Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer
by Marc Tempelmeier
Hi,
now to a real problem :)
We have a 3-node cluster. I always get the error after login, sometimes directly at the login. I promptly got logged out.
It's basically this error: https://issues.jboss.org/browse/KEYCLOAK-3586
But we get it on login to admin console.
Any ideas?
[Server:slave3] 10:14:09,847 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer
[Server:slave3] at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:180)
[Server:slave3] at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:211)
[Server:slave3] at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source)
[Server:slave3] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[Server:slave3] at java.lang.reflect.Method.invoke(Method.java:498)
[Server:slave3] at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
[Server:slave3] at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
[Server:slave3] at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
[Server:slave3] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
[Server:slave3] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
[Server:slave3] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
[Server:slave3] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
[Server:slave3] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
[Server:slave3] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
[Server:slave3] at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
[Server:slave3] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
[Server:slave3] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
[Server:slave3] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
[Server:slave3] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
[Server:slave3] at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
[Server:slave3] at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
[Server:slave3] at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
[Server:slave3] at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
[Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[Server:slave3] at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
[Server:slave3] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
[Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[Server:slave3] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
[Server:slave3] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
[Server:slave3] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
[Server:slave3] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
[Server:slave3] at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
[Server:slave3] at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
[Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[Server:slave3] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
[Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
[Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
[Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
[Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
[Server:slave3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
[Server:slave3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
[Server:slave3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[Server:slave3] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[Server:slave3] at java.lang.Thread.run(Thread.java:748)
7 years, 5 months
reverse proxy woes
by Tim Dudgeon
Hi All,
I'm having a problem with running keycloak behind an nginx reverse proxy.
I've had this running for some time now without problems, but have now
stood up a new system in a networking environment that I don't have much
control over, and for some reason things are not working.
My nginx proxy forwarding looks like this:
location /auth/ {
    proxy_pass http://keycloak:8080/auth/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
    proxy_connect_timeout 75s;
}
Similar for the app that is using keycloak for SSO (this is a tomcat
based servlet app).
In my keycloak's standalone.xml the http-listener element has had
proxy-address-forwarding="true" added.
This has all been fine, but in this new environment it's not working.
I get the keycloak login prompt, and can login OK. But when I look in
the session in Keycloak the From IP address is 10.0.0.10 not the actual
IP address of the machine where the browser resides.
And the app using Keycloak denies access with this exception in the logs:
05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4] org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to turn code into token
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532)
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206)
at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Can anyone shed any light on what might be wrong here?
Note this is using quite an old version of keycloak (2.1.0) though I
don't think this is the problem.
Thanks
Tim
7 years, 5 months
Re: [keycloak-user] Keycloak very slow on retrieving "events" (Sarp Kaya)
by Johan Heylen
We faced the same problem and added a series of indexes on the events table.
CREATE INDEX idx_event_entity_user_id_realm_id_dnsbelgium ON event_entity USING btree (user_id, realm_id);
CREATE INDEX idx_event_entity_user_id_type_dnsbelgium ON event_entity USING btree (user_id, type);
CREATE INDEX idx_event_entity_type_dnsbelgium ON event_entity USING btree (type);
CREATE INDEX idx_event_entity_realm_id_dnsbelgium ON event_entity USING btree (realm_id);
CREATE INDEX idx_event_entity_client_id_dnsbelgium ON event_entity USING btree (client_id);
CREATE INDEX idx_event_entity_user_id_dnsbelgium ON event_entity USING btree (user_id);
and now queries are working fast
Johan
On 4 July 2017 at 08:41, Sarp Kaya <akaya(a)expedia.com> wrote:
> Hello,
>
> When I click on Events, it takes very long time (more than a minute) just
> to display first 5 events. I checked what endpoint it uses and it's using
> this:
>
> "/auth/admin/realms/<realm-id>/events?first=0&max=5" endpoint.
>
> I believe that there is something broken with the filtering option as it
> should never take more than a minute to just retrieve 5 results.
>
> I'm using Keycloak 3.1.0 and MySQL for the database.
7 years, 5 months
KeycloakSession users() returns UserRepresentation with no name after REGISTER event
by Matija Mazi
Hi,
I'm using an EventListenerProvider to catch user registration events (when
the user registers via Keycloak's Registration Form) and send the
registered user's details to an outside system.
Here's the relevant code:
public class LocoinsEventListenerProvider implements EventListenerProvider {
    private final KeycloakSession session; // provided in constructor
    private final String realm;            // id of the realm to watch, provided in constructor
    // log is an SLF4J-style logger ({} placeholders) set up elsewhere in the class

    @Override
    public void onEvent(Event evt) {
        if (evt.getType() == EventType.REGISTER &&
                Objects.equals(evt.getRealmId(), this.realm)) {
            final String userId = evt.getUserId();
            final RealmModel realm = session.realms().getRealm(evt.getRealmId());
            final UserModel user = session.users().getUserById(userId, realm);
            log.info("Customer registered, notifying application: id = {}, name = {} {}, email = {}",
                    userId, user.getFirstName(), user.getLastName(), user.getEmail());
        }
    }
}
The problem is that user.getFirstName(), user.getLastName() are both
null (but user.getEmail() holds the correct value).
If I check the Keycloak database directly after this (table
USER_ENTITY), FIRST_NAME and LAST_NAME are both there.
Any ideas why this might be? How should I get what the first and last
name entered by the users?
Thanks!
P.S. If I create the user via the Keycloak REST API client and then
catch the corresponding Admin event (I don't get a REGISTER event in
this case),
the UserRepresentation obtained in the same way as above holds all the
data (first, last name etc.):
final UserRepresentation user = new UserRepresentation();
user.setUsername(email);
user.setEmail(email);
user.setFirstName(name);
kc.realm("MyRealm").users().create(user);
7 years, 5 months
Workflow Refresh token
by Antoine Carton
Hello,
Suppose a client "C" sends a request with an expired access token, to an
application "A".
Suppose that application "A" has the refresh token of client "C" and that
"A" automatically uses this refresh token so that everything is transparent
for client "C" until the refresh token expires as well.
The trouble is that a leak of the access token (yes, access token) of
client "C" will have the same result as a leak of the refresh token.
Is it a good practice to implement automatic refresh of the token? If it's
not, how should we use the refresh token?
The Oauth 2.0 RFC (https://tools.ietf.org/html/rfc6819#section-5.2.2.2)
explains that we have to bind the refresh token to the client_id to avoid
this situation. However, I am not able to understand what it means for
application "A"?
Thanks!
7 years, 5 months
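As an added illustration of the binding the thread above asks about (not part of the original post, and not Keycloak's implementation): a constructed, in-memory toy token endpoint in which a refresh token is bound to the client_id it was issued to and can only be redeemed by a client that authenticates as that client, while an access token is a plain bearer credential until it expires. The client names, secrets and timestamps are constructed sample values.

```python
import secrets

# Added example (constructed toy model, not Keycloak's code): refresh tokens are bound
# to the issuing client_id (RFC 6819, section 5.2.2.2); access tokens are bearer-only.

ACCESS_TTL = 300     # seconds; a leaked bearer token is usable only this long
REFRESH_TTL = 3600   # seconds; usable only by the client it was bound to


class ToyAuthServer:
    def __init__(self, clients):
        self.clients = clients   # client_id -> client_secret
        self.access = {}         # access token -> (client_id, expires_at)
        self.refresh = {}        # refresh token -> (client_id, expires_at)

    def _authenticate(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        return expected is not None and secrets.compare_digest(expected, client_secret)

    def issue(self, client_id, client_secret, now):
        if not self._authenticate(client_id, client_secret):
            raise PermissionError("invalid_client")
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[at] = (client_id, now + ACCESS_TTL)
        self.refresh[rt] = (client_id, now + REFRESH_TTL)   # the binding
        return at, rt

    def introspect(self, access_token, now):
        # Bearer semantics: whoever presents an unexpired token is accepted.
        entry = self.access.get(access_token)
        return entry is not None and entry[1] > now

    def refresh_grant(self, refresh_token, client_id, client_secret, now):
        if not self._authenticate(client_id, client_secret):
            raise PermissionError("invalid_client")
        entry = self.refresh.get(refresh_token)
        if entry is None or entry[1] <= now or entry[0] != client_id:
            raise PermissionError("invalid_grant")   # wrong client or expired
        del self.refresh[refresh_token]              # rotate: single use
        return self.issue(client_id, client_secret, now)


def leak_scenario():
    """Client C's tokens leak; application A (a different client) tries to use them."""
    srv = ToyAuthServer({"C": "c-secret", "A": "a-secret"})
    t0 = 1_700_000_000   # constructed epoch time
    at, rt = srv.issue("C", "c-secret", t0)
    out = {"access_ok_before_expiry": srv.introspect(at, t0 + 60),
           "access_ok_after_expiry": srv.introspect(at, t0 + ACCESS_TTL + 1)}
    try:   # A holds C's refresh token but can only authenticate as itself
        srv.refresh_grant(rt, "A", "a-secret", t0 + 60)
        out["refresh_by_A"] = "accepted"
    except PermissionError as e:
        out["refresh_by_A"] = str(e)
    new_at, _ = srv.refresh_grant(rt, "C", "c-secret", t0 + ACCESS_TTL + 1)
    out["refresh_by_C"] = srv.introspect(new_at, t0 + ACCESS_TTL + 2)
    return out
```

The point for application A is that the refresh token is only worth anything to whoever can also present C's client credentials; if A refreshes on C's behalf, A has effectively become that client and inherits the full lifetime of the refresh token.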
ProviderFactory::postInit + transactions = startup failure
by Dmitry Telegin
Hi,
(TL;DR) if a KeycloakTransaction is opened from
ProviderFactory::postInit, sometimes the transaction is already active
on the underlying
org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads
to errors.
(full version) I think it's essential for the providers to be able to
access realm data in postInit(). For that, a transaction is required;
using KeycloakModelUtils.runJobInTransaction() is a convenient method
to do that:
@Override
public void postInit(KeycloakSessionFactory factory) {
    KeycloakModelUtils.runJobInTransaction(factory, (KeycloakSession session) -> {
        List<RealmModel> realms = session.realms().getRealms();
        // do stuff
    });
}
When such a provider is deployed, in about half of cases Keycloak fails
to start due to the following exception:
java.sql.SQLException: IJ031017: You cannot set autocommit during a managed transaction
(see full stacktrace here https://pastebin.com/ETtPqXQk)
I've managed to track it down to something that looks like a transaction
clash over a single instance of
org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What happens
is that two threads at the same time begin two KeycloakTransactions
which end up with the same instance of LocalManagedConnection. The
above exception results from the second begin() call.
There's a system property called "ironjacamar.jdbc.ignoreautocommit"
that allows ignoring the situation, but I think it's dangerous because
it doesn't eliminate the transaction clash, just suppresses the check.
If I'm not mistaken, this began to happen around Keycloak 2.2.x, which
coincides with the changes to Keycloak transaction management. That
said, do I now need some additional transaction coordination with the
rest of Keycloak, or is it a bug? If the former, how do I do that? If
the latter, how do we fix it?
I hope we'll sort it out, since the ability to access the data at every
phase of provider's lifecycle seems something fundamental to me.
Regards,
Dmitry
7 years, 5 months
Keycloak offline token
by Sherminator Kasuga
I have a web app (called A) that is using Keycloak to log in.
There is another external web app (called B) that uses its own system for
login.
Now I need to create a link from A to B that automatically logs into web
app B without the Keycloak login form (auto-login).
How can I reproduce this behavior?
I have a user and a password for B, and I am thinking that using an offline
token could help me with this objective.
username=bburke&password=geheim&grant_type=password&scope=offline_access
I would save the offline token into A's database the first time I use
the link and then use this offline token for the next ones.
Could this be possible?
My idea is something like:
If database.offlinetoken = empty
LINK_TO_GENERATE_OFFLINE_TOKEN --- save this token into db after login in B
else
LINK_USING_OFFLINETOKEN
endif
Do you have any example about how to build above links? Thanks in advance :)
7 years, 5 months
Get "username" field in credential model for hashing password
by Jeremy SAFONT
Hi everybody,
I have to modify the behavior of the hash process in order to use username
+ password, to match the encryption of legacy passwords from imported
users.
I understood I have to implement PasswordHashProvider.
The blocking point is that the credentialModel object does not allow me to
get the login information.
I debugged keycloak to find where the model is filled and I found the
"toModel" method in the "JpaUserProvider" class.
I would like to add a "username" field to this function and this model, but
I don't know how to proceed in order to get it in the PasswordHashProvider.
Does someone have a detailed process to achieve this, please?
Thank you a lot!
--
Jérémy S.
Web application developer
7 years, 5 months