Keycloak Forgot Password Auth Flow TOTP
by David Leonard
Hello Everyone,
I’m having an issue getting the Forgot Password Auth Flow to work the way I expect with OTP.
It seems I have 2 options: either I can leave on Reset OTP and have the user reset it, or turn it off and create a backdoor to my OTP.
My preferred solution would be:
1. User has forgotten their password
2. User selects the forgot password link.
3. User enters their username or email.
4. User receives email from Keycloak.
Then either:
5. The user is required to enter their current OTP.
6. User changes their password
or
5. The user changes their password
6. The user is asked to login with the new password and current OTP.
I don’t want a case where the user doesn’t have both their password and their OTP and is still able to authenticate.
For now I have completely disabled the Forgot Password flow, but if it is possible to make either of those work it would help dramatically. I don’t see in the Auth Flow how to add an OTP Form like the one in the Browser flow.
Thanks!
David
5 years, 9 months
Trouble with Keycloak Cluster Mode and Service Accounts
by Chris Savory
We are currently doing some load testing of our application. I have Keycloak configured to run in Standalone Clustered mode. We are running Keycloak 5 in docker containers on AWS ECS. We are using JDBC_PING for jgroups. I have Sticky Sessions enabled on the front end, so logins and token retrievals through our Angular app are working fine.
The problem I am running into right now is that when I go to create users via the service account on our backend API the TokenManager (inside the keycloak-admin-client) has to refresh its token every 5 minutes. I see a lot of these errors in the logs:
23:04:03,349 WARN [org.keycloak.events] (default task-29) type=REFRESH_TOKEN_ERROR, realmId=platform, clientId=elrc, userId=b33ec381-4e8b-425e-81e2-c526859ec7f2, ipAddress=52.4.47.98, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9e6bf90c-aeba-4479-8d25-9b7b954bcb12, client_auth_method=client-secret
All this works fine when we use only one or two keycloaks in the cluster, but as soon as I try to scale to 3 or 4 keycloaks we see all kinds of errors trying to refresh tokens. I think this is because when our backend secret clients go to refresh their tokens, they do not have the session affinity to go back to the same keycloak instance where their token was originally generated, whereas front end users do get pinned to the same keycloak instance.
Any ideas how I might solve this problem for our backend apis?
--
Christopher Savory
5 years, 9 months
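Whatever the cluster-side cause turns out to be, a backend that talks to the admin API through a service account does not have to depend on refresh tokens at all. For a confidential client a new client_credentials grant costs one request, the same as a refresh, but it does not require the node that receives it to know about the session created by the earlier grant. The class below is an added example, not code from the post above or from the Keycloak project: it asks the admin client's TokenManager for a brand-new token shortly before the cached one expires instead of letting it send the refresh_token, and retries an admin call once if Keycloak still answers 401. Server URL, realm, client id and secret are constructor parameters supplied by the caller; the 30-second validity margin is a chosen value, not a Keycloak default.

```java
import java.util.function.Supplier;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.UserRepresentation;

/** Admin-API wrapper for a service account that never relies on refresh tokens. */
public class ServiceAccountAdminClient {

    // Re-grant this long before the access token actually expires (chosen value).
    private static final long MIN_VALIDITY_MILLIS = 30_000;

    private final Keycloak keycloak;
    private final String realm;
    private long expiresAtMillis = 0;   // guarded by ensureFreshToken()

    public ServiceAccountAdminClient(String serverUrl, String realm,
                                     String clientId, String clientSecret) {
        this.realm = realm;
        // Service-account (client_credentials) login against the realm that owns the client.
        this.keycloak = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
    }

    /**
     * Replace the cached token with a fresh client_credentials grant when it is close to
     * expiry. Because we always re-grant before TokenManager considers the token expired,
     * it never issues a refresh_token request, so no call depends on the node that
     * issued the previous token.
     */
    private synchronized void ensureFreshToken() {
        if (System.currentTimeMillis() + MIN_VALIDITY_MILLIS >= expiresAtMillis) {
            AccessTokenResponse t = keycloak.tokenManager().grantToken();
            expiresAtMillis = System.currentTimeMillis() + t.getExpiresIn() * 1000;
        }
    }

    /** Runs one admin-API call; on a 401 the token is re-granted and the call retried once. */
    private <T> T withTokenRetry(Supplier<T> call) {
        ensureFreshToken();
        try {
            return call.get();
        } catch (WebApplicationException e) {
            if (e.getResponse() == null || e.getResponse().getStatus() != 401) {
                throw e;            // not a token problem (409 conflict, 400 validation, ...)
            }
            expiresAtMillis = 0;    // force a new grant, then retry exactly once
            ensureFreshToken();
            return call.get();
        }
    }

    /** Creates a user and returns its id; any answer other than 201 is raised as an exception. */
    public String createUser(String username, String email) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEmail(email);
        user.setEnabled(true);
        return withTokenRetry(() -> {
            Response r = keycloak.realm(realm).users().create(user);
            try {
                if (r.getStatus() != Response.Status.CREATED.getStatusCode()) {
                    throw new WebApplicationException(r);
                }
                // Keycloak returns the new user's URL in the Location header: .../users/{id}
                String location = r.getHeaderString("Location");
                return location.substring(location.lastIndexOf('/') + 1);
            } finally {
                r.close();          // return the connection to the pool
            }
        });
    }
}
```

Usage is one object per backend process, for example new ServiceAccountAdminClient("https://sso.example.invalid/auth", "platform", "elrc", secret).createUser("jdoe", "jdoe@example.invalid"), with the realm and client id taken from the log line in the post and the secret read from the application's secret store. Depending on the admin-client version, TokenManager may already fall back to a new grant by itself when a refresh is rejected; the wrapper makes that behaviour explicit and independent of the version in use.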
Keycloak cluster communication not working properly
by Jens Bissinger
Hi,
we have a keycloak instance running as a docker container in our AWS ECS docker environment.
For a single instance this setup works great, but we failed to enhance it with a second instance for HA.
Problem: We cannot authenticate in one of the instances behind the load balancer as soon as we have more than one keycloak instance.
Cluster setup:
- Keycloak v5.0.0 (docker image quay.io/keycloak/keycloak:5.0.0)
- Containers are behind AWS ALB load balancers with round-robin but without sticky sessions (the latter is important for our setup)
- JGroups with JDBC_PING configured and instances properly add/remove themselves from the configured MySQL table
- Containers run on separate EC2 hosts, TCP communication between containers is possible (port 7600 exposed also on hosts)
- Cache owners for all distributed caches are set to 2 (we also tested with 1 but without any different results)
Startup logs from infinispan look fine:
- On startup we see log message that cluster nodes can discover each other
"ISPN000094: Received new cluster view for channel ejb: [ip-10-129-2-31.eu-central-1.compute.internal|1] (2) [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"
- After that also infinispan rebalancing happens
"[Context=offlineClientSessions] ISPN100010: Finished rebalance with members [ip-10-129-2-31.eu-central-1.compute.internal, ip-10-129-2-54.eu-central-1.compute.internal]"
Analysis (so far):
- The problem is obviously because authentication starts on node 1. Due to round robin, authentication will be continued on node 2 and this fails because node 2 does not know about the authentication session started on node 1.
- According to the documentation there should be a lookup from node 2 in the cluster for the started authentication session. It seems like this is not happening, but we cannot see any log related to this.
- Also regular sessions are not distributed in the cache. We tested this running only 1 node to do the authentication and then spinning up a second node and doing a fail-over to the new node. Afterwards the regular session was gone (we are logged out).
Thank you very much.
Regards
Jens Bissinger
5 years, 9 months
Exclude a user with realm-management role from keycloak's password policy
by Fateh
Problem: I have a user with the client role realm-management in a realm called xx which has a password policy.
I want to exclude this user from the password policy, since this user is responsible for fetching the roles and users and doing some updates via the Java API, and I don't want all the operations to stop until we update the user's password when the password policy is triggered.
PS. I tried to use the admin user from the master realm; I couldn't get data out of the master realm.
I would appreciate any help or ideas.
--
Sent from: http://keycloak-user.88327.x6.nabble.com/
5 years, 9 months
LockAcquisitionException and Lock wait timeout exceeded exception in events
by Madhu
Hi,
I am using keycloak 4.5.0.Final in one of my projects and I have a fairly large number of tenants (> 500). Of late I frequently see lock acquisition related errors and timeouts.
I am not able to figure out where and how this is originating. Can you please help?
My suspicion is: is this related to events logging? Could this be because of the fairly large number of entries in the audit/events table?
Note the thread id default task-19354 for the event REFRESH_TOKEN_ERROR and the corresponding thread throwing LockAcquisitionException.
Regards, Madhu
2019-03-17 17:14:47,010 WARN [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress= xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:15:13,183 WARN [org.keycloak.events] (default task-19354) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:24:31,128 WARN [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:46:17,677 WARN [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 17:47:00,850 WARN [org.keycloak.events] (default task-19353) type=REFRESH_TOKEN_ERROR, realmId=*********, clientId=null, userId=null, ipAddress=xx.yy.zz.aaa, error=invalid_client_credentials, grant_type=refresh_token
2019-03-17 18:46:48,058 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) SQL Error: 1205, SQLState: 40001
2019-03-17 18:46:48,059 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-19354) Lock wait timeout exceeded; try restarting transaction
2019-03-17 18:46:48,059 INFO [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] (default task-19354) HHH000010: On release of batch it still contained JDBC statements
2019-03-17 18:46:48,077 WARN [com.arjuna.ats.arjuna] (default task-19354) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffffc0a803b1:-a9285f2:5bf97526:bb36de, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@5ad70e16 >: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute
statement at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608) at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235) at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163) at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at 
com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748)
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) ... 
81 more
Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) at com.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 92 more
2019-03-17 18:46:48,558 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-19354) Uncaught server error: org.keycloak.models.ModelException: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) at org.keycloak.connections.jpa.JpaExceptionConverter.convert(JpaExceptionConverter.java:31) at org.keycloak.transaction.JtaTransactionWrapper.handleException(JtaTransactionWrapper.java:65) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:94) at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136) at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43) at org.jboss.resteasy.core.interception.ContainerResponseContextImpl.filter(ContainerResponseContextImpl.java:353) at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:207) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:85) at org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:59) at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:530) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:461) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748)
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement at org.hibernate.dialect.MySQLDialect$3.convert(MySQLDialect.java:511) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at
org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207) at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:45) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3013) at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3513) at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589) at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463) at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337) at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39) at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295) at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468) at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159) at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352) at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491) at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47) at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236) at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247) 
at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292) at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368) at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91) at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162) at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289) at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126) at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89) at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77) at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71) at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92) ... 
63 more
Caused by: com.mysql.cj.jdbc.exceptions.MySQLTransactionRollbackException: Lock wait timeout exceeded; try restarting transaction at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:121) at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:95) at com.mysql.cj.jdbc.exceptions.SQLExceptionsMapping.translateException(SQLExceptionsMapping.java:122) at com.mysql.cj.jdbc.ClientPreparedStatement.executeInternal(ClientPreparedStatement.java:960) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1116) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdateInternal(ClientPreparedStatement.java:1066) at com.mysql.cj.jdbc.ClientPreparedStatement.executeLargeUpdate(ClientPreparedStatement.java:1396) at com.mysql.cj.jdbc.ClientPreparedStatement.executeUpdate(ClientPreparedStatement.java:1051) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204) ... 92 more
5 years, 9 months
Listing users with a specific role and group through the admin client on springboot
by Vikram
Hi all,
Versions in use:
Spring Boot version: 2.1.3 FINAL
Keycloak version: 4.8.2
Spring Boot adapter version: 4.8.3 FINAL
Keycloak admin client: 4.8.2 FINAL
So I am trying to get all the users that have a role "customer" and
belong to a group "group1".
I am using the following code.
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.keycloak.admin.client.resource.RoleResource;
import org.keycloak.representations.idm.UserRepresentation;

// realmResource is assumed to have been obtained earlier via keycloak.realm("<realm>")
RoleResource roleResource = realmResource.roles().get("customer");
Set<UserRepresentation> customers = roleResource.getRoleUserMembers();
List<UserRepresentation> groupCustomers = new ArrayList<>();
for (UserRepresentation user : customers) {
    // getGroups() is null on the representations returned by the role-members
    // endpoint, so the next line throws a NullPointerException
    if (user.getGroups().contains("group1")) { // error
        System.out.println("group customer: " + user.getUsername());
        groupCustomers.add(user);
    }
}
However, I get an error when I loop through the user representations to
read the group names. I do not get the group and roles information. I
do get the username, first name and last name though. Is it a permission
issue? How can I get around it?
Regards,
Vikram
5 years, 9 months
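The following is an added example for the question above, not code from the original post or from the Keycloak project. The admin REST endpoints that list users (role members, group members, user search) return brief representations in which `groups` and `realmRoles` are left null; those have to be fetched per user (`users().get(id).groups()`, `users().get(id).roles().realmLevel().listAll()`) or, as here, the two member lists are joined on user id. The server URL, admin credentials, realm name, role name and group name are assumed values; the admin client methods used (`getRoleUserMembers(first, max)`, `groups().groups()`, `groups().group(id).members(first, max)`) are the ones in the 4.x admin client.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.GroupResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.admin.client.resource.RoleResource;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class GroupRoleMembers {

    private static final int PAGE = 100;

    // Users that hold the realm role roleName AND are direct members of the
    // top-level group groupName. Both endpoints return brief user
    // representations (no groups, no roles), so the join is done on user id.
    public static List<UserRepresentation> usersInRoleAndGroup(
            RealmResource realm, String roleName, String groupName) {

        // 1. Collect the ids of all role members. getRoleUserMembers() with no
        //    arguments is capped at the server default page size, so page explicitly.
        RoleResource role = realm.roles().get(roleName);
        Set<String> roleMemberIds = new HashSet<>();
        for (int first = 0; ; first += PAGE) {
            Set<UserRepresentation> batch = role.getRoleUserMembers(first, PAGE);
            batch.forEach(u -> roleMemberIds.add(u.getId()));
            if (batch.size() < PAGE) break;
        }

        // 2. Resolve the group by name. groups() lists top-level groups only;
        //    walk getSubGroups() if the target group is nested.
        GroupRepresentation group = realm.groups().groups().stream()
                .filter(g -> groupName.equals(g.getName()))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException("no such group: " + groupName));
        GroupResource groupResource = realm.groups().group(group.getId());

        // 3. Page through the group members and keep those that are also role members.
        List<UserRepresentation> result = new ArrayList<>();
        for (int first = 0; ; first += PAGE) {
            List<UserRepresentation> batch = groupResource.members(first, PAGE);
            result.addAll(batch.stream()
                    .filter(u -> roleMemberIds.contains(u.getId()))
                    .collect(Collectors.toList()));
            if (batch.size() < PAGE) break;
        }
        return result;
    }

    public static void main(String[] args) {
        // Hypothetical server and credentials. Use a dedicated account holding
        // only the realm-management view-users role rather than the master admin.
        Keycloak keycloak = Keycloak.getInstance(
                "http://localhost:8080/auth", "master", "admin", "admin", "admin-cli");
        RealmResource realm = keycloak.realm("myrealm");
        for (UserRepresentation u : usersInRoleAndGroup(realm, "customer", "group1")) {
            System.out.println("group customer: " + u.getUsername());
        }
    }
}
```

Joining on id costs two paged listings instead of one REST call per user, which matters once a role has thousands of members. If the admin account used here is missing `view-users`, the calls fail with 403 rather than returning users without their groups, so a 403 is the symptom of a permission problem; a null `groups` field is not.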
Swedish BankID with Keycloak?
by 4integration@gmail.com
Hi,
Has anyone done an integration of Swedish BankID with Keycloak?
We are looking for both authentication and signing using Swedish BankID.
Regards
Joacim
5 years, 9 months
How to deploy new keycloak.json
by Paras Jain
Hi,
I am running keycloak in standalone mode. As per
https://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/java-ada...
I have copied the client config from admin console and created a
keycloak.json. But I don't know where to put this file for it to take
effect. Is there any documentation for that?
--
CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the sole
use of the intended recipient(s) and may contain confidential and
privileged information or otherwise be protected by law. Any unauthorized
review, use, disclosure or distribution is prohibited. If you are not the
intended recipient, please contact the sender and destroy all copies and
the original message.
5 years, 9 months
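An added example for the question above, not taken from the post or from the Keycloak documentation it links. For the Java servlet adapters (WildFly/JBoss, Tomcat, Jetty) the file is read from `WEB-INF/keycloak.json` inside the deployed WAR, next to a `web.xml` whose `<login-config>` uses `<auth-method>KEYCLOAK</auth-method>`. The realm name, server URL, client id and the placeholder secret below are assumed values; the keys themselves are the standard adapter config keys.

```json
{
  "realm": "myrealm",
  "auth-server-url": "https://sso.example.com/auth",
  "ssl-required": "external",
  "resource": "my-app",
  "credentials": {
    "secret": "replace-with-the-client-secret-from-the-admin-console"
  },
  "use-resource-role-mappings": true
}
```

Two points a reviewer would check: keep `ssl-required` at `external` or `all` (`none` lets the adapter talk to Keycloak over plain HTTP), and do not commit a real `secret` into the WAR's source tree; for a server-side confidential client inject it at build or deploy time.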
How can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP?
by Todd A. Mancini
Loving Keycloak (amazing work) and hoping I'm just missing something obvious. I've got a GitHub identity provider and all is working well except for one thing. My Keycloak server is on HTTP, sitting behind a reverse proxy handling all of the TLS goodness. When I look at the GitHub Identity Provider, it shows http://keycloak/auth/realms/myrealm/broker/github/endpoint. My app server is available at https://example.com, even though it, too, is actually only running HTTP and the rev proxy is doing the TLS. For the most part, everything works as expected. (FYI, the reverse proxy forwards all traffic for https://example.com/auth to http://keycloak/auth.)
The one thing not working 100% properly is the redirect uri sent to GitHub. It's HTTP, not HTTPS.
It is correctly getting the new host name (e.g. it becomes http://example.com/auth/realms/myrealm/broker/github/endpoint), but even though my browser is hitting https://example.com, the redirect uri sent to GitHub is HTTP. GitHub complains that it's not the right redirect url, because on GitHub I've set it to https://example.com/auth/realms/myrealm/broker/github/endpoint. If I change the OAuth redirect URL on GitHub to expect HTTP instead of HTTPS, everything works...except that I'm now doing the final handshake over HTTP. (The rev proxy actually forces a redirect to HTTPS, but, by that point, the damage has been done.)
So my question is, how can I get Keycloak to send an HTTPS Redirect URI to GitHub rather than HTTP? How is KC even deciding to use HTTP v HTTPS? I've tried requiring SSL on the Realm login settings, but that did not seem to impact the generation of the Redirect URI.
Many thanks!
-Todd
5 years, 9 months
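An added example for the question above, not from the post. Keycloak builds the absolute redirect_uri it sends to GitHub from the scheme and host of the request as Undertow sees it, so behind a TLS-terminating proxy the listener has to be told to trust the proxy's `X-Forwarded-Proto` / `X-Forwarded-For` / `X-Forwarded-Host` headers; the realm's "Require SSL" setting only decides whether non-HTTPS requests are rejected. The fragment below is the `standalone.xml` (or `standalone-ha.xml`) undertow listener with `proxy-address-forwarding` enabled; the `name`, `socket-binding` and `redirect-socket` values are the WildFly defaults and the enclosing `<subsystem>` element with its version-specific `xmlns` is assumed to already be in the file.

```xml
<!-- undertow subsystem, inside <subsystem xmlns="urn:jboss:domain:undertow:..."> -->
<server name="default-server">
    <!-- proxy-address-forwarding="true": take the client address, scheme and
         host from X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host, so
         that Keycloak generates https://example.com/auth/... URLs -->
    <http-listener name="default" socket-binding="http"
                   redirect-socket="https"
                   proxy-address-forwarding="true"/>
    <!-- other children of <server> (host, ajp-listener, ...) unchanged -->
</server>
```

The proxy must actually send those headers (for nginx: `proxy_set_header X-Forwarded-Proto $scheme;` plus `X-Forwarded-For` and `Host`), and the jboss/keycloak Docker image exposes the same switch as the `PROXY_ADDRESS_FORWARDING=true` environment variable. Once the setting is on, Undertow believes whatever `X-Forwarded-*` it receives, so the HTTP listener must be reachable only from the proxy; a client that can hit it directly can spoof its source address and scheme.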