3.2.0 to 3.1.0 Downgrade causing login errors
by Sarp Kaya
Hello,
If we leave the password encryptor at the default, upgrading from 3.1.0 to 3.2.0 and then downgrading to 3.1.0 causes the login screen to give an "Invalid username or password" error.
I am guessing this is due to the default encryptor being changed in v3.2.0. My question is: after the downgrade, is there a way to fix this issue? Especially if it is done on the master realm, you simply cannot log in anymore.
Thank you,
Sarp
7 years, 4 months
Keycloak 3.2.0 issue with PasswordHashProvider SPI
by Sarp Kaya
Hello,
I know that this is an internal SPI, but I believe it's broken.
I realised that the interface has been changed; it now passes the iterations directly to the "encode" method. The problem is that it always calls the encode method with iterations valued -1, regardless of what you put in the UI. I realised that in Keycloak the "Pbkdf2PasswordHashProvider" defaults to 20000 iterations; but if you want this to be higher or lower, it doesn't work either (since iterations will always be -1).
My question is, could you please check this? Also, if you don't support "internal SPIs", how are we going to use other encryption methods such as bcrypt or scrypt etc.?
7 years, 4 months
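As an added illustration of the two threads above (example code written for this page, not Keycloak's own PasswordHashProvider implementation), the Python below hashes a password with PBKDF2 while storing the algorithm id, iteration count and salt alongside the digest, treats a non-positive iteration count such as the -1 described above as "use the default" (20000, the figure quoted for Pbkdf2PasswordHashProvider), and then verifies the same record with a simulated older server that only recognises one algorithm id. The algorithm labels "pbkdf2" and "pbkdf2-sha256", the 16-byte salt, the 32-byte output length and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed algorithm ids used as labels for this example (not a statement
# about Keycloak internals): id -> digest name understood by hashlib.
ALGORITHMS: Dict[str, str] = {
    "pbkdf2": "sha1",
    "pbkdf2-sha256": "sha256",
}
DEFAULT_ITERATIONS = 20000   # figure quoted in the post for Pbkdf2PasswordHashProvider
SALT_BYTES = 16              # assumption for the example
DIGEST_BYTES = 32            # assumption for the example


@dataclass(frozen=True)
class Credential:
    """What has to be persisted: the digest alone cannot be verified later."""
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes


def encode(raw_password: str, iterations: int, algorithm: str = "pbkdf2-sha256",
           salt: Optional[bytes] = None) -> Credential:
    """Hash a password. A non-positive iteration count (the -1 from the post)
    falls back to DEFAULT_ITERATIONS instead of being handed to PBKDF2."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    if iterations <= 0:
        iterations = DEFAULT_ITERATIONS
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHMS[algorithm], raw_password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return Credential(algorithm, iterations, salt, digest)


def verify(raw_password: str, cred: Credential,
           known_algorithms: Dict[str, str] = ALGORITHMS) -> bool:
    """Verify against the stored record. Digest name, iteration count and salt
    all come from the record, never from the server's current default."""
    hash_name = known_algorithms.get(cred.algorithm)
    if hash_name is None:
        # An older server that has never seen this algorithm id ends up here:
        # it cannot recompute the digest, so the login is rejected.
        return False
    candidate = hashlib.pbkdf2_hmac(hash_name, raw_password.encode("utf-8"),
                                    cred.salt, cred.iterations, dklen=len(cred.digest))
    return hmac.compare_digest(candidate, cred.digest)


# Simulated "older" server that only knows the SHA-1 variant.
OLD_SERVER_ALGORITHMS: Dict[str, str] = {"pbkdf2": "sha1"}


def downgrade_scenario(password: str = "correct horse") -> dict:
    """Hash with the newer default, then verify with the new and the old server."""
    new_cred = encode(password, 27500)             # explicit iteration count is honored
    legacy_cred = encode(password, -1, "pbkdf2")   # -1 falls back to the default
    return {
        "new_iterations": new_cred.iterations,
        "legacy_iterations": legacy_cred.iterations,
        "new_server_verifies_new": verify(password, new_cred),
        "old_server_verifies_new": verify(password, new_cred, OLD_SERVER_ALGORITHMS),
        "old_server_verifies_legacy": verify(password, legacy_cred, OLD_SERVER_ALGORITHMS),
        "wrong_password_rejected": not verify("wrong", new_cred),
    }


if __name__ == "__main__":
    for key, value in downgrade_scenario().items():
        print(f"{key}: {value}")
```

In the simulation the post-downgrade failure is not a wrong password but an algorithm id the older verifier cannot resolve, so the stored credential data (algorithm id and iteration count) is the first thing to inspect after a downgrade, and the iteration count a provider receives should be checked before it is trusted, since -1 is not a usable PBKDF2 parameter.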
Unable To Add Server to Existing Keycloak Cluster
by Sagar Ahire
Hello,
I'm trying to add/start one more server to our existing keycloak cluster of two nodes. I took an AMI snapshot of the currently running server and tried to launch a new keycloak service keeping the same configuration, but I am getting the following errors.
I'm using
Keycloak version: 2.4.0
Wildfly version: 2.0.10
*******Errors*******
07:39:08,605 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 58) MSC000001: Failed to start service jboss.infinispan.keycloak.sessions: org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.sessions: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    at org.wildfly.clustering.service.AsynchronousServiceBuilder$1.run(AsynchronousServiceBuilder.java:107)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
---------------------------------------------------------------------------------------------------------------
07:39:08,615 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("distributed-cache" => "sessions")
]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.infinispan.keycloak.sessions" => "org.jboss.msc.service.StartException in service jboss.infinispan.keycloak.sessions: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache sessions on ip-172-31-23-136.ap-southeast-1.compute.internal"}}
*******end*******
Any help is greatly appreciated.
regards,
-Sagar
7 years, 5 months
Increasing logging for debugging "Internal Server Error" response
by Holtgrewe, Manuel
Dear all,
I have some grief with my Keycloak 3.2.0.Final setup.
I have setup my instance and connected it to my organization's AD and this part works well.
I am now trying to connect a client application (that supports OAuth 2) to the Keycloak instance. The application redirects me to the Keycloak login and after successful login, I'm redirected back to the app. So far so good.
The app then tries to do the equivalent of the following.
curl -k --data "refresh_token=SOMEVERYLONGTOKEN&grant_type=refresh_token&client_secret=eeBoTh2hoMifooDaiyig&client_id=igv" https://KEYCLOAK.MYORGA.NET/auth/realms/MYREALM/protocol/openid-connect/t...
from this, the app gets a "HTTP 500" response and the curl also displays "<html><head><title>Error</title></head><body>Internal Server Error</body></html>".
I'm running keycloak as a standalone app and so far did not succeed in debugging the problem. How can I increase log levels as to see where things are going bad?
Thanks,
Manuel
7 years, 5 months
"Failed to introspect token" problem
by Holtgrewe, Manuel
Hi, I am getting a problem with token introspection.
My setup is Keycloak 3.2.0.Final in combination with Apache+mod_auth_openidc. I configured mod_auth_openidc as an OAuth 2 resource server (for what it's worth, reproduced at the bottom).
I would be very grateful if someone could have a look and point me to where to continue working on resolving the problem. The problem
Thanks,
Manuel
I have a client "igv-files" set up and I can manually log myself in for this OAuth client:
$ curl -X POST -d client_id=igv-files -d client_secret=030d8719-5479-4400-a8e9-185abac13cb1 -d 'username=ME(a)EXAMPLE.COM' -d 'password=MYPASS' -dgrant_type=password https://HOST/auth/realms/REALM/protocol/openid-connect/token
Result
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsNEhkVVhkdGxSamhta08yVTFld0JyX2hQYlZ6OWVINkQxNXBsVklSUGo4In0.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.a6XdNMW8uEefYKq7AhPg7_LAIIkKrZ3dOKi0pulOSd3W94mV3M0uqT10JbMrxWkGmZZHPaMDLx8U0U6fwCVTsmRsOH5IyKVxfAoSAMYoaTKHZCHrWENG2EdMqy39M_7iqkf2dZasav5EAuJPgjCi6vYpfRCWHYM_5U90uJu2Hi395u7Ro0xX9jfBytf1wt-ydDyG58L6HB8hqiLzQQTBep4soYz9-NzSTMOyljnYX8wtGhYUurYtTS2OGpf3Zd5vp54v6NRZmRH7vi3PSn2kEUEmGjBt-v-r3JNB8-IhMVnW6jyLKFlzJjml3NmZ2MzZsFwYXXlRbNODtVDuDuGRFg","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsNEhkVVhkdGxSamhta08yVTFld0JyX2hQYlZ6OWVINkQxNXBsVklSUGo4In0.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.M0FZU-RkfjWgGbShfXC8CFfqTCG5HG4weEGPHAMovAVLqgJj8cQjodkzhQAPUQTjjyEZeeShTnMtMcbbciJ-EBwCsDonc0eDELzGO3xKuZU8yURhKB6N2yheuhuX2eU0ChMGkURhD4Iju5umbYe8sdpAzte1S9iW9dxRl8Q4fw-gLfZ5oeD5dExQClBdJUWYire8T2wwvD68OKviiZbRfh1gCM6EkhTR121L8SOvA5k22E-gSrjBa6zk5OeiTqaaNgBt_eBOWEtKZvbQZVIEVX9-5TOViIXVDGLG30Wa7a0-Zk6bsAMLt2jV4FQqt_HPIegMAD3btPAN3qZ0-0QkJg","token_type":"bearer","not-before-policy":1500291033,"session_state":"ace603fb-d715-4411-a56c-2ce69ac64bb0"}
Then I try to access a resource in Apache (reproduced below, not so important, I think), from which I get a 401 Unauthorized reply.
mod_auth_openidc tries to introspect the token and this is where things appear to fail.
Here is the log entry in my apache log, showing that it POSTs to the SSO host and gets back a failure.
[Mon Jul 17 14:38:56.287833 2017] [auth_openidc:debug] [pid 26627:tid 140542922938112] src/oauth.c(138): [client 172.16.128.8:43630] oidc_oauth_get_bearer_token: bearer token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsNEhkVVhkdGxSamhta08yVTFld0JyX2hQYlZ6OWVINkQxNXBsVklSUGo4In0.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.a6XdNMW8uEefYKq7AhPg7_LAIIkKrZ3dOKi0pulOSd3W94mV3M0uqT10JbMrxWkGmZZHPaMDLx8U0U6fwCVTsmRsOH5IyKVxfAoSAMYoaTKHZCHrWENG2EdMqy39M_7iqkf2dZasav5EAuJPgjCi6vYpfRCWHYM_5U90uJu2Hi395u7Ro0xX9jfBytf1wt-ydDyG58L6HB8hqiLzQQTBep4soYz9-NzSTMOyljnYX8wtGhYUurYtTS2OGpf3Zd5vp54v6NRZmRH7vi3PSn2kEUEmGjBt-v-r3JNB8-IhMVnW6jyLKFlzJjml3NmZ2MzZsFwYXXlRbNODtVDuDuGRFg
[Mon Jul 17 14:38:56.287980 2017] [auth_openidc:debug] [pid 26627:tid 140542922938112] src/cache/shm.c(156): [client 172.16.128.8:43630] oidc_cache_shm_get: enter, section="access_token", key="eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsNEhkVVhkdGxSamhta08yVTFld0JyX2hQYlZ6OWVINkQxNXBsVklSUGo4In0.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.a6XdNMW8uEefYKq7AhPg7_LAIIkKrZ3dOKi0pulOSd3W94mV3M0uqT10JbMrxWkGmZZHPaMDLx8U0U6fwCVTsmRsOH5IyKVxfAoSAMYoaTKHZCHrWENG2EdMqy39M_7iqkf2dZasav5EAuJPgjCi6vYpfRCWHYM_5U90uJu2Hi395u7Ro0xX9jfBytf1wt-ydDyG58L6HB8hqiLzQQTBep4soYz9-NzSTMOyljnYX8wtGhYUurYtTS2OGpf3Zd5vp54v6NRZmRH7vi3PSn2kEUEmGjBt-v-r3JNB8-IhMVnW6jyLKFlzJjml3NmZ2MzZsFwYXXlRbNODtVDuDuGRFg"
[Mon Jul 17 14:38:56.290061 2017] [auth_openidc:debug] [pid 26627:tid 140542922938112] src/util.c(600): [client 172.16.128.8:43630] oidc_util_http_post_form: post data="token_type_hint=requesting_party_token&token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsNEhkVVhkdGxSamhta08yVTFld0JyX2hQYlZ6OWVINkQxNXBsVklSUGo4In0.eyJqdGkiOiIzYWJiNGQ4OC1jYjI0LTRlZDktODIwZS1kMTE5ODg0NzhjZTYiLCJleHAiOjE1MDAyOTQ5MjUsIm5iZiI6MCwiaWF0IjoxNTAwMjk0NjI1LCJpc3MiOiJodHRwczovL2N1Ymktc3NvLmJpaGVhbHRoLm9yZy9hdXRoL3JlYWxtcy9iaWhlYWx0aCIsImF1ZCI6Imlndi1maWxlcyIsInN1YiI6IjhkZjczMzllLTFiYWYtNDJhMS05ZjA3LWQzYzZjNjQ3NjQ4MCIsInR5cCI6IkJlYXJlciIsImF6cCI6Imlndi1maWxlcyIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImFjZTYwM2ZiLWQ3MTUtNDQxMS1hNTZjLTJjZTY5YWM2NGJiMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cHM6Ly9jdWJpLWlndi1maWxlcy5iaWhlYWx0aC5vcmciXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwibmFtZSI6Ik1hbnVlbCBIb2x0Z3Jld2UiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJob2x0Z3Jld2UsIG1hbnVlbCIsImdpdmVuX25hbWUiOiJNYW51ZWwiLCJmYW1pbHlfbmFtZSI6IkhvbHRncmV3ZSIsImVtYWlsIjoibWFudWVsLmhvbHRncmV3ZUBiaWhlYWx0aC5kZSJ9.a6XdNMW8uEefYKq7AhPg7_LAIIkKrZ3dOKi0pulOSd3W94mV3M0uqT10JbMrxWkGmZZHPaMDLx8U0U6fwCVTsmRsOH5IyKVxfAoSAMYoaTKHZCHrWENG2EdMqy39M_7iqkf2dZasav5EAuJPgjCi6vYpfRCWHYM_5U90uJu2Hi395u7Ro0xX9jfBytf1wt-ydDyG58L6HB8hqiLzQQTBep4soYz9-NzSTMOyljnYX8wtGhYUurYtTS2OGpf3Zd5vp54v6NRZmRH7vi3PSn2kEUEmGjBt-v-r3JNB8-IhMVnW6jyLKFlzJjml3NmZ2MzZsFwYXXlRbNODtVDuDuGRFg"
[Mon Jul 17 14:38:56.290182 2017] [auth_openidc:debug] [pid 26627:tid 140542922938112] src/util.c(427): [client 172.16.128.8:43630] oidc_util_http_call: url=https://SSOHOST.org/auth/realms/REALM/protocol/openid-connect/token/i..., data=token_type_hint=requesting_party_token&token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsNEhkVVhkdGxSamhta08yVTFld0JyX2hQYlZ6OWVINkQxNXBsVklSUGo4In0.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.a6XdNMW8uEefYKq7AhPg7_LAIIkKrZ3dOKi0pulOSd3W94mV3M0uqT10JbMrxWkGmZZHPaMDLx8U0U6fwCVTsmRsOH5IyKVxfAoSAMYoaTKHZCHrWENG2EdMqy39M_7iqkf2dZasav5EAuJPgjCi6vYpfRCWHYM_5U90uJu2Hi395u7Ro0xX9jfBytf1wt-ydDyG58L6HB8hqiLzQQTBep4soYz9-NzSTMOyljnYX8wtGhYUurYtTS2OGpf3Zd5vp54v6NRZmRH7vi3PSn2kEUEmGjBt-v-r3JNB8-IhMVnW6jyLKFlzJjml3NmZ2MzZsFwYXXlRbNODtVDuDuGRFg, content_type=application/x-www-form-urlencoded, basic_auth=igv-files:030d8719-5479-4400-a8e9-185abac13cb1, bearer_token=(null), ssl_validate_server=1
[Mon Jul 17 14:38:56.373267 2017] [auth_openidc:debug] [pid 26627:tid 140542922938112] src/util.c(551): [client 172.16.128.8:43630] oidc_util_http_call: response={"error":"invalid_request","error_description":"Failed to introspect token."}
[Mon Jul 17 14:38:56.374242 2017] [auth_openidc:error] [pid 26627:tid 140542922938112] [client 172.16.128.8:43630] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_request""
[Mon Jul 17 14:38:56.374409 2017] [auth_openidc:error] [pid 26627:tid 140542922938112] [client 172.16.128.8:43630] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Failed to introspect token.""
And here is the log entry of the wildfly/keycloak showing the failure:
2017-07-17 14:40:43,769 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-25) new JtaTransactionWrapper
2017-07-17 14:40:43,780 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-25) was existing? false
2017-07-17 14:40:43,781 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-25) RESTEASY002315: PathInfo: /realms/REALM/protocol/openid-connect/token/introspect
2017-07-17 14:40:43,788 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-25) AUTHENTICATE CLIENT
2017-07-17 14:40:43,795 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-25) client authenticator: client-secret
2017-07-17 14:40:43,797 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-25) client authenticator SUCCESS: client-secret
2017-07-17 14:40:43,797 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-25) Client igv-files authenticated by client-secret
2017-07-17 14:40:43,797 DEBUG [org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider] (default task-25) Introspecting requesting party token
2017-07-17 14:40:43,800 WARN [org.keycloak.events] (default task-25) type=INTROSPECT_TOKEN_ERROR, realmId=bihealth, clientId=igv-files, userId=null, ipAddress=172.16.96.165, error=invalid_request, detail='Failed to introspect token.', client_auth_method=client-secret
2017-07-17 14:40:43,802 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-25) JtaTransactionWrapper commit
2017-07-17 14:40:43,811 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-25) JtaTransactionWrapper end
## mod_auth_openidc configuration
OIDCOAuthClientID igv-files
OIDCOAuthClientSecret 030d8719-5479-4400-a8e9-185abac13cb1
OIDCOAuthIntrospectionEndpoint https://SSOHOST.org/auth/realms/REALM/protocol/openid-connect/token/intro...
OIDCOAuthIntrospectionEndpointAuth client_secret_basic
OIDCOAuthIntrospectionEndpointMethod POST
OIDCOAuthIntrospectionEndpointParams token_type_hint=requesting_party_token
OIDCOAuthIntrospectionTokenParamName token
<Location />
Authtype oauth20
Require valid-user
LogLevel debug
</Location>
# Resource Query for Apache
# curl -I --header "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJsNEhkVVhkdGxSamhta08yVTFld0JyX2hQYlZ6OWVINkQxNXBsVklSUGo4In0.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.a6XdNMW8uEefYKq7AhPg7_LAIIkKrZ3dOKi0pulOSd3W94mV3M0uqT10JbMrxWkGmZZHPaMDLx8U0U6fwCVTsmRsOH5IyKVxfAoSAMYoaTKHZCHrWENG2EdMqy39M_7iqkf2dZasav5EAuJPgjCi6vYpfRCWHYM_5U90uJu2Hi395u7Ro0xX9jfBytf1wt-ydDyG58L6HB8hqiLzQQTBep4soYz9-NzSTMOyljnYX8wtGhYUurYtTS2OGpf3Zd5vp54v6NRZmRH7vi3PSn2kEUEmGjBt-v-r3JNB8-IhMVnW6jyLKFlzJjml3NmZ2MzZsFwYXXlRbNODtVDuDuGRFg" https://FILESHOST/PATH
7 years, 5 months
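The Keycloak log in the post above shows the request being handled by RPTIntrospectionProvider ("Introspecting requesting party token") while the Apache log shows the body carrying token_type_hint=requesting_party_token, and the token being sent is the one obtained with grant_type=password, i.e. an ordinary bearer access token. RFC 7662 defines access_token and refresh_token as the standard hint values. The Python below, an added example that is not part of the original post nor of mod_auth_openidc or Keycloak, decodes a token's claims offline (no signature verification; this is a debugging aid, not validation), picks a hint from the token's shape, and builds the client_secret_basic introspection request in the form the Apache log shows. The sample token, its kid and placeholder signature, the secret value, and the rule that a requesting party token is recognised by an "authorization" claim are assumptions made for the example.

```python
import base64
import json
from typing import Optional, Tuple
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS serialisation."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample access token (header.payload.signature). The signature
# is a placeholder: nothing here verifies it.
SAMPLE_CLAIMS = {
    "typ": "Bearer",
    "azp": "igv-files",
    "aud": "igv-files",
    "iss": "https://SSOHOST.org/auth/realms/REALM",
    "exp": 1500294925,
    "iat": 1500294625,
}
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}).encode()),
    _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url(b"not-a-real-signature"),
])


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWS WITHOUT verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def choose_hint(claims: dict) -> str:
    """Assumption (not from the page): a requesting party token carries an
    'authorization' claim with permissions; anything else is introspected
    with the RFC 7662 hint access_token."""
    return "requesting_party_token" if "authorization" in claims else "access_token"


def build_introspection_request(endpoint: str, client_id: str, client_secret: str,
                                token: str, hint: Optional[str] = None) -> Tuple[str, dict, str]:
    """Return (url, headers, body) for an RFC 7662 introspection call using
    client_secret_basic, the shape mod_auth_openidc logs above."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"token": token}
    if hint:
        body["token_type_hint"] = hint
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return endpoint, headers, urlencode(body)


def diagnose(token: str, configured_hint: str) -> dict:
    """Compare the hint a resource server is configured with against the
    hint the token's own claims suggest."""
    claims = decode_claims(token)
    suggested = choose_hint(claims)
    return {
        "typ": claims.get("typ"),
        "azp": claims.get("azp"),
        "configured_hint": configured_hint,
        "suggested_hint": suggested,
        "hint_mismatch": configured_hint != suggested,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, "requesting_party_token"))
    url, hdrs, body = build_introspection_request(
        "https://SSOHOST.org/auth/realms/REALM/protocol/openid-connect/token/introspect",
        "igv-files", "CLIENT_SECRET", SAMPLE_TOKEN, "access_token")
    print(url, hdrs["Authorization"], body[:60] + "...")
```

decode_claims deliberately skips signature checking because its only job is to see what kind of token the resource server is forwarding; the introspection endpoint itself is what validates the token. Running diagnose on a password-grant token with the configured hint from the OIDCOAuthIntrospectionEndpointParams line reports a mismatch, which is the first thing to settle before digging further into the 401.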
Keycloak error 3.2.0 migration
by van der Vliet, Rody
Hi All,
Within our project we are migrating our Keycloak version from 2.5.4 to 3.2.0.Final.
However, we are getting the error below when trying to run Keycloak 3.2.0.Final on our test environment.
(We also tried to migrate from 2.5.4 to 3.0.0. That was successful. But when we tried to migrate from 3.0.0 to 3.2.0, we got the same error again.)
It seems the migration script wants to insert some DB records but is violating a unique constraint.
Is there anyone who has encountered the same problem or has an idea how we can resolve this issue?
Any help would be greatly appreciated.
Regards,
Rody van der Vliet
rody.van.der.vliet(a)accenture.com
ERROR:
2017-07-17 11:33:05,475 DEBUG [org.hibernate.engine.spi.ActionQueue] (ServerService Thread Pool -- 57) Changes must be flushed to space: KEYCLOAK_ROLE
2017-07-17 11:33:05,475 DEBUG [org.hibernate.SQL] (ServerService Thread Pool -- 57)
insert
into
KEYCLOAK_ROLE
(CLIENT, CLIENT_REALM_CONSTRAINT, CLIENT_ROLE, DESCRIPTION, NAME, REALM, REALM_ID, SCOPE_PARAM_REQUIRED, ID)
values
(?, ?, ?, ?, ?, ?, ?, ?, ?)
2017-07-17 11:33:05,506 DEBUG [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) could not execute statement [n/a]: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (XYZ_KEYCLOAK.UK_J3RWUVD56ONTGSUHOGM184WW2-2) violated
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:207)
at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:1044)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1329)
at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3584)
at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:3665)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeUpdate(OraclePreparedStatementWrapper.java:1352)
at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45)
at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2886)
at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3386)
at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:560)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:434)
at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
at org.hibernate.event.internal.DefaultAutoFlushEventListener.onAutoFlush(DefaultAutoFlushEventListener.java:50)
at org.hibernate.internal.SessionImpl.autoFlushIfRequired(SessionImpl.java:1251)
at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1319)
at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
at org.keycloak.models.jpa.JpaRealmProvider.getClientRole(JpaRealmProvider.java:252)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getClientRole(RealmCacheSession.java:743)
at org.keycloak.models.cache.infinispan.ClientAdapter.getRole(ClientAdapter.java:572)
at org.keycloak.migration.migrators.MigrateTo3_2_0.addRoles(MigrateTo3_2_0.java:66)
at org.keycloak.migration.migrators.MigrateTo3_2_0.migrate(MigrateTo3_2_0.java:50)
at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:84)
at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:243)
at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:184)
at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:134)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
2017-07-17 11:33:05,506 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) SQL Error: 1, SQLState: 23000
2017-07-17 11:33:05,506 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 57) ORA-00001: unique constraint (XYZ_KEYCLOAK.UK_J3RWUVD56ONTGSUHOGM184WW2-2) violated
7 years, 5 months
Language selection to client
by Geadah, Nicolas (VEC)
I configured my theme to support Spanish and English - works like a charm. Now how can I send the selected language to one of my client applications, so that the user does not have to make the language choice again when reaching the destination application? Is there something set on the KeycloakPrincipal that would indicate what language was selected?
7 years, 5 months
Java Spring Boot: possible inject user info?
by Dennis H
Does the keycloak java spring boot library provide a service that contains the user info, which can be injected in a class?
If not, how do I retrieve the user info from the request?
I can't find this in the docs.
7 years, 5 months
Unable to make quickstart app-profile-saml-jee-jsp work
by Kevin Cuijpers
Hello,
I am trying to see if we can use KeyCloak to secure our current APIs and make them available through SAML.
We are running our application on Tomcat 8.5.8
I downloaded keycloak-3.2.0.Final and saml-tomcat8-adapter.
I was following the instructions described in quickstarts app-profile-saml-jee-jsp and applying it to our application.
However, I am not able to select Client Protocol: saml. I can only choose openid-connect.
In Identity Providers I tried to configure my own saml Identity Provider and use that in my setup but when I try to access the secured resource I get following error:
org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context
I found a post of an older similar issue and it said it should be fixed in a new version:
http://lists.jboss.org/pipermail/keycloak-user/2016-November/008383.html
It points to https://issues.jboss.org/browse/KEYCLOAK-3669?filter=-2 but I can't find the issue.
The following things I have been trying to figure out but without success. Could you please help me clarify following questions or point me in the right direction to make it work?
- When I create a new realm I can only select Endpoints: OpenID Endpoint Configuration. I was expecting to also be able to select SAML 2.0 here or saml as described in the example.
- When I add Client, I only have Client Protocol openid-connect. If I want to add a new Identity Provider I need to add Single Sign-On Service URL: The url that must be used to send authentication requests (SAML AuthnRequest). I don't want to implement the Identity Provider. I was looking for a way to retrieve valid SAML tickets and specify what keys of the user are sent in that ticket. I would like this to be sent to a url inside my web app.
From the description of app-profile-saml-jee-jsp I thought this is what I should be able to do, but I can't seem to figure it out.
Best regards,
Kevin
7 years, 5 months
Authentication Flow
by Jannik Hüls
Hi,
I have implemented a async authenticator like in https://github.com/stianst/authenticator-example. (Btw: Thanks for that)
I am now wondering if it is possible to implement a RealmResourceProvider that can mark the BankIDFlow as unsuccessful in a backchannel call, such that the user does not have to enter the username but only has to redo the POST when he again wants to open a protected resource.
Thanks!
Jannik
7 years, 5 months