Exclude a user with realm-management role from keycloak's password policy
by Fateh
Problem: I have a user with the realm-management client roles in a realm called
xx which contains a password policy.
I want to exclude this user from the password policy, since this user is
responsible for fetching the roles and users and doing some updates via the Java API,
and I don't want all the operations to stop until we update the user's password
when the password policy is triggered.
PS. I tried to use the admin user from the master realm; I couldn't get
data out of the master realm.
I would appreciate any help or ideas.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
5 years, 10 months
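One way to keep such an automation job out of a realm's password policy is to not give it a password at all: let a confidential client's service account hold the realm-management roles and authenticate with the client_credentials grant. The snippet below is an added example and is not code from the post or from Keycloak itself. It assumes the keycloak-admin-client artifact (with its RESTEasy client dependencies) is on the classpath, a client named automation-client exists in realm xx with "Service Accounts Enabled" and the needed realm-management roles assigned under its "Service Account Roles" tab, and the secret is supplied through the KEYCLOAK_CLIENT_SECRET environment variable; the server URL is a placeholder.

```java
import java.util.List;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

/**
 * Added example: read users and realm roles of realm "xx" through the admin
 * REST API as a service account rather than as a human user.
 * Assumed setup: confidential client "automation-client" in realm "xx" with
 * service accounts enabled and realm-management roles (view-users, view-realm,
 * plus whatever the updates need) granted to its service-account user.
 */
public class ServiceAccountAdminClient {

    public static void main(String[] args) {
        // Placeholder values; replace with the real server URL.
        String serverUrl = "https://keycloak.example.com/auth";
        String realm = "xx";
        String clientId = "automation-client";
        String clientSecret = System.getenv("KEYCLOAK_CLIENT_SECRET");
        if (clientSecret == null || clientSecret.isEmpty()) {
            throw new IllegalStateException("KEYCLOAK_CLIENT_SECRET is not set");
        }

        // client_credentials: the access token is issued to the client's
        // service-account user. That user is created without a password, so
        // the realm password policy has nothing to expire or to force a change on,
        // and the grant never runs the browser login flow where required actions
        // such as "Update Password" would block the job.
        Keycloak keycloak = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        try {
            // Page through users instead of fetching the whole realm at once.
            List<UserRepresentation> users = keycloak.realm(realm).users().list(0, 50);
            List<RoleRepresentation> realmRoles = keycloak.realm(realm).roles().list();
            System.out.println("first page of users: " + users.size()
                    + ", realm roles: " + realmRoles.size());
        } finally {
            // Releases the underlying HTTP client.
            keycloak.close();
        }
    }
}
```

Grant the service account only the realm-management roles the job actually needs (view-users and view-realm for reads, manage-users for the updates) rather than realm-admin, and rotate the client secret the same way you would rotate any other credential; the secret replaces the password as the thing to protect.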
Docker Image for Keycloak 5.0.0
by Chris Savory
I'm getting the following build error when I try to build a docker container using keycloak 5.0.0
build 14-Mar-2019 21:35:54 Sending build context to Docker daemon 6.952MB
build 14-Mar-2019 21:35:54
build 14-Mar-2019 21:35:54 Step 1/20 : FROM jboss/keycloak:5.0.0
error 14-Mar-2019 21:35:54 manifest for jboss/keycloak:5.0.0 not found
When I go to https://hub.docker.com/r/jboss/keycloak/tags, I do not see 5.0.0 listed there. When should we expect it?
-Chris
5 years, 10 months
Deprecating/Removing keycloak-servlet-oauth-client
by Marek Posolda
We plan to deprecate and then eventually remove
keycloak-servlet-oauth-client. We don't officially support this client
(it is not documented or tested) and it is additional maintenance
overhead to have it in our codebase. Is there someone around who uses this
client? Do you want to become a maintainer of it? If yes, let us know.
You can fork it to your repository and we will reference it from the
"Extensions" page [1].
Some more details about the client:
AFAIR it is one of the very early-days Keycloak features, and the
use-case behind it was that you have a web frontend Java application
which is not secured by Keycloak and doesn't use the adapter, but you still
want a way to invoke REST services from this application
which are secured by Keycloak. So you want to trigger the OAuth flow
manually from Java without having the adapter do it for you;
that's what this client does.
I think that this client can almost always be replaced by the adapter or by
the servlet filter. The only case when it couldn't be replaced by the
servlet filter is when you have a non-servlet Java application.
This OAuth client is unmaintained and is missing a lot of features
which were recently added to the adapter.
[1] https://www.keycloak.org/extensions.html
Marek
5 years, 10 months
Database backend issue
by Andrew Meyer
Hello,
I am trying to set up Keycloak on CentOS 7 (latest). This is a standalone machine.
My remote MariaDB server is running 10.2.x (latest).
I was trying to run the latest Keycloak with mysql-java-connector-5.1.46 and got the following results:
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:381)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97)
    at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:678)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:148)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:154)
    ... 31 more
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException]
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153)
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
    at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:374)
    ... 43 more
I have tried using newer versions of the connector with the same result.
5 years, 10 months
Encoded URL does not work as redirect_uri
by Schaar, Andrew
Hello,
We just upgraded from 3.4.2.Final to 4.8.3.Final. After doing so, users can no longer reach the login page when redirect_uri contains an encoded space.
This happens at RedirectUtils.java:182 when constructing a new URI from the redirect_uri parameter. The issue seems to stem from the fact that query parameters are decoded when they are retrieved. Do you have any suggestions on a workaround beyond changing the URLs on our website?
To reproduce, create a new realm named ‘my-realm’
Create a public client named ‘web-client’
Add valid redirect url: http://localhost:8888/*
Navigate to the following in a browser: http://localhost:8888/auth/realms/my-realm/protocol/openid-connect/auth?r...
Stack trace:
14:47:36,092 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-9) Uncaught server error: java.lang.IllegalArgumentException: Invalid URL syntax: Illegal character in path at index 26: http://localhost:8888/some category
at org.keycloak.protocol.oidc.utils.RedirectUtils.normalizeUrl(RedirectUtils.java:185)
at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:83)
at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:52)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkRedirectUri(AuthorizationEndpoint.java:371)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:120)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:108)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
at java.lang.Thread.run(Thread.java:748)
Thank you!
Andrew Schaar
5 years, 10 months
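The failure in the trace above comes from java.net.URI's single-argument constructor, which expects an already percent-encoded string: once the container has decoded redirect_uri=http://localhost:8888/some%20category to a value with a raw space, new URI(...) throws the "Illegal character in path at index 26" message seen in the log. The class below is an added example, not Keycloak's RedirectUtils code; it reproduces that strict step, then shows a tolerant variant that splits the decoded value into components and uses the multi-argument URI constructor to re-encode them, and finally checks the normalized result against a registered pattern like the valid redirect URI http://localhost:8888/* from the reproduction steps. The lenient parsing and the prefix matcher are my own construction and are not how Keycloak validates redirect URIs.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not Keycloak's own code): strict vs. tolerant parsing of a
 * redirect_uri that was percent-decoded before validation.
 */
public class RedirectUriNormalizer {

    // Strict step, as in the failing trace: the single-argument constructor
    // rejects a raw space in the path with "Illegal character in path at index 26".
    public static URI strictParse(String redirectUri) throws URISyntaxException {
        return new URI(redirectUri);
    }

    // Tolerant variant (assumption, not Keycloak's behaviour): split the decoded
    // value into scheme, authority, path and query and let the multi-argument
    // constructor percent-encode whatever is illegal inside each component.
    public static URI lenientParse(String redirectUri) throws URISyntaxException {
        if (redirectUri.indexOf('#') >= 0) {
            // RFC 6749 section 3.1.2: a redirection endpoint URI must not contain a fragment.
            throw new URISyntaxException(redirectUri, "fragment not allowed in redirect_uri");
        }
        int schemeEnd = redirectUri.indexOf("://");
        if (schemeEnd <= 0) {
            throw new URISyntaxException(redirectUri, "absolute URL with scheme expected");
        }
        String scheme = redirectUri.substring(0, schemeEnd);
        String rest = redirectUri.substring(schemeEnd + 3);
        int pathStart = rest.indexOf('/');
        String authority = pathStart < 0 ? rest : rest.substring(0, pathStart);
        String pathAndQuery = pathStart < 0 ? "/" : rest.substring(pathStart);
        int queryStart = pathAndQuery.indexOf('?');
        String path = queryStart < 0 ? pathAndQuery : pathAndQuery.substring(0, queryStart);
        String query = queryStart < 0 ? null : pathAndQuery.substring(queryStart + 1);
        return new URI(scheme, authority, path, query, null);
    }

    // Registered-pattern check in the spirit of "http://localhost:8888/*":
    // compare the normalized, re-encoded form so that "." and ".." segments
    // or raw characters cannot slip past the prefix comparison.
    public static boolean matchesRegistered(URI redirect, String registered) {
        String candidate = redirect.normalize().toASCIIString();
        if (registered.endsWith("*")) {
            return candidate.startsWith(registered.substring(0, registered.length() - 1));
        }
        return candidate.equals(registered);
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed input: what the authorization endpoint sees after the
        // container has decoded redirect_uri=http://localhost:8888/some%20category.
        String decoded = "http://localhost:8888/some category";
        try {
            strictParse(decoded);
            System.out.println("strict parse accepted " + decoded);
        } catch (URISyntaxException e) {
            System.out.println("strict parse failed: " + e.getMessage());
        }
        URI tolerant = lenientParse(decoded);
        System.out.println("lenient parse gives " + tolerant.toASCIIString());
        System.out.println("allowed by http://localhost:8888/* : "
                + matchesRegistered(tolerant, "http://localhost:8888/*"));
    }
}
```

Whether to accept a redirect_uri that only becomes valid after re-encoding is a policy choice for the server; what matters for safety is that the comparison against the registered list happens on the normalized form, and that wildcard patterns keep the slash before the star (http://localhost:8888/*, not http://localhost:8888*), since a pattern without it also matches other hosts that merely start with the same characters.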
Scalability with a lot of clients
by El-Himoud Nils (INST/ECS2)
Hi everyone,
In our project we are creating lots of clients in Keycloak. In our load tests with ~6000 clients we found very slow response times.
For example, average response times during load tests:
23.9 sec /admin/realms/{realm}/users/{id}/role-mappings (GET)
28.2 sec /admin/realms/{realm}/clients (POST)
20.2 sec /admin/realms/{realm}/clients/{id} (DELETE)
By debugging Keycloak we found that the server is iterating over all clients in the realm. For this finding we opened ticket https://issues.jboss.org/browse/KEYCLOAK-9553. Initially after Keycloak startup this could take up to 5 minutes but was much faster for subsequent requests. We assume this is due to local caches. The variance of the response times is very high. They range from <1s to timeouts after 5 minutes.
What we've tried so far:
First we scaled up the Keycloak instances because we thought it might be a load problem. It turned out that it doesn't need load to reproduce the slow responses, just enough clients.
Then we tried to warm up the caches by running the load tests for a longer time but couldn't see improvements.
We found that there are configuration options for the caches and tried to gain some insight on the runtime behavior via jboss cli by enabling the cache statistics
/subsystem=infinispan/cache-container=keycloak/local-cache=realms:write-attribute(name=statistics-enabled,value=true)
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=statistics-enabled, value=true)
:reload
With no success. Statistics keep showing only zeros.
[standalone@localhost:9990 /] ls subsystem=infinispan/cache-container=keycloak/local-cache=realms
component elapsed-time=0 module=undefined stores=0
memory hit-ratio=0.0 number-of-entries=0 time-since-reset=0
store hits=0 passivations=0 eviction={"EVICTION" => undefined}
activations=0 indexing=NONE read-write-ratio=0.0 expiration={"EXPIRATION" => undefined}
average-read-time=0 indexing-properties=undefined remove-hits=0 locking={"LOCKING" => undefined}
average-write-time=0 invalidations=0 remove-misses=0 transaction={"TRANSACTION" => undefined}
batching=false jndi-name=undefined start=LAZY
cache-status=RUNNING misses=0 statistics-enabled=false
Lastly we tried to manipulate the cache settings for the realms cache
# default 10000
/subsystem=infinispan/cache-container=keycloak/local-cache=realms/memory=object:write-attribute(name=max-entries, value=80000)
# default 10000
/subsystem=infinispan/cache-container=keycloak/local-cache=realms/memory=object:write-attribute(name=size, value=80000)
This also had no noticeable effect on the response times.
Ah! The connection pool size for the db was also something that we tried to increase.
Setup
Keycloak is running in standalone HA mode with jgroups on Kubernetes (3 replicas). The database is AWS RDS.
Next we want to test the scalability of Keycloak with respect to the number of clients.
Are we missing something about the cache configuration? Is the realm cache the correct one to optimize for the problematic endpoints? How can we get the cache statistics working?
resources:
  request:
    mem: 4Gi
    cpu: 1
  limit:
    mem: 6Gi
    cpu: 3
Java memory parameters are set:
/usr/lib/jvm/java/bin/java -D[Standalone] -server -Xms3276m -Xmx4914m -javaagent:/opt/jboss/newrelic/newrelic.jar -Djboss.modules.system.pkgs
Mit freundlichen Grüßen / Best regards
Nils El-Himoud
INST-IOT/ESW-Imb
5 years, 10 months
Client of mine is looking for Keycloak expert
by Andy Alexander
My client has a Keycloak setup from a previous developer, and we are
having some trouble setting up a token exchange to work with new
Facebook compliance standards for iOS login.
I've asked one of the mods of this mailing list if I can send an email
for anyone who might be interested in working on this. Most of the work
should be done (I think); it should mostly be a matter of correctly
setting client policies.
If you're interested feel free to contact me with an idea of what you
think this will cost.
5 years, 10 months
Attribute tab for Client
by Celso Agra
Hi all,
Just to start a discussion here...
What about creating an Attribute tab for Clients? I believe it would be
interesting if you are planning to add more info about your Client.
Best regards,
--
---
*Celso Agra*
5 years, 10 months