cache replication problems?
by Angel Abella
Hello,
We have a 2-server standalone-ha installation. When the number of live
sessions increases, we get these errors:
2018-02-06 11:42:07,161 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-22) ISPN000136: Error executing command PutKeyValueCommand, writing keys [f75b436f-d316-4442-8d9b-c7313647c5b8]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,162 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-22) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,166 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-17) ISPN000136: Error executing command RemoveCommand, writing keys [0d8d4c5c-7971-46dd-b414-cb5f16862085]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,171 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-11) ISPN000136: Error executing command PutKeyValueCommand, writing keys [dfd69644-e241-465c-8a92-ef84e76caf62]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,173 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-11) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,205 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-17) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Any idea of what's going on?
--
Angel Abella
*IT *
*BKOOL* *Connect* *| Sport*
mail: aabella(a)bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com
6 years, 11 months
Apache auth_openidc_module and Policy enforcer
by Guse, Christoph
Hi everybody,
We recently did a proof of concept using Keycloak and we are very sure we can fulfill the requirements using Keycloak. Thanks a lot for your work!
At the moment I am trying to use Apache with Keycloak using the auth_openidc_module. The redirect to Keycloak works, but I'm wondering if it is possible to use the Authorization (Resources / Policies / Permissions) feature with auth_openidc_module. I would like to be able to configure the Apache resource authorization in Keycloak.
We already managed to use Authorization in our Spring-Boot applications and we had to switch on the Policy Enforcer to use Authorization. Unfortunately I did not find this option in the configuration of auth_openidc_module in the documentation. In this documentation the authorization is configured in httpd.conf in the <Location> sections.
Is Authorization available in auth_openidc_module?
Cheers,
Christoph
6 years, 11 months
Re: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
by Ryan Slominski
I figured out why the kerberos component wasn't showing up in the web console. I now see that realm name and realm ID are not identical by default. It might make sense to update the CLI docs to suggest that when creating a realm you explicitly set the ID to be the same as the realm name as the web console automatically does. That is why I was seeing the command line listing the component as part of the realm, but not visible when browsing from the web console.
The first part of my question still remains. It seems the kcadm tool cannot be used to create or modify a user storage provider with all of the fields. Some fields seem to cause parsing errors on the server. Including these fields in the initial create command doesn't work. Neither does including them in an update command:
kcadm.sh update components/my-kerberos-component-id -r demorealm -s config.kerberosRealm=["my-kerberos-realm-name"]
Also results in:
Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token
----- Original Message -----
From: "Ryan Slominski" <ryans(a)jlab.org>
To: "keycloak-user" <keycloak-user(a)lists.jboss.org>
Sent: Tuesday, February 6, 2018 2:16:32 PM
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
I'm following the latest CLI documentation (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs... ), but the section about managing Kerberos user storage providers seems to be out-of-date. The related REST API documentation (https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keycloak.org_docs... ) points out major changes occurred after version 2.4.0. In particular the following command no longer works:
kcadm.sh create user-federation/instances -r demorealm ...
Instead it seems it should be something like the following:
kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider"\
-s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]
However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:
-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]
Including any one of them results in the server throwing the following exception:
Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token
Further, even if I leave these attributes out and attempt to finish the job using the web console I noticed the new user storage provider doesn't show up in the list on the web. It DOES show up when queried from the command line with:
kcadm.sh get components -r demorealm
But oddly doesn't show up if you filter as the web does with:
kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider
Any help is appreciated. Thanks,
Ryan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...
6 years, 11 months
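An added illustration for the kcadm.sh message above (not part of the original thread and not Keycloak's code): it shows what a POSIX shell actually hands to a program for the `-s` words quoted in that message, unquoted and single-quoted. `received_word` and `value_kind` are hypothetical helpers, and `value_kind` is a rough stand-in for JSON parsing, assumed here only to mirror the accepted/rejected split the message reports.

```shell
#!/bin/sh
# Added example: the attribute names and values are the ones quoted in the
# message; the helper functions are hypothetical and written for this page.

# received_word WORD
# Parse WORD the way the shell parses one command-line word and print the
# argument a program would receive. Globbing is switched off because an
# unquoted [...] is also a filename pattern and could match a local file.
received_word() {
    (
        set -f
        eval "set -- $1"
        printf '%s' "$1"
    )
}

# value_kind ARG
# Classify the part after '=' (simplified, not kcadm's real parser):
#   json-string-array   ["text"]        still a JSON array of strings
#   json-literal-array  [true] / [0]    quotes lost, but still valid JSON
#   plain-string        [some-word]     quotes lost, no longer valid JSON
value_kind() {
    case "${1#*=}" in
        '["'*'"]')                        echo json-string-array ;;
        '[true]'|'[false]'|'['[0-9]*']')  echo json-literal-array ;;
        *)                                echo plain-string ;;
    esac
}

# Walk through words taken from the message, as typed and single-quoted.
for w in \
    'config.enabled=["true"]' \
    'config.priority=["0"]' \
    'config.keyTab=["path-to-keytab"]' \
    'config.kerberosRealm=["kerberos-realm-name"]' \
    'config.editMode=["READ_ONLY"]'
do
    bare=$(received_word "$w")      # as typed in the message
    kept=$(received_word "'$w'")    # whole word wrapped in single quotes
    printf 'unquoted:      %s -> %s\n' "$bare" "$(value_kind "$bare")"
    printf 'single-quoted: %s -> %s\n' "$kept" "$(value_kind "$kept")"
done
```

The unquoted words that lose their inner quotes and end up as `plain-string` are the same attributes the message reports as failing with `VALUE_STRING`; wrapping the whole word in single quotes keeps the JSON array intact.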
backup strategy
by Corentin Dupont
Hi guys,
I wonder what the backup strategy is?
Is it good practice to export regularly all Keycloak configuration?
I can export with the command:
./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export
-Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json
-Djboss.http.port=8888 -Djboss.https.port=9999
-Djboss.management.http.port=7777
It exports the current configuration (realms, users...).
I set different ports so it can run concurrently with the running instance
of keycloak.
I can set a cron job with the command, but unfortunately this command needs
to be stopped by Ctrl-C.
-> How to make it stop after the export?
Other question, the export needs to be run in the same container as
Keycloak, but this is not very practical in a Cloud setting. I use Amazon
ECS, so I have to log in to the VM and then the container. I then have to
extract the file with various scp.
Is there any way to make this easier (i.e. with an API command)?
Cheers
Corentin
6 years, 11 months
Re: [keycloak-user] backup strategy
by Stian Thorgersen
Exporting while live is really not recommended as you can get inconsistent
data that you won't be able to use.
On 7 Feb 2018 10:46 am, "Knurr, Michael" <Michael.Knurr(a)adesso.ch> wrote:
Hi Corentin
For my Keycloak installation I am doing daily exports/backups to the file
system. Especially the question "how to make it stop" gave me a major
headache.
In order to work around this problem, I wrote a script which does all the
work for me. You can just schedule it in crontab and it will start a second
keycloak instance, do the export and eventually kill the second instance. I
uploaded it as a gist, so you may also use it if you like:
https://gist.github.com/michaelknurr/a8f1941c6f40c0d784b1e467fbc694ba
Cheers
Michael
6 years, 11 months
Disable 'secret question credentials' fails
by BlackBellamy
Hey all,
I'm having trouble with the custom authenticator example 'Secret
Question'. Setup and workflow work fine, but I cannot disable the
credential type for the users once set up. On a user's credentials tab I
select 'SECRET_QUESTION' and try to disable it, but it throws the
following error: Failed to disable credentials. The WildFly log states a
stack overflow:
Uncaught server error: java.lang.StackOverflowError
at java.util.AbstractCollection.toArray(AbstractCollection.java:136)
at java.util.LinkedList.addAll(LinkedList.java:408)
at java.util.LinkedList.addAll(LinkedList.java:387)
at org.keycloak.services.DefaultKeycloakSessionFactory.getProviderFactories(DefaultKeycloakSessionFactory.java:338)
at org.keycloak.credential.UserCredentialStoreManager.getCredentialProviders(UserCredentialStoreManager.java:151)
at org.keycloak.credential.UserCredentialStoreManager.disableCredentialType(UserCredentialStoreManager.java:214)
at org.keycloak.examples.authenticator.SecretQuestionCredentialProvider.disableCredentialType(SecretQuestionCredentialProvider.java:88)
and is repeating from then on. I've created a JIRA ticket that seems to
be unnoticed so far
https://issues.jboss.org/browse/KEYCLOAK-6308
I built a phone TAN authenticator using it as reference and there I am
facing the same problem. I would like to share it as soon as I finish
development. I don't know if it is caused by a misconfigured
authenticator example or by keycloak itself, but I guess it is Keycloak.
Any help is appreciated. Thanks,
Benno
6 years, 11 months
Creating initial admin usr to login to master realm
by Upananda Singha
Hi,
Can anybody quickly let me know how to create the Keycloak initial admin
user/pwd if Keycloak is installed on a remote machine (Linux) and can't be
accessed locally using localhost:<port>?
What is the use of the Admin CLI (kcadm.sh)? On executing this script I get
a Java major/minor version problem.
*I am using "jdk1.8.0_121". Does kcadm.sh have any issue with JDK 1.8?*
Thanks & Regds,
*Upananda Singha*
6 years, 11 months
Hardcoded LDAP group mapper (like hardcoded-ldap-role-mapper)?
by Cedric Thiebault
Hello,
With user federation it's possible to automatically add a role to a user imported from LDAP (using hardcoded-ldap-role-mapper) but is it possible to add it to a group?
I have no group configured within my LDAP but I'd like to add LDAP users to a specific Keycloak group.
Thanks
Cedric
6 years, 11 months