OOM Error "unable to create new native thread" when keycloak auth
by Chuannan Xiao
Hello All,
When Keycloak has been running for a while, usually a few days, it reports the following error:
2018-08-01 09:01:08,851 ERROR [io.undertow.request] (default I/O-47) UT005071: Undertow request failed HttpServerExchange{ GET /auth/realms/tenant/protocol/openid-connect/auth request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], Accept-Language=[zh-CN,zh;q=0.9], Accept-Encoding=[gzip, deflate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36], Connection=[keep-alive], Cookie=[AUTH_SESSION_ID=f41059dc-8814-4436-8a8a-40673695da64.10-110-13-175; KEYCLOAK_SESSION=tenant/e57bacd7-0171-418a-b08b-8177b33ce10a/f41059dc-8814-4436-8a8a-40673695da64; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiY2E2OGY2MD; msa=1520826256045_910_1], Referer=[http://10.110.13.180/portal/?realm=tenant], Upgrade-Insecure-Requests=[1], Host=[10.110.13.175:9080]} response {}}: java.lang.OutOfMemoryError: unable to create new native thread
at java.lang.Thread.start0(Native Method)
at java.lang.Thread.start(Thread.java:714)
at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:950)
at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1357)
at org.xnio.XnioWorker.execute(XnioWorker.java:797)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:343)
at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:254)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136)
at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:59)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
Would you tell me the solution?
Thanks.
Chuannan
6 years, 5 months
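A triage helper for the error above, added here as an example and not code from the original post or from Keycloak/WildFly. "unable to create new native thread" means the process hit a thread limit (the service account's `ulimit -u`, kernel or container pid limits, or a pool that keeps growing), so the first step is a thread dump (`jstack <pid>` or `kill -3 <pid>`) and a count of threads per pool. The script parses the per-thread header lines of a HotSpot-format dump, collapses per-thread numbering ("default task-37" becomes "default task-N") and ranks the pools with their states; the dump embedded at the bottom is constructed for the example.

```python
"""Rank the thread pools in a JVM thread dump (added example, HotSpot format assumed)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# A HotSpot thread header looks like:
# "default task-37" #123 prio=5 os_prio=0 tid=0x00007f... nid=0x1a2b waiting on condition [0x00007f...]
HEADER = re.compile(r'^"(?P<name>[^"]+)" .*\btid=0x[0-9a-f]+')
STATE = re.compile(r'java\.lang\.Thread\.State: (?P<state>[A-Z_]+)')


def normalize(name: str) -> str:
    """Collapse per-thread numbers so all threads of one pool share a key."""
    return re.sub(r'\d+', 'N', name)


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (pool, state) per thread; VM-internal threads have no State line and get UNKNOWN."""
    threads: List[Tuple[str, str]] = []
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if pending is not None:
                threads.append((pending, "UNKNOWN"))
            pending = normalize(m.group("name"))
            continue
        s = STATE.search(line)
        if s and pending is not None:
            threads.append((pending, s.group("state")))
            pending = None
    if pending is not None:
        threads.append((pending, "UNKNOWN"))
    return threads


def summarize(text: str, top: int = 5) -> Tuple[int, List[Tuple[str, int, Dict[str, int]]]]:
    """Return (total thread count, [(pool, count, {state: count}), ...]) largest pools first."""
    threads = parse_dump(text)
    by_pool = Counter(pool for pool, _ in threads)
    states: Dict[str, Counter] = {}
    for pool, state in threads:
        states.setdefault(pool, Counter())[state] += 1
    ranked = [(pool, n, dict(states[pool])) for pool, n in by_pool.most_common(top)]
    return len(threads), ranked


# --- constructed sample dump: a request pool that has grown to 120 parked threads ---
def _thread(name: str, num: int, state: str) -> str:
    return (f'"{name}" #{num} prio=5 os_prio=0 tid=0x{0x7f1c4c0a5000 + num:016x} '
            f'nid=0x{0x3e9 + num:x} waiting on condition [0x0000000000000000]\n'
            f'   java.lang.Thread.State: {state}\n'
            f'\tat sun.misc.Unsafe.park(Native Method)\n\n')


SAMPLE_DUMP = (
    "2018-08-01 09:00:00\nFull thread dump OpenJDK 64-Bit Server VM (25.181-b13 mixed mode):\n\n"
    + "".join(_thread(f"default task-{i}", 100 + i, "WAITING (parking)") for i in range(1, 121))
    + "".join(_thread(f"default I/O-{i}", 300 + i, "RUNNABLE") for i in range(1, 4))
    + "".join(_thread(f"Timer-{i}", 400 + i, "TIMED_WAITING (on object monitor)") for i in range(2))
    + '"VM Thread" os_prio=0 tid=0x00007f1c4c0a0000 nid=0x3c0 runnable\n'
)

if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    total, ranked = summarize(dump)
    print(f"{total} threads")
    for pool, n, by_state in ranked:
        print(f"{n:6d}  {pool:<30} {by_state}")
```

Compare the total against the limits that apply to the Keycloak process (`ulimit -u` for its user, `/proc/sys/kernel/threads-max`, any container pid limit) and the largest pool against its configured bound; the trace in the post shows `XnioWorker.execute` calling `ThreadPoolExecutor.addWorker`, i.e. the Undertow worker task pool trying to grow when the OS refused another thread.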
Keycloak Java Servlet Filter Adapter.
by Luis Rodríguez Fernández
Hello there,
I am using the java servlet filter adapter (
http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet...)
in apache-tomcat 9 and it works like a charm, thanks! The filter class
is org.keycloak.adapters.saml.servlet.SamlFilter
I would like to fully externalize the Keycloak configuration from the
deployed applications. I know that I can set the Keycloak config file via
the filter config param keycloak.config.file to some external path like
/usr/local/my-keycloak-saml.xml, brilliant!
On the other hand, the SamlFilter (
https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-fi...)
looks for the keystores inside the application context, usually
something like /WEB-INF/my-keystore.jks. This is due to the implementation of
the ResourceLoader.getResourceAsStream(String resource) function, which looks
something like this:
ResourceLoader loader = new ResourceLoader() {
    @Override
    public InputStream getResourceAsStream(String resource) {
        return filterConfig.getServletContext().getResourceAsStream(resource);
    }
};
In ServletContext.getResourceAsStream(java.lang.String path) the path param
must begin with a "/" and is interpreted as relative to the current
context root. I would be in favor of having the possibility of externalizing
this resource, perhaps with something like:
// First try the original one (resolved relative to the servlet context root)
InputStream is = filterConfig.getServletContext().getResourceAsStream(resource);
if (is == null) {
    // Not bundled in the webapp: try the resource name as an external file path
    try {
        is = new FileInputStream(resource);
    } catch (FileNotFoundException e) {
        throw new RuntimeException(e);
    }
}
Any thoughts on this?
Thanks in advance,
Luis
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
6 years, 5 months
Re: [keycloak-user] Implicit flow between two (or more) keycloak instances
by Yann Jouanin
Hello community,
Does anybody have a clue on this topic?
Best regards,
Yann
>
> I am currently trying to use the implicit flow between two Keycloak instances.
> My setup is:
> We have one Keycloak used in our cloud and one on the customer's premises,
> federating the customer's LDAP.
>
> Because there is no network connectivity between the two Keycloak
> instances, I want to use the implicit flow so the customer accesses our service
> in the cloud, gets redirected to our Keycloak instance for login and then has the
> option to use their on-premise instance configured as an OIDC identity provider.
> The setup works in a lab with the standard flow, but with the implicit flow I get the
> error message "Standard flow is disabled for the client".
>
> Is the implicit flow usable in this case?
>
> Best regards,
> Yann Jouanin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 5 months
How to add executions to a flow?
by Julien Pivotto
-- PART 0 --
When I run:
./bin/kcadm.sh create authentication/flows -r foo -f test.json
with:
{
  "id" : "testtest2",
  "alias" : "first broker login without review 2",
  "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
  "providerId" : "basic-flow",
  "topLevel" : true,
  "builtIn" : false,
  "authenticationExecutions" : [ {
    "authenticator" : "idp-create-user-if-unique",
    "requirement" : "ALTERNATIVE",
    "priority" : 20,
    "userSetupAllowed" : false,
    "authenticatorFlow" : false
  } ]
}
Then the authenticationExecutions are discarded and the flow has no executions.
-- PART 1 --
When I run:
./bin/kcadm.sh create authentication/flows/first%20broker%20login%20without%20review/executions -r foo -f test.json
with:
[ {
"id" : "c0f4ae10-7e26-4566-a113-b1235920f69a",
"requirement" : "ALTERNATIVE",
"displayName" : "Create User If Unique",
"requirementChoices" : [ "ALTERNATIVE", "REQUIRED", "DISABLED" ],
"configurable" : true,
"providerId" : "idp-create-user-if-unique",
"level" : 0,
"index" : 0
}, {
"id" : "31882673-e8fc-4b24-8e11-4dd400acb9c7",
"requirement" : "ALTERNATIVE",
"displayName" : "Link IDP Login",
"requirementChoices" : [ "ALTERNATIVE", "DISABLED" ],
"configurable" : false,
"providerId" : "link-idp-login-authenticator",
"level" : 0,
"index" : 1
} ]
I get a 500
09:36:47,808 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation out of START_ARRAY token
at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@41d5dda8; line: 1, column: 1]
at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075)
at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromArray(BeanDeserializerBase.java:1371)
at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:174)
at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:150)
at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1583)
at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:964)
at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:134)
at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66)
at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:61)
at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56)
at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:36)
at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:59)
at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:92)
-- THEREFORE --
How can I create a flow with executions with the cli?
--
(o- Julien Pivotto
//\ Open-Source Consultant
V_/_ Inuits - https://www.inuits.eu
6 years, 5 months
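The procedure the post is looking for, as an added example that is not part of the original post and not Keycloak's own code. It drives the Admin REST API under /admin/realms/{realm} that kcadm.sh wraps; the endpoint paths are taken from the Admin REST API reference as I know it and should be checked against your Keycloak version. It works around the two behaviours the post ran into: POST /authentication/flows ignores the "authenticationExecutions" array, and PUT .../flows/{alias}/executions takes exactly one execution object, which is why sending a JSON array fails with "Can not deserialize ... out of START_ARRAY token". The base URL, realm and token in the usage section are assumed inputs.

```python
"""Create a Keycloak authentication flow and fill in its executions (added example)."""
import json
import sys
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# send(method, path_below_realm, json_body_or_None) -> decoded JSON response (or None)
Sender = Callable[[str, str, Optional[object]], object]


def flow_path(alias: str, suffix: str = "") -> str:
    """Path of a flow; the alias is a URL segment and must be percent-encoded."""
    return f"/authentication/flows/{urllib.parse.quote(alias, safe='')}{suffix}"


def create_flow_with_executions(alias: str, description: str,
                                executions: List[Tuple[str, str]],
                                send: Sender) -> List[Dict]:
    """executions = [(authenticator provider id, requirement), ...] in display order.

    Returns the execution list as the server reports it after the update."""
    # 1. Create the empty top-level flow (an executions array in this body is ignored).
    send("POST", "/authentication/flows", {
        "alias": alias, "description": description,
        "providerId": "basic-flow", "topLevel": True, "builtIn": False,
    })
    # 2. Append one execution per authenticator; the server assigns id and priority.
    for provider, _ in executions:
        send("POST", flow_path(alias, "/executions/execution"), {"provider": provider})
    # 3. Read the executions back to learn the ids and current requirements.
    current: List[Dict] = send("GET", flow_path(alias, "/executions"), None)  # type: ignore[assignment]
    wanted = dict(executions)
    # 4. Set each requirement with its own PUT of a single execution object, never a list.
    for info in current:
        requirement = wanted.get(info["providerId"])
        if requirement and info.get("requirement") != requirement:
            send("PUT", flow_path(alias, "/executions"), dict(info, requirement=requirement))
    return send("GET", flow_path(alias, "/executions"), None)  # type: ignore[return-value]


def http_sender(base_url: str, realm: str, token: str) -> Sender:
    """Sender for a live server. base_url is e.g. https://sso.example.com/auth (assumed);
    token is an admin bearer token (what `kcadm.sh config credentials` obtains)."""
    prefix = f"{base_url.rstrip('/')}/admin/realms/{urllib.parse.quote(realm, safe='')}"

    def send(method: str, path: str, body: Optional[object]) -> object:
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(prefix + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None   # 201 Created comes back with an empty body
    return send


if __name__ == "__main__":
    # usage: script.py BASE_URL REALM TOKEN   (all three are assumed inputs)
    base_url, realm, token = sys.argv[1:4]
    result = create_flow_with_executions(
        "first broker login without review",
        "First broker login without the review-profile step",
        [("idp-create-user-if-unique", "ALTERNATIVE"),
         ("link-idp-login-authenticator", "ALTERNATIVE")],
        http_sender(base_url, realm, token))
    for e in result:
        print(e["providerId"], e["requirement"])
```

The same four calls map onto kcadm: `create authentication/flows`, then `create authentication/flows/<alias>/executions/execution -s provider=<id>` once per authenticator, then `get` and `update authentication/flows/<alias>/executions` with one execution object per update. Keep the percent-encoded alias in the path, as the post already does.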
AUTH_SESSION_ID
by priti guleria
Hi All,
Can anyone help me with how to get the AUTH_SESSION_ID from Keycloak?
Thanks in advance.
Priti
6 years, 5 months
Keycloak’s deployment design best practices.
by Rafael Weingärtner
Hello Keycloak community,
Do you happen to know if there is some sort of white paper published online
where I can find the best practices to deploy Keycloak?
--
Rafael Weingärtner
6 years, 5 months
Keycloak running on different domain than application
by Jan Babel
Hi guys
Sorry for the long question. Maybe it's silly, but I have this problem. I
have a JBoss application deployed on domain 1 and Keycloak on domain 2.
Both domains are publicly accessible. During the redirection from the application
to Keycloak, the redirect URL contains the internal name of domain 1.
Of course the flow works for me, because I have set up a proxy on my computer so
it can resolve the internal name; the redirection happens and I am
successfully logged into the application. But that would not work for
customers, since they have no proxy set up. The application (a simple WAR) is
secured via the JBoss Keycloak adapter.
The question is how to tell the Keycloak adapter to resolve the external name
of domain 1 (e.g. www.portal.com) and not the internal name (lp01.tda)
during redirection?
What I tried:
* change /etc/hosts to bind the IP address to the external name (works only on my
local machine)
* start JBoss with the application with the -b parameter (works locally but not on
Red Hat Linux)
* put an Apache balancer between the application and Keycloak and add a URL rewriting
rule (the redirect URL is rewritten, lp01.tda replaced by www.portal.com, but the
redirect back from Keycloak to the application fails saying incorrect
redirect_uri; probably the Keycloak adapter checks the state variable against
what comes back from Keycloak and realizes the URL was changed)
I guess it's a common scenario that Keycloak (we are using RH-SSO 7.2) resides
in a different domain than the applications it secures, but I can't figure out
how to do it.
Many thanks in advance.
6 years, 5 months
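The rule an adapter behind a reverse proxy has to apply to get the redirect_uri right, as an added example that is not part of the original post and not code from the Keycloak adapter. The adapter derives redirect_uri from the request it receives, so behind a proxy it only sees the internal name unless the proxy forwards the external one (X-Forwarded-Host / X-Forwarded-Proto) and the server is told to honour those headers. The security caveat is the second half of the function: forwarded headers are believed only when the request really came from a trusted proxy, otherwise any client could make the application emit redirect_uri values pointing at a host of its choosing. The addresses and host names are assumptions for the example.

```python
"""Build the redirect_uri an OIDC adapter should send when it sits behind a proxy (added example)."""
import ipaddress
from typing import Dict, Iterable, Optional
from urllib.parse import urlunsplit


def external_redirect_uri(headers: Dict[str, str], peer_ip: str,
                          trusted_proxies: Iterable[str], path: str,
                          allowed_hosts: Optional[Iterable[str]] = None,
                          default_scheme: str = "http") -> str:
    """Return scheme://host/path as the outside world must see it.

    headers         request headers (case-insensitive keys)
    peer_ip         the TCP peer of this request (the proxy, or the client if direct)
    trusted_proxies CIDRs whose X-Forwarded-* headers are believed
    allowed_hosts   optional allowlist of external host names; anything else is refused
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    from_proxy = any(peer in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)

    host, scheme = h.get("host", ""), default_scheme
    if from_proxy:
        # Chained proxies append values; the left-most is the one the client actually used.
        fwd_host = h.get("x-forwarded-host")
        if fwd_host:
            host = fwd_host.split(",")[0].strip()
        fwd_proto = h.get("x-forwarded-proto")
        if fwd_proto:
            scheme = fwd_proto.split(",")[0].strip().lower()
    if not host:
        raise ValueError("request carries no Host header")
    if allowed_hosts is not None:
        # Strip a port; bracketed IPv6 literals keep their brackets.
        bare = host.lower()
        bare = bare.split("]")[0] + "]" if bare.startswith("[") else bare.split(":")[0]
        if bare not in {a.lower() for a in allowed_hosts}:
            raise ValueError(f"refusing to build redirect_uri for host {host!r}")
    return urlunsplit((scheme, host, path, "", ""))


if __name__ == "__main__":
    # Constructed request as the proxy at 10.0.0.5 would hand it to the application.
    req = {"Host": "lp01.tda:8080", "X-Forwarded-Host": "www.portal.com", "X-Forwarded-Proto": "https"}
    print(external_redirect_uri(req, "10.0.0.5", ["10.0.0.0/24"], "/portal/"))
    print(external_redirect_uri(req, "203.0.113.7", ["10.0.0.0/24"], "/portal/"))  # direct client: Host wins
```

Rewriting only the Location header on the proxy is not enough because the adapter sends the same redirect_uri again when it exchanges the authorization code for tokens (RFC 6749 section 4.1.3), and the authorization server requires it to match the one from the authorization request; the adapter itself has to see the external host. For WildFly/JBoss EAP that is `proxy-address-forwarding="true"` on the Undertow http-listener together with a proxy that passes the original host (`ProxyPreserveHost On` or X-Forwarded-Host on Apache), and the external URL must also be listed in the client's Valid Redirect URIs in Keycloak.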
Keycloak Login in Main SPA Page
by Philip Lysenko
Hello. We are evaluating Keycloak/OIDC as an authentication solution. Apart from SSO and Multi-Factor-Authentication, one use-case we have is a carousel of login-forms in our SPA:
| User A | <=> | User B | <=> | User C |
| Passwd | <=> | Passwd | <=> | Passwd |
We want our users to quickly switch their sessions at a terminal (running our SPA client). The main challenge here is to integrate the login form in the parent instance instead of redirecting to a new website. Our findings are that this is possible with the "Password" flow. But since the recommended flow for SPAs is the "Implicit" one (for obvious security reasons), we would prefer that over Password, if the described carousel is possible with it.
For the Implicit flow there is the possibility to do a silent refresh. It utilizes an invisible iframe for the redirect which provides a new token. Is it possible to do the same trick for the initial log-in? I don't see how the refresh is different from the login. The way I get it is that for the refresh you inject the old token in the iframe and it delivers the parent app a new one. For the initial login, why would it not work to provide the iframe with credentials instead and trigger the redirect the same way as the refresh?
Is there any other workaround to implement Implicit? If we have to go with the password flow, what are the implications for our security, considering we utilise HTTPS and XSS/CSRF measures? The main problem would be old or infected browsers, no? This website says to use the Password flow only for "highly trusted clients": https://auth0.com/docs/api-auth/which-oauth-flow-to-use And we will be the only ones writing client code, so is Password A-OK for us?
Thank you and Regards, Phil
- - - - - - - - - - - - -
ConceptPeople consulting gmbh
Philip Lysenko
Lead-Developer
ConceptPeople consulting gmbh
Yokohamastraße 2
20457 Hamburg
Tel: 040 - 605 33 83 53
Fax: 040 - 605 33 83 99
www.conceptpeople.de
Geschäftsführer:
Bjarne Jansen, Andreas Rother
Steuer-Nr: 46/712/02908
UID-NR: DE219814648
Registergericht:
Hamburg, HRB 82938
6 years, 5 months
Keycloak adapter with another OpenID Provider
by NOWAK, Adrien
Hello,
I'm trying to use OIDC with some applications on JBoss, and I have seen that I can use a Keycloak adapter.
But it's not clear to me whether this adapter can be used as a Resource Provider and connected to an OpenID Provider other than Keycloak, or whether the adapter is used to delegate the Resource Provider function to Keycloak.
In fact we already have an OpenID Provider, and we want to know if we can use it with a Keycloak adapter.
Thanks in advance for your help!
Adrien
6 years, 5 months