Modcluster does connect in SSL to keycloak
by Olivier Rivat
Hi,
I am trying to setup modcluster in SSL to keycloak connection
the error I obtained is:
11:53:32,916 ERROR [org.jboss.modcluster] (UndertowEventHandlerAdapter - 1) MODCLUSTER000043: Failed to send INFO command to vps383894.ovh.net/79.137.82.56:8180: Unrecognized SSL message, plaintext connection?
My proxy_cluster.conf is
MemManagerFile /var/cache/mod_cluster
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule advertise_module /usr/lib/apache2/modules/mod_advertise.so
LoadModule manager_module /usr/lib/apache2/modules/mod_manager.so
LoadModule proxy_cluster_module /usr/lib/apache2/modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module /usr/lib/apache2/modules/mod_cluster_slotmem.so
<IfModule manager_module>
Listen 8180 http
SSLProxyEngine On
SSLProxyVerify require
SSLProxyVerifyDepth 1 # if not using self signed certificates set the verify depth appropriately
SSLProxyCACertificateFile /home/olivier/dev/MyRootCA.pem
SSLProxyMachineCertificateFile /home/olivier/dev/MyClient1.pem
SSLProxyProtocol ALL -SSLv2
<VirtualHost vps383894.ovh.net:8180>
SSLEngine on
SSLCertificateFile /home/olivier/dev/MyClient1.pem
SSLCertificateKeyFile /home/olivier/dev/certs/MyClient1.key
<Directory />
# add ip of JBoss nodes to join this proxy here
#Require ip vps383894.ovh.net
#Require all granted
Allow from all
Order deny,allow
Allow from all
</Directory>
ServerAdvertise on
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
# add ip of clients allowed to access mod_cluster-manager
#Require ip vps383894.ovh.net
#Require all granted
Allow from all
Order deny,allow
LogLevel message
</Location>
</VirtualHost>
</IfModule>
The standalone-ha.xml contains the following modification:
<subsystem xmlns="urn:jboss:domain:modcluster:3.0">
<mod-cluster-config advertise-socket="modcluster"
proxies="proxy1" connector="https">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
<ssl key-alias="Myclient1" password="secret"
certificate-key-file="/home/olivier/dev/keycloak/keycloak-3.4.3.Final/standalone/configuration/keystore.jks"
ca-certificate-file="/home/olivier/dev/keycloak/keycloak-3.4.3.Final/standalone/configuration/truststore.jks"/>
</mod-cluster-config>
</subsystem>
and
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="jgroups-mping" interface="private"
port="0"
multicast-address="${jboss.default.multicast.address:230.0.0.4}"
multicast-port="45700"/>
<socket-binding name="jgroups-tcp" interface="private"
port="7600"/>
<socket-binding name="jgroups-udp" interface="private"
port="55200"
multicast-address="${jboss.default.multicast.address:230.0.0.4}"
multicast-port="45688"/>
<socket-binding name="modcluster" port="0"
multicast-address="${jboss.modcluster.multicast.address:224.0.1.105}"
multicast-port="23364"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
<outbound-socket-binding name="proxy1">
<remote-destination host="79.137.82.56" port="8180"/>
</outbound-socket-binding>
</socket-binding-group>
Keycloak is launched as follows:
/standalone.sh -c standalone-ha.xml -Djboss.socket.binding.port-offset=300 -Djboss.node.name=node1 -Djboss.bind.address=vps383894.ovh.net
MyRootCA and MyClient1 are part of the keystores.jks
What could be wrong with my settings?
Regards,
Olivier
--
Olivier Rivat
CTO
orivat(a)janua.fr <mailto:dchikhaoui@janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
6 years, 11 months
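The error in the post above, "Unrecognized SSL message, plaintext connection?", is what a TLS client reports when the peer answers the ClientHello with cleartext. The following is an added diagnostic, not code from the post or from mod_cluster/Keycloak: it probes a host:port, first with a TLS handshake and then with a plaintext HTTP request, and reports which of the two the listener actually speaks. The embedded plaintext responder is a constructed stand-in so the probe can be run offline; the host and port are assumptions.

```python
import socket
import ssl
import threading

# Cleartext reply used by the stand-in server below (constructed for this
# example; it plays the role of a listener that was expected to speak TLS).
PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"


def start_plaintext_server(connections: int = 2) -> int:
    """Answer `connections` clients with a cleartext HTTP reply; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))            # ephemeral port, loopback only
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            try:
                conn.settimeout(2)
                conn.recv(4096)           # swallow the ClientHello or HTTP request
                conn.sendall(PLAINTEXT_REPLY)
            except OSError:
                pass
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify what a port speaks: 'tls', 'plaintext-http' or 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE       # the question is the protocol, not the identity
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.version()
                return "tls"
    except ssl.SSLError:
        pass                              # peer did not answer with a TLS record
    except OSError:
        return "unknown"                  # refused, reset or timed out

    # Second attempt in cleartext: a listener that speaks plain HTTP will
    # answer a HEAD request with a status line.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            banner = raw.recv(64)
    except OSError:
        return "unknown"
    return "plaintext-http" if banner.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    demo_port = start_plaintext_server()
    print("127.0.0.1:%d speaks %s" % (demo_port, probe("127.0.0.1", demo_port)))
```

Pointed at a real proxy (assumed `probe("vps383894.ovh.net", 8180)`), a result of `plaintext-http` means the mod_cluster side is not terminating TLS on that port, whatever the Keycloak `<ssl>` element says; `tls` means the handshake itself works and the problem lies further on (trust store, client certificate, `SSLProxyVerify`).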
Duplicate User showing in admin console after user import via federation
by Christian Chive
Hi,
This is my first time using a mailing list, and my colleagues found it
hysterical that I'd never heard of the concept before, so apologies if I'm
doing something incorrectly.
I have based my code off of
https://github.com/keycloak/keycloak/tree/master/examples/providers/user-...
I've been reading Section 11.X to help troubleshoot
http://www.keycloak.org/docs/3.4/server_development/index.html#credential...
Here are (I think) all of the relevant methods I overrode. I excluded
methods I figured were irrelevant.
https://pastebin.com/0CF1n4xy
My goal:
Using keycloak 3.4, write a provider that allows me to log in with
credentials in a simple key/value properties file. Once a user logs in for
the first time while keycloak is up, keycloak will create a new user and
add it to the UserLocalStorage so the next time the user logs in, it will
query the UserLocalStorage to retrieve the user and skip hitting the
external store. The end goal is to hook into our SQL DB and slowly migrate
users on a per-login basis.
I've got all of this working, except whenever I go into the admin console
and go to Users -> View All Users, I see duplicates of all of the users
that have been migrated over - same ID, same username.
I had thrown debug statements all over my overridden methods, and the
getUsers method seemed to be returning the correct (non-duplicate) number
of accounts, but the 'isConfiguredFor' coming from the
CredentialInputValidator interface was being called twice for each account,
and I couldn't figure out why.
An important note, once I unlink the users and remove the provider, the
users that remain in the 'Users -> View All' display no duplicates.
Any help would be sincerely appreciated. Thank you!
6 years, 11 months
Auto Refresh of external IDP tokens
by Carlos Feria
Hi All. I'm facing a problem trying to retrieve an external IDP token from
google using the Broker configuration.
This is the context: I have a Keycloak offline_token of every user of my
application, then I use these offline_tokens to retrieve external IDP Token
(Google) calling to:
GET /auth/realms/{realm}/broker/{provider_alias}/token
Authorization: Bearer {keycloak_access_token}
The HTTP GET returns an access token and I use that access token to get
information from Google. The problem is that the access token retrieved has
an expiration of 1 hour and after that I'm not able to call Google any
more.
After reading the documentation I found this part:
http://www.keycloak.org/docs/latest/server_development/index.html#retriev...
That part said: "These external tokens can be re-established by either
logging in again through the provider, or using the client initiated
account linking API."
Does it mean that I have to force the user to log in again and again every
time I find the external token has expired? Is it possible to
re-establish the external IDP token without the intervention of the user?
This doesn't seem to be a big problem, but because in my case I have
Keycloak offline_tokens I can't re-establish the external IDP token. How
should I face this problem?
--
Carlos E. Feria Vila
6 years, 11 months
Re: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
by Ryan Slominski
Hi Keycloak Users,
I figured out that single quotes are sometimes required around CLI attributes and sometimes not (doesn't seem to have anything to do with whitespace either). I've created an issue ticket in Jira to update the documentation to reflect the new "create components" API instead of the old "create user-federation/instances" API.
Issue created:
https://issues.jboss.org/browse/KEYCLOAK-6583
And made the fix in the documentation repository. Pull request:
https://github.com/keycloak/keycloak-documentation/pull/328
Ryan
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Wednesday, February 7, 2018 10:25:09 AM
Subject: Re: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
I figured out why the kerberos component wasn't showing up in the web console. I now see that realm name and realm ID are not identical by default. It might make sense to update the CLI docs to suggest that when creating a realm you explicitly set the ID to be the same as the realm name as the web console automatically does. That is why I was seeing the command line listing the component as part of the realm, but not visible when browsing from the web console. The first part of my question still remains. It seems the kcadm tool cannot be used to create or modify a user storage provider with all of the fields. Some fields seem to cause parsing errors on the server. Including these fields in the initial create command doesn't work. Neither does including them in an update command:
kcadm.sh update components/my-kerberos-component-id -r demorealm -s config.kerberosRealm=["my-kerberos-realm-name"]
Also results in:
Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Tuesday, February 6, 2018 2:16:32 PM
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
I'm following the latest CLI documentation (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs... ), but the section about managing Kerberos user storage providers seems to be out-of-date. The related REST API documentation (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs... ) points out major changes occurred after version 2.4.0. In particular the following command no longer works:
kcadm.sh create user-federation/instances -r demorealm ...
Instead it seems it should be something like the following:
kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider"\
-s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]
However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:
-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]
Including any one of them results in the server throwing the following exception:
Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token
Further, even if I leave these attributes out and attempt to finish the job using the web console I noticed the new user storage provider doesn't show up in the list on the web. It DOES show up when queried from the command line with:
kcadm.sh get components -r demorealm
But oddly doesn't show up if you filter as the web does with:
kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider
Any help is appreciated. Thanks,
Ryan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
6 years, 11 months
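The thread above shows `-s config.enabled=["true"]` working while `-s config.kerberosRealm=["my-kerberos-realm-name"]` fails with "Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token", and the follow-up notes that single quotes are "sometimes required". The added example below (not kcadm's own code) reproduces the mechanism offline: it runs each command line through POSIX shell quote removal with `shlex` and then applies the rule, assumed here and modelled in `parse_set_option`, that a value which parses as JSON is sent as JSON and anything else as a plain string. The command lines are constructed; the component id `x` is a placeholder.

```python
import json
import shlex

# Three ways of passing the same kcadm `-s key=value` attribute on a bash
# command line (constructed; the first two mirror the forms in the thread).
COMMAND_LINES = {
    "unquoted-bool":   'kcadm.sh update components/x -r demorealm -s config.enabled=["true"]',
    "unquoted-string": 'kcadm.sh update components/x -r demorealm -s config.kerberosRealm=["my-kerberos-realm-name"]',
    "single-quoted":   "kcadm.sh update components/x -r demorealm -s 'config.kerberosRealm=[\"my-kerberos-realm-name\"]'",
}


def args_after_shell(command_line: str) -> list:
    """The argv the program really receives: bash quote removal, done by shlex."""
    return shlex.split(command_line)


def parse_set_option(arg: str):
    """Split 'key=value' and decide how the value would be sent.

    Assumption (modelled here, not kcadm's own parser): a value that parses
    as JSON is sent with that JSON type, anything else as a plain string.
    """
    key, _, raw = arg.partition("=")
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        value = raw
    return key, value


def classify(command_line: str) -> str:
    """Return 'list' when the last -s value would be sent as a JSON array, else 'string'."""
    argv = args_after_shell(command_line)
    set_values = [argv[i + 1] for i, a in enumerate(argv) if a == "-s"]
    _, value = parse_set_option(set_values[-1])
    return "list" if isinstance(value, list) else "string"


if __name__ == "__main__":
    for name, line in COMMAND_LINES.items():
        print(name, "->", args_after_shell(line)[-1], "->", classify(line))
```

After bash strips the double quotes, `["true"]` becomes `[true]`, which is still valid JSON (an array holding a boolean), whereas `["my-kerberos-realm-name"]` becomes `[my-kerberos-realm-name]`, which is not JSON and therefore travels as a string, which is exactly what the server's ArrayList error complains about. Wrapping the whole `key=value` in single quotes keeps the inner double quotes intact. One further caveat for interactive shells: an unquoted `[true]` is also a glob bracket expression, so it would be expanded if a one-character file named `t`, `r`, `u` or `e` existed in the working directory.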
User impersonation - JWT
by Harry Trinta
Dears,
I need help with user impersonation on Keycloak.
I am authenticating users through the
"/realms/test/protocol/openid-connect/token". As expected, it returns a
token JWT.
In my app, all requests go through apiman, which validates the JWT.
Now I need to impersonate a user. I'm calling the service
"/admin/realms/test/users/USER_ID/impersonation", sending the token in the
header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
The service /impersonation creates the user session on Keycloak; however, it
doesn't return a JWT but 3 cookies. *I'd like to get the JWT of the impersonated
user instead of the cookies.* Is it possible?
Best regards
Harry Costa
6 years, 11 months
Keycloak forum
by valsaraj pv
Hi,
Is there any Keycloak forum website?
Thanks!
6 years, 11 months
Modcluster integration with keycloak
by Olivier Rivat
Configuring Keycloak with Modcluster in standalone HA mode with WildFly
1) I am trying to set up a cluster in standalone mode with Keycloak.
I have
-keycloak 3.4.3
-wildfly 11
-modcluster 1.3
1) mod_cluster
==============
I have configured mod_cluster on an Ubuntu distribution as follows:
MemManagerFile cache/mod_cluster
<IfModule manager_module>
Listen 8180 http
<VirtualHost vps383894.ovh.net:8180>
<Directory />
# add ip of JBoss nodes to join this proxy here
Require ip 127.0.0.1
#Require all granted
Allow from all
</Directory>
ServerAdvertise on
EnableMCPMReceive
<Location /mod_cluster_manager>
SetHandler mod_cluster-manager
# add ip of clients allowed to access mod_cluster-manager
Require ip 127.0.0.1
#Require all granted
Allow from all
</Location>
</VirtualHost>
</IfModule>
I can access it at URL http://vps383894.ovh.net:8180/mod_cluster_manager
to check that mod_cluster is operational
2) Keycloak server
==================
On my server I have installed Keycloak
http://www.keycloak.org/docs/latest/server_installation/index.html#_examp...
route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
ifconfig lo multicast
The difference I have introduced: I have started it as
./standalone.sh -c standalone-ha.xml -Djboss.socket.binding.port-offset=200 -Djboss.node.name=node1
I have updated the xml as follows:
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http"
redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https"
security-realm="ApplicationRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
<filter-ref name="proxy-peer"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
<session-cookie name="AUTH_SESSION_ID" http-only="true" />
</servlet-container>
<handlers>
<file name="welcome-content"
path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<filter name="proxy-peer"
class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
module="io.undertow.core" />
</filters>
</subsystem>
changes:
2.1)
X-Forwarded-For AJP Config
<subsystem xmlns="urn:jboss:domain:undertow:4.0">
<buffer-cache name="default"/>
<server name="default-server">
<ajp-listener name="ajp" socket-binding="ajp"/>
<http-listener name="default" socket-binding="http"
redirect-socket="https"/>
<host name="default-host" alias="localhost">
...
<filter-ref name="proxy-peer"/>
</host>
</server>
...
<filters>
...
<filter name="proxy-peer"
class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"
module="io.undertow.core" />
</filters>
</subsystem>
2.2)
<servlet-container name="default">
<session-cookie name="AUTH_SESSION_ID" http-only="true" />
...
</servlet-container>
3) Traces
=========
Now I try to access http://vps383894.ovh.net:8180/auth to reach
the Keycloak authentication URL.
I obtain the following errors in the Apache error log:
[Tue Feb 13 11:07:44.023463 2018] [core:notice] [pid 17183:tid
140195770410880] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:43:03.239246 2018] [mpm_event:notice] [pid 17183:tid
140195770410880] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:43:04.383906 2018] [ssl:warn] [pid 23735:tid
139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.415962 2018] [ssl:warn] [pid 23736:tid
139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.421178 2018] [:notice] [pid 23736:tid
139634017527680] Advertise initialized for process 23736
[Tue Feb 13 11:43:04.422642 2018] [mpm_event:notice] [pid 23736:tid
139634017527680] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final
OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:43:04.422682 2018] [core:notice] [pid 23736:tid
139634017527680] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:55:14.852179 2018] [mpm_event:notice] [pid 23736:tid
139634017527680] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:55:15.984187 2018] [ssl:warn] [pid 25890:tid
140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.005249 2018] [ssl:warn] [pid 25891:tid
140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is
a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.009504 2018] [:notice] [pid 25891:tid
140179862239104] Advertise initialized for process 25891
[Tue Feb 13 11:55:16.010908 2018] [mpm_event:notice] [pid 25891:tid
140179862239104] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final
OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:55:16.010932 2018] [core:notice] [pid 25891:tid
140179862239104] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 25895:tid
140179444545280] [client 82.236.158.30:49992] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 25895:tid
140179452937984] [client 82.236.158.30:49996] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.508734 2018] [proxy:warn] [pid 25896:tid
140179461330688] [client 82.236.158.30:49998] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.670853 2018] [proxy:warn] [pid 25895:tid
140179427759872] [client 82.236.158.30:50000] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.819705 2018] [proxy:warn] [pid 25896:tid
140179452937984] [client 82.236.158.30:50002] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:13:58.980052 2018] [proxy:warn] [pid 25895:tid
140179419367168] [client 82.236.158.30:50004] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
[Tue Feb 13 12:14:50.778001 2018] [proxy:warn] [pid 25895:tid
140179385796352] [client 82.236.158.30:50014] AH01144: No protocol
handler was valid for the URL /auth. If you are using a DSO version of
mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
What's going wrong?
How is it possible to fix this?
Regards,
Olivier
--
Olivier Rivat
CTO
orivat(a)janua.fr <mailto:dchikhaoui@janua.fr>
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr <http://www.janua.fr/>
6 years, 11 months
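The Apache error log quoted in the post above is the kind of input a reviewer has to triage by hand. As an added example, not code from the post or from the mod_cluster project, here is a parser for Apache 2.4 error-log lines that counts entries per level and AH code, records which clients triggered each warning, and ranks the codes that deserve attention (the repeated AH01144 lines, whose own text already points at a missing `LoadModule` for a proxy submodule). The sample lines are copied from the post, trimmed to a handful; the first one keeps the missing leading bracket it has in the post so the parser's tolerance for that is exercised.

```python
import re
from collections import Counter

# Error-log entries taken from the post above (trimmed to a handful).
SAMPLE_LOG = """\
Tue Feb 13 11:07:44.023463 2018] [core:notice] [pid 17183:tid 140195770410880] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:43:04.383906 2018] [ssl:warn] [pid 23735:tid 139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.422642 2018] [mpm_event:notice] [pid 23736:tid 139634017527680] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 25895:tid 140179444545280] [client 82.236.158.30:49992] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 25895:tid 140179452937984] [client 82.236.158.30:49996] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.508734 2018] [proxy:warn] [pid 25896:tid 140179461330688] [client 82.236.158.30:49998] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
"""

# Apache 2.4 default ErrorLogFormat: [timestamp] [module:level] [pid N:tid N]
# [client ip:port] AHnnnnn: message.  The leading "[" and the client and
# AH-code fields are optional so truncated lines still parse.
LINE_RE = re.compile(
    r"^\[?(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} [\d:.]+ \d{4})\] "
    r"\[(?P<module>[^:\]]*):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)


def parse_line(line: str):
    """Return the named fields of one error-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text: str) -> dict:
    """Count entries per (level, AH code) and collect client IPs per code."""
    codes = Counter()
    clients = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not guess
        codes[(rec["level"], rec["code"] or "-")] += 1
        if rec["client"]:
            ip = rec["client"].rsplit(":", 1)[0]   # drop the ephemeral port
            clients.setdefault(rec["code"], set()).add(ip)
    return {"codes": codes, "clients": clients}


def warnings_needing_action(summary: dict) -> list:
    """AH codes logged at warn or worse, most frequent first."""
    return [code for (level, code), _n in summary["codes"].most_common()
            if level in ("warn", "error", "crit", "alert", "emerg")]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (level, code), n in s["codes"].most_common():
        print("%-6s %-8s %d" % (level, code, n))
    print("act on:", warnings_needing_action(s))
```

Run over the full log from the post, the ranking puts AH01144 on top with a single client address, and AH01906 (server certificate is a CA certificate) second; both are configuration findings rather than traffic anomalies, which is the distinction a quick summary like this is meant to surface before anyone reads seventy wrapped lines.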