February 2018 - keycloak-user - Jboss List Archives

Testing Keycloak DynamicOP using openid.net

by Carrasco, Jonathan J (173F)

Hello. I’m reaching out to ask about the Conformance Testing Suite, available at http://openid.net/certification/testing/. At this time, we are evaluating Keycloak and some of the available OpenID Connect Libraries and Products, and would like to perform certification testing locally. So, the question is… do you have a breakdown of Keycloak configuration to allow for Conformance Testing in a local dev environment, i.e. localhost. I have tried to test and keep getting a connection refused error when I try the Dynamic Discovery and Registration test. To give some insight… I am using the oidctest repo locally I have keycloak running, no problem I’ve set realm to not require ssl I deleted all anonymous client registration policies But when I run the test, using the issuer ashttp://localhost:8080/auth/realms/master orhttps://localhost:8443/auth/realms/master, I get Discovery:OP-Response-Missing: status=ERROR, message=HTTPSConnectionPool(host='localhost', port=8443): Max retries exceeded with url: /auth/realms/master/.well-known/openid-configuration (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused',)) I also tried setting up a reverse proxy to handle ssl traffic, to no avail. I don’t have a problem, working with keycloak since I can curl most of the commands or use python requests, etc…And, really the point of this is to test(out-of-the-box) without having to alter any source code from Github. Hence, I’m reaching out to the source and I want to ask if you have a setup to allow keycloak to be tested on a local machine. -- Jonathan Carrasco (173F) Jet Propulsion Laboratory – California Institute of Technology

6 years, 10 months

2
1
0 / 0

Multiple 'standalone' in k8s setup

by Rudresh Shashikant

Hello hivemind, I have deployed keycloak at the moment with the following setup: - kubernetes in openshift - 1 pod - RDS (postgres) for database - standalone mode - not across data centre I was exploring the possibility of avoiding single point of failure by simply increasing the number of pods in openshift to 2 or 3 (note, each instance is still in standalone mode). I tested this by increasing the number of pods and ensuring the logs of all the keycloak pods are registering access when I hit the service endpoint with my web browser. Since they are identical replicas of one another, they will all communicate with the same RDS (postgres) endpoint on AWS. The above setup works for me as a proof of concept, ie., im able to login and refresh multiple times to ensure load balancing etc is working across keycloak pods. yay! But I wanted to do due diligence and RTFM [ http://www.keycloak.org/docs/latest/server_installation/index.html#_opera...] upon which I found there was information on how to run in standalone-ha mode and many others as well. This is where the confusion sets in. Isn't Keycloak stateless? Wont the above setup work for me? is there any known issues I will run in to with the above setup (all standalone). What is the need to run in standalone-ha mode given the context of my above deployment environment? Appreciate if someone can point me in the right direction or help provide some answers. Thanks! Regards, Rudy. Regards, Rudy.

6 years, 10 months

1
0
0 / 0

Register custom JAX-RS Providers

by moritz.becker＠gmx.at

How can I register custom JAX-RS providers or filters? And why was this never picked up: http://lists.jboss.org/pipermail/keycloak-dev/2016-September/008164.html ?

6 years, 10 months

2
1
0 / 0

Fine tuning KC for performance

by Upananda Singha

Hi All, I am trying to test a KC cluster (with 2 KC nodes) using standalone-ha mode. I have configured a shared database of PostgreSQL (2ndQuadrant with BDR - having 2 Database nodes and pointing KC nodes pointing to single node). Each of the KC nodes is configured with JAVA_OPTS="-*Xms256m* -*Xmx1024m* -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true" And default connection pool size set to 40 each. But when I run traffic I don't see combined throughput going beyond 80/90 per sec when traffic hits both the KC nodes in a round robin fashion. Can anybody give some idea what kind of tuning I can try to increase the throughput. With 2 nodes of KC we are looking for throughput at least 200-300. Thanks & Regds, Upananda

6 years, 10 months

1
1
0 / 0

Missing id_token with Keycloak3.2.1

by Subodh Joshi

Hi All I am using below curl command curl -k https://135.250.139.249:8443/auth/realms/Test123/protocol/openid-connect/... -d "grant_type=client_credentials" -d "client_id=SURE_APP" -d "client_secret=ca3c4212-f3e8-43a4-aa14-1011c7601c67" In the above command's response *id_token* is missing ,which is require for kong to tell who i am? In my keycloak realm->client-> Full Scope Allowed ->True -- Subodh Chandra Joshi <subodh1_joshi82(a)yahoo.co.in> http://www.questioninmind.com

6 years, 10 months

1
1
0 / 0

You cannot set autocommit during a managed transaction

by Daan Zwaenepoel

Hello Everyone In our keycloak project we are using a external database in combination with the keycloak database. In our Registration formaction I need to get some data form the external database and also write some data back. Here for I create a entity manger in my Registration factory and I know that my connection works because I successfully get data from the database but every time I try to write data back ( entityManager.getTransaction().begin(); entityManager.merge(lid); entityManager.getTransaction().commit();) to the database I get the error "You cannot set autocommit during a managed transaction". When I use entityManager.merge(lid); entityManager.flush(); to write data back I get the error " javax.persistence.TransactionRequiredException: no transaction is in progress". What is the problem here or what is the best way to write data to the database. Daan

6 years, 10 months

1
0
0 / 0

A couple of questions on TOTP registration and two stage resource owner auth

by Jason Wang

Hi all, Resource owner auth flow with TOTP enabled works by providing both username, password and totp code in one go. For example, to authenticate user 'test3' on reaml 'test' with totp code 123456, the following HTTP post works well: curl -v \ scope=openid -d grant_type=password \ --data-urlencode client_id=public \ --data-urlencode username=test3 \ --data-urlencode password=test3 \ --data-urlencode totp=123456 \ 127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token It returns two tokens as expected. In my usecase, I would like to do this in 2 stages, similar to how this user would login to Keycloak: he needs to enter username and password first. Only valid credentials will lead him to the totp page. Does keycloak provide APIs to support such way? Interestingly, after totp is set, providing only username and password when calling the API would only result in a generic 401. I have seen quite a few reference to an API endpoint that looks like: $BASE_URL/realms/$REALM/credential-validation which does not seem to exist ( https://gist.github.com/sts/4c6f8fa759cec88197ca6dfcf306c391). The second question is if there an API to set the authenticator for the given user. For example return the long binding code (can be displayed by this link http://127.0.0.1:8080/auth/realms/test/account/totp?mode=manual), which is what the QR code links to. With this API, I can do the registration process outside of Keycloak. The last question is that the Keycloak UI does not seem to be using OCID APIs with the server? I tried to find out which APIs those pages are invoking by debugging in the browser which did not give me Json resources. This is a lazy question to save me looking into the source code which I know I will need to do later ;-). Many thanks, Jason

6 years, 10 months

1
0
0 / 0

Quickstart tutorials (app-angular2 and app-jee-html5) not working

by Viggo Navarsete

Hi, I've deployed the jax-rs service tutorial https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-..., and then tried to run the various quickstart tutorial clients towards it: app-angular2, app-jee-html5: I get the following in the console: errors.ts:42 ERROR SyntaxError: Unexpected end of JSON input The wildfly access log shows me this: 11:13:29,795 INFO [io.undertow.accesslog] (default task-27) 127.0.0.1 [24/Feb/2018:11:13:29 +0100] "OPTIONS /service/secured HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36" 11:13:29,831 INFO [io.undertow.accesslog] (default task-25) 127.0.0.1 [24/Feb/2018:11:13:29 +0100] "GET /service/secured HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36" But, when I run the app-jee-jsp it works as expected, I can see this in the wildfly access log: public gives 11:18:35,840 INFO [stdout] (default task-22) Service url: http://localhost:8080/service 11:18:35,865 INFO [stdout] (default task-30) Public endpoint called 11:18:35,865 INFO [io.undertow.accesslog] (default task-30) 127.0.0.1 [24/Feb/2018:11:18:35 +0100] "GET /service/public HTTP/1.1" 200 "Apache-HttpClient/4.5 (Java/1.8.0_151)" 11:18:35,867 INFO [io.undertow.accesslog] (default task-22) 127.0.0.1 [24/Feb/2018:11:18:35 +0100] "GET /app-jsp/index.jsp?action=public HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36" secured gives 11:19:00,781 INFO [stdout] (default task-21) Service url: http://localhost:8080/service 11:19:00,806 INFO [stdout] (default task-29) Secured endpoint called 11:19:00,807 INFO [io.undertow.accesslog] (default task-29) 127.0.0.1 [24/Feb/2018:11:19:00 +0100] "GET /service/secured HTTP/1.1" 200 "Apache-HttpClient/4.5 (Java/1.8.0_151)" 11:19:00,808 INFO [io.undertow.accesslog] (default task-21) 127.0.0.1 [24/Feb/2018:11:19:00 +0100] "GET /app-jsp/index.jsp?action=secured HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36" admin gives 11:19:21,979 INFO [stdout] (default task-26) Service url: http://localhost:8080/service 11:19:22,003 INFO [stdout] (default task-24) Admin endpoint called 11:19:22,003 INFO [io.undertow.accesslog] (default task-24) 127.0.0.1 [24/Feb/2018:11:19:22 +0100] "GET /service/admin HTTP/1.1" 200 "Apache-HttpClient/4.5 (Java/1.8.0_151)" 11:19:22,005 INFO [io.undertow.accesslog] (default task-26) 127.0.0.1 [24/Feb/2018:11:19:22 +0100] "GET /app-jsp/index.jsp?action=admin HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36" So, to me it seem like the request reach the REST endpoint at all for the app-angular2 and app-jee-html5 clients ! This is confusing me a lot, and I get into similar issues with my own projects, hence I want to make sure the tutorials at least work properly. I run this on Wildfly 11.0.0.Final and Keycloak 3.4.3.Final. Could there be some issues with Wildfly 11.0.0.Final vs the Wildfly 10.0.0.Final, or the Keycloak versions? Could someone please confirm that they're able to run these tutorials themselves? Best regards, Viggo Navarsete

6 years, 10 months

1
0
0 / 0

Resource owner credential grant & required actions

by Jeroen Muis

Hi, Due to some legacy we have to use (jaas) direct access grants and that’s actually working really well until the account get’s a required action, such as update password, verify email, … Before keycloak 3.4.1 if the credentials are ok we get a 400 response with ‘Account is not fully setup’, but without any details on what actually is the required action. As per “KEYCLOAK-5284: Information disclosure when brute force detection is on using the token endpoint” (1) this behavior has changed and apparently there is no feedback anymore even though the credentials itself are ok. How should we now detect ‘required actions’ to be performed if we can’t even tell the difference anymore between invalid credentials and required actions to be completed. Why is brute force detection done like this when there actually is a brute force detection setting in the realm which by default is switched off? 1. https://issues.jboss.org/browse/KEYCLOAK-5284 Thanks very much. Jeroen Muis

6 years, 10 months

1
0
0 / 0

User session logout in Keycloak Console seems not to work if using User Federation Provider

by Juan Pablo Perata

Hello, This issue seems application specific, but I could not reach to the root yet. I would like to know if someone faced this in Keycloak Admin Console or some tips you could give me to see what is going on. *Environment* Web application running on Wildfly 10.1.0.Final and secured with Keycloak. Keycloak 3.4.3.Final server running in <IP>:<PORT1> Wildfly 10.1.0.Final server running in <IP>:<PORT2> *Description* Found that session logout from Keycloak admin does not have effect for federated users in my web application. Steps: - develop your own user federation provider to connect to internal database (implements interfaces _UserStorageProvider, CredentialInputValidator, UserLookupProvider, OnUserCache_) - properly configured user federation provider in keycloak realm - configure and deploy a JSF based web OIDC client application in Wildfly secured by Keycloak - Go to: _<IP>:<PORT2>/<web-application_uri>_ and authenticate using federation provider Authentication succeeded - Go to Keycloak Console -> Realm -> Sessions -> (select web application client) -> Show sessions. Then select <user-authenticated> from displayed table -> "Sessions" tab - Click "Logout all sessions" or "Logout" the specific session. A success message is displayed and session disappears from table. - Go to _<IP>:<PORT2>/<web-application_uri>_ and check that session is still alive and user is authenticated. - Checked in a Filter in web application that "org.keycloak.KeycloakSecurityContext" security context is present with information from logged in user. *To note:* - (correct behaviour) If logout is performed from web application, single sign on session is logged out properly (HttpRequest.logout()). - (correct behaviour) Tested behaviour with [product-portal sample | https://github.com/keycloak/keycloak/tree/master/examples/demo-template/p...] application and *it works ok as expected*. Tested with users loaded in "demo" json and also using my own user federation provider and works well. Thanks in advance, Juan

6 years, 10 months

1
2
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user February 2018