Using remote-store within a single DC
by D V
Hi list,
I'm trying to run several instances of keycloak using a standalone-ha
configuration within the same datacenter. At the same time I'd like to be
able to offload both `sessions` and `clientSessions` caches to a remote
infinispan cluster within the same datacenter in order to minimize user
logouts when keycloak instances are restarted. Eventually, I plan to set up
a Cassandra store on the remote ISPN side to persist sessions. At the
moment, though, I can't even get Keycloak to start.
The configuration for the two caches in the keycloak config looks like this:
<replicated-cache name="sessions" statistics-enabled="true">
    <state-transfer timeout="600000" />
    <remote-store remote-servers="ispn-socket" passivation="false" cache="sessions" shared="true" purge="false"/>
</replicated-cache>
<replicated-cache name="clientSessions" statistics-enabled="true">
    <state-transfer timeout="600000" />
    <remote-store remote-servers="ispn-socket" cache="clientSessions" passivation="false" shared="true" purge="false"/>
</replicated-cache>
The remote cache container configuration:
<remote-cache-container name="ispn-remote" default-remote-cluster="ispn-cluster">
    <remote-clusters>
        <remote-cluster name="ispn-cluster" socket-bindings="ispn-socket" />
    </remote-clusters>
</remote-cache-container>
The socket binding is:
<outbound-socket-binding name="ispn-socket">
    <remote-destination host="${env.ISPN_HOST:ispn}" port="${env.ISPN_PORT:11222}" />
</outbound-socket-binding>
$ISPN_HOST points to a load balancer that's proxying each ISPN node in a
round-robin fashion.
On the remote Infinispan side I'm using a slightly modified version of
their clustered.xml configuration and have set up the cache-container as
follows:
<cache-container name="clustered" default-cache="default" statistics="true">
    <transport lock-timeout="3600000"/>
    <distributed-cache name="default"/>
    <replicated-cache name="sessions" statistics="true">
        <state-transfer timeout="3600000"/>
    </replicated-cache>
    <replicated-cache name="clientSessions" statistics="true">
        <state-transfer timeout="3600000"/>
    </replicated-cache>
</cache-container>
The ISPN nodes are clustered using a UDP-based JGroups stack. They form a
cluster successfully. I can add a cache entry manually with ispn-cli.sh on
one node and have it appear on another. Keycloak can connect to the remote
Infinispan cluster with hotrod. However, at start-up it seems to hang after
the following point in the logs:
...
ISPN004006: Server sent new topology view (id=9, age=0) containing 3
addresses: [10.39.32.74:11222, 10.39.32.73:11222, 10.39.32.72:11222]
WFLYCLINF0002: Started work cache from keycloak container
WFLYCLINF0002: Started sessions cache from keycloak container
WFLYCLINF0002: Started clientSessions cache from keycloak container
...
HHH000397: Using ASTQueryTranslatorFactory
Remote store configured for cache 'sessions'
Remote store configured for cache 'clientSessions'
There's a sleeping thread at this point:
"ServerService Thread Pool -- 59" #148 prio=5 os_prio=0 tid=0x00000000032e7800 nid=0xfc waiting on condition [0x00007f6d9928f000]
   java.lang.Thread.State: TIMED_WAITING (sleeping)
        at java.lang.Thread.sleep(Native Method)
        at org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:36)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:317)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:306)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:298)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$500(InfinispanUserSessionProviderFactory.java:68)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.lambda$onEvent$0(InfinispanUserSessionProviderFactory.java:127)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1$$Lambda$1162/1971420018.run(Unknown Source)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228)
        at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransactionWithTimeout(KeycloakModelUtils.java:268)
        at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:121)
        at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:69)
        at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:174)
...
The code appears to be looking for a coordinator on the work cache, but
never finds one. Am I missing some configuration to achieve my goals, or is
this particular use case not supported?
Thanks for any help!
D
5 years, 9 months
Re: [keycloak-user] KeyCloak Server and HTTP OPTIONS (JSF/Primefaces behind KC Adapter)
by Sebastien Blanc
Indeed it's weird that it tries to do an OPTIONS. I just tried with a
simple JSP app with WF 15 and the WF Elytron adapter and I cannot
reproduce it.
Maybe the best is to open a ticket and also add a reproducer.
Also, instead of using + or *, could you try entering the entire domain
name, like "http://localhost:8080"?
On Mon, Mar 25, 2019 at 8:29 AM Raul Fechete <rfechete(a)grid-applications.com>
wrote:
> Yes I have (both * and +), but it makes no difference. Making an HTTP
> OPTIONS call on KeyCloak always returns 204 No Content, regardless of the
> URL I'm using. I can even manually call OPTIONS on
> http://localhost:8180/auth/admin/master/console, which has nothing to do
> with the authentication flow, and the answer is still 204.
>
> The URL used during the authentication flow is:
>
> http://localhost:8180/auth/realms/<REALM>/protocol/openid-connect/auth?response_type=code&client_id=<CLIENT_ID>&redirect_uri=<URL>&state=c01faac4-d083-401f-b906-b8b775297ee2&login=true&scope=openid
>
> This URL works perfectly fine when the browser uses GET, but returns 204
> when the browser uses OPTIONS. After the 204, the browser just doesn't do
> anything else.
>
> Am I missing something?
>
> Thank you very much!
>
> *From:* Sebastien Blanc <sblanc(a)redhat.com>
> *Sent:* 21 March 2019 17:45
> *To:* Raul Fechete <rfechete(a)grid-applications.com>
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] KeyCloak Server and HTTP OPTIONS
> (JSF/Primefaces behind KC Adapter)
>
> Have you put a value for the Web Origin property in the client
> configuration on the KC Console?
>
> On Thu, Mar 21, 2019 at 12:46 PM Raul Fechete <
> rfechete(a)grid-applications.com> wrote:
>
> Hello,
>
> I'm trying to build what should be a trivial setup, but I'm having trouble
> getting it to work properly.
>
> I have a JSF application running on JBoss EAP 7.2, secured by the KC Java
> Adapter. The initial login flow works perfectly fine (the browser asks for
> the website, the adapter intercepts and redirects to KC, the user logs in
> with KC and is redirected back to the website).
>
> Now, the JSF application often uses POST requests. If the user has been
> logged out (e.g. in KC directly), clicking anywhere on the website triggers
> a POST request to the application, which is intercepted by the KC
> Adapter and redirected (302) to KC. This would be fine, but the problem is,
> the browser then performs an HTTP *OPTIONS* call to KC instead of HTTP GET,
> and KC just returns 204 without any further information. I also noticed
> that the KC Server *always* replies with an empty 204 to an HTTP OPTIONS
> call, even if there is nothing else in the request.
>
> Is there any way to configure the handling of the OPTIONS requests in KC?
> Alternatively, is it possible to configure the adapter to send a 303 and
> thereby force the browser to perform a GET request? Or am I doing something
> conceptually wrong?
>
> Any help would be appreciated!
> Thank you very much!
>
> Cheers, Raul
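For the JSF ajax POST discussed in this thread, as an added example that is not from the thread or from the Keycloak adapter: a server-side filter in front of the application can answer an unauthenticated ajax request with a JSF partial-response redirect instead of a cross-origin 302, so the browser navigates to the login page itself rather than following the redirect with a CORS preflight OPTIONS that Keycloak answers with an empty 204. The login URL, header handling and request objects below are constructed for illustration; header names follow the JSF 2 ajax and Fetch conventions.

```javascript
// Added example (not the adapter's code): decide how to send an
// unauthenticated request to the login page without provoking a preflight.
// Header keys are assumed lower-cased, as Node's req.headers delivers them.

// A browser CORS preflight is OPTIONS carrying Origin and
// Access-Control-Request-Method; a plain OPTIONS probe is not.
function isCorsPreflight(req) {
  const h = req.headers;
  return req.method === 'OPTIONS' &&
    typeof h['origin'] === 'string' &&
    typeof h['access-control-request-method'] === 'string';
}

// JSF/Primefaces ajax requests carry "Faces-Request: partial/ajax".
function isJsfAjax(req) {
  return (req.headers['faces-request'] || '').toLowerCase() === 'partial/ajax';
}

// Minimal XML attribute escaping: the OIDC auth URL contains '&'.
function xmlAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// Full-page requests get a normal 302. JSF ajax requests get a 200 with a
// <partial-response><redirect/> document, which jsf.js turns into a
// top-level navigation (window.location), so no CORS preflight is issued.
function unauthenticatedResponse(req, loginUrl) {
  if (isJsfAjax(req)) {
    const body = '<?xml version="1.0" encoding="UTF-8"?>' +
      `<partial-response><redirect url="${xmlAttr(loginUrl)}"/></partial-response>`;
    return { status: 200,
             headers: { 'Content-Type': 'text/xml;charset=UTF-8', 'Cache-Control': 'no-store' },
             body };
  }
  return { status: 302, headers: { Location: loginUrl, 'Cache-Control': 'no-store' }, body: '' };
}

// Constructed requests standing in for what the adapter would see.
const LOGIN_URL = 'http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth' +
  '?response_type=code&client_id=app&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&scope=openid';
const ajaxPost = { method: 'POST', headers: { 'faces-request': 'partial/ajax' } };
const pagePost = { method: 'POST', headers: {} };
console.log(unauthenticatedResponse(ajaxPost, LOGIN_URL).status); // 200
console.log(unauthenticatedResponse(pagePost, LOGIN_URL).status); // 302
```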
RE : Keycloak cluster communication not working properly
by Madhu
Hi, I am not an expert, but to the best of my knowledge, mping, jdbc ping etc. are for node discovery alone. Internode communication happens through other protocols configured in your standalone-ha.xml/domain.xml.
a) I guess you will need to open up 7600 (default port for members to chit chat/talk) so that one node can pull the auth session/token from another node.
b) You can make stuff sticky in your reverse proxy so that the request always goes to the correct node.
c) You can enable multiple copies of the cache by changing the owners to replicate the cached info (tokens, userinfo).
We presently make stuff sticky in one of our prod deployments, but I am exploring the other alternatives as well (we are not on docker though).
Regards,
Madhu
How to gracefully delete /clean up key-cloak with large number of realms
by Madhu
Hi,
I am using Keycloak 4.5.0.Final and 4.7.0.Final. I have about 600+ realms, and I am looking for a graceful way to delete realms from a live system (without bringing down Keycloak nodes).
I have a cluster set up (standalone-ha.xml) with 3 or 4 nodes, and I use jdbc ping for cluster discovery.
I need to know what's the safest way to delete/clean up realms in such a setup.
I tried deleting the tenants using a shell script, which invokes /opt/softwareag/keycloak-4.7.0.Final/bin/kcadm.sh delete realms/$realm_name in a loop.
The realm deletion is slow (which is ok), but mostly I see that the cluster node becomes unresponsive after running this command; I see a large number of
" Uncaught server error: javax.persistence.OptimisticLockException: org.hibernate.exception.LockAcquisitionException: could not execute statement"
exceptions.
The worst part of the problem is that the node does not go down completely and is still part of the cluster but unresponsive. So any info cached in the node becomes inaccessible (user, realm token info mostly) and impacts the logon/login to a set of realms owned by this node :(
If I gracefully shutdown the node (manually) using jboss-cli, the node goes down and allows the other cluster nodes to rebalance.
But until I take manual action, this sick node remains part of the cluster and makes a part of the realms/users totally unusable.
I tried doing the same with REST APIs instead of kcadm and the effect is the same (the node becomes unresponsive but does not leave the cluster).
Any idea how I can gracefully delete realms from a live system, without bringing down Keycloak?
I am thinking of:
a) bringing up a temporary node in the cluster, running the delete command from there, and shutting down this node, but what I am not sure of is, when I add another node, will rebalancing cause a part of the data which is already stored in existing cluster nodes to be transferred to this node? If yes, then clearly this solution will not work.
b) is there a way to bring another node up in standalone mode and delete from there? But that may cause a deadlock, as the cluster is unaware of this new node and does not coordinate (compete) with it.
c) can I delete the unwanted realms directly from the database and clean up the cache in all cluster nodes? Will that impact live traffic, and if so, how?
Regards,
Madhu
Resending multiple emails via Keycloak and Missing Brute Force Detection message
by Katarzyna Sycz
Hello,
We started using the Keycloak lately and we want to implement and adjust it
for our clients. However, we found two issues and I would like to ask you
for an answer. Unfortunately, I was not able to find a solution or
information in the docs.
1. The issue concerns emails sent from Keycloak (for example, password
reset, verification email) - now a user can keep clicking "Resend" link as
many times as he wants. Are we able to limit it somehow to prevent spamming?
2. Brute Force Detection - it seems to be working (user is blocked after
5 attempts of inserting incorrect password as I see in the event log) but
no message is shown, so a user can keep trying to log in because he is not
informed he has been blocked. Can we somehow set an interface message for
that?
I would appreciate any help.
Kind regards,
Katarzyna Sycz
--
Katarzyna Sycz
Junior Software Developer
katarzyna.sycz(a)eventival.com
www.eventival.com
How to secure JAX-WS SOAP services with Keycloak
by Tihomir Mescic
Hi all,
I have some SOAP services running on WildFly 13. These services are
implemented using the @javax.jws.WebService annotation, and are deployed
as a JAR file containing the services and the EJBs with the backing
implementation. The services are currently unsecured (public). I also have
Keycloak 5.0 running on a different server.
What I want to achieve:
- add Keycloak integration to my SOAP layer, so that every SOAP request is
validated, i.e. the JWT token that is sent in the Authorization header is
validated
- the validation is done offline (i.e. the Keycloak REST endpoint for token
validation is not called every time)
I tried using the WildFly Keycloak adapter:
https://www.keycloak.org/docs/5.0/securing_apps/index.html#jboss-eap-wild...
However, it looks like this adapter can only work with WAR deployments (I
have a JAR file and don't have the web.xml file at all).
I'm also aware that I could use a SOAP Interceptor and validate the token
online (by calling the REST endpoint on Keycloak), however, I'd like to
avoid this for performance reasons.
My question is:
1. Is it possible to achieve what I need using the WildFly keycloak adapter?
2. If not, what would be the preferred way to do it?
Thanks in advance,
Tihomir
Update Password from API
by rishabh jain
Hi Team,
My requirement is to create a form where a user can update his Keycloak
password. Is there any API available which I could implement to update the
password?
Thanks and Regards
Rishabh
Re: [keycloak-user] Document how to generate a custom signed JWT when user is authenticated
by HILEM Youcef
Hi,
You did not understand my use case.
OAuth 2.0 authorization servers provide support for four main grant types
according to the OAuth 2.0 specification. It also has the flexibility to
support any custom grant types.
I do not find documentation that provides instructions on how to implement
a custom grant type for the Keycloak OAuth 2.0 authorization server and how to
extend the behavior of default grant types.
My clients are OAuth2 Clients.
I want to use a custom grant type to generate a Google JWT Token.
I found this (https://github.com/looorent/keycloak-configurable-token-api) and
I think it looks like what I'm looking for.
Thanks
Youcef HILEM
Availability of 5.0.0.Final?
by Mandy Fung
Hi,
I was just wondering if anyone knows when Keycloak 5.0.0.Final will be
available? I see that currently version 5.0.0 is released (without the
final tag), but there is a bug fix in Keycloak 5.0.0.Final that we would
like to consume.
Best regards,
Mandy
--
Mandy Fung | Software Engineer 1 | Tasktop
email: mandy.fung(a)tasktop.com
How do you handle authorization and authentication in Microservices?
by Pål Fossmo
At my company, we are building an application on top of microservices. We are struggling with deciding how to handle authorization and authentication. We are thinking of going down the path where we use OpenID Connect to authenticate the users, but when it comes to authorization, we need some advice.
Let me explain how the solution works: A user can have different roles in different departments, and the number of departments can exceed 200. In each department, the user can have multiple roles. We understand that the recommended way of handling roles is to put them in the token sent from the client to the server (JWT). But we are worried that this will make the token payload too big. As far as I know, a browser can hold headers up to 5KB of data. In our case, this means around 50 departments with two roles (uncompressed). The pros of doing it this way are that the user is authorized and authenticated when he/she enters the microservice. The cons are, as I mentioned, the large payload in the token.
We are also looking at a different option where we keep the JWT to a minimum (userid and departmentid) and query Keycloak for the user rights on every request (maybe adding some caching mechanism with a short lifespan). This approach will generate a lot of requests to the authorization server.
What I'm looking for is some advice/experience on how others have solved this. I'm happy to provide more information if needed.
To make it easier for you to give your advice, here is a short description of the two choices:
1) Use JWT to handle authentication and authorization?
2) Keep the JWT light and make requests to the authorization server in every microservice?
Cheers,
Paul