Persistent Redirect Params in Registration
by Gregor Tudan
Hi,
I'm trying to find a solution for passing redirect parameters reliably through the registration page.
Our users will go through some steps prior to the registration. We generate an anonymous profile for saving the user input of these steps. Then we trigger a registration in Keycloak and pass the id of the profile as a parameter in the redirect URL.
This works fine in the happy path, but breaks on some occasions:
- We use email verification. If registration works, but the user fails to confirm the mail address before the link expires, he will be prompted to complete the confirmation the next time he logs in. But the mail in the confirmation link will now no longer contain the redirect params of the original mail.
- If an error occurs during the registration (the user fails multiple times to fill out the form), an error message will be shown prompting the user to restart the registration. The original params will be lost.
Is there a way to pass the query params in a more reliable manner through Keycloak?
Or is it better to implement this kind of logic in the application code? If so, are there any recommendations? Email verification makes this quite hard to do, as the registration can be completed on a completely different device.
Thanks,
Gregor
6 years, 1 month
Unable to unmarshall bytes for CLIENT_CACHE_ENTRY_CREATED
by Nicolas Ocquidant
Hi
This is my very simple UC to reproduce:
1. Start one Infinispan node with passivation=false and shared=true (I don't think the parameters are important here)
2. Start one Keycloak node configured with a remote-cache
3. Populate Keycloak using the admin console (one realm, one client, one role and one user)
4. Ask for an access token with curl (no client_secret)
Then, in Codec21.readCacheEvent():
    case CLIENT_CACHE_ENTRY_CREATED:
        Object createdKey = dataFormat.keyToObj(ByteBufUtil.readArray(buf), status, whitelist); // <-- BOOM
My config is:
<distributed-cache name="sessions" owners="1" remote-timeout="600000" statistics-enabled="true">
    <binary-memory eviction-type="COUNT" size="10000"/>
    <remote-store cache="sessions" socket-timeout="600000" remote-servers="remote-cache" passivation="false" fetch-state="false" purge="false" preload="false" shared="true">
        <property name="rawValues">true</property>
        <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
    </remote-store>
</distributed-cache>
The stack trace is below.
Is it a config issue?
Thanks for your help
--nick
11:09:13,373 WARN [org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder] (Thread-0) ISPN004039: Unable to complete reading event from server /127.0.0.1:11222: org.infinispan.client.hotrod.exceptions.HotRodClientException:: ISPN004034: Unable to unmarshall bytes 01012926033E2439633136373130642D653432332D343134342D396163652D393461356564353639313462
    at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:48)
    at org.infinispan.client.hotrod.DataFormat.keyToObj(DataFormat.java:93)
    at org.infinispan.client.hotrod.impl.protocol.Codec21.readCacheEvent(Codec21.java:75)
    at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:153)
    at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
    at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Unsupported protocol version 1
    at org.jboss.marshalling.river.RiverUnmarshaller.start(RiverUnmarshaller.java:1349)
    at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.startObjectInput(AbstractJBossMarshaller.java:129)
    at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromByteBuffer(AbstractJBossMarshaller.java:110)
    at org.infinispan.commons.marshall.AbstractMarshaller.objectFromByteBuffer(AbstractMarshaller.java:82)
    at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:32)
    ... 25 more
6 years, 1 month
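The hex string that Infinispan prints after "ISPN004034: Unable to unmarshall bytes" is the raw key the Hot Rod client received, so it is worth decoding before touching the config. The script below is an added example for this thread, not code from the post, from Infinispan or from Keycloak; its only input is the hex quoted in the exception above. It shows that the payload ends in a 36-character ASCII UUID preceded by a byte of value 36 (a length-prefixed string), while the very first byte is 0x01, which is the value the cause names as "Unsupported protocol version 1" when the JBoss Marshalling (River) reader checks its stream header. That pattern is what a marshaller mismatch between writer and reader looks like, as opposed to corrupted data.

```python
"""Decode the payload that Infinispan prints after "ISPN004034: Unable to unmarshall bytes".

Added example for this thread; it is not code from the original post, from Infinispan or
from Keycloak.  The only input is the hex string quoted in the exception message above.
"""
import re
from typing import Optional

# Hex dump copied from the exception in the thread (the Hot Rod client's view of the key).
PAYLOAD_HEX = (
    "01012926033E2439633136373130642D653432332D343134342D"
    "396163652D393461356564353639313462"
)

# Canonical textual UUID, the shape Keycloak session ids have when stored as String keys.
UUID_RE = re.compile(rb"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def hex_to_bytes(hex_text: str) -> bytes:
    """Turn the logged hex dump back into the raw bytes the client tried to unmarshall."""
    return bytes.fromhex(hex_text.strip())


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump so the structure is visible at a glance."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        txt = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part}  {txt}")
    return "\n".join(lines)


def find_uuid_key(data: bytes) -> Optional[dict]:
    """Locate an ASCII UUID inside the payload and describe what surrounds it.

    Returns None when there is no UUID; otherwise a dict with the UUID text, its
    offset, the bytes that precede it, and whether the byte immediately before it
    equals the UUID's length (i.e. a length-prefixed string encoding).
    """
    m = UUID_RE.search(data)
    if m is None:
        return None
    start = m.start()
    return {
        "uuid": m.group().decode("ascii"),
        "offset": start,
        "leading_bytes": data[:start].hex(),
        "length_prefixed": start > 0 and data[start - 1] == len(m.group()),
    }


if __name__ == "__main__":
    raw = hex_to_bytes(PAYLOAD_HEX)
    print(hexdump(raw))
    print(find_uuid_key(raw))
    # A JBoss Marshalling (River) stream starts with a version byte; the first byte here
    # is 0x01, which is what "Unsupported protocol version 1" in the cause refers to.
    print("first byte:", raw[0])
```

Run it as a script to see the dump; the interesting output is the UUID at offset 7 with the length byte 0x24 in front of it and the seven header bytes before that, which the client's configured marshaller does not recognise as its own framing.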
null pointer in org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598) while starting keycloak
by Madhu
Hi, I am starting Keycloak where I have about 400 realms and the startup was timing out. After I tweaked the WildFly server setting, I get the following error and the application fails to start.
Help will be appreciated. Why is getUsersCount throwing a null pointer?
Caused by: java.lang.NullPointerException
    at org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598)
    at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:451)
    at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:460)
    at org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:55)
:07:24,279 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 62) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect
09:07:24,323 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 62) Envers integration enabled? : true
09:07:24,893 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 62) HV000001: Hibernate Validator 5.3.6.Final
09:07:25,718 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 62) HHH000397: Using ASTQueryTranslatorFactory
09:13:12,576 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:485)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361)
    at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
    ... 8 more
Caused by: java.lang.NullPointerException
    at org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598)
    at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:451)
    at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:460)
    at org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:55)
    at org.keycloak.services.resources.KeycloakApplication$2.run(KeycloakApplication.java:163)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:159)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 31 more
09:13:12,581 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
09:13:12,654 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000080: Disconnecting JGroups channel ee
09:13:12,662 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000080: Disconnecting JGroups channel ee
09:13:12,663 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thre
6 years, 1 month
Using Gatekeeper with ingress-nginx
by David Leonard
Hello everyone,
We're attempting to use Gatekeeper to integrate into a workflow with auth_request to provide authorization from Keycloak. We're wanting to use this in our Kubernetes stack to sidecar Gatekeeper to our nginx-ingress controller.
We're attempting to follow a setup similar to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/aut... but replacing oauth2_proxy with Gatekeeper. We are able to complete a full authorization cycle using /oauth/expired to test if we have a current token.
This doesn't seem to work though because the X-Auth-* headers get passed only into the "proxied" application. Specifically oauth2_proxy provides the following config item:
-set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
We're wanting to sidecar Gatekeeper because we get the infinite flexibility of nginx-ingress. Is it possible to set a flag similar to -set-xauthrequest? Looking at the code itself it seems this is not possible, as the headers are only ever set in the middleware.
Thanks!
--
David Leonard
Director of Professional Services, South Region
303.245.4509
3010 Waterview Parkway, Richardson, TX, 75080
6 years, 1 month
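The mechanism the post is describing has two halves: the auth subrequest endpoint must answer 2xx/401 and carry the identity in *response* headers, and nginx then copies those into the upstream request with `auth_request_set` (e.g. `auth_request_set $auth_user $upstream_http_x_auth_request_user;` followed by `proxy_set_header X-Auth-Request-User $auth_user;`). The endpoint half is what oauth2_proxy's `-set-xauthrequest` provides. Below is an added example of such an endpoint in Python; it is not Gatekeeper's, oauth2_proxy's or ingress-nginx's code, and it assumes a hypothetical HMAC-signed `session` cookie (`user|email|expiry|signature`) minted by the login flow with a constructed shared secret, in place of Gatekeeper's own token handling.

```python
"""Identity-returning auth_request endpoint: the contract nginx needs for X-Auth-Request-* headers.

Added example for this thread; it is not Gatekeeper's, oauth2_proxy's or ingress-nginx's code.
It assumes a hypothetical HMAC-signed session cookie "session=user|email|expiry|signature"
issued by the login flow, and a shared SECRET (both constructed for the demo).
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

SECRET = b"constructed-demo-secret-change-me"  # assumption: shared with the cookie issuer


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the cookie payload, hex encoded."""
    return hmac.new(SECRET, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def make_session_cookie(user: str, email: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint the demo cookie value (what the login flow would set after Keycloak succeeds)."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{email}|{now + ttl}"
    return f"{payload}|{_sign(payload)}"


def _cookie(header: Optional[str], name: str) -> Optional[str]:
    """Pick one cookie out of a raw Cookie request header."""
    if not header:
        return None
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def decide(cookie_header: Optional[str], now: Optional[int] = None) -> Tuple[int, Dict[str, str]]:
    """Answer an nginx auth subrequest.

    200 means "allowed", with the identity travelling back in X-Auth-Request-User /
    X-Auth-Request-Email response headers; 401 means "not authenticated".  A missing
    cookie, a malformed value, a bad signature or an expired cookie is a 401 with no identity.
    """
    now = int(time.time()) if now is None else now
    value = _cookie(cookie_header, "session")
    if value is None:
        return 401, {}
    parts = value.split("|")
    if len(parts) != 4:
        return 401, {}
    user, email, expiry, sig = parts
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(sig, _sign("|".join(parts[:3]))):
        return 401, {}
    if not expiry.isdigit() or int(expiry) <= now:
        return 401, {}
    return 200, {"X-Auth-Request-User": user, "X-Auth-Request-Email": email}


def application(environ, start_response):
    """WSGI entry point so the endpoint can sit behind nginx's auth_request directive."""
    status, headers = decide(environ.get("HTTP_COOKIE"))
    reason = "OK" if status == 200 else "Unauthorized"
    start_response(f"{status} {reason}", [("Content-Length", "0"), *headers.items()])
    return [b""]
```

The point of the shape is that the identity leaves the auth endpoint as response headers and never as part of a body: nginx discards the subrequest body, but `$upstream_http_<name>` variables are populated from its headers, which is the only channel `auth_request` gives you for passing the user on to the proxied application.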
Users/Groups access restrictions
by Lyderic Dubut
Hi Keycloak people!
I'm slowly introducing Keycloak in a production environment, but I still do not know how to restrict permissions to users or groups.
To picture my words,
I have 3 applications A, B and C.
All company people can access application A.
For application B I want to prohibit access to non-admin group members.
So when a non-admin clicks on the OIDC button to log in to the app and is redirected to Keycloak, I want a message like "you don't have permissions".
And for application C all people can access it except Bob, because he has broken this application twice :-)
Is it possible to do it?
6 years, 1 month
Configure EMail failed
by So Be
Hi,
as an administrator, I'd like to receive notifications when users log into Keycloak.
I tried to configure the email for the realm but I got:
Logged in user does not have an e-mail.
Any idea what is causing this?
Thank you.
6 years, 1 month
Re: [keycloak-user] How to package a provider as EAR
by marco.scheuermann@daimler.com
Hi all,
do you have any example of how to package a provider implementation as an EAR file?
I packaged it as a JAR and it works, but then I added some external libs (JARs), so I have the requirement to package it as an EAR.
Thank you,
Marco
Marco Scheuermann
Dipl.-Informatiker
Software Engineer
RD/UIA – Team Rising Stars
Tel.: +49 151 5860 5255
E-Mail: marco.scheuermann(a)daimler.com
Daimler AG
6 years, 1 month
Adding attributes during login
by Craig Setera
We have an attribute we use to allow customers to "scope" or "namespace" a user's interaction with our system (a "partner code" that is known to our system). In our previous proprietary Java session-based security system, this value was stored in the Java session at the time of login and used by the authorization engine to further restrict what the user was allowed to see.
As we transition to using Keycloak for authentication, I'm wondering if there is a way to use Keycloak to manage this partner code during a login session? Some way to send the value during the Keycloak login sequence and then later retrieve it based on the access token?
Thanks for any insights.
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
6 years, 1 month