Authenticator SPI dependencies NoClassDefFoundError
by Schaar, Andrew
Hello,
I have a custom Authenticator SPI where we are trying to extend AbstractIdpAuthenticator.java with our own authenticate implementations.
I am putting the jar in /standalone/deployments as per https://www.keycloak.org/docs/latest/server_development/index.html#using-...
When the provider is called, we get a NoClassDefFoundError for AbstractIdpAuthenticator. It seems classes from the keycloak-services dependency are not available to this jar. Why might that be the case?
13:58:16,447 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-13) Uncaught server error: java.lang.NoClassDefFoundError: Failed to link com/bsb/user/authenticator/BsbAuthenticator (Module "deployment.bsb-user-authenticator-spi-0.1.0-dev.10.uncommitted+bsb-user-authentication-spi.2a2cc9d.jar" from Service Module Loader): org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:77)
at org.jboss.modules.Module.loadModuleClass(Module.java:713)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
at com.bsb.user.authenticator.BsbAuthenticatorFactory.create(BsbAuthenticatorFactory.java:27)
at com.bsb.user.authenticator.BsbAuthenticatorFactory.create(BsbAuthenticatorFactory.java:16)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:164)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:127)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:286)
at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:753)
at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:669)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Thanks!
Andy
6 years, 4 months
Re: [keycloak-user] Does Keycloak need sticky session at the load balancer?
by Sebastian Laskawiec
Great write-up! Bookmarked!
On Thu, Aug 23, 2018 at 4:36 PM Bela Ban <bban(a)redhat.com> wrote:
> Have you checked
>
> https://github.com/belaban/workshop/blob/master/slides/admin.adoc#problem...
> ?
>
> On 23/08/18 13:53, Sebastian Laskawiec wrote:
> > +Bela Ban <mailto:bban@redhat.com>
> >
> > As I expected, the cluster doesn't form.
> >
> > I'm not sure where and why those UDP discovery packets are rejected. I
> > just stumbled upon this thread [1], which you may find useful. Maybe
> > Bela will also have an idea what's going on there.
> >
> > If you don't manage to get UDP working, you can always fall back to
> > TCP (and MPING).
> >
> > [1]
> https://serverfault.com/questions/211482/tools-to-test-multicast-routing
> >
> > On Thu, Aug 23, 2018 at 1:26 PM Rafael Weingärtner
> > <rafaelweingartner(a)gmail.com <mailto:rafaelweingartner@gmail.com>>
> wrote:
> >
> > Thanks for the reply Sebastian!
> >
> >
> > Note, that IP Multicasting is disabled in many data centers (I
> > have never found out why they do it, but I've seen it many, many
> > times). So make sure your cluster forms correctly (just grep
> > logs and look for "view").
> >
> >
> > I thought about that. Then, I used tcpdump, and I can see the
> > multicast packets from both Keycloak replicas. However, it seems
> > that these packets are being ignored.
> >
> > root@Keycloak01:/# tcpdump -i eth0 port 7600 or port 55200 or
> > port 45700 or port 45688 or port 23364 or port 4712 or port 4713
> > tcpdump: verbose output suppressed, use -v or -vv for full
> > protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size
> > 262144 bytes
> > 11:13:36.540080 IP keycloak02.local.55200 > 230.0.0.4.45688:
> > UDP, length 83
> > 11:13:41.288449 IP keycloak02.local.55200 > 230.0.0.4.45688:
> > UDP, length 83
> > 11:13:46.342606 IP keycloak02.local.55200 > 230.0.0.4.45688:
> > UDP, length 83
> >
> >
> > root@keycloak02:/# tcpdump -i eth0 port 7600 or port 55200 or
> > port 45700 or port 45688 or port 23364 or port 4712 or port 4713
> > tcpdump: verbose output suppressed, use -v or -vv for full
> > protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size
> > 262144 bytes
> > 11:12:14.218317 IP Keycloak01.local.55200 > 230.0.0.4.45688:
> > UDP, length 83
> > 11:12:23.146798 IP Keycloak01.local.55200 > 230.0.0.4.45688:
> > UDP, length 83
> > 11:12:27.201888 IP Keycloak01.local.55200 > 230.0.0.4.45688:
> > UDP, length 83
> >
> >
> >
> > Here go the log entries. I filtered by “view”. This is from
> Keycloak01.
> >
> > 11:16:57,896 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-4) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak01|0] (1) [keycloak01]
> > 11:16:57,896 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-2) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak01|0] (1) [keycloak01]
> > 11:16:57,897 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-1) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak01|0] (1) [keycloak01]
> > 11:16:57,898 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-3) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak01|0] (1) [keycloak01]
> > 11:16:57,962 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-1) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak01|0] (1) [keycloak01]
> >
> >
> > I expected it to be only one. I mean, I first started Keycloak01,
> > and just then Keycloak02. Next, we have the logs from Keycloak02.
> >
> > 11:17:34,950 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-3) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak02|0] (1) [keycloak02]
> > 11:17:34,952 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-4) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak02|0] (1) [keycloak02]
> > 11:17:34,957 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-1) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak02|0] (1) [keycloak02]
> > 11:17:34,957 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-2) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak02|0] (1) [keycloak02]
> > 11:17:35,052 INFO
> > [org.infinispan.remoting.transport.jgroups.JGroupsTransport]
> > (MSC service thread 1-1) ISPN000094: Received new cluster view
> > for channel ejb: [keycloak02|0] (1) [keycloak02
> >
> >
> > They are similar. It seems that both applications are not seeing
> > each other. At first, I thought that the problem was caused by
> > “owners=1” configuration (the lack of data synchronization between
> > replicas). I then changed it to “owners=2”, but still, if I log in
> > to Keycloak01 and then force my request to go to Keycloak02, my
> > session is not there, and I am requested to log in again.
> >
> > Do you need some other log entries or configuration files?
> >
> > Again, thanks for your reply and help!
> >
> > On Thu, Aug 23, 2018 at 5:24 AM, Sebastian Laskawiec
> > <slaskawi(a)redhat.com <mailto:slaskawi@redhat.com>> wrote:
> >
> >
> >
> > On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner
> > <rafaelweingartner(a)gmail.com
> > <mailto:rafaelweingartner@gmail.com>> wrote:
> >
> > Hello Keycloakers,
> >
> > I have some doubts regarding Keycloak and load balancers. I
> > set up two
> > keycloak replicas to provide HA. To start them I am using
> > “./standalone.sh
> > --server-config=standalone-ha.xml”. I am assuming that they
> > will use
> > multicast to replicate information between nodes, right?
> >
> >
> > That is correct. It uses PING protocol, which in turn uses IP
> > Multicasting for discovery.
> >
> > Note, that IP Multicasting is disabled in many data centers (I
> > have never found out why they do it, but I've seen it many, many
> > times). So make sure your cluster forms correctly (just grep
> > logs and look for "view").
> >
> > Then, I set up a load balancer layer using Apache HTTPD and
> > AJP connector
> > via 8009 port. To make everything work I needed to use
> > sticky session;
> > otherwise, the login would never happen. I am fine with the
> > sticky session,
> > however, if I stop one of the replicas where the user is
> > logged in, when
> > the user accesses Keycloak again, he/she is asked to present
> > the credentials
> > as if he/she was not logged in the other Keycloak replica.
> > Is that the
> > expected behavior?
> >
> >
> > My intuition tells me that your cluster didn't form correctly
> > (as I mentioned before, grep the logs and look for "view"
> > generated by JGroups). Therefore, if you enable sticky session,
> > all your requests get to the same Keycloak instance, which has
> > everything in the local cache. That's why it works fine.
> >
> >
> > Is there some troubleshooting or test that I can perform to
> > check if
> > replication is being executed?
> >
> >
> > Let's start with investigating the logs. Later on we can check
> JMX.
> >
> >
> > --
> > Rafael Weingärtner
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > <mailto:keycloak-user@lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> >
> > --
> > Rafael Weingärtner
> >
>
> --
> Bela Ban | http://www.jgroups.org
>
>
6 years, 4 months
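The check suggested in the thread above (grep the logs for "view"), as an added example that is not part of the original messages: it parses ISPN000094 entries and reports, per node, which expected members are absent from that node's latest view. The function names, the expected node names and the sample log lines (constructed in the format quoted in the thread) are assumptions.

```python
import re
from typing import NamedTuple

# Real ANSI colour codes and their caret-notation rendering ("^[[0m") in pasted logs.
ANSI = re.compile(r"(?:\x1b|\^\[)\[[0-9;]*m")
VIEW = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>\S+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<size>\d+)\) "
    r"\[(?P<members>[^\[\]]*)\]"
)


class View(NamedTuple):
    channel: str
    coordinator: str
    view_id: int
    members: tuple


def parse_views(log_text):
    """Return every ISPN000094 view in the log, in order of appearance."""
    # Terminals and mail clients wrap long log lines; collapse whitespace first.
    flat = " ".join(ANSI.sub("", log_text).split())
    views = []
    for m in VIEW.finditer(flat):
        members = tuple(x.strip() for x in m["members"].split(",") if x.strip())
        if len(members) != int(m["size"]):
            continue  # member list disagrees with the stated size: do not trust it
        views.append(View(m["channel"], m["coord"], int(m["view_id"]), members))
    return views


def check_cluster(logs_by_node, expected_nodes):
    """Compare each node's latest view with the expected member set."""
    expected = frozenset(expected_nodes)
    report = {}
    for node, text in logs_by_node.items():
        views = parse_views(text)
        if not views:
            report[node] = "no view logged"
            continue
        missing = sorted(expected - set(views[-1].members))
        report[node] = "ok" if not missing else "missing: " + ", ".join(missing)
    return report


# Constructed sample input: wrapped, colour-coded lines in the thread's log format.
NODE1_LOG = """\
^[[0m^[[0m11:16:57,896 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(MSC service thread 1-4) ISPN000094: Received new cluster view
for channel ejb: [keycloak01|0] (1) [keycloak01]
"""
NODE2_LOG = """\
^[[0m^[[0m11:17:34,950 INFO
[org.infinispan.remoting.transport.jgroups.JGroupsTransport]
(MSC service thread 1-3) ISPN000094: Received new cluster view
for channel ejb: [keycloak02|0] (1) [keycloak02]
"""
# Constructed: what a formed two-node cluster would log.
HEALTHY_LOG = (
    "11:20:01,100 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] "
    "(MSC service thread 1-2) ISPN000094: Received new cluster view "
    "for channel ejb: [keycloak01|1] (2) [keycloak01, keycloak02]\n"
)
# Constructed: an entry cut off before the closing bracket, followed by another line.
TRUNCATED_LOG = (
    "ISPN000094: Received new cluster view for channel ejb: "
    "[keycloak02|0] (1) [keycloak02\n11:18:00,000 INFO [org.example.Other] started\n"
)

if __name__ == "__main__":
    nodes = ["keycloak01", "keycloak02"]
    logs = {"keycloak01": NODE1_LOG, "keycloak02": NODE2_LOG}
    for node, status in check_cluster(logs, nodes).items():
        print(node, "->", status)
```

The expected names must match the member names JGroups prints in the view, which is why the sample uses the names from the quoted logs.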
Fw: Single Logout not working with multiple applications
by Triveni Chegireddy
Regards
Triveni Chegireddy
Tata Consultancy Services Limited
Mailto: triveni.chegireddy(a)tcs.com
Website: http://www.tcs.com
----- Forwarded by Triveni Chegireddy/LATAM/TCS on 08/29/2018 12:58 PM
-----
From: Triveni Chegireddy/LATAM/TCS
To: keycloak-user(a)lists.jboss.org
Date: 08/29/2018 12:31 PM
Subject: Single Logout not working with multiple applications
Hi,
I am securing many tools using Keycloak for Single Sign-On and Single
Logout. We are securing tools like Jira and Confluence using the Miniorange
plugin. We have a few Spring Boot applications which are to be secured. They
are secured using Spring Boot with KeycloakWebSecurityConfigurerAdapter.
Single Sign-On is working fine. The landing application is a Spring Boot web
application, which is accessed by giving LDAP credentials. From that
application, we access Jira and Confluence. They are opened
without asking me for credentials. But Single Logout is not working. In the
Spring Boot application, on click of Logout, I am calling
HttpServletRequest.logout(), which is logging me out of the Spring Boot
application successfully. But the sessions in Jira and Confluence are not
killed. Similarly, once I open the tools from the Spring Boot application, on
logout of any tool both Jira and Confluence are logging out using Single
Logout, but the session in the Spring Boot application is not killed.
Could you please help us resolve this issue?
Regards
Triveni Chegireddy
6 years, 4 months
keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
by keycloak demo
With all the configuration (shared below), when I test using the evaluate
option under the authorization tab, the result is permit:
*But when I make a request to this resource through postman, I get 403.*
*Which part of configuration is wrong which is leading to 403 error?*
CONFIGURATION:
*Detailed configuration with images shown here:*
*https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
*1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a
realm role : *role_special_user* and created a user : *user_special* with
this role and role *user*.
*2.* Next, my resource server / client is with *full scope enabled*:
*3.* Under authorization tab, I created a resource with the role based
policy is.
*4.* Now, keycloak json is:
{
  "realm": "demo12",
  "auth-server-url": "http://localhost:8180/auth",
  "ssl-required": "none",
  "resource": "server12",
  "credentials": {
    "secret": "XXXXXXX"
  },
  "confidential-port": 0,
  "policy-enforcer": {}
}
*5.* And Keycloak Jetty adapter configuration is:
final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
InputStream is =
    Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
AdapterConfig keyCloakConfig;
ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
KeycloakJettyAuthenticator kcAuthenticator = KeyCloakConfig;
if (kcAuthenticator != null) {
    ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
    ConstraintMapping constraintMapping = new ConstraintMapping();
    constraintMapping.setPathSpec("/*");
    Constraint constraint = new Constraint();
    constraint.setAuthenticate(true);
    constraint.setRoles(new String[]{"**"});
    constraintMapping.setConstraint(constraint);
    securityHandler.addConstraintMapping(constraintMapping);
    securityHandler.setAuthenticator(kcAuthenticator);
    context.setSecurityHandler(securityHandler);
}
*6.* Also, the decoded jwt token sample is:
{
  "jti": "XXXXXXX",
  "exp": 1533798704,
  "nbf": 0,
  "iat": 1533798404,
  "iss": "http://localhost:8180/auth/realms/demo12",
  "aud": "server12",
  "sub": "XXXXXXX",
  "typ": "Bearer",
  "azp": "server12",
  "auth_time": 1533798404,
  "session_state": "XXXXXX",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "role_special_user",
      "offline_access",
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {
    "server12": {
      "roles": [
        "uma_protection"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "preferred_username": "user_special"
}
6 years, 4 months
OIDC Servlet filter not redirect to login screen after admin kick user out by KC admin console
by Nhut Thai Le
Hello,
I'm using the OIDC Servlet filter to protect my app and it works when the
user first comes to the site. However, after the user successfully logs in and
is using the app, if the admin uses the keycloak admin console to kick the
user out (using the logout all button on the realm sessions tab), I expect the
user will be redirected to the login page on his next request, but he is
still able to continue working as if the keycloak oidc servlet filter thinks
the session is still valid. Is this behavior normal? If it is, what can be
done to force user logout? If it is not, what would be the possible cause?
Thank you
Thai
6 years, 4 months
Keycloak with aerogear + xamarin
by Christophe Lehingue
Hello,
I use keycloak as an identity manager.
I am developing mobile versions of my apps using xamarin and aerogear.
In the aerogear documentation it is mentioned to install "OpenShift".
Is it mandatory to use OpenShift?
Can we only use aerogear directly with a keycloak instance? If so, how
should you configure keycloak and what should the config.json file look
like to make it work?
Thank you and have a good day.
6 years, 4 months
Build Failure
by JIA Pei
I'm using OpenJDK 10.0.2 ...
Can anybody help please?
[INFO]
------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO]
------------------------------------------------------------------------
[INFO] Total time: 03:48 min
[INFO] Finished at: 2018-08-28T10:01:37-07:00
[INFO] Final Memory: 140M/298M
[INFO]
------------------------------------------------------------------------
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-compiler-plugin:3.1:compile
(default-compile) on project keycloak-saml-core: Compilation failure:
Compilation failure:
[ERROR]
....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/api/util/KeyInfoTools.java:[51,70]
incompatible types: java.util.List<javax.xml.crypto.XMLStructure> cannot be
converted to java.lang.Iterable<java.lang.Object>
[ERROR]
....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/api/util/KeyInfoTools.java:[55,70]
incompatible types: java.util.List<javax.xml.crypto.XMLStructure> cannot be
converted to java.lang.Iterable<java.lang.Object>
[ERROR]
....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/api/util/KeyInfoTools.java:[60,58]
incompatible types: java.util.List<capture#1 of ?> cannot be converted to
java.lang.Iterable<java.lang.Object>
[ERROR]
....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java:[757,42]
incompatible types: java.util.List<java.lang.Object> cannot be converted to
java.util.List<? extends javax.xml.crypto.XMLStructure>
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions,
please read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the
command
[ERROR] mvn <goals> -rf :keycloak-saml-core
--
Pei JIA, Ph.D.
6 years, 4 months
Mutual SSL between keycloak and Postgresql
by hugh shangguan
Hi there,
I was interested in making Keycloak work with SSL client certs for JDBC to
connect to PostgreSQL. I hope someone can
give me some help, because I've been banging my head against this
all day.
First of all, I should mention that my client cert authentication is
working fine with psql in both 1-way and 2-way (mutual SSL authentication)
SSL authentication. So I am satisfied with the certs and keys. There are
two servers: one is the keycloak server, the other is the postgresql server.
postgresql.crt
postgresql.key / postgresql.pk8
root.crt
Those files are located in ${user.home}/.postgresql/ in my postgresql server.
In my PostgreSQL server, if I configure like this.
hostssl all all 0.0.0.0/0 md5
It is fine. My keycloak server will connect with my postgresql server very
well.
However when I configure like this.
hostssl all all 0.0.0.0/0 md5 clientcert=1
The connection will fail. The log is below.
Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException:
IJ000453: Unable to get managed connection for
java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get
managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create
connection
Caused by: org.postgresql.util.PSQLException: FATAL: connection
requires a valid client certificate"}}
*"connection requires a valid client certificate".*
I don't know how to configure the client certificate in
keycloak (standalone.xml). In the meantime, I can still use 'psql' to connect to
my postgresql server on my keycloak server.
Questions:
1. Does keycloak support mutual authentication in ssl, when I try to
connect to postgresql by 2-way authentication? (I guess so. This should be
JDBC's problem. But I am not sure. And I tried the instructions from the
Postgresql JDBC Driver Doc.
https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still
doesn't work.)
2. Could someone help me out, please?
Thank you for your time!
Cheers!
--
Hugh
Zhaohui Shangguan
6 years, 4 months