Keycloak Open Network Sockets Keep Growing
by Scott Baugher
Bottom line up-front: Keycloak's open socket connections (file handles)
keep growing.
I'm running Keycloak 3.2.1 Final in production on MS Azure using Ubuntu
16.04 LTS.
All clients interact with Keycloak using the JavaScript adapter.
I have two Keycloak servers configured in HA mode. I have tried running
the servers behind an Azure load balancer, and directly exposed to the
Internet (to eliminate the load balancer as an issue), with no difference.
I have also kept the servers in HA mode, but pulled one out of the load
balancer pool. The server no longer in the pool does not see its
connections grow.
Monitored over a period of several days, the Java process associated with
Keycloak starts around 400 file handles when the server is started, and
keeps climbing by 30 - 80 handles per hour until it reaches the maximum, at
which point Keycloak stops functioning.
If I do an "lsof -p [keycloak-pid]", it has hundreds to thousands of
network socket connections open to real customer IP addresses (far more
than would ever be expected based on the number of users). The number of
connections never goes down (until the server is rebooted).
I looked through all of the issues resolved in every release since 3.2.1,
but see nothing related to this. Does anyone have any idea what could
possibly be going on?
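An added monitoring example (not from the post or the Keycloak project): it parses the kind of "lsof -p <keycloak-pid>" output described above, counts peer sockets by TCP state and by remote host, and extrapolates the observed growth of 30-80 handles per hour to estimate how long the process has before it hits its descriptor limit. The lsof sample is constructed with documentation-range addresses, and the limit value is an assumption.

```python
import re
from collections import Counter

# Constructed sample of "lsof -p <keycloak-pid>" output (documentation-range IPs, not real data).
SAMPLE_LSOF = """\
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    1234 keycloak  cwd   DIR    8,1     4096    2 /opt/keycloak
java    1234 keycloak   45u IPv4 123456      0t0  TCP 10.0.0.5:8443->203.0.113.7:51234 (ESTABLISHED)
java    1234 keycloak   46u IPv4 123457      0t0  TCP 10.0.0.5:8443->203.0.113.7:51240 (CLOSE_WAIT)
java    1234 keycloak   47u IPv4 123458      0t0  TCP 10.0.0.5:8443->198.51.100.9:40001 (CLOSE_WAIT)
java    1234 keycloak   48u IPv4 123459      0t0  TCP *:8443 (LISTEN)
"""

# Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
SOCKET_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\d+[rwu]?\s+IPv[46]\s+\S+\s+\S+\s+(TCP|UDP)\s+(\S+)(?:\s+\((\w+)\))?\s*$")

def parse_sockets(lsof_text):
    """Return (remote_host, state) for every TCP socket that has a peer (listeners excluded)."""
    sockets = []
    for line in lsof_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m or m.group(1) != "TCP":
            continue
        name, state = m.group(2), m.group(3) or ""
        if "->" not in name:
            continue  # "*:8443" style listener, no remote peer
        remote = name.split("->", 1)[1].rsplit(":", 1)[0]
        sockets.append((remote, state))
    return sockets

def summarize(sockets):
    """Count sockets by TCP state and by remote host. A growing pile of CLOSE_WAIT means
    the peer hung up but the server never closed its descriptor, i.e. a handle leak."""
    return Counter(s for _, s in sockets), Counter(r for r, _ in sockets)

def hours_until_limit(samples, fd_limit):
    """samples: [(hours_since_start, open_handles)]. Linear estimate of the time left before
    the process reaches fd_limit (assumed, e.g. 4096); None if handles are not growing."""
    if len(samples) < 2:
        return None
    (t0, h0), (t1, h1) = samples[0], samples[-1]
    rate = (h1 - h0) / (t1 - t0)
    return (fd_limit - h1) / rate if rate > 0 else None
```

Feeding real samples (e.g. "lsof -p $(pidof java) | wc -l" once an hour) into hours_until_limit gives an alert threshold well before the server stops serving logins.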
6 years, 11 months
Offline tokens
by O'Callaghan, John
Hi
I'm hoping someone can help with a question I have around offline tokens. I would like to be able to generate offline tokens for users of my system. At the moment the only way I can see to create an offline token is to POST to "/realms/<name>/protocol/openid-connect/token" with the scope "offline_access" and pass in their username/password.
This works fine if I am asking users to create their own offline tokens, but what I would like to be able to do is allow an admin user to create these offline tokens for users on request (without knowing their password). Is this possible? I have had a look in the REST API and didn't see anything there, but maybe it's not documented?
Many thanks!
John
Accenture Global Solutions Limited, 3 Grand Canal Plaza, Grand Canal Street Upper, Dublin 4
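An added example (not from the post or the Keycloak project) of the user-credential flow the question describes: it builds the POST to the token endpoint with scope offline_access, and checks the returned refresh_token really is an offline token by reading its "typ" claim, which Keycloak sets to "Offline" (an ordinary refresh token carries "Refresh"). The base URL, realm and client id are assumptions, and sample_token is a constructed fixture so the check can run without a server; the admin-on-behalf case the post asks about is not covered here.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_PATH = "/realms/{realm}/protocol/openid-connect/token"

def offline_token_request(base_url, realm, client_id, username, password):
    """Build the POST from the question: resource-owner password grant with scope offline_access.
    Returns (url, urlencoded body) so the request can be inspected before it is sent."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password, "scope": "offline_access"}
    return base_url.rstrip("/") + TOKEN_PATH.format(realm=realm), urlencode(form).encode()

def fetch_offline_token(base_url, realm, client_id, username, password):
    """Send the request and return the refresh_token field, which holds the offline token."""
    url, body = offline_token_request(base_url, realm, client_id, username, password)
    req = Request(url, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)["refresh_token"]

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature: fine for reading the 'typ'
    claim of a token you just received from the server, never as a basis for trusting it."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_offline_token(refresh_token):
    """Keycloak sets typ to 'Offline' on offline tokens and 'Refresh' on ordinary refresh tokens."""
    return decode_jwt_payload(refresh_token).get("typ") == "Offline"

def sample_token(claims):
    """Constructed, unsigned fixture (assumption, not a Keycloak token) for offline testing only."""
    return _b64url(b'{"alg":"none","typ":"JWT"}') + "." + _b64url(json.dumps(claims).encode()) + "."
```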
6 years, 11 months
Why is the KEYCLOAK_LOCALE cookie httponly? And is there a way to get the locale on first call of page?
by Dominik Guhr
Hi everyone,
So I tried to theme the login page here, which worked out pretty well at
first, but when internationalization was a thing (I had to change the
provided internationalization to a select box) I tried to get the
KEYCLOAK_LOCALE cookie at page load to set the selected option from this
cookie.
Sadly, document.cookie doesn't have the KEYCLOAK_LOCALE cookie inside,
because it seems to be set with httponly=true, which doesn't make it
accessible via JS.
So this was a problem, because when you first(!) call the login page
there is no query param kc_locale=... set, and I had to figure out which
language is used and thus how to set the dropdown's selected option
accordingly.
My custom dropdown code just looks like this:
<#if realm.internationalizationEnabled>
  <select name="languages" id="locale_dropdown">
    <#list locale.supported as l>
      <#-- the option value carries the URL that switches to this locale;
           an <a> is not valid inside <option>, and the label must not be wrapped in <...> -->
      <option value="${l.url}">${l.label}</option>
    </#list>
  </select>
</#if>
Now, when changing the login to English, not logging in, and on the next
call of a protected page being redirected to the login page, I can't
check in JS which locale is set, for no query string is set and the
cookie is not accessible.
So, 3 concrete questions:
a) Why is it HttpOnly? XSS attack prevention?
b) Would it be possible to always get the locale in the query string of
the login/password form redirect?
c) Alternatively, is it possible to get the current locale in JSF by
accessing locale.?
Thanks in advance!
Best regards,
Dominik
6 years, 11 months
get Authorization reasons
by Corentin Dupont
Hi,
I'm using the entitlement API to protect the resources of my API.
Sometimes the user gets a "not authorized" message, and it's hard for him
to know why.
Is there any way to provide the user with more information on why it was
rejected?
Something similar to the info provided by the "evaluate" panel, but via
the API.
Thanks
Corentin
6 years, 11 months
Decoupled IDP brokering in different networks
by Scheinmann, Jonathan
Hi community,
We currently have a setup of two Keycloak IDPs in completely different networks. That means both Keycloak instances cannot see each other. However, the user (from the browser's point of view) can access both instances over a VPN connection. We would now like to "connect" both Keycloak instances over identity brokering in a way that both instances can perform the authentication process without communicating directly with each other (maybe indirectly through the user's browser). We set up IDP brokering between both, and everything worked fine up to the point where the brokering instance performs a call-back to the other instance, which of course led to an UnknownHostException.
The question is therefore: is there a way to pass user data between both Keycloak instances without direct communication, but through a browser authentication flow? Or would that be a security risk?
Regards
Jonathan
6 years, 11 months