JAX-RS Backend Service + Angular 2 Front-End + Role Authorization
by Gustavo Alvarez
Hello everyone.
I am developing a web application with Angular 2 on the front end and
JAX-RS services on the backend. I also need authorization with user roles,
but I have the following problems:
1. The recommendation in the documentation is to set up the Angular
client as public, which means that the authorization cannot go here.
2. If the backend is set up as a confidential client, the service cannot
be consumed from Angular 2 with the bearer token.
3. If the backend is configured as a bearer-only client, the roles are not
validated against the authorization defined in Keycloak.
Can you help me find a better configuration for this environment?
Thank you all.
Gaalvarez.
7 years, 10 months
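An added illustration of the bearer-only backend variant described in the post above (example code, not the poster's project): the Angular client stays public and obtains the token, while the JAX-RS backend only verifies the bearer token and enforces a realm role itself. It assumes the Keycloak servlet adapter is installed with a keycloak.json that sets "bearer-only": true and a web.xml security constraint protecting the resource path; the role name "report-viewer" and the /reports path are constructed.

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

// Bearer-only JAX-RS resource: the public Angular client sends the access
// token, the adapter verifies its signature, and this resource enforces the
// realm role. Assumes keycloak.json has "bearer-only": true and web.xml
// applies a security constraint to the path (example, not the poster's code).
@Path("/reports")
public class ReportResource {

    @Context
    private HttpServletRequest request;

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response listReports() {
        // The adapter stores the verified token under this request attribute.
        KeycloakSecurityContext ctx = (KeycloakSecurityContext)
                request.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            // No verified bearer token reached us: refuse rather than assume.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        AccessToken token = ctx.getToken();
        // "report-viewer" is a constructed role name for this example.
        if (!hasRealmRole(token, "report-viewer")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("{\"subject\":\"" + token.getSubject() + "\"}").build();
    }

    // Role check against the realm_access claim of the verified access token;
    // a token without realm_access carries no realm roles at all.
    static boolean hasRealmRole(AccessToken token, String role) {
        AccessToken.Access realm = token.getRealmAccess();
        if (realm == null) {
            return false;
        }
        Set<String> roles = realm.getRoles();
        return roles != null && roles.contains(role);
    }
}
```

Because the token is verified before the role check runs, a client that tampers with realm_access fails signature validation in the adapter and never reaches hasRealmRole.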
Export
by Brian Schwartz
Is the keycloak export functionality broken since the last couple of
versions?
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/export-import.html
I run this command:
./standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=demokeycloak.json
I get this error:
14:00:33,664 INFO
[org.keycloak.exportimport.singlefile.SingleFileExportProvider]
(ServerService Thread Pool -- 48) Exporting model into file
/Users/xxxx/Downloads/keycloak-2.4.0.Final/bin/demokeycloak.json
14:00:34,163 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server
shutdown has been requested.
14:00:34,222 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
service thread 1-4) WFLYJCA0010: Unbound data source
[java:jboss/datasources/KeycloakDS]
14:00:34,267 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool
-- 48) MSC000001: Failed to start service jboss.undertow.deployment.
default-server.default-host./auth: org.jboss.msc.service.StartException in
service jboss.undertow.deployment.default-server.default-host./auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(
javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.
UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.
call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct
public org.keycloak.services.resources.KeycloakApplication(
javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.
construct(ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.
createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.
createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(
ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.
ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.
HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.
proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.
RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.
proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$
DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(
ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(
DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.
UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.
UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.NullPointerException
at org.keycloak.models.utils.ModelToRepresentation$2.
compare(ModelToRepresentation.java:431)
at org.keycloak.models.utils.ModelToRepresentation$2.
compare(ModelToRepresentation.java:428)
at java.util.TimSort.countRunAndMakeAscending(
TimSort.java:356)
at java.util.TimSort.sort(TimSort.java:220)
at java.util.Arrays.sort(Arrays.java:1512)
at java.util.ArrayList.sort(ArrayList.java:1454)
at java.util.Collections.sort(Collections.java:175)
at org.keycloak.models.utils.ModelToRepresentation.
exportAuthenticationFlows(ModelToRepresentation.java:428)
at org.keycloak.models.utils.ModelToRepresentation.
toRepresentation(ModelToRepresentation.java:372)
at org.keycloak.exportimport.util.ExportUtils.exportRealm(
ExportUtils.java:87)
at org.keycloak.exportimport.singlefile.
SingleFileExportProvider$1.runExportImportTask(
SingleFileExportProvider.java:65)
at org.keycloak.exportimport.util.ExportImportSessionTask.
run(ExportImportSessionTask.java:35)
at org.keycloak.models.utils.KeycloakModelUtils.
runJobInTransaction(KeycloakModelUtils.java:236)
at org.keycloak.exportimport.singlefile.
SingleFileExportProvider.exportModel(SingleFileExportProvider.java:58)
at org.keycloak.exportimport.ExportImportManager.runExport(
ExportImportManager.java:102)
at org.keycloak.services.resources.KeycloakApplication.
<init>(KeycloakApplication.java:149)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(
NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorI
mpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.
newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.
construct(ConstructorInjectorImpl.java:150)
... 19 more
This has not worked for me since version 2.1.0.
I’m currently using version 2.4.0.Final.
Thanks
7 years, 10 months
mapper for client_session, clientid, clientAddress
by Ori Doolman
Hi,
I am using KC 2.4 and OIDC implicit flow with a public client.
In the client mapper, I have the following claims mapped and enabled for the Access Token : client_session, clientid, clientAddress.
However, they don't return as part of the token.
Other claims don't have this problem.
I noticed that all of those 3 claims are of type 'User Session Note'.
Is this related to the fact that my client is public?
Is there any way to get those properties into the access token?
I need, for logging purpose, to get a unique session ID and client information (name + IP address).
Thanks,
Ori.
7 years, 10 months
EntityManager and JpaEntityProvider SPI Error
by Bruno Palermo
Hi,
I've implemented a custom resource using ResourceProvider SPI and a
custom JPA entity using JpaEntityProvider SPI.
If I try to obtain an EntityManager inside my custom resource, using:
EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager();
then when I try to access the resource, I receive the following error:
*Stack Trace*
java.lang.NoClassDefFoundError: javax/persistence/EntityManager
java.lang.Class.getDeclaredMethods0(Native Method)
java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
java.lang.Class.getDeclaredMethods(Class.java:1975)
org.jboss.resteasy.util.GetRestful.hasJAXRSAnnotations(GetRestful.java:109)
org.jboss.resteasy.util.GetRestful.isSubResourceClass(GetRestful.java:38)
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:121)
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
If I remove the EntityManager code, the resource works fine.
Any ideas?
Thanks,
Bruno
7 years, 10 months
Identity Brokering Question
by Chris Savory
Is it possible to set up multiple keycloak realms as an identity broker to a single realm? For example, we have a site that is multi-tenant and users are in different realms. Each site will connect to realm A, B, or C depending on where the user goes to log in. I want to build a micro-service that is available to serve authenticated requests from all the sites. So, can I set up a realm D that will accept bearer tokens from realms A, B or C?
--
Christopher Savory
Software Engineer | EdLogics
7 years, 10 months
Logout issue: UT000021: Session already invalidated with EAP7/WF10 adapter
by Petr Široký
Hello everyone,
I am having a logout issue when using the EAP7/WF10 adapter
(2.5.1.Final) with EAP 7.0.0.GA. The server is RH-SSO 7.0.0.GA (but I
also tried the upstream Keycloak 2.5.1.Final).
This is a simplified version of the code (full reproducer here
https://github.com/psiroky/servlet-app-keycloak-reproducer):
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // ....
    request.logout();                                // container / adapter logout
    HttpSession session = request.getSession(false);
    if (session != null) {
        session.invalidate();                        // throws UT000021 with the Keycloak adapter
    }
    // ...
}
The code first calls request.logout() and then session.invalidate().
This works OK when we are _not_ using the Keycloak adapter. However,
once we switch to Keycloak adapter we end up with
"java.lang.IllegalStateException:UT000021: Session already invalidated".
I've been debugging the calls and it happens because the
request.logout() bubbles down to the Keycloak adapter code, which calls
session.invalidate() as well. For some reason (bug in Undertow/EAP?) the
request.getSession(false) then returns what seems to be a valid
session (the invalidated flag=false). The session.invalidate() call
happens again, but the session was in fact already invalidated and thus
Undertow throws that IllegalStateException.
Please note that exactly the same code works on EAP 6 (+ EAP6 adapter).
The session also gets invalidated as part of logout(), but then the
request.getSession(false) returns null, so the second call to
invalidate() does not happen (this kind of points to Undertow as the
culprit).
I am trying to figure out what the root cause is:
1) Our application should _not_ call both request.logout() and then
session.invalidate() (even though it works for EAP6 and also with e.g.
basic auth without the Keycloak integration)
2) Keycloak adapter should not call session.invalidate() as part of
request.logout()
3) Undertow does not properly propagate the invalidate() call by the
Keycloak adapter.
4) Something completely different?
Thanks,
Petr
7 years, 10 months
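A defensive variant of the logout servlet from the post above, added here as an example and not taken from the reproducer: it keeps both the request.logout() and the explicit session cleanup, but treats a session that the adapter has already invalidated as a normal outcome instead of letting UT000021 surface to the user. The redirect target after logout is an assumption.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Logout servlet that tolerates the Keycloak adapter having already
// invalidated the HttpSession inside request.logout() (example code,
// not the reproducer's own servlet).
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Let the container and the adapter log the principal out first.
        request.logout();
        endSessionQuietly(request);
        // Where to land after logout is an assumption for this example.
        response.sendRedirect(request.getContextPath() + "/");
    }

    // On EAP 7 / Undertow, getSession(false) may still hand back a session
    // the adapter has already invalidated, so a second invalidate() throws
    // IllegalStateException (UT000021). Returns true if this call did the
    // invalidation, false if there was nothing left to invalidate.
    static boolean endSessionQuietly(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            // request.logout() already invalidated it; the goal is achieved.
            return false;
        }
    }
}
```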
Configuring keycloak with JSON instead of UI
by Sarp Kaya
Hello,
I’m aware of keycloak import/export functionality, but when I export the keycloak configuration it exports with a bunch of ids. I’m guessing this is useful for back-ups or duplicating the entire environment.
My problem is, say if you have different environments with slight configuration differences (because environments probably have different keys, URLs etc.) but would like to keep majority of the configuration the same; then this export/import becomes unusable:
1) Everything has an id, so therefore just exporting and then importing singular item will not work due to id mismatch.
2) During the import, it’s not possible to select what can be overwritten and what can be skipped. Importing condition applies for all.
My question is, what is the best practice to configure keycloak in multiple environments?
7 years, 10 months
Custom Email Provider
by Bruno Palermo
Hi,
I'm implementing a custom AWS SES email provider.
How can I choose which implementation to use to send emails?
Thanks,
Bruno
7 years, 10 months