Performance with a large number of resources
by Scott Elliott
Using the photoz application as an example, what is the expected
performance if there are a very large (say, 5M) number of albums? What
about if there are multiple resources per album? You quickly get a very
large number of resources. The OIDC adapters cache some number of these, so
what effect will that have on the resource server?
Ideally there would be a way to authorize any resource associated with an
album, so if /album/vacation were authorized by /album/{id},
/album/vacation/photo/1 was also authorized, i.e., the URI that selects the
resource to be authorized would always be /album/vacation.
7 years, 8 months
Re: [keycloak-user] SSO from Java code
by Nirmal Kumar
Hi Josh,
I have deployed my WAR(s) using the Keycloak Tomcat and Spring Security adapters. The web apps seem to be running fine with Keycloak SSO enabled from the browser, where I am redirected to a login page and then to the original URL.
Apart from the browser, I also have a use case where the web app REST calls can be made through Java code directly from other standalone Java applications.
Think of the web app REST endpoints as an SDK whose consumers can be browser based as well as non-browser based.
The consumers here have a high degree of trust and have the username/password available.
That way I can think of using the "Resource Owner Password Credentials grant".
I read that we can use generic OpenID Connect Resource Provider libraries for such cases:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc...
1. /realms/{realm-name}/protocol/openid-connect/token
   This is the URL endpoint for obtaining a temporary code in the Authorization Code Flow or for obtaining tokens via the Implicit Flow, Direct Grants, or Client Grants.
2. /realms/{realm-name}/protocol/openid-connect/userinfo
   This is the URL endpoint for the User Info service described in the OIDC specification.
3. /realms/{realm-name}/protocol/openid-connect/logout
   This is the URL endpoint for performing logouts.
I can think of using #1 to get the access token and then passing this token on all my subsequent REST calls. I even tested this and found it working.
Does this make sense, or are there any better alternatives?
Regards,
-Nirmal
-----Original Message-----
From: Josh Cain [mailto:jcain@redhat.com]
Sent: Friday, May 5, 2017 6:52 PM
To: Nirmal Kumar <nirmal.kumar(a)impetus.co.in>; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] SSO from Java code
Hi Nirmal,
Depending on what protocol you're using, I think Keycloak's got you covered. I'd check out either the SAML ECP flow[0] or the OIDC Resource Owner Password Credentials flow[1], both of which are supported by Keycloak.
However, I'd also point out that these are highly uncommon and should only be used in a small number of cases. Do you mind my asking why you're needing to cut a browser out of the picture?
[0]
http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/saml-ecp-v...
[1] https://tools.ietf.org/html/rfc6749#section-1.3.3
Josh Cain
Senior Software Applications Engineer, RHCSA
Red Hat North America
jcain(a)redhat.com
M: +1 256-452-0150
IRC: jcain
On 05/05/2017 04:26 AM, Nirmal Kumar wrote:
> Hi All,
>
> I installed the standalone version of the latest Keycloak 3.0.0.Final and was pretty much impressed with the ease of getting SSO for my Spring-based REST web applications deployed on Tomcat 7.
>
> I am wondering if I can get the same SSO feature from Java code without ever going to a browser, since I want the same from a CLI with no UI/browser.
>
> Thanks,
> -Nirmal
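An added example, not code from the thread or from Keycloak, of the approach Nirmal describes above: a non-browser client obtains tokens from endpoint #1 with the Resource Owner Password Credentials (direct) grant, presents the access token as a Bearer token on its REST calls, and refreshes it before expiry. The base URL, realm and client names are assumed placeholders, and make_unsigned_jwt exists only so the claim parsing can be exercised offline.

```python
"""Direct-grant token handling for a CLI / standalone Java-style consumer,
written in Python as an illustration of the HTTP exchange."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed values, not taken from the original thread.
KEYCLOAK_BASE = "https://sso.example.invalid/auth"
REALM = "demo"


def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    # Endpoint #1 from the message: issues tokens for Direct Grants.
    return f"{base}/realms/{realm}/protocol/openid-connect/token"


def build_password_grant(username, password, client_id, client_secret=None):
    """Form body for the Resource Owner Password Credentials grant (RFC 6749, 4.3)."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:
        # Confidential client: authenticates with Keycloak's client-secret authenticator.
        form["client_secret"] = client_secret
    return urllib.parse.urlencode(form).encode()


def build_refresh_grant(refresh_token, client_id, client_secret=None):
    """Form body that trades a refresh token for a new access token."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return urllib.parse.urlencode(form).encode()


def jwt_claims(token):
    """Read the JWT payload without verifying it; the client only needs exp/iss.
    Signature verification belongs to the resource server that receives the token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims):
    """Constructed for this demo only: an alg=none token so jwt_claims can be
    exercised offline. Keycloak issues signed (RS256) tokens."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."


class TokenCache:
    """Holds one token response and decides when a refresh is due."""

    def __init__(self, response, now=None, skew=30):
        now = time.time() if now is None else now
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")
        # expires_in is relative; keep an absolute deadline minus a safety skew.
        self.expires_at = now + int(response["expires_in"]) - skew

    def is_expired(self, now=None):
        now = time.time() if now is None else now
        return now >= self.expires_at

    def bearer_header(self):
        return {"Authorization": "Bearer " + self.access_token}


def post_form(url, body):
    """POST an application/x-www-form-urlencoded body and parse the JSON reply."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def login(username, password, client_id, client_secret=None):
    """Username/password -> TokenCache (network call, not exercised offline)."""
    body = build_password_grant(username, password, client_id, client_secret)
    return TokenCache(post_form(token_endpoint(), body))


def current(cache, client_id, client_secret=None):
    """Return a cache whose access token is still valid, refreshing if needed."""
    if cache.is_expired():
        body = build_refresh_grant(cache.refresh_token, client_id, client_secret)
        cache = TokenCache(post_form(token_endpoint(), body))
    return cache


def call_api(cache, url):
    """Call a REST endpoint protected by the Keycloak adapter with the Bearer token."""
    req = urllib.request.Request(url, headers=cache.bearer_header())
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```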
7 years, 8 months
Two OIDC working, but not SSO
by Tech
Dear experts,
we are working with Moodle, a PHP-based platform, where we have been
able to configure Keycloak correctly to implement OIDC.
To test Keycloak we cloned this application with different URLs, and we
did the first test:
* Connect to portal1
* User not recognized and redirected to Keycloak through OIDC
* Enter credentials stored into Keycloak
* User accepted and redirected to portal1
* Logout from portal1
After this we tested the second application:
* Connect to portal2
* User not recognized and redirected to Keycloak through OIDC
* Enter credentials stored into Keycloak
* User accepted and redirected to portal2
* Logout from portal2
In this case I know that OIDC is working for the two applications and we
can expect that SSO is also working, but after the login to portal1
we have to log in again to portal2, and vice versa.
We attach some logs below; could you please help?
Thanks
*Login to portal1*
2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic
Recovery) Send recover request for transaction origin node identifier 1
to EJB receiver with node name 79051ccf69ac
2017-04-25 09:54:45,055 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new
JtaTransactionWrapper
2017-04-25 09:54:45,056 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was
existing? false
2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-30) RESTEASY002315: PathInfo:
/realms/demo/protocol/openid-connect/auth
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-30)
AUTHENTICATE
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-30)
AUTHENTICATE ONLY
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) processFlow
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) check execution: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) authenticator: auth-cookie
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-30)
Could not find cookie: KEYCLOAK_IDENTITY
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) authenticator ATTEMPTED: auth-cookie
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) check execution: auth-spnego requirement: DISABLED
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) execution is processed
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) check execution: identity-provider-redirector requirement:
ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) authenticator: identity-provider-redirector
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) authenticator ATTEMPTED: identity-provider-redirector
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) check execution: null requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) execution is flow
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) processFlow
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) check execution: auth-username-password-form requirement: REQUIRED
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) authenticator: auth-username-password-form
2017-04-25 09:54:45,059 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30)
TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30)
TemplateLoader.findTemplateSource("template_en.ftl"): Not found
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30)
TemplateLoader.findTemplateSource("template.ftl"): Found
2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30)
"template.ftl"("en_US", UTF-8, parsed): using cached since
file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
2017-04-25 09:54:45,064 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-30) authenticator CHALLENGE: auth-username-password-form
2017-04-25 09:54:45,064 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-30)
JtaTransactionWrapper commit
2017-04-25 09:54:45,064 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-30)
JtaTransactionWrapper end
2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic
Recovery) Send recover request for transaction origin node identifier 1
to EJB receiver with node name 79051ccf69ac
*After authentication to portal1*
2017-04-25 09:54:56,041 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new
JtaTransactionWrapper
2017-04-25 09:54:56,041 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was
existing? false
2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-31) RESTEASY002315: PathInfo:
/realms/Demo/login-actions/authenticate
2017-04-25 09:54:56,042 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-31)
authenticationAction
2017-04-25 09:54:56,042 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) check: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) check: auth-spnego requirement: DISABLED
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) check: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) check: null requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) check: auth-username-password-form requirement: REQUIRED
2017-04-25 09:54:56,043 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) action: auth-username-password-form
2017-04-25 09:54:56,141 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) authenticator SUCCESS: auth-username-password-form
2017-04-25 09:54:56,141 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) processFlow
2017-04-25 09:54:56,141 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) check execution: auth-otp-form requirement: OPTIONAL
2017-04-25 09:54:56,141 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) authenticator: auth-otp-form
2017-04-25 09:54:56,141 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default
task-31) processFlow
2017-04-25 09:54:56,141 DEBUG
[org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl]
(default task-31) Hibernate RegisteredSynchronization successfully
registered with JTA platform
2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:54:56,142 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default
task-31) MySqlDS: getConnection(null,
WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
2017-04-25 09:54:56,143 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:54:56,144 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:54:56,144 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31)
type=LOGIN, realmId=Demo, clientId=moodle,
userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27,
auth_method=openid-connect, auth_type=code,
redirect_uri=https://localhost/moodleiam/auth/oidc/,
consent=no_consent_required,
code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser
2017-04-25 09:54:56,145 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-31)
Removing old user session: session: 9a5218f8-aa9c-496c-aa00-780430f19c1b
2017-04-25 09:54:56,145 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-31)
Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo,
max-age: -1
2017-04-25 09:54:56,145 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-31)
Expiring remember me cookie
2017-04-25 09:54:56,145 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-31)
Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
2017-04-25 09:54:56,146 DEBUG
[org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31)
redirectAccessCode: state: bIJNAcPb8Rxz8Wb
2017-04-25 09:54:56,146 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-31)
JtaTransactionWrapper commit
2017-04-25 09:54:56,149 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default
task-31) MySqlDS: returnConnection(4edba62b, false) [0/20]
2017-04-25 09:54:56,149 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-31) Initiating JDBC connection release from afterTransaction
2017-04-25 09:54:56,149 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-31)
JtaTransactionWrapper end
2017-04-25 09:54:56,642 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new
JtaTransactionWrapper
2017-04-25 09:54:56,642 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was
existing? false
2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-24) RESTEASY002315: PathInfo:
/realms/demo/protocol/openid-connect/token
2017-04-25 09:54:56,643 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-24)
AUTHENTICATE CLIENT
2017-04-25 09:54:56,643 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-24)
client authenticator: client-secret
2017-04-25 09:54:56,643 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-24)
client authenticator SUCCESS: client-secret
2017-04-25 09:54:56,643 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-24)
Client moodle authenticated by client-secret
2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24)
type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle,
userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213,
token_id=75173922-dd56-44ca-9255-9a5368e557f4,
grant_type=authorization_code, refresh_token_type=Refresh,
refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df,
code_id=08539f13-cb1c-423e-86a3-365c29b055f1,
client_auth_method=client-secret
2017-04-25 09:54:56,663 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-24)
JtaTransactionWrapper commit
2017-04-25 09:54:56,663 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-24)
JtaTransactionWrapper end
*Login to portal2*
2017-04-25 09:56:17,566 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new
JtaTransactionWrapper
2017-04-25 09:56:17,566 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was
existing? false
2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-6) RESTEASY002315: PathInfo:
/realms/demo/protocol/openid-connect/auth
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-6)
AUTHENTICATE
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-6)
AUTHENTICATE ONLY
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
processFlow
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
check execution: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
authenticator: auth-cookie
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
invoke authenticator.authenticate
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-6)
Could not find cookie: KEYCLOAK_IDENTITY
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
authenticator ATTEMPTED: auth-cookie
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
check execution: auth-spnego requirement: DISABLED
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
execution is processed
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
authenticator: identity-provider-redirector
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
invoke authenticator.authenticate
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
authenticator ATTEMPTED: identity-provider-redirector
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
check execution: null requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
execution is flow
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
processFlow
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
check execution: auth-username-password-form requirement: REQUIRED
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
authenticator: auth-username-password-form
2017-04-25 09:56:17,569 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
invoke authenticator.authenticate
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6)
TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6)
TemplateLoader.findTemplateSource("template_en.ftl"): Not found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6)
TemplateLoader.findTemplateSource("template.ftl"): Found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6)
"template.ftl"("en_US", UTF-8, parsed): using cached since
file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
2017-04-25 09:56:17,573 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6)
authenticator CHALLENGE: auth-username-password-form
2017-04-25 09:56:17,573 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-6)
JtaTransactionWrapper commit
2017-04-25 09:56:17,573 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-6)
JtaTransactionWrapper end
*After authentication to portal2*
2017-04-25 09:56:29,001 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new
JtaTransactionWrapper
2017-04-25 09:56:29,001 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was
existing? false
2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-4) RESTEASY002315: PathInfo:
/realms/Demo/login-actions/authenticate
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-4)
authenticationAction
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
execution is processed
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: auth-spnego requirement: DISABLED
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
execution is processed
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
execution is processed
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: null requirement: ALTERNATIVE
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: auth-username-password-form requirement: REQUIRED
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
action: auth-username-password-form
2017-04-25 09:56:29,099 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
authenticator SUCCESS: auth-username-password-form
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processFlow
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check execution: auth-otp-form requirement: OPTIONAL
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
authenticator: auth-otp-form
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processFlow
2017-04-25 09:56:29,100 DEBUG
[org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl]
(default task-4) Hibernate RegisteredSynchronization successfully
registered with JTA platform
2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:56:29,101 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default
task-4) MySqlDS: getConnection(null,
WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
2017-04-25 09:56:29,102 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterStatement
2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:56:29,103 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterStatement
2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:56:29,104 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterStatement
2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default task-4)
type=LOGIN, realmId=Demo, clientId=moodle2,
userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27,
auth_method=openid-connect, auth_type=code,
redirect_uri=https://localhost/moodle2iam/auth/oidc/,
consent=no_consent_required,
code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser
2017-04-25 09:56:29,104 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Removing old user session: session: 431cecf6-5a6b-4bbc-9467-3f52eff8090f
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo,
max-age: -1
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Expiring remember me cookie
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4)
redirectAccessCode: state: WUCTMXokISFDbFN
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4)
JtaTransactionWrapper commit
2017-04-25 09:56:29,106 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default
task-4) MySqlDS: returnConnection(4edba62b, false) [0/20]
2017-04-25 09:56:29,106 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterTransaction
2017-04-25 09:56:29,106 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4)
JtaTransactionWrapper end
2017-04-25 09:56:29,626 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13) new
JtaTransactionWrapper
2017-04-25 09:56:29,626 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13) was
existing? false
2017-04-25 09:56:29,627 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-13) RESTEASY002315: PathInfo:
/realms/demo/protocol/openid-connect/token
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-13)
AUTHENTICATE CLIENT
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-13)
client authenticator: client-secret
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-13)
client authenticator SUCCESS: client-secret
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-13)
Client moodle2 authenticated by client-secret
2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default task-13)
type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2,
userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213,
token_id=ff9b3385-1362-4559-ad53-05317755b280,
grant_type=authorization_code, refresh_token_type=Refresh,
refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7,
code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef,
client_auth_method=client-secret
2017-04-25 09:56:29,656 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13)
JtaTransactionWrapper commit
2017-04-25 09:56:29,656 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13)
JtaTransactionWrapper end
2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1)
Error reading request: java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:192)
at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282)
at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658)
at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530)
at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
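An added check, not part of the thread: the logs above show Keycloak setting KEYCLOAK_IDENTITY with path /auth/realms/Demo after the portal1 login, and then "Could not find cookie" on portal2's authorization request to /realms/demo/... The script replays those log lines and applies the RFC 6265 path-match rule (byte-wise, so case-sensitive) to report whether a browser would have attached the cookie; it assumes the logged PathInfo is relative to a /auth context root.

```python
"""Replay Keycloak DEBUG lines and test SSO-cookie path matching."""
import re

# Assumption: Keycloak is deployed under /auth, as the cookie path in the log suggests.
CONTEXT_ROOT = "/auth"

# Lines taken from the excerpt above, reflowed onto one line each.
LOG = """\
2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-30) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
2017-04-25 09:54:45,059 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-30) Could not find cookie: KEYCLOAK_IDENTITY
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-6) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
2017-04-25 09:56:17,569 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-6) Could not find cookie: KEYCLOAK_IDENTITY
"""

PATHINFO_RE = re.compile(r"PathInfo: (\S+)")
COOKIE_RE = re.compile(r"Create login cookie - name: (\S+), path: (\S+),")


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match. Comparison is byte-wise, so
    /auth/realms/Demo does not cover /auth/realms/demo/..."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # Either the cookie path ends in "/" or the next request-path byte is "/".
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def analyse(log_text, context_root=CONTEXT_ROOT):
    """Track every login cookie Keycloak sets; for each later authorization
    request, report whether the browser would have sent that cookie."""
    cookies = {}      # cookie name -> Path attribute
    findings = []
    for line in log_text.splitlines():
        m = COOKIE_RE.search(line)
        if m:
            cookies[m.group(1)] = m.group(2)
            continue
        m = PATHINFO_RE.search(line)
        if m and m.group(1).endswith("/openid-connect/auth"):
            full_path = context_root + m.group(1)
            for name, cpath in cookies.items():
                findings.append({
                    "cookie": name,
                    "cookie_path": cpath,
                    "request_path": full_path,
                    "sent": path_matches(cpath, full_path),
                })
    return findings


if __name__ == "__main__":
    for f in analyse(LOG):
        print(f)
```

A finding with sent=False means the SSO cookie set by the first login cannot reach the second authorization request, which is consistent with the "Could not find cookie" line that follows it; the thread itself does not state the root cause.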
7 years, 8 months
SAML attribute mapper with processing
by Anders KK
Hi there,
Do you have a guide on how to implement a custom SAML attribute mapper?
Does that involve building KC on our own?
What we need:
Our SAML Idp (a widely used public Danish service) provides a custom
attribute on the SAML assertion. To support a detailed user privileges
profile, a chunk of XML data is base64-encoded and added as the value of a
single attribute as follows:
<Attribute Name="dk:gov:saml:attribute:Privileges_intermediate"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>PD94bWwg ....base64 encoded XML data.....
dmVyc2l==</AttributeValue>
</Attribute>
We want to implement a mapper that will: extract the attribute value, decode
the data, parse the XML and finally map each privilege to a role on the
Keycloak user.
Alternatively, if post-processing of the user is an option, we could map the
attribute on to the user and do the privilege/role processing later? Any
suggestions are appreciated :)
Kind regards,
Ulrik and Anders
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/SAML-attribute-mapper-with-proce...
Sent from the keycloak-user mailing list archive at Nabble.com.
7 years, 8 months
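The processing pipeline the SAML attribute mapper message above asks for, written as an added example in Python rather than against Keycloak's Java broker SPI; it is not Keycloak code and not the poster's. The attribute name is the one quoted in the message; the privilege document's element names (PrivilegeList, PrivilegeGroup, Privilege), the scope and privilege URNs, the size limit and the privilege-to-role table are constructed assumptions, since the Danish service's schema is not shown. The parts worth carrying into a real mapper are the strict base64 decode, the refusal of any DTD in IdP-supplied XML, and the allowlist between privilege strings and role names.

```python
"""Decode and map a base64 XML privilege attribute (added example, not Keycloak code).

A Keycloak identity-provider mapper is Java against the broker SPI; this block
shows in Python the steps such a mapper has to get right: find the attribute,
strictly decode the payload, parse the XML defensively, and turn privileges
into roles only through an allowlist.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PRIVILEGE_ATTRIBUTE = "dk:gov:saml:attribute:Privileges_intermediate"  # name from the post
MAX_PAYLOAD_BYTES = 64 * 1024  # assumed upper bound for a privilege document

# Constructed privilege document. The real schema of the Danish service is not
# shown in the post, so these element names and URNs are assumptions.
PRIVILEGE_XML = (
    '<PrivilegeList>'
    '<PrivilegeGroup Scope="urn:example:org:12345678">'
    '<Privilege>urn:example:privilege:invoice:read</Privilege>'
    '<Privilege>urn:example:privilege:invoice:approve</Privilege>'
    '</PrivilegeGroup>'
    '</PrivilegeList>'
)

# Allowlist: only privileges listed here become realm roles; anything else is
# dropped, so the IdP cannot mint arbitrary role names by sending new strings.
PRIVILEGE_TO_ROLE = {
    "urn:example:privilege:invoice:read": "invoice-reader",
    "urn:example:privilege:invoice:approve": "invoice-approver",
}


def encode_payload(xml_text):
    """Base64-encode a privilege document the way the IdP does."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def build_attribute_statement(privilege_xml):
    """Construct a SAML AttributeStatement carrying the encoded document."""
    return (
        '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:Attribute Name="{name}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
        '<saml:AttributeValue>{value}</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement>'
    ).format(name=PRIVILEGE_ATTRIBUTE, value=encode_payload(privilege_xml))


SAMPLE_ATTRIBUTE_STATEMENT = build_attribute_statement(PRIVILEGE_XML)  # constructed input


def extract_attribute_value(statement_xml, name):
    """Return the text of the first AttributeValue of the Attribute named `name`, or None."""
    root = ET.fromstring(statement_xml)
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            value = attr.find("saml:AttributeValue", SAML_NS)
            return "".join(value.itertext()).strip() if value is not None else None
    return None


def decode_privilege_payload(b64_text):
    """Strictly base64-decode the payload and parse it with DTDs refused."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("privilege attribute is not valid base64") from exc
    if len(raw) > MAX_PAYLOAD_BYTES:
        raise ValueError("privilege payload exceeds size limit")
    text = raw.decode("utf-8")
    # An IdP-supplied document must never reach the parser with a DTD: that is
    # the vector for external entity resolution and entity-expansion bombs.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD in privilege payload rejected")
    return ET.fromstring(text)


def is_acceptable_payload(b64_text):
    """True if the payload decodes and parses under the rules above."""
    try:
        decode_privilege_payload(b64_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def privileges_from_xml(root):
    """Return (scope, privilege) pairs from a parsed PrivilegeList document."""
    pairs = []
    for group in root.iter("PrivilegeGroup"):
        scope = group.get("Scope", "")
        for priv in group.findall("Privilege"):
            pairs.append((scope, (priv.text or "").strip()))
    return pairs


def roles_for_statement(statement_xml, mapping=PRIVILEGE_TO_ROLE):
    """End to end: attribute -> decoded XML -> privileges -> allowlisted role names."""
    value = extract_attribute_value(statement_xml, PRIVILEGE_ATTRIBUTE)
    if value is None:
        return set()
    root = decode_privilege_payload(value)
    return {mapping[p] for _, p in privileges_from_xml(root) if p in mapping}


if __name__ == "__main__":
    print(sorted(roles_for_statement(SAMPLE_ATTRIBUTE_STATEMENT)))
```

On the "build KC on our own" question: Keycloak loads custom providers from a separately deployed JAR, so the Java equivalent of this logic goes into a custom identity-provider mapper shipped as its own provider, not into a rebuilt server. Whichever language it ends up in, keep the scope value alongside each privilege; a privilege granted for one organisation should not silently become a realm-wide role.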
SSO from Java code
by Nirmal Kumar
Hi All,
I installed the standalone version of the latest Keycloak 3.0.0.Final and was pretty much impressed with the ease of getting SSO for my Spring-based REST web applications deployed on Tomcat 7.
I am wondering if I can get the same SSO feature from Java code without ever going to a browser, since I want the same from a CLI with no UI/browser.
Thanks,
-Nirmal
________________________________
NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
7 years, 8 months
Use X.509 certificate when retrieving Access Token from OIDC Provider?
by Jeremy Waterman
Hi all,
We are using Keycloak as an identity broker with a third party service. We’ve set the third party up as an OIDC Identity Provider within Keycloak, but we’ve hit a snag. The third party that we’re working with requires that requests to retrieve an access token are sent with an X.509 certificate. We can’t find a way within Keycloak to set this up and when we hit the token server URL to exchange the authorization code for a token, we are getting an error back from the third party - “proper client ssl certificate was not presented.”
Any ideas on how to support this with Keycloak?
Thanks for any help!!
Jeremy
7 years, 8 months
Client Initiated Account Linking doubt
by Tomás García
I'm looking at this doc:
https://keycloak.gitbooks.io/documentation/server_development/topics/iden...
And unless your app lives inside a Java servlet guarded by Keycloak,
there's no way to use this feature, right? Due to the hash generation. I
don't see a way to get a client / user session Id since they're internal
stuff in Keycloak associated thanks to the cookie in the user's browser. I
get why it's needed though and I don't see any good alternative right now
for non-servlet apps (OpenID Connect enabled apps made in other languages
for instance)... but it's unfortunate that the doc doesn't clarify it.
Thanks.
7 years, 8 months
JavaScript Adapter issues after upgrade from 3.0.0 to 3.1.0
by Thorsten
Hi all,
I have played around with some Angular 4 stuff. I created a plain vanilla
project through "ng new" and added the Keycloak 3.0.0 adapter pretty much
like it is done in the Keycloak GitHub "angular2-product-app" demo. Works
quite nice.
But the moment I upgrade the keycloak-js npm to 3.1.0 I get the error
"keycloak-js is not a module".
I am not sure but it looks like the new 3.1.0 adapter contains some buggy
or outdated TypeScript definitions.
Any ideas how to get 3.1.0 working with Angular 4?
Thanks,
Thorsten
7 years, 8 months
OpenID/OAuth Identity provider
by rohit chaudhary
Hi,
I need to access an API secured by OAuth using Keycloak. Should I go with an
identity provider? Need help.
Thanks in advance
7 years, 8 months
Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
by Adam Keily
Downgrading is not an option as RHSSO 7.1 supports only openjdk 1.8.
After updating to the latest 1.8 via the RHEL repo and restarting Keycloak it appears to be working. What version of JDK are you using?
-----Original Message-----
From: Adam Keily
Sent: Thursday, 4 May 2017 9:01 AM
To: 'Marek Posolda' <mposolda(a)redhat.com>
Subject: RE: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe it's related to this bug in JDK 1.8. https://bugs.openjdk.java.net/browse/JDK-8078439
For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.
Adam
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Wednesday, 3 May 2017 4:24 PM
To: Hendrik Dev <hendrikdev22(a)gmail.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
Sorry, I don't have much to add :( It seems you would need to fix your environment and Windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. A few posts with possible tips & tricks I found during quick googling:
http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-...
http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerb...
https://archive.sap.com/discussions/thread/998107
Marek
On 02/05/17 17:04, Hendrik Dev wrote:
> bump
>
> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev <hendrikdev22(a)gmail.com> wrote:
>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>> Hi,
>>>>
>>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>>> Purpose is to provide single sign on for users logging in via IE
>>>> from a windows domain.
>>>> Keycloak itself is running on centOS, Kerberos server is Active
>>>> Directory. The setup is working so far because I can log in via
>>>> 'curl --negotiate'. There are also several other java applications
>>>> running in this environment which are capable of doing SPNEGO over
>>>> Kerberos authentication successfully.
>>>>
>>>> If the user accesses a Keycloak protected application the SPNEGO
>>>> login does not work and the Keycloak login page is displayed instead.
>>>> In the logs I see "Defective token detected (Mechanism level:
>>>> GSSHeader did not find the right tag)" and that's totally right
>>>> because the browser sends
>>>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>>> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>
>>>> For me it looks like the browser never gets either a
>>>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>>>> In other words: the browser never seems to get challenged to do
>>>> SPNEGO over Kerberos.
>>> I will try to summarize if I understand correctly:
>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>>> Negotiate ntlm-token-is-here"
>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>> 4) Your browser didn't reply anything back
>>>
>>> Is it correct?
>> Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from Keycloak.
>> As I said, the browser does not get a challenge.
>>
>>
>>
>>> It seems that your browser doesn't have a Kerberos ticket, hence
>>> that's why it uses NTLM instead. I think the best would be to fix
>>> your environment, so that it will send a Kerberos token instead of NTLM at step 2.
>>>
>>> Marek
>>>
>>>> I already tried to fix it
>>>>
>>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>>>> but this oddly just ends up in a Basic Auth popup
>>>> from the browser.
>>>> For the client app the standard flow as well as direct access
>>>> grants is enabled.
>>>>
>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>>> load balancer and Kerberos is set up within the LDAP Federation ()
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks
>>>> Hendrik
>>>>
>>
>>
>> --
>> Hendrik Saly (salyh, hendrikdev22)
>> @hendrikdev22
>> PGP: 0x22D7F6EC
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 8 months
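A diagnostic for the token quoted in the Kerberos/SPNEGO thread above, as an added example that is not Keycloak code or any participant's. It tells an NTLMSSP message apart from a GSS-API SPNEGO or Kerberos token by its leading bytes, which is the same distinction behind the "GSSHeader did not find the right tag" log line, and decodes the NTLM NEGOTIATE_MESSAGE flags and version so a log entry can say what the client actually sent. The captured header value is the one from the thread; the SPNEGO and Kerberos samples are constructed token prefixes (tag, length and mechanism OID only), not full tokens, and the flag-name table is a subset of the MS-NLMP NegotiateFlags.

```python
"""Classify an HTTP Negotiate token as NTLM, SPNEGO or raw Kerberos (added example).

Keycloak reports "GSSHeader did not find the right tag" when the Authorization
header carries an NTLMSSP message instead of a GSS-API InitialContextToken.
This helper, which is not Keycloak code, makes that explicit from the captured
header and decodes the NTLM NEGOTIATE_MESSAGE fields behind it.
"""
import base64
import binascii
import struct

# Captured value from the thread above (an NTLM type 1 message).
CAPTURED_HEADER = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# GSS-API InitialContextToken (RFC 2743 section 3.1): 0x60 APPLICATION tag,
# DER length, then the mechanism OID. SPNEGO is 1.3.6.1.5.5.2 (RFC 4178),
# Kerberos V5 is 1.2.840.113554.1.2.2 (RFC 1964).
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
KERBEROS_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
# Constructed prefixes only; real tokens continue with NegTokenInit / AP-REQ.
CONSTRUCTED_SPNEGO = "Negotiate " + base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()
CONSTRUCTED_KERBEROS = "Negotiate " + base64.b64encode(b"\x60\x0b" + KERBEROS_OID).decode()

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_VERSION_FLAG = 0x02000000
NTLM_FLAGS = {  # subset of MS-NLMP 2.2.2.5 NegotiateFlags
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", NTLM_VERSION_FLAG: "VERSION",
    0x20000000: "128", 0x40000000: "KEY_EXCH", 0x80000000: "56",
}


def token_bytes(header_value):
    """Strip the 'Negotiate' scheme and strictly base64-decode the token."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        raise ValueError("not a Negotiate authorization header")
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64") from exc


def _der_length(raw, pos):
    """Decode a DER length at raw[pos]; return (length, offset of the content)."""
    first = raw[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(raw):
        raise ValueError("malformed DER length")
    return int.from_bytes(raw[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(header_value):
    """Return 'ntlm', 'spnego', 'kerberos' or 'unknown' for the token in the header."""
    raw = token_bytes(header_value)
    if raw.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if raw[:1] == b"\x60" and len(raw) > 2:
        _, body_start = _der_length(raw, 1)
        body = raw[body_start:]
        if body.startswith(SPNEGO_OID):
            return "spnego"
        if body.startswith(KERBEROS_OID):
            return "kerberos"
    return "unknown"


def parse_ntlm_negotiate(raw):
    """Decode the fixed fields of an NTLM NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1)."""
    if not raw.startswith(NTLM_SIGNATURE) or len(raw) < 32:
        raise ValueError("not an NTLM message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("NTLM message type %d is not NEGOTIATE" % msg_type)
    info = {
        "flags": flags,
        "flag_names": sorted(name for bit, name in NTLM_FLAGS.items() if flags & bit),
    }
    # Signature 8 + type 4 + flags 4 + DomainNameFields 8 + WorkstationFields 8
    # puts the optional VERSION structure at offset 32: major, minor, build (LE).
    if flags & NTLM_VERSION_FLAG and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["version"] = (major, minor, build)
    return info


def diagnose(header_value):
    """One record per request: which mechanism arrived, plus NTLM details if any."""
    mechanism = classify_token(header_value)
    record = {"mechanism": mechanism}
    if mechanism == "ntlm":
        record["ntlm"] = parse_ntlm_negotiate(token_bytes(header_value))
    return record


if __name__ == "__main__":
    print(diagnose(CAPTURED_HEADER))
```

Run against the captured header this reports `ntlm` with a NEGOTIATE_MESSAGE from a 6.1 build 7601 client, which matches the thread's own reading: the browser fell back to NTLM because it had no Kerberos ticket to present, so the fix belongs in the client's domain and SPN configuration rather than in Keycloak. Logging the mechanism per request at the reverse proxy or load balancer is the quickest way to see whether any client ever sends a real SPNEGO token.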