kcadm full stacktrace and logging
by Diana Maria Bratu
Hi,
I am using Keycloak 4.8.3.Final and trying to import a keystore using the
kcadm.sh script.
It is failing with a generic error "500 Internal Server Error" and because
I have no clue about what's wrong, I would like to see the full stacktrace.
However, it seems that it is cut.
Do you know how I can get the full stacktrace?
$ ./kcadm.sh create components -r testrealm \
    -s name=java-keystore \
    -s providerId=java-keystore \
    -s providerType=org.keycloak.keys.KeyProvider \
    -s parentId=78db13f6-9dd0-4d5d-95c0-341873969890 \
    -s 'config.priority=["101"]' \
    -s 'config.enabled=["true"]' \
    -s 'config.active=["true"]' \
    -s 'config.keystore=["/keycloak/keystore.jks"]' \
    -s 'config.keystorePassword=["Passw0rd"]' \
    -s 'config.keyPassword=["Passw0rd"]' \
    -s 'config.alias=["secure-key"]'
HTTP error - 500 Internal Server Error
org.keycloak.client.admin.cli.util.HttpResponseException: HTTP error - 500 Internal Server Error
at org.keycloak.client.admin.cli.util.HeadersBodyStatus.checkSuccess(HeadersBodyStatus.java:61)
at org.keycloak.client.admin.cli.util.HttpUtil.checkSuccess(HttpUtil.java:329)
at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.process(AbstractRequestCmd.java:363)
at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.execute(AbstractRequestCmd.java:126)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48)
at org.keycloak.client.admin.cli.aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54)
at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.RuntimeException:
... 11 more
I've checked the logging config
(/keycloak/bin/jboss-cli-logging.properties) and tried to change values to
DEBUG but not sure how to edit it in order to see the full stacktrace.
Could you please help me?
# Additional logger names to configure (root logger is always configured)
loggers=org,javax,org.jboss.as.cli,org.aesh
logger.org.level=OFF
logger.javax.level=OFF
# assign a lower level to enable CLI logging
logger.org.jboss.as.cli.level=OFF
# assign a lower level to enable aesh logging
logger.org.aesh.level=OFF
# Root logger level
logger.level=${jboss.cli.log.level:INFO}
# Root logger handlers
# uncomment to enable logging to the file
logger.handlers=FILE
# File handler configuration
handler.FILE=org.jboss.logmanager.handlers.FileHandler
handler.FILE.level=DEBUG
handler.FILE.properties=autoFlush,fileName
handler.FILE.autoFlush=true
handler.FILE.fileName=${jboss.cli.log.file:jboss-cli.log}
handler.FILE.formatter=PATTERN
# Formatter pattern configuration
formatter.PATTERN=org.jboss.logmanager.formatters.PatternFormatter
formatter.PATTERN.properties=pattern
formatter.PATTERN.pattern=%d{HH:mm:ss,SSS} %-5p [%c] %s%e%n
Thank you.
5 years, 1 month
Keycloak SpringBoot Adapter: CORS Preflight requests allowed from every Origin
by Skorupa, Sascha
Hi,
we have a BearerOnly SpringBoot REST service that does authentication and authorisation with the keycloak springboot adapter. So, we use PolicyEnforcer and
the Keycloak Authorisation Services to perform the authz process. Spring Security is not enabled and is also not part of the classpath.
Everything works as it is expected, except some CORS functionalities. Usually, we configured the allowed origins, methods, headers by using the Spring
features (CorsFilter). But since we integrated the PolicyEnforcer, it was necessary to set the "keycloak.cors" property to true as well, because otherwise the
PolicyEnforcer was rejecting all Preflight (HTTP Options) requests.
But now, the problem is that all Preflight requests are answered with HTTP 200, although the included Origin in the HTTP request Header is not allowed. I do not
know if this behaviour is intended, but without the KC adapter Spring usually rejects this kind of request with a 403. I took a look at the class "PreAuthActionsHandler"
and found that the Origin Header is just copied to the response without being checked. Allowed methods and headers are configurable in the KeycloakDeployment, but allowed
origins are not.
Is it a bug or a missing feature? In my understanding such requests should be rejected like in the Spring filters.
A workaround would be to disable the keycloak.cors property and let spring do the cors stuff. But unfortunately the policy enforcement denies all options
requests without token.
Cheers,
sascha
5 years, 1 month
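The difference this post describes, as an added example that is not part of the original message and is not Keycloak or Spring code: a preflight handler that echoes the Origin header next to one that checks it against an allowlist and answers 403 otherwise. The class, method names, allowlist and sample origins are all constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class PreflightOriginCheck {
    /** Minimal stand-in for an HTTP response (hypothetical type, not a servlet class). */
    static final class Response {
        final int status;
        final Map<String, String> headers = new LinkedHashMap<>();
        Response(int status) { this.status = status; }
    }

    /** Behaviour described in the post: Origin is copied into the response unchecked. */
    static Response reflectingPreflight(String origin) {
        Response r = new Response(200);
        r.headers.put("Access-Control-Allow-Origin", origin);
        return r;
    }

    /** Returns scheme://host[:port] in lower case, or null if the value is not a plain web origin. */
    static String canonicalOrigin(String origin) {
        if (origin == null) return null;
        try {
            URI u = new URI(origin.trim());
            if (u.getScheme() == null || u.getHost() == null) return null; // also rejects the literal "null"
            String scheme = u.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("https") && !scheme.equals("http")) return null;
            boolean extras = u.getRawUserInfo() != null || u.getRawQuery() != null
                    || u.getRawFragment() != null || !u.getRawPath().isEmpty();
            if (extras) return null;
            int port = u.getPort();
            boolean defaultPort = port == -1 || port == (scheme.equals("https") ? 443 : 80);
            String base = scheme + "://" + u.getHost().toLowerCase(Locale.ROOT);
            return defaultPort ? base : base + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Checked variant: exact match against canonical allowlist entries, 403 without CORS headers otherwise. */
    static Response checkedPreflight(String origin, Set<String> allowedOrigins) {
        String canon = canonicalOrigin(origin);
        if (canon == null || !allowedOrigins.contains(canon)) {
            return new Response(403);
        }
        Response r = new Response(200);
        r.headers.put("Access-Control-Allow-Origin", canon);
        r.headers.put("Vary", "Origin"); // the response now depends on the request's Origin
        return r;
    }

    public static void main(String[] args) {
        // Constructed allowlist and constructed request origins.
        Set<String> allowed = new HashSet<>(Arrays.asList("https://app.example.com"));
        String[] origins = { "https://app.example.com", "https://APP.example.com:443",
                "https://app.example.com.other.test", "null" };
        for (String o : origins) {
            System.out.printf("%-36s reflecting=%d checked=%d%n", o,
                    reflectingPreflight(o).status, checkedPreflight(o, allowed).status);
        }
    }
}
```

The allowlist entries are assumed to be stored in the same canonical form that `canonicalOrigin` produces; matching is exact, so a host that merely starts with an allowed name is refused.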
how to register keycloak event Listener provider SysoutEventListenerProvider
by vinayak kelapkar
Hi,
I just wanted to read events generated by Keycloak in my Spring Boot
application.
e.g. any new user recently added/removed or deleted from Keycloak should
emit an event and
fire my Spring Boot application API so that I can update the user
information in my application.
I just wanted to know how I register e.g. SysoutEventListenerProvider in
Keycloak,
as I do not see a UI provision in
I came across the git code @
https://github.com/keycloak/keycloak-quickstarts/blob/latest/event-listen...
But I am not really sure where to put the SysoutEventListenerProvider class
below in Keycloak so that
onEvent would automatically get triggered, where I can write my custom
logic to hit my Spring Boot API for further action
5 years, 1 month
Do We have a solution for this?
by Vishal Komma Reddy
Hi,
Do we have a solution for this issue yet? If so, can you let us know what exactly needs to be done, because we have all the certs in the keystore and also the trusted certs in the trust store, and the SPI we are adding in the standalone.xml:
<spi name="truststore">
<provider name="file" enabled="true">
<properties>
<property name="file" value="/opt/jboss/keycloak/standalone/configuration/xxx.keystore" />
<property name="password" value="xxx" />
<property name="hostname-verification-policy" value="WILDCARD"/>
<property name="disabled" value="false"/>
</properties>
</provider>
</spi>
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:443)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 88 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
Thanks & Regards,
Vishal Reddy
5 years, 1 month
Slave in Domain mode saying "missing/unavailable dependencies org.wildfly.undertow.listener.https is missing [org.wildfly.core.management.security.realm.ssl-realm]"
by JTK
Hello,
I have a successful dev system stood-up with a 2 node cluster using AWS and
working 100% using Active Directory as the back-end via LDAPS.
We are moving it to production and automating as much of the process as
possible via Cloud Formation, bootstraps with S3 buckets and scripts. So
it's not just a fork lift.
We are on the home stretch with the Master up and running in Domain mode
using TCPPING (We might go to Native S3 Ping) and when I bring up one
Slave, it launches all services and clusters up, but port https errors out
so port 443 does not start up and it looks like 8080 is missing along with
7600, yet it is clustering, per the logs on the Master. Here is the output
of running services.
tcp 0 0 127.0.0.1:42363 0.0.0.0:* LISTEN
31686/java
tcp 0 0 10.122.160.37:3456 0.0.0.0:* LISTEN
31701/java
tcp 0 0 0.0.0.0:8259 0.0.0.0:* LISTEN
31782/java
tcp 0 0 127.0.0.1:7850 0.0.0.0:* LISTEN
31782/java
tcp 0 0 0.0.0.0:8330 0.0.0.0:* LISTEN
31782/java
tcp 0 0 127.0.0.1:38507 0.0.0.0:* LISTEN
31782/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
1413/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
1397/master
tcp6 0 0 :::22 :::* LISTEN
1413/sshd
tcp6 0 0 ::1:25 :::* LISTEN
1397/master
Here is what is used to launch the Slave:
/opt/keycloak/bin/domain.sh --host-config=host-slave.xml
-Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=10.122.160.37
-Djboss.bind.address:10.122.160.37
-Djboss.bind.address.private:10.122.160.37 -Djboss.https.port=443
-Djboss.domain.master.address=10.122.160.147
-Djboss.tx.node.id=prod-slave-a -Djboss.node.name=prod-slave-a
-Djava.security.egd=file:/dev/./urandom
This is the actual script which is used to launch it. I've manually added
the IPs and Hostname of the Slave above.
#!/bin/bash
myip=$(ip addr show eth0 | grep -Po 'inet \K[\d.]+')
echo $myip
echo $HOSTNAME
/opt/keycloak/bin/domain.sh --host-config=host-slave.xml \
  -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=${myip} \
  -Djboss.bind.address=${myip} -Djboss.bind.address.private=${myip} \
  -Djboss.https.port=443 -Djboss.domain.master.address=10.122.160.147 \
  -Djboss.tx.node.id=${hostname} -Djboss.node.name=${hostname} \
  -Djava.security.egd=file:/dev/./urandom &
The Master Address above is hardcoded for the time being until we work out
getting that automated as well.
Below is the error where it says there are missing dependencies. This is
the exact same configuration for our dev environment. That information is
only found in the domain.xml configuration file.
Here is the actual start-up from the debug logs:
[Server:prod-slave-a] 14:47:05,630 DEBUG [org.jboss.as.config] (MSC service
thread 1-1) VM Arguments: -D[Server:prod-slave-a] -D[pcid:1223106776]
-Xms64m -Xmx512m -XX:MetaspaceSize=96m -XX:MaxMetaspaceSize=256m
-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true
-Djava.security.egd=file:/dev/./urandom -Djboss.bind.address=0.0.0.0
-Djboss.bind.address.management=10.122.160.37
-Djboss.bind.address.private:10.122.160.37=true
-Djboss.bind.address:10.122.160.37=true
-Djboss.cluster.tcp.initial_hosts=10.122.160.147[7600],10.122.160.37[7600]
-Djboss.domain.master.address=10.122.160.147 -Djboss.home.dir=/opt/keycloak
-Djboss.https.port=443 -Djboss.modules.system.pkgs=org.jboss.byteman
-Djboss.node.name=prod-slave-a -Djboss.tx.node.id=prod-slave-a
-Djboss.server.log.dir=/opt/keycloak/domain/servers/prod-slave-a/log
-Djboss.server.temp.dir=/opt/keycloak/domain/servers/prod-slave-a/tmp
-Djboss.server.data.dir=/opt/keycloak/domain/servers/prod-slave-a/data
-Dlogging.configuration=file:/opt/keycloak/domain/servers/prod-slave-a/data/logging.properties
[Server:prod-slave-a] 14:34:26,278 INFO [org.wildfly.extension.undertow]
(ServerService Thread Pool -- 50) WFLYUT0021: Registered web context:
'/auth' for server 'default-server'
[Server:prod-slave-a] 14:34:26,290 ERROR
[org.jboss.as.controller.management-operation] (Controller Boot Thread)
WFLYCTL0013: Operation ("add") failed - address: ([
[Server:prod-slave-a] ("subsystem" => "undertow"),
[Server:prod-slave-a] ("server" => "default-server"),
[Server:prod-slave-a] ("https-listener" => "https")
[Server:prod-slave-a] ]) - failure description: {
[Server:prod-slave-a] "WFLYCTL0412: Required services that are not
installed:" => ["org.wildfly.core.management.security.realm.ssl-realm"],
[Server:prod-slave-a] "WFLYCTL0180: Services with missing/unavailable
dependencies" => ["org.wildfly.undertow.listener.https is missing
[org.wildfly.core.management.security.realm.ssl-realm]"]
[Server:prod-slave-a] }
[Server:prod-slave-a] 14:34:26,358 INFO [org.jboss.as.server]
(ServerService Thread Pool -- 40) WFLYSRV0010: Deployed
"keycloak-server.war" (runtime-name : "keycloak-server.war")
[Server:prod-slave-a] 14:34:26,364 INFO [org.jboss.as.controller]
(Controller Boot Thread) WFLYCTL0183: Service status report
[Server:prod--slave-a] WFLYCTL0184: New missing/unsatisfied dependencies:
[Server:prod-slave-a] service
org.wildfly.core.management.security.realm.ssl-realm (missing) dependents:
[service org.wildfly.undertow.listener.https]
[Server:prod-slave-a]
[Server:prod-slave-a] 14:34:26,402 INFO [org.jboss.as.server] (Controller
Boot Thread) WFLYSRV0212: Resuming server
[Server:prod-slave-a] 14:34:26,407 ERROR [org.jboss.as] (Controller Boot
Thread) WFLYSRV0026: Keycloak 7.0.1 (WildFly Core 9.0.2.Final) started
(with errors) in 16346ms - Started 656 of 962 services (1 services failed
or missing dependencies, 690 services are lazy, passive or on-demand)
Some of the output from the Master showing that it is clustering:
tail -n 50 -f /opt/keycloak/domain/servers/prod-a/log/server.log
2019-11-19 14:46:32,379 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN100001: Node prod-sentinel-slave-a left the
cluster
2019-11-19 14:46:32,379 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN000094: Received new cluster view for channel
ejb: [true|16] (1) [true]
2019-11-19 14:46:32,379 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN100001: Node prod-sentinel-slave-a left the
cluster
2019-11-19 14:47:10,566 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN000094: Received new cluster view for channel
ejb: [true|17] (2) [true, prod-slave-a]
2019-11-19 14:47:10,567 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN100000: Node prod-sentinel-slave-a joined the
cluster
2019-11-19 14:47:10,567 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN000094: Received new cluster view for channel
ejb: [true|17] (2) [true, prod-slave-a]
2019-11-19 14:47:10,567 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN100000: Node prod-sentinel-slave-a joined the
cluster
2019-11-19 14:47:10,567 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN000094: Received new cluster view for channel
ejb: [true|17] (2) [true, prod-slave-a]
2019-11-19 14:47:10,567 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN100000: Node prod-sentinel-slave-a joined the
cluster
2019-11-19 14:47:10,568 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN000094: Received new cluster view for channel
ejb: [true|17] (2) [true, prod-slave-a]
2019-11-19 14:47:10,568 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN100000: Node prod-sentinel-slave-a joined the
cluster
2019-11-19 14:47:10,568 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN000094: Received new cluster view for channel
ejb: [true|17] (2) [true, prod-slave-a]
2019-11-19 14:47:10,568 INFO [org.infinispan.CLUSTER]
(thread-303,ejb,true) ISPN100000: Node prod-sentinel-slave-a joined the
cluster
Any help would be appreciated. I never did encounter this error in dev,
although we had numerous ones.
Thanks
5 years, 1 month
Additional parameters to Authentication Request
by iljkr@tiscali.it
Hello all,
I have a keycloak linked with two external idp, one OIDC "IDP-A" and one SAML2 "IDP-B".
The two external IDP have these constraints:
* IDP-A wants an additional parameter called "acr_values" in the authentication request that can take one or more of these values "level_1", "level_2", "level_3"
* In a similar way IDP-B expects in the saml request the same information about "level_1", "level_2", "level_3" in an attribute like this:
level_1
I have three keycloak clients, Client-01, Client-02, Client-03.
Client-01 is an OIDC client and is about a web application secured with the keycloak oidc TOMCAT adapter.
Client-02 is a SAML2 client and is about a web application secured with the keycloak saml TOMCAT adapter.
Client-03 is an OIDC client for a java web application (for test purpose only) without a keycloak adapter.
Keycloak offers the possibility of defining mappers to manage the conversion of attributes from IDP-A and IDP-B, but it is a feature that concerns the "return path", i.e. the mapping of attributes in the response from external IDPs to client through brokering.
What I need is a mapping in the other direction, a mapping of the parameters in client requests, in particular this is what I would like to get:
* OIDC TO OIDC BROKERING. Client-01 adds to the Authentication Request the parameter "acl_values = level_1" (for example), if the user chooses IDP-A this parameter must be propagated as it is in the Authentication Request to IDP-A
* OIDC TO SAML2 BROKERING. Client-01 adds to the Authentication Request the parameter "acl_values = level_1" (for example), if the user chooses IDP-B this parameter must be propagated in samlp:AuthnRequest to IDP-B in the form:
level_1
* SAML2 TO SAML2 BROKERING. Client-02 adds the parameter to samlp:AuthnRequest:
level_1
If the user chooses IDP-B, the parameter must be propagated as it is in samlp:AuthnRequest to IDP-B
* SAML2 TO OIDC BROKERING. Client-02 adds the parameter to samlp:AuthnRequest:
level_1
If the user chooses IDP-A, the parameter must be converted to a parameter "acl_values =level_1" in the Authentication Request oidc to IDP-A
In Client-03, for test purpose, I wrote the code that makes the authentication call via oidc and then "manually" added the "acl_values =level_1" parameter in the Authentication Request. This is a piece of my code:
StringBuilder stringBuilder = new StringBuilder();
stringBuilder.append(this.authorizationUri);
stringBuilder.append(addFirstParam("client_id",client_id));
stringBuilder.append(addParam("response_type", "code"));
// additional parameter added manually to the Authentication Request
stringBuilder.append(addParam("acr_values","level_1"));
stringBuilder.append(addParam("redirect_uri",redirect_uri));
stringBuilder.append(addParam("scope", "openid"));
loginUrl = stringBuilder.toString();
response.sendRedirect(loginUrl);
_My first doubt is how to add these additional and arbitrary parameters through the adapters? I want to do the same as this code but with the Tomcat adapter or other._
From my tests the "acl_values = level_1" parameter added in the client-03 request is propagated as is in the request to IDP-A by Keycloak. This is what I want for brokering oidc to oidc.
I have not yet tested a similar scenario for brokering saml to saml, but I suppose it works similarly by propagating the attribute as it is.
_My second doubt: in the case of brokering OIDC to SAML or brokering SAML to OIDC, how can I map "acl_values = level_1" in its analogue in the request SAML and vice versa?_
Thanks to all,
Jcappaerre.
5 years, 1 month
All realms with all linked entities being read at bootstrap
by Мартынов Илья
KC startup takes longer than the default JBoss 5 min limit and got rolled back.
From jstack, I see the application is busy with multiple queries initiated by
all realms fetch
from org.keycloak.services.managers.UserStorageSyncManager#bootstrapPeriodic
Sequence is following:
1. KeycloakApplication.setupScheduledTasks is called on bootstrap
2. All realms are fetched inside UserStorageSyncManager#bootstrapPeriodic
3. During each realm fetch, RealmEntity is wrapped to CachedRealm by
RealmCacheSession#getRealm
4. In CachedRealm constructor, it reads all RealmEntity collections
5. Sql selects fired for all RealmEntity collections
(RealmAttributeEntity, AuthenticationFlowEntity, RequiredCredentialEntity,
etc)
I see there was optimization to fetch only realms with user storages:
https://issues.jboss.org/browse/KEYCLOAK-8555. This didn't help me because
I have user federation provider in each realm.
Also I see hibernate 1st level cache clear was advised here:
https://github.com/keycloak/keycloak/pull/6012. This also did not help,
probably because too much data is being read.
I suggest to modify realm-extraction code at
UserStorageSyncManager#bootstrapPeriodic so it will select only required
info from DB. I am ready to develop this change, what do you think about it?
5 years, 1 month
token endpoint auth signing alg values supported
by Dingwell, Robert A.
Hi,
From looking at the configuration endpoint I see that the only value in the token_endpoint_auth_signing_alg_values_supported field is RS256. Is keycloak configurable to support other algorithms? I’m looking for RS384 in particular to align with a specification that I am working off of.
Thanks
5 years, 1 month
IDPSSODescriptor not available in UI
by Lucas Sikina
Hello,
When I select a client and navigate to the installation tab, and then
select a format, I do not see the IDPSSODescriptor option, but the
SPSSODescriptor is still there. I am using version 7.0.1.
I know this information is still available via a URL, but I am concerned
that its absence from the UI suggests it may be becoming deprecated. My
questions are as follows:
1. Why is the IDPSSODescriptor not available in the UI?
2. Will the IDPSSODescriptor eventually not be available via the API?
Thank you!
Luke
5 years, 1 month