Custom Keycloak UserStorageProvider not used when using a Local interface
by Niels Bertram
Strange thing, if I create a Local interface for the UserStorageProvider
and then register a corresponding Stateful bean I can return it with the
provider factory but Keycloak refuses to use it, even though the actual EJB
implements all the other required interfaces.
Obviously I cannot extend the local interface with all the SPI interfaces,
but I would have thought that it is enough for me to return a ? extends
UserStorageProvider from the provider factory and KC would be able to run
with this. Whacking a @Local on the actual EJB bean as in the Keycloak
example
<https://github.com/keycloak/keycloak/blob/2b65adc15fe617fe0a61c49e7c99f39...>
a) does not allow programming to interfaces and b) generates a big fat
warning in IntelliJ that it is bad practice.
Any comments, thoughts or ideas on how to fix this?
*Local interface*
import javax.ejb.Local;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.storage.UserStorageProvider;

// Local business interface that extends the Keycloak SPI base interface
@Local
public interface CustomUserStorageProvider extends UserStorageProvider {
    KeycloakSession getSession();
    void setSession(KeycloakSession session);
    ComponentModel getModel();
    void setModel(ComponentModel model);
}
*The EJB*
import javax.ejb.Local;
import javax.ejb.Stateful;
import org.keycloak.credential.CredentialInputUpdater;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.storage.user.UserLookupProvider;
import org.keycloak.storage.user.UserQueryProvider;
import org.keycloak.storage.user.UserRegistrationProvider;

// Stateful EJB exposing only the local interface; the other SPI interfaces
// are implemented directly on the bean class
@Stateful
@Local(CustomUserStorageProvider.class)
public class CustomUserStorageProviderBean implements
        CustomUserStorageProvider,
        UserLookupProvider,
        CredentialInputValidator,
        CredentialInputUpdater,
        UserRegistrationProvider,
        UserQueryProvider {
    ...
}
Another thing I noticed, even if following the JPA example to the letter, a
properly annotated EJB lifecycle method @PreDestroy is never called as the
EJB is yanked from the context by (container) unmanaged code. I can sort of
see why but not sure this is ideal. Wouldn't it be possible to "weld" the
providers together in Keycloak ... something along the lines of
CDI.current().getBeanManager() in the provider factory?
6 years, 11 months
getRoleMappings - please I need a help
by JOSE INACIO DA SILVA JUNIOR
Hi,
I'm changing the PropertyFileUserStorageProvider example, and I need to override the method Set<RoleModel> getRoleMappingsInternal() of the class
AbstractUserAdapterFederatedStorage in order to retrieve external roles based on a legacy system.
How can I do that?
I've tried:
// realm is the protected field inherited from AbstractUserAdapterFederatedStorage
@Override
protected Set<RoleModel> getRoleMappingsInternal() {
    Set<RoleModel> roles = new HashSet<>();
    RoleModel role = new MyRoleAdapter(realm, "role1", "role1", "role1 description", false);
    roles.add(role);
    return roles;
}
The code of MyRoleAdapter:
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;

public class MyRoleAdapter implements RoleModel {
    private String id;
    private String name;
    private String description;
    private RealmModel container;
    private boolean isClientRole;

    // constructor name must match the class name
    public MyRoleAdapter(RealmModel container, String id, String name, String description, boolean isClientRole) {
        this.id = id;
        this.name = name;
        this.description = description;
        this.container = container;
        this.isClientRole = isClientRole;
    }
    // getters
}
Please help me. I've tried a lot but without success!
Thanks in advance!
Inácio
6 years, 11 months
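An added example, not code from Inácio's post, of the same getRoleMappingsInternal() override done without a hand-written RoleModel: each legacy role name is resolved to a role that already exists in the realm via RealmModel.getRole(), so Keycloak's own role objects are returned and unknown names are skipped instead of causing a NullPointerException later. LegacyRoleSource is a hypothetical lookup into the legacy system; the Keycloak API assumed is the 3.x AbstractUserAdapterFederatedStorage (constructor taking session, realm and component model, abstract getUsername/setUsername).

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.storage.ReadOnlyException;
import org.keycloak.storage.adapter.AbstractUserAdapterFederatedStorage;

/** Hypothetical lookup into the legacy system: role names held by a user. */
interface LegacyRoleSource {
    List<String> roleNamesFor(String username);
}

public class LegacyUserAdapter extends AbstractUserAdapterFederatedStorage {
    private final String username;
    private final LegacyRoleSource legacyRoles;

    public LegacyUserAdapter(KeycloakSession session, RealmModel realm, ComponentModel model,
                             String username, LegacyRoleSource legacyRoles) {
        super(session, realm, model);
        this.username = username;
        this.legacyRoles = legacyRoles;
    }

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public void setUsername(String username) {
        // The legacy system is the source of truth; renames are not written back.
        throw new ReadOnlyException("username is read-only for legacy users");
    }

    // Only roles the realm administrator actually created are granted, so the
    // legacy system cannot hand out role names unknown to this realm.
    @Override
    protected Set<RoleModel> getRoleMappingsInternal() {
        Set<RoleModel> roles = new HashSet<>();
        for (String name : legacyRoles.roleNamesFor(username)) {
            RoleModel role = realm.getRole(name); // realm: protected field of the base class
            if (role != null) roles.add(role);
        }
        return roles;
    }
}
```

Roles that the legacy system reports but the realm does not define have to be created in the realm first (for example via the admin console), otherwise they are silently not granted.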
keycloak cluster - keycloak-user@lists.jboss.org "database error message session is closed" after stopping server-one
by Olivier Rivat
Hi,
I am trying to setup a cluster example.
I would like to test the HA of my keycloak cluster configured in domain
mode.
If I stop the master node (server-one), I obtain the error message on
slave server-two, when trying to authenticate:
ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default
task-7) Connection is broken: "session closed" [90067-193]
For this I have deployed:
- Keycloak 3.4 (latest)
- WildFly 11
- installed the JBoss EAP adapter.
1) app-jee-vanilla application
==============================
I have used the Keycloak quickstart example and used app-profile-jee-vanilla.
The app-jee-vanilla is deployed in a WildFly server;
the WildFly server is authenticating against Keycloak in standalone mode.
I have first tested in standalone mode and everything works fine as
expected.
(Keycloak is started in standalone mode on port 8180 and WildFly on port
8080)
2) Configuring the cluster
===========================
1. I have configured the cluster
2. I have run the command add-user.sh to create a secret between master
and slave
3. I have copied the secret in the host-slave.xml
4. I have created an admin user
bin/add-user-keycloak.sh -r master -u admin6 -p admin6 --domain
5. This admin user has been copied to the directory created with
mkdir ${KEYCLOAK_HOME}/domain/servers/server-one/configuration
(then copy "keycloak-add-user.json" to the directory above)
6) Both servers are started successfully with the command
(master)
./domain.sh --host-config=host-master.xml -Djboss.http.port=8180
-Djboss.https.port=8543 -Djboss.ajp.port=8109
-Djboss.management.http.port=10090
(slave)
./domain.sh --host-config=host-slave.xml -Djboss.http.port=8180
-Djboss.https.port=8543 -Djboss.ajp.port=8109
-Djboss.management.http.port=10090
7) I can authenticate successfully to http://localhost:8080/vanilla,
which redirects to the cluster for authentication
8) Stopping Node server-two
I am connecting to the cluster admin console at URL http://localhost:10090
I can stop node server-two, and still continue to log in to the vanilla app
as before.
9) Stopping node server-one (master-node)
I am connecting to the cluster admin console at URL
http://localhost:10090 and stopping node1 (server-one) which is the
master node
server-one shows:
[Server:server-one] 14:30:25,320 INFO [org.jboss.as] (MSC service
thread 1-7) WFLYSRV0050: Keycloak 3.4.3.Final (WildFly Core 3.0.8.Final)
stopped in 389ms
[Server:server-one]
14:30:25,380 INFO [org.jboss.as.process.Server:server-one.status]
(reaper for Server:server-one) WFLYPC0011: Process 'Server:server-one'
finished with an exit status of 0
[Host Controller] 14:30:25,420 INFO [org.jboss.as.host.controller]
(ProcessControllerConnection-thread - 2) WFLYHC0027: Unregistering
server server-one
When I try to connect to the vanilla app, I obtain the following error
message on server-two:
[Server:server-two] 14:30:25,233 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2)
ISPN000094: Received new cluster view for channel ejb:
[asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,237 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2)
ISPN000094: Received new cluster view for channel ejb:
[asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,335 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2)
ISPN000094: Received new cluster view for channel ejb:
[asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,337 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2)
ISPN000094: Received new cluster view for channel ejb:
[asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,338 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2)
ISPN000094: Received new cluster view for channel ejb:
[asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:32:10,526 WARN [org.keycloak.events] (default
task-5) type=REFRESH_TOKEN_ERROR, realmId=master,
clientId=app-profile-vanilla,
userId=202be260-c68e-4871-944e-46122e903531, ipAddress=127.0.0.1,
error=invalid_token, grant_type=refresh_token,
refresh_token_type=Refresh,
refresh_token_id=ae38ae31-a0bc-4958-964e-fc4e6ec9b13f,
client_auth_method=client-secret
[Server:server-two] 14:32:27,087 WARN
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7) SQL
Error: 90067, SQLState: 90067
[Server:server-two] 14:32:27,087 ERROR
[org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7)
Connection is broken: "session closed" [90067-193]
[Server:server-two] 14:32:27,089 WARN [org.keycloak.services] (default
task-7) KC-SERVICES0013: Failed authentication:
javax.persistence.PersistenceException:
org.hibernate.exception.GenericJDBCException: could not prepare statement
[Server:server-two] at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
[Server:server-two] at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
[Server:server-two]
Hence, it is no longer possible to authenticate.
What could be the cause of the error message:
ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default
task-7) Connection is broken: "session closed" [90067-193]
Could it be a misconfiguration?
Could it be a bug?
How is it possible to overcome this issue?
Note:
This issue is happening with H2 and postgresql database as well.
Regards,
Olivier
--
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
6 years, 11 months
Keycloak 2.5.5 LDAP user group membership is not syncing
by Nangunoori, Srinivas
Hi,
I am using Keycloak 2.5.5 and I have created group-ldap-mapper. When I press “Sync LDAP Groups to Keycloak”, only groups are syncing to keycloak but not the users.
I can sync users by pressing “Synchronize all users”. But I am missing ldap group membership info.
Can someone help me to solve this issue.
--Srini
6 years, 11 months
DefaultKeycloakTransactionManager.begin doesn't call afterCompletion.begin
by Adrian Gonzalez
Hello,
I'm having some issues when deleting a realm containing 20,000 groups (via the /realms/{id} REST API). It just takes some time and the transaction is aborted.
What I tried for the moment is to write a REST endpoint which deletes the groups in batches. The endpoint begins and commits a transaction in a loop (in batches of 100).
What I see is that after the first commit and the second begin, I have a
03:18:02,861 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-14) Uncaught server error: java.lang.IllegalStateException: Cannot access delegate without a transaction
    at org.keycloak.models.cache.infinispan.UserCacheSession.getDelegate(UserCacheSession.java:98)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUsers(UserCacheSession.java:632)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUsers(UserCacheSession.java:642)
    at org.gonzalad.keycloak.idp.user.rest.BenchmarkResource.deleteRealm(BenchmarkResource.java:88)
This seems to be because DefaultKeycloakTransactionManager.begin() calls only tx.begin() of the transactions attribute. But it doesn't call begin() for the prepare nor for the afterCompletion attribute.
And since UserCacheSession.getDelegate() has registered a callback in the afterCompletion attribute, UserCacheSession.getDelegate() isn't aware that I restarted a second transaction.
Should I raise an issue or did I misunderstand the issue?
Thanks, Adrian
6 years, 11 months
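An added example, not Adrian's endpoint, of the batching approach described in his post, with each batch run in its own KeycloakSession through KeycloakModelUtils.runJobInTransaction(): that utility creates a fresh session, begins its transaction, commits (or rolls back on exception) and closes the session, so no cache session is carried across a commit and each batch is an independently bounded unit of work. It assumes a 3.x RealmModel with getTopLevelGroups() and removeGroup(); the batch size is a constructed value.

```java
import java.util.List;

import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;

/** Deletes all groups of a realm in small, independently committed batches. */
public class BatchedGroupDeleter {
    private final KeycloakSessionFactory sessionFactory;
    private final int batchSize;

    public BatchedGroupDeleter(KeycloakSessionFactory sessionFactory, int batchSize) {
        this.sessionFactory = sessionFactory;
        this.batchSize = batchSize;   // e.g. 100, as in the post above
    }

    /**
     * Removes up to batchSize top-level groups inside one fresh session and
     * transaction. Returns the number removed; 0 once the realm has no groups.
     */
    public int deleteOneBatch(String realmId) {
        final int[] removed = {0};
        KeycloakModelUtils.runJobInTransaction(sessionFactory, session -> {
            RealmModel realm = session.realms().getRealm(realmId);
            if (realm == null) return;                       // realm already gone
            List<GroupModel> groups = realm.getTopLevelGroups();
            int count = Math.min(batchSize, groups.size());
            for (GroupModel group : groups.subList(0, count)) {
                realm.removeGroup(group);                    // subgroups go with their parent
                removed[0]++;
            }
        });
        return removed[0];
    }

    /** Loops until a batch removes nothing; every iteration is its own transaction. */
    public int deleteAllGroups(String realmId) {
        int total = 0;
        int n;
        while ((n = deleteOneBatch(realmId)) > 0) {
            total += n;
        }
        return total;
    }
}
```

Because each batch commits on its own, a timeout or failure in one batch leaves the earlier batches committed and the loop can simply be re-run.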
registration new flow
by Stephen Henrie
Hi all,
I am using Keycloak 3.2.1 and trying to add a new flow step to the new user
registration flow so that I can add a script execution step as illustrated
in the attached image. However, with this configuration I am getting a
nullpointer exception when I click on the "Register" link and get a 500
error instead of the registration page.
Does anyone have any ideas what I might be doing wrong or if there is a
different way to accomplish what I am trying to do?
The stack trace from the log is below:
Thanks
Stephen
22:42:11,855 WARN [org.keycloak.services] (default task-1) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException
    at org.keycloak.authentication.FormAuthenticationFlow.renderForm(FormAuthenticationFlow.java:281)
    at org.keycloak.authentication.FormAuthenticationFlow.processFlow(FormAuthenticationFlow.java:263)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:127)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:279)
    at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:573)
    at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:623)
    at org.keycloak.services.resources.LoginActionsService.registerPage(LoginActionsService.java:588)
22:42:11,860 WARN [org.keycloak.events] (default task-1) type=REGISTER_ERROR, realmId=chassi, clientId=chassi-web-app, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:3000/, code_id=c926d684-2a6b-4fb5-adb4-9df7de9d8483
6 years, 11 months
Service Accounts: multiple keys for a given Signed Jwt Authenticator
by Adrian Gonzalez
Hello,
I'm using RFC 7523. I've set Client Authenticator=Signed Jwt, and downloaded the jks.
I'd like to know if there is a way to have multiple keys for a given Service Account? This would provide me with a way of supporting multiple keys at the same time when rotating them.
Is the JWKS URL the only way of handling that? And in this case, can it support all the keys in the JWKS URL at the same time (i.e. the case of blue green deployments)?
Thanks, Adrian
6 years, 11 months
Re: [keycloak-user] Multiple User Storage Providers
by Ryan Slominski
Thanks Marek,
I am using 3.4.3, but the two Kerberos realms are not configured in a cross realm trust (I want the web apps in one specific Keycloak realm to trust either realm, but that trust shouldn't be universal and System Admins don't want to trust other realms for Workstation logins, and cross realm trust would require new authorization considerations as it changes what "anyone with an account" means). Are cross realm trusts the only way to do what I'm after?
Ryan
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Ryan Slominski" <ryans(a)jlab.org>, "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Friday, February 9, 2018 9:04:56 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers
Hi,
which Keycloak version are you using? In 3.4.3, we added support for the
scenario when the kerberos realms are in trust with each other (hence
you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could
you try with 3.4.3 and see if it helps? Otherwise please create JIRA
with the steps to reproduce and ideally with server.log (with DEBUG
option enabled on LDAP storage providers and with DEBUG logging
described in "Troubleshooting" section of our Kerberos documentation).
Thanks,
Marek
Dne 9.2.2018 v 14:51 Ryan Slominski napsal(a):
> Hi Keycloak users,
> I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. mod_auth_kerb handles this scenario beautifully: I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will log in the user if they are in either of the Kerberos realms. For Keycloak, adding two Kerberos user storage providers, one at priority 1 and another at priority 2, doesn't seem to work. Only the first one is used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of the user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
6 years, 11 months