Idle connections are not closed
by Kir Merzlikin
Hi all,
I deploy Keycloak server app to Cloud Foundry and use ClearDB service as
relational database for Keycloak.
ClearDB has a restriction that it closes all connections that are idle for
90 seconds.
To avoid the situation where Keycloak tries to use a closed connection,
I've added the following datasource configuration (based on Pivotal
recommendations
<https://discuss.pivotal.io/hc/en-us/articles/230433268-Suggested-Configur...>
):
But even after applying this configuration I see in the ClearDB management
console that idle connections are closed only after 90 seconds and not after
60 seconds (1 minute) as it's specified with "idle-timeout-minutes"
parameter.
So, has anybody of you faced a similar situation? Or maybe you have some
ideas why these idle connections are not being closed.
Thanks.
7 years, 5 months
Customize admin console to support custom attributes
by Thomas Recloux
Hi All,
Is there a way to extend the admin console in order to support more
attributes than email, first name and last name ?
We'd like to offer a guided UI, compared to the "attributes" tab.
Thank you, Thomas
7 years, 5 months
error=pkce_verification_failed
by Federico Navarro Polo - Info.nl
Hello,
After upgrading our Keycloak version to 3.1.0, we’ve started seeing the following error in one of our use cases (using AppAuth).
2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA
2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256
2017-07-11 16:21:12,135 WARN [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone(a)somewhere.nl
2017-07-11 16:21:12,136 WARN [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret
I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956
Is it possible to disable PKCE from Keycloak configuration?
Kind regards,
Federico Navarro
backend developer
federico@info.nl | LinkedIn: https://www.linkedin.com/company/info-nl | +31 (0)2 05 30 91 61
info.nl (http://www.info.nl/)
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
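To make the WARN line above concrete, here is a small PKCE verifier in Python (an added example, not Keycloak's own code): it recomputes the S256 challenge for the code_verifier printed in the DEBUG line and reports why a check fails. The stored challenge, the second verifier and the reason strings are constructed for the example.

```python
import base64
import hashlib
import hmac

# code_verifier exactly as Keycloak printed it in the DEBUG line quoted above.
LOGGED_VERIFIER = ("KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPy"
                   "UtFaMcue1Uole-bTdHP6KaA")


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_check(stored_challenge: str, stored_method: str, code_verifier: str) -> str:
    """Re-run the token-endpoint side of PKCE and name the reason for the outcome.

    stored_challenge and stored_method are what the server saved with the
    authorization code when it handled the authorization request; code_verifier
    is what the client sends together with the code to the token endpoint.
    Returns "ok" on success, otherwise a (constructed) reason label for the
    condition that would be logged as pkce_verification_failed.
    """
    if not 43 <= len(code_verifier) <= 128:
        return "verifier_length"          # RFC 7636 4.1: 43..128 unreserved chars
    if stored_method == "S256":
        expected = s256_challenge(code_verifier)
    elif stored_method == "plain":
        expected = code_verifier
    else:
        return "unsupported_method"
    # Constant-time comparison, as for any secret-derived value.
    return "ok" if hmac.compare_digest(expected, stored_challenge) else "mismatch"


def verify_pkce(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    return pkce_check(stored_challenge, stored_method, code_verifier) == "ok"


if __name__ == "__main__":
    # Happy path: the challenge registered with the code was derived from this verifier.
    challenge = s256_challenge(LOGGED_VERIFIER)
    print(pkce_check(challenge, "S256", LOGGED_VERIFIER))        # ok
    # Failure mode from the log: the verifier presented belongs to a different
    # authorization request (second verifier is the RFC 7636 Appendix B vector).
    other = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    print(pkce_check(challenge, "S256", other))                  # mismatch
```

A "mismatch" for a client that cannot be turned off means the client sent a verifier from another authorization attempt (or none), which is the condition to investigate before trying to disable PKCE server-side.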
7 years, 5 months
Keycloak Cookies
by John D. Ament
Hi,
I have a use case where I need to login to my app via keycloak, but using
my app's login screen. We've been using the OIDC endpoint in keycloak via
a POST to authenticate the user and get an access token/refresh token back.
However, we're seeing that it's then very hard to actually get into a
keycloak screen (which we use to do account management). So I was
wondering, is there something in the JS adapter that should fix this? We
don't see any of the keycloak cookies being set.
John
7 years, 5 months
User Name Complexity
by Geadah, Nicolas (VEC)
There seems to be no "out-of-the-box" support for username complexity requirements; as such, users can register with usernames as short as 1 character, which is problematic and potentially unsafe in a production environment.
What is the best way to enforce a set of username complexity requirements, such as minimum/maximum length, presence of numeric/special characters, etc.?
Thank you
7 years, 5 months
Idle connections are not closed
by Кир Мерзликин
Hi all,
I deploy Keycloak server app to Cloud Foundry and use ClearDB service as
relational database for Keycloak.
ClearDB has a restriction that it closes all connections that are idle
for 90 seconds.
To avoid the situation where Keycloak tries to use a closed
connection, I've added the following datasource configuration (based on Pivotal
recommendations
<https://discuss.pivotal.io/hc/en-us/articles/230433268-Suggested-Configur...>
):
- - - - - - - - -
<datasource jndi-name="java:jboss/datasources/KeycloakDS"
            pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <!-- '&' in element content must be escaped as '&amp;' or the XML will not parse -->
    <connection-url>jdbc:mysql://blah.cleardb.net/blah?user=blah&amp;password=blah</connection-url>
    <driver>mysql</driver>
    <pool>
        <min-pool-size>1</min-pool-size>
        <max-pool-size>10</max-pool-size>
    </pool>
    <timeout>
        <idle-timeout-minutes>1</idle-timeout-minutes>
    </timeout>
    <validation>
        <validate-on-match>true</validate-on-match>
        <valid-connection-checker
            class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"/>
        <exception-sorter
            class-name="org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"/>
    </validation>
</datasource>
- - - - - - - - -
But even after applying this configuration I see in the ClearDB management
console that idle connections are closed only after 90 seconds and not
after 60 seconds (1 minute) as it's specified with "idle-timeout-minutes"
parameter.
So, has anybody of you faced a similar situation? Or maybe you have some
ideas why these idle connections are not being closed.
Thanks.
Kir
7 years, 5 months
Re: [keycloak-user] Identity provider, keycloak js adapter and session management
by Peter Nalyvayko
Thanks, Marek.
--------------------------------------------
On Wed, 7/12/17, Marek Posolda <mposolda(a)redhat.com> wrote:
Subject: Re: [keycloak-user] Identity provider, keycloak js adapter and session management
To: "Peter Nalyvayko" <petervn1(a)yahoo.com>, keycloak-user(a)lists.jboss.org
Date: Wednesday, July 12, 2017, 7:17 AM
There was some related fix in latest master https://issues.jboss.org/browse/KEYCLOAK-5139 . However your issue with iframe looks like something different. Feel free to create JIRA if it won't help.
Ideally you can also send PR. We have tests for pairwise in OIDCPairwiseClientRegistrationTest.java and there are some IFrame related tests in LoginStatusIframeEndpointTest.
Marek
On 07/07/17 18:06, Peter Nalyvayko wrote:
Some additional info: we can also reproduce the same behavior using the Pairwise subject identifier, i.e. users keep getting logged out after 5 seconds.
--------------------------------------------
On Thu, 7/6/17, Peter Nalyvayko <petervn1(a)yahoo.com>
wrote:
Subject: Identity provider, keycloak js adapter and session
management
To: keycloak-user(a)lists.jboss.org
Date: Thursday, July 6, 2017, 12:10 PM
Hi,

We've hit a bit of a snag while setting up our one page js client. Changing the value of the "sub" claim to anything other than the unique identifier of the keycloak user causes the keycloak adapter to detect the changes to the session and clear out the tokens, forcing the users to re-log in after every 5 seconds.

We are using the version 2.3.0 of keycloak. Our app is set up to use keycloak.js adapter for all things related to OIDC. The adapter is configured to use the "code authorization" (standard) flow. The instance of keycloak is configured to use an external OIDC identity provider and the users are uniquely identified by their e-mails. Naturally, we wanted that the "sub" claim in the claim set returned by calling the keycloak's OIDC /token endpoint would return the unique identity of the external user rather than the internal identifier of the keycloak user, so we re-configured the keycloak client by adding a property mapper to map the user's email to the "sub" claim. Here is an example of the access token:

{
  "sub": "user@company.com",
  "iat": 223235098325,
  "email": "user@company.com",
  ...
}

Once we had implemented these changes on the keycloak side, our users were able to initially sign into the application, but when they tried to access any functionality within the app, they would be prompted to sign in again. The problem seems to be related to the OIDC session management and the assumption that the "sub" claim always matches the keycloak user's unique identifier.

We narrowed the problem down to four components:
- keycloak.js
- login-status-iframe.html
- services\src\main\java\org\keycloak\protocol\oidc\endpoints\LoginStatusIframeEndpoint.java
- services\src\main\java\org\keycloak\services\managers\AuthenticationManager.java

In keycloak.js, line 637, the implementation creates a session id to be used to check the session state. Notice that the code uses the value from the "sub" claim:

var sessionId = kc.realm + "/" + kc.tokenParsed.sub;

In AuthenticationManager.createLoginCookie, line 306, the value of the "SESSION_COOKIE" is set to:

String sessionCookieValue = realm.getName() + "/" + user.getId();

Sadly, in our configuration, the value returned by user.getId() is not the same as the value stored in the "sub" claim, thus causing the session management code in login-status-iframe.html, line 53, to clear out any tokens and force the users to re-login the next time it checks the session state (default is 5 second intervals):

var cookie = getCookie();
if (sessionState == cookie) {
    ...
} else {
    callback("changed");
}

Looking at LoginStatusIframeEndpoint.preCheck (LoginStatusIframeEndpoint.java, lines 71-93), we've noticed that the implementation does not even make use of the user identity, only the session id.

The workaround, at least temporary, for us was to add the "id" claim containing the user identity internal to keycloak, and modify the keycloak JS adapter code to look for the "id" claim and use its value instead of the value in the "sub" claim when creating the session id, i.e.:

var sessionId;
if (kc.tokenParsed.id) {
    sessionId = kc.realm + "/" + kc.tokenParsed.id;
} else {
    sessionId = kc.realm + "/" + kc.tokenParsed.sub;
}

Is this a bug, or does it work as intended, i.e. the users should never set the "sub" claim to anything other than the keycloak's user identity? If this is a bug, I can submit a JIRA request and a fix as long as the workaround above seems like an acceptable solution.

Any comments are welcome.

Regards,
Peter
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 5 months
Password reset link expires after clicking it once
by Anunay Sinha
Hi
We are sending the reset password link.
Once you click on the link and for some reason do not complete the action
of resetting the password, and then try again with the same link, it gives the
following error:
We're *sorry* ...
An error occurred, please login again through your application.
There is already an issue raised and it states to be fixed in 1.9.0.
I am using 2.4.0 and am still facing this issue.
Is this a configuration that I need to take care of?
7 years, 5 months
Recommended way to import user accounts with external identity provider information?
by Federico Navarro Polo - Info.nl
Hello,
I'm currently facing a migration scenario where I have a group of users which need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users which authenticate via external identity providers (eg: facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all).
From the source system, I have access to the facebook user id and email address, so first I tried to include that as federated identity in the users import:
{
  "realm": "test",
  "users": [
    {
      "createdTimestamp": 1476191007295,
      "username": "somebody@somewhere.com",
      "enabled": true,
      "totp": false,
      "emailVerified": true,
      "firstName": "Test",
      "lastName": "Test",
      "email": "somebody@somewhere.com",
      "credentials": [],
      "disableableCredentialTypes": [],
      "requiredActions": [],
      "federatedIdentities": [
        {
          "identityProvider": "facebook",
          "userId": "0123456789",
          "userName": "somebody@somewhere.com"
        }
      ],
      "realmRoles": ["offline_access", "uma_authorization"],
      "clientRoles": {
        "account": ["manage-account", "view-profile"]
      }
    }
  ]
}
This imports fine, and I can see the link in the admin console, but when attempting to login using Facebook, Keycloak ignores that data and redirects to the "Account linking" screen (and in that case, if I follow the process, then I get a DB exception due to duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to login with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration.
I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but I can't figure out what it is. Is there any possible way to avoid the account linking step?
Kind regards,
Federico Navarro
backend developer
federico@info.nl | LinkedIn: https://www.linkedin.com/company/info-nl | +31 (0)2 05 30 91 61
info.nl (http://www.info.nl/)
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100
7 years, 5 months
Internal System Error on screens when a code is expired
by Federico Navarro Polo - Info.nl
Hello,
There are some screens / links generated by Keycloak that make use of an authorization code, like registration link, forgotten password link, verification link, etc. When those codes expire or a code is already used, the feedback to the user will be just an Internal Server Error screen.
This is not very user friendly, since the user doesn't know what he has done wrong (eg: a simple refresh on the register page will trigger the issue). I wonder if there is a simple way to modify this behavior, and for instance show a different error message informing of the actual problem (eg: the code is invalid. Please go to {link} to restart the process), or whether this is really new functionality to be requested from the Keycloak team via JIRA.
Regards,
Federico
7 years, 5 months