Not able to setup Keycloak to fully replicate user sessions in cluster
by Jyoti Kumar Singh
Hi Team,
We are setting up keycloak:3.1.0.Final in cluster mode for HA with full
user session replication in a cloud system, i.e. when one node goes down
the user stays logged in on the other node.
I have set up the cluster using standalone-ha.xml with the Infinispan cache
configured as below:
<cache-container name="keycloak" jndi-name="infinispan/Keycloak">
    <transport lock-timeout="60000"/>
    <invalidation-cache name="realms" mode="SYNC"/>
    <invalidation-cache name="users" mode="SYNC"/>
    <distributed-cache name="sessions" mode="SYNC" owners="2"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="2"/>
</cache-container>
Everything works fine except the use case below:
1. Node 1 and Node 2 are both up and the user logs in - the user session is
generated by Node 1
2. Node 1 is now stopped and the user session is replicated to Node 2 -
the user is still able to use the Keycloak console
3. Node 1 is up again and the request is transferred from the LB to Node 1 -
the user is asked to log in again because the session cache is not replicated to
Node 1 immediately once it is up
I saw one option to add start="EAGER" in cache-container to fix this, but it
looks like with the latest version of WildFly it is no longer supported. Do we
have any other way to fix this issue?
--
With Regards, Jyoti Kumar Singh
7 years, 6 months
X509 Identity Brokering
by Thiago Presa
Hi,
Does Keycloak support some sort of Identity Brokering through X509? I
managed to configure the X509 Client Certificate, but it only replaces the
password, and requires the user to be already registered. What I would like
to achieve is to automatically register the users who present a valid X509
Certificate. Is that possible?
Best regards,
Thiago Presa
7 years, 6 months
Third slave disconnects random slave
by Marc Tempelmeier
Hi,
I want to connect 3 slaves in Domain Mode. Everything works fine for 2 slaves, but if I connect a third one, a random one of the former two gets disconnected after a cluster-wide rebalance:
slave1_1 | [Server:slave1]
slave3_1 | [Server:slave3] 06:58:42,688 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 54) HV000001: Hibernate Validator 5.2.3.Final
slave1_1 | 06:58:42,675 INFO [org.jboss.as.process.Server:slave1.status] (reaper for Server:slave1) WFLYPC0011: Process 'Server:slave1' finished with an exit status of 137
slave1_1 | [Host Controller] 06:58:42,877 INFO [org.jboss.as.host.controller] (ProcessControllerConnection-thread - 2) WFLYHC0027: Unregistering server slave1
I think there is some setting I missed?
Best regards and thanks
Marc
7 years, 7 months
Cache-Control set to private
by Dana Danet
Using a vanilla Spring Boot / Keycloak implementation.
springBootVersion = '1.5.2.RELEASE'
keycloakAdminClient : "org.keycloak:keycloak-admin-client:3.0.0.Final",
keycloakSpringBootAdapter : "org.keycloak:keycloak-spring-boot-adapter:3.0.0.Final",
keycloakTomcatAdapter : "org.keycloak:keycloak-tomcat8-adapter:3.0.0.Final",
I'm having difficulty updating the Cache-Control from private to anything else. It appears that this is a Tomcat setting that is usually set via Spring Security. Unfortunately I cannot find any way to affect this value unless I listen for the lifecycle event and then configure the KeycloakAuthenticatorValve.
What am I doing wrong here?
import static org.apache.catalina.LifecycleState.INITIALIZED;

import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Valve;
import org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeycloakAuthenticatorValveCustomizerConfig implements EmbeddedServletContainerCustomizer, LifecycleListener
{
    private TomcatEmbeddedServletContainerFactory container;

    @Override
    public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer)
    {
        container = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;
        // register this class as a context lifecycle listener so the valves can be adjusted later
        container.addContextLifecycleListeners(this);
    }

    @Override
    public void lifecycleEvent(LifecycleEvent event)
    {
        if (event.getLifecycle().getState() == INITIALIZED) {
            configureKeycloakValve();
        }
    }

    private void configureKeycloakValve() {
        for (Valve valve : container.getContextValves()) {
            if (valve instanceof KeycloakAuthenticatorValve) {
                KeycloakAuthenticatorValve keycloakAuthenticatorValve = (KeycloakAuthenticatorValve) valve;
                // makes AuthenticatorBase emit "Cache-Control: no-cache" plus Pragma instead of "private"
                keycloakAuthenticatorValve.setSecurePagesWithPragma(true);
            }
        }
    }
}
Within org.apache.catalina.authenticator.AuthenticatorBase, securePagesWithPragma is now set to true.
if (constraints != null && disableProxyCaching &&
        !"POST".equalsIgnoreCase(request.getMethod())) {
    if (securePagesWithPragma) {
        // Note: These can cause problems with downloading files with IE
        response.setHeader("Pragma", "No-cache");
        response.setHeader("Cache-Control", "no-cache");
    } else {
        response.setHeader("Cache-Control", "private");
    }
    response.setHeader("Expires", DATE_ONE);
}
-dana
7 years, 7 months
For tomcat SAML adapter, is /saml required in URL?
by ken edward
Hello,
I am implementing the tomcat SAML adapter with the IdP being ADFS.
QUESTION:
1.) I see the reference below in the doc that seems to say the /saml
needs to be appended to the URL of the SP? Or is this only for the
servlet adapter and NOT the tomcat adapter that may have servlets?
"For each servlet-based adapter, the endpoint you register for the
assert consumer service URL and single logout service must be the
base URL of your servlet application with /saml appended to it, that
is, https://example.com/contextPath/saml."
as in the below?
<SP entityID="http://localhost:8081/sales-post-sig/saml"
    sslPolicy="EXTERNAL"
    nameIDPolicyFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    logoutPage="/saml/logout.jsp"
    forceAuthentication="false"
    isPassive="false"
    turnOffChangeSessionIdOnLogin="false">
    <Keys>
        <Key signing="true">
            <KeyStore resource="/WEB-INF/keystore.jks" password="store123">
                <PrivateKey alias="http://localhost:8080/sales-post-sig/" password="test123"/>
                <Certificate alias="http://localhost:8080/sales-post-sig/"/>
            </KeyStore>
        </Key>
    </Keys>
Ken
7 years, 7 months
IDToken vs AccessToken
by John D. Ament
Hi
I noticed that when using Bearer, an AccessToken gets set in the
KeycloakPrincipal's SecurityContext. However, when I do an SP initiated
login the IDToken gets set. I was wondering if these two could be
consistent, or if the inconsistency were at least explainable?
I'm also wondering, will the presence of a bearer header cause the keycloak
adapter cookie to get set?
John
7 years, 7 months
Does keycloak tomcat adapter require IDP metadata.xml ??
by ken edward
Hello,
I have installed the keycloak tomcat adapter in my tomcat 8 instance.
I want to use ADFS as my IDP (no keycloak server)
QUESTION:
1.) I configured the keycloak-saml.xml to point to the ADFS IDP. But I
am surprised that there is no reference to the IDP metadata.xml file
that I received from my ADFS admin. Is it used at all? How?
Ken
7 years, 7 months
Invalid token issuer when running as docker service
by Tom Braun
Hello,
got the following setup:
- frontend (oauth, angular2)
- rest-backend (bearerOnly, spring-boot with spring-security)
- keycloak (standalone)
If I run the three as "ordinary" processes, everything works fine.
However, if I try to run them as services within a docker (swarm mode)
the rest-backend keeps complaining about:
org.keycloak.common.VerificationException: Invalid token issuer.
Expected 'http://myhost:8180/auth/realms/myrealm', but was
'http://localhost:8180/auth/realms/myrealm'
I inserted myhost into my /etc/hosts to point to the IP of docker0. So
far it works, I can access the frontend on port 80 and keycloak on port
8180.
Is there a way to make keycloak report as myhost in the issuer token and
not as localhost?
Tried running keycloak behind a reverse-proxy - no change.
7 years, 7 months
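As an added illustration (not part of Tom's post or the Keycloak adapter code): Keycloak fills the `iss` claim from the URL through which the login request reached it, and the bearer-only adapter compares that claim, as an exact string, against its configured auth-server-url plus `/realms/<realm>`, which is what produces the error quoted above. The helper below reproduces that check on a constructed, unsigned sample token, so the two URLs in play can be confirmed before changing the deployment; the token, host names and realm are constructed values, not taken from any real system.

```python
import base64
import json
from typing import Tuple


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Signature verification stays with the adapter; this only inspects the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(b64url_decode(parts[1]))


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Issuer the adapter expects: <auth-server-url>/realms/<realm> (no trailing slash)."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def check_issuer(token: str, auth_server_url: str, realm: str) -> Tuple[bool, str]:
    """Mimic the adapter's exact-match issuer check; returns (ok, explanation)."""
    actual = jwt_claims(token).get("iss")
    expected = expected_issuer(auth_server_url, realm)
    if actual == expected:
        return True, "issuer matches"
    return False, f"Invalid token issuer. Expected '{expected}', but was '{actual}'"


def make_sample_token(issuer: str) -> str:
    """Constructed, unsigned sample token (alg 'none') for this demonstration only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"iss": issuer, "sub": "demo-user"}).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Token minted via the browser-facing URL (localhost), checked by a backend whose
    # keycloak.json / application.properties points at myhost: the exact mismatch from the post.
    token = make_sample_token("http://localhost:8180/auth/realms/myrealm")
    print(check_issuer(token, "http://myhost:8180/auth", "myrealm"))
```

The check passes only when the frontend reaches Keycloak through the same public URL that the backend has configured as its auth-server-url, so in the swarm setup both sides need to use the myhost address rather than one of them using localhost.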