June 2017 - keycloak-user - Jboss List Archives

Does keycloak tomcat valve need connectivity to IDP?

by ken edward

Hello, Does the keycloak tomcat saml valve need connectivity to the IDP (in my case ADFS)? Or does is only the client browser connecting to the IDP via redirects from the tomcat server? Ken

7 years, 6 months

2
1
0 / 0

Development help

by Tomás García

Hi, I've developed an API service for Keycloak. It's a bit complex algorithm where the clientSession needs to be recovered later if something happens, so I put a note in the style of HMAC + Session ID as Keycloak does in other places and then next, when the algorithm needs to continue in the following request to the same endpoint, I recover the session. Inside the API service, I'm adding users so I have to commit the transaction just in case a ModelDuplicateException happens, as I've seen in other places of Keycloak's code. So I'm receiving this exception when I recover the client session from the note (note: a user was added and committed previously). I've tried to start a new transaction after committing, but yet I still get the same exception. Any help or ideas will be welcome. Thanks. 09:06:48,748 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/realms/test/testApi/speciallogin : org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalStateException: Cannot access delegate without a transaction at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.ja va:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:4 3) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.IllegalStateException: Cannot access delegate without a transaction at org.keycloak.models.cache.infinispan.UserCacheSession.getDelegate(UserCacheSession.java:97) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserById(UserCacheSession.java:182) at org.keycloak.models.sessions.infinispan.ClientSessionAdapter.getAuthenticatedUser(ClientSessionAdapter.java:282) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:794) at com.test.keycloak.api.services.specialLogin(TestAPIService.java:157) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more

7 years, 6 months

1
2
0 / 0

A bug in the Brute Force Detection mechanism?

by Wieloch, Marcin

Hi, One day I was looking for a workaround for a lacking feature (KEYCLOAK-4204), and I have encountered a problem with Brute Force Detection mechanism. For some specific settings (e.g., MaxLoginFailures = 3, WaitIncrement = 24855 days, Max Wait = 24855 days, FailureResetTime = 24855 days) the mechanism does not work, i.e., I am still able to login after 3 (or more) failed login attempts. I think it is caused by integer overflows happening in lines 121 and 133 of DefaultBruteForceProtector (v. 3.1.0.Final). Could you please confirm this is a bug? I would then create an issue in your JIRA. Best regards, Marcin The information in this email and any attachments is confidential and intended solely for the use of the individual(s) to whom it is addressed or otherwise directed. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the Company. Finally, the recipient should check this email and any attachments for the presence of viruses. The Company accepts no liability for any damage caused by any virus transmitted by this email.

7 years, 6 months

1
0
0 / 0

Keycloak use-case with Android and custom API

by César Augusto Ribeiro

Hello, I have an APP (Android + NativeScript) and a custom NodeJS API that serves it.My idea is to let my API handle any authentication/authorization stuff through Keycloak - with keycloak-nodejs-connect. So we could have the following flow: - APP sends user and pass to this custom API;- API calls Keycloak to authenticate the user with data provided (/token, scope='offline_access' - to a public Keycloak client);- Keycloak returns a token to the API;- API returns the access token to the app, which holds it to be used in subsequent calls (Authorization Bearer ... header). In my tests through HTTP clients, simulating the flow I would have in the real case, I get HTTP Status 403 - Forbidden after token expiration. I have the impression that the refreshing of the token should be automatically done, but that doesn't seems to be happening. Small pieces of code: app.use(session({ secret: '...', resave: false, saveUninitialized: true, store: memoryStore, })); var keycloak = new Keycloak({ store: memoryStore, scope: 'offline_access' }, 'keycloak.json'); app.use(keycloak.middleware()); app.post('/login', function (req, res) { keycloak.grantManager.obtainDirectly('USER', 'PASS').then(grant => { keycloak.storeGrant(grant, req, res); ... }, error => { ... }); }); app.get('/someProtectedEndpoint', keycloak.protect(), function (req, res, next) { ... }); Do you see anything wrong in this use-case? Maybe I also need to store the refresh token in the client and use it to somehow force token refresh? Maybe it's not a good auth flow at all? For who wants some SO points: https://stackoverflow.com/q/44656168/643416 Thanks in advance!

7 years, 6 months

1
0
0 / 0

How to disable user roles updates with subsequent idp logins?

by Корчемкин Дмитрий

Hello, I have a following scenario: user logs in for the first time from AD FS. There is a mapper in place that assigns him a role. He is then assigned some more roles manually. When he logs in second time, all the roles added by hand are being removed. I've tried looking for something to disable this on keycloak side, but i don't see anything relevant in documentation. Unfortunately, i don't have access to that particular AD FS. Is there a way to stop this overriding on Keycloak side, or is assigning all roles by mappers the only way? Best regards, Dmitry

7 years, 6 months

2
2
0 / 0

How to handle multivalued custom attributes in account client?

by Federico Navarro Polo - Info.nl

Hello, I’m facing a scenario where I have defined a custom attribute as multivalued. It works all fine using the REST admin API, and while in the Keycloak admin console is displayed as a ‘##’ separated string, it’s also functional in terms of displaying/editing the values. However, when it comes to adding the attribute to the account client, it apparently only shows the first element of the attribute, and I get the following log trace: >>> [org.keycloak.forms.account.freemarker.model.AccountBean] (default task-41) There are more values for attribute 'additionalProductIds' of user 'somebody(a)somewhere.com' . Will display just first value Am I overlooking some configuration to enable the handling of multivalued custom attributes? Met vriendelijke groet, Federico Navarro backend developer federico(a)info.nl<mailto:federico@info.nl> | LinkedIn<http://www.linkedin.com/in/jasperleferink> | +31 (0)2 05 30 91 61<tel:+31205309161> info.nl<http://www.info.nl/> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100<tel:+31205309100>

7 years, 6 months

2
1
0 / 0

Conflicting logins with admin console

by Kyle Swensson

Hello, (I have asked this question before to no avail, but the wording was poor so I want to rephrase it in hopes of getting more help) I am having an issue with conflicting logins from a user application and the keycloak admin console The issue arises when I authenticate on my user application as a basic user, using Tomcat. Then, I navigate to the Keycloak Admin Console login page on a different window. Despite being logged in as a basic user on my user application, I am still shown the empty login page for the keycloak admin console. After navigating to the Keycloak admin console login page, my session on my user application becomes broken, and I'm not sure why. At this point if I refresh the page containing my application I will find a 403 error in my console, however I can still access everything in my user application normally. Additionally, for some reason I can no longer log out from my session like i normally would (by hitting the authorization endpoint), when I try to log out nothing happens. The only way that I can get it out of this permanently logged in state is by going to "account" and manually ending all of the sessions for my user. It may be worth noting that I can also still log in to the admin console with a different user, and use the admin console as normal while this is happening. If I log onto the admin console while this is happening and look at all of the active sessions, I can see that there is indeed still an active session for the basic user using the user application. I assume that is the root of the problem, but I'm not sure what's causing this to happen. Setting the "Revoke Refresh Token" option in the keycloak admin console to ON does prevent this from happening, however it also makes the rest of my application become very buggy and slow so leaving that on isn't really a viable option. I'm wondering if this might be an actual bug with Keycloak, or if this is just being caused by some configuration error on my side. I am currently using Keycloak 2.3 for my application, but I have tried temporarily upgrading to Keycloak 3.1 and that didn't help the issue.

7 years, 6 months

2
6
0 / 0

Social Logins - Allow only specific Domains to authenticate

by Michel Laporte

Hi there, Is there any way of configuring social clients to whitelist domains? At the moment, we are looking to externalise a service and any Google account can authenticate with Google on the service, we want to limit it to only the allowed domains specific or specify accounts to log in. Is this do-able? Another thread stated authentication flows is do-able but he link explaining how was dead as it went to Githubs Keycloak page which is now non existent and the Authentication Flows documentation is not too clear. Thanks -- *Michel Laporte* DevOps Engineer T: +44 20 7758 7162 UK House • 180 Oxford Street • London • W1D 1NN -- ------------------------------------- essencedigital.com <http://www.essencedigital.com/> Google+ <https://plus.google.com/102138558390623994587/about> • Facebook <http://www.facebook.com/essencedigital> • Twitter <https://twitter.com/essencedigital> • YouTube <http://www.youtube.com/essencedigitalvideos>

7 years, 6 months

3
3
0 / 0

Is there a way to return a customized error message from servlet interception of keycloak.

by rafterjiang

We are using spring boot to do the web api/url authentication. We have set up the auth roles and patterns in application.properties. Everything works fine. Only problem is, when web API auth fails,keycloak returns a either 401 or 403 to client. For example: { "status": "401", "errorCode": "SERVER_ERROR", "message": "internal server error" } or { "status": "403", "errorCode": "SERVER_ERROR", "message": "internal server error" } The error message is too vague, is it possible to customize the error message so client knows clearly what goes wrong? -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Is-there-a-way-to-return-a-custo... Sent from the keycloak-user mailing list archive at Nabble.com.

7 years, 6 months

1
0
0 / 0

SAML Client Error Code 431

by Vogel, Sven

Hi Anybody, we have a problem to get saml to work with cloudstack. Maybe anybody can help. 1. We created a saml client. 2. We filled all information in cloudstack a. saml2.default.idpid -->http://192.168.85.40:8080/auth/realms/example.cloud/protocol/saml b. saml2.idp.metadata.url --> http://192.168.85.36/metadata.xml (we used the SAML Metadata IDPSSODescriptor) 3. When we use login on the saml provider from cloudstack we get the following error a. { loginresponse: { uuidList: [ ], errorcode: 431, errortext: "IdP ID (http://192.168.85.40:8080/auth/realms/example.cloud) has no Single Sign On URL defined please contact null <null>, cannot proceed." } } Is there anybody who can help? Maybe it's a problem that we forgott something. Before we used ipsilon and the things work. Maybe we have not enough knowledge. Thanks Sven

7 years, 6 months

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user June 2017