasks.impl.TaskManagerImpl.runTask(TaskManagerImpl.java:99)
at
org.infinispan.server.hotrod.ContextHandler.realRead(ContextHandler.java:120)
at
org.infinispan.server.hotrod.ContextHandler.lambda$channelRead0$0(ContextHandler.java:52)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at
io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.ClassNotFoundException:
org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from
[Module "org.infinispan.commons:main" from local module loader @1c2c22f3
(finder: local module finder @18e8568 (roots:
/opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))]
at
org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198)
at
org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at
org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at
org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:348)
at
org.jboss.marshalling.AbstractClassResolver.loadClass(AbstractClassResolver.java:131)
at
org.jboss.marshalling.AbstractClassResolver.resolveClass(AbstractClassResolver.java:112)
at
org.jboss.marshalling.river.RiverUnmarshaller.doReadClassDescriptor(RiverUnmarshaller.java:1087)
at
org.jboss.marshalling.river.RiverUnmarshaller.doReadNewObject(RiverUnmarshaller.java:1354)
at
org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:275)
at
org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:208)
at
org.jboss.marshalling.AbstractObjectInput.readObject(AbstractObjectInput.java:41)
at
org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromObjectStream(AbstractJBossMarshaller.java:134)
at
org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromByteBuffer(AbstractJBossMarshaller.java:112)
at
org.infinispan.commons.marshall.AbstractMarshaller.objectFromByteBuffer(AbstractMarshaller.java:82)
at
org.infinispan.commons.dataconversion.MarshallerEncoder.fromStorage(MarshallerEncoder.java:34)
... 35 more
I believe the error might be due to the latest code addition for supporting
cross dc. Any help on this issue is appreciated.
Thanks,
Vikrant
7 years, 1 month
bug in keycloak-quickstarts/app-profile-jee-vanilla arquillian - tests?
by Bodo Teichmann
I just followed the "Getting Started" documentation 3.4.
Everything was OK until it came to:
Chapter 4.3.:
after git-clone and
>cd keycloak-quickstarts/app-profile-jee-vanilla
I tried:
>mvn clean wildfly:deploy
but got the error:
-------------------------------------------------------------------------------
Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest
-------------------------------------------------------------------------------
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE!
org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 0.907 sec <<< ERROR!
java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166)
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103)
at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52)
at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162)
... 15 more
Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss
at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85)
at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265)
at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74)
at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290)
at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63)
... 20 more
Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified
at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44)
at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71)
at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80)
... 44 more
until I tried
>mvn clean wildfly:deploy -DskipTests
which worked.
Do I need any other prerequisites in order to run the arquillian tests other than those described in the "Getting Started"?
bodo
7 years, 1 month
Operations through keycloak-spring-security-adapter produce status 500 when token is expired
by Dmitry Korchemkin
Hello,
We're facing a problem with operations performed through a gateway (using
keycloak spring-security-adapter 3.4.0.Final). They result in
"org.keycloak.exceptions.TokenNotActiveException: Token is not active" if
attempted with expired token. Unlike "token is almost expired" error, which
correctly returns 401, this one throws NullPointerException and as a result
produces 500 status code, not 401:
Caused by: java.lang.NullPointerException: null
at
org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
This is observed even when accessing keycloak's own endpoints (/users).
I've seen an issue on JIRA https://issues.jboss.org/browse/KEYCLOAK-5195
which looks like it describes exactly our problem, but it's supposed to be
fixed in 3.4.0.Final.
Here's relevant part of our http security config (requestMatcher filters
some requests bound for IdP itself) from the gateway:
    @Override
    @Bean
    @Primary
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(),
                new NeedValidateJwtTokenRequestMatcher(gatewayRoute));
    }

    @Bean
    public HttpSecurityConfigurer getHttpSecurityConfigurer() {
        return httpSecurity -> {
            httpSecurity.authorizeRequests()
                    .anyRequest().permitAll();
            httpSecurity.addFilterBefore(traceMethodFilter, CorsFilter.class);
            httpSecurity.addFilterBefore(corsFilter, KeycloakAuthenticationProcessingFilter.class);
        };
    }
Is it something with how we use the adapter in the gateway, or is the fix from
KEYCLOAK-5195 missing from 3.4.0.Final (or maybe it is not even relevant
in this case)?
Best regards,
Dmitry
7 years, 1 month
domain-extension example not working OOTB, need admin-cli scope tweaking
by Dmitry Telegin
Hi,
The domain-extension example used to work out of the box as of KC
3.1.0, but no longer works with KC >= 3.2.0. That's because in 3.1.0
the "admin-cli" client's scope had the "admin" role mapped by default,
which is no longer the case for 3.2.0+, hence no "realm_access" field
in the JWT token, hence null auth.getToken().getRealmAccess() in
ExampleRestResource::checkRealmAdmin(), hence non-working
authorization.
I think either the 3.1.0 behavior should be restored, or the domain-
extension readme should contain a line about the necessary manual tweak
to the admin-cli scope. What do you think?
Dmitry
7 years, 1 month
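The two posts above describe the same class of failure: a token that should be rejected (expired, or carrying no "realm_access" claim because the client scope maps no realm roles) ends in an exception instead of a clean denial. The following is an added example, not part of either post and not Keycloak code, of a claim check that fails closed with 401 or 403. The function names and sample tokens are hypothetical, and signature verification is assumed to have already happened.

```python
import base64
import json
import time


def b64url_json(segment):
    """Decode one base64url-encoded JWT segment into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_token(claims):
    """Build a constructed, unsigned sample token for the demo (header.payload.)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def authorize_realm_admin(token, now=None, required_role="admin"):
    """Return (http_status, reason); every failure path is a 401 or 403.

    Hypothetical helper. Assumes the signature was verified before this call.
    """
    now = time.time() if now is None else now
    try:
        claims = b64url_json(token.split(".")[1])
    except (IndexError, ValueError):
        return 401, "malformed token"
    if not isinstance(claims, dict):
        return 401, "malformed token"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return 401, "token is not active"
    # "realm_access" is absent when the client scope maps no realm roles,
    # so treat a missing or malformed claim as "no roles", not as an error.
    realm_access = claims.get("realm_access")
    roles = realm_access.get("roles") if isinstance(realm_access, dict) else None
    if not isinstance(roles, list) or required_role not in roles:
        return 403, "missing realm role"
    return 200, "ok"


NOW = 1512000000  # constructed fixed clock so the sample tokens are deterministic
ADMIN = make_token({"exp": NOW + 300, "realm_access": {"roles": ["admin"]}})
NO_SCOPE = make_token({"exp": NOW + 300})  # constructed: no realm_access claim
EXPIRED = make_token({"exp": NOW - 1, "realm_access": {"roles": ["admin"]}})
```
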