TokenService is not visible from class loader
by Pavel Drankov
Hi,
I'm trying to delete a user during a new user registration process if the
previous account was not confirmed.
And I decided to use Admin REST API with keycloak-admin-client, but, when
using, the following exception is thrown:
16:59:56,028 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.deployment.unit."keycloak-sms-authenticator-fat-1.1.0.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."keycloak-sms-authenticator-fat-1.1.0.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "keycloak-sms-authenticator-fat-1.1.0.jar"
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:151)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
    at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581)
    at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557)
    at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230)
    at java.lang.reflect.WeakCache.get(WeakCache.java:127)
    at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419)
    at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719)
    at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:85)
    at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:152)
    at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:93)
    at org.keycloak.admin.client.token.TokenManager.<init>(TokenManager.java:55)
    at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:59)
    at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:87)
    at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:103)
    at my.plugin.postInit(plugin.java:line)
    at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:138)
    at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
    at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:55)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:144)
    ... 8
How can this error be fixed?
Best wishes,
Pavel
5 years, 8 months
Keycloak in Azure cloud
by Harrie Hoogeveen - BVA
Hello,
I am Harrie working for an auction company and we are trying to do a POC with running Keycloak in the cloud. We face the problem that a sync network between nodes is not really a cloud-friendly solution (costs and scalability) and we have been trying to run Keycloak (5) in high availability mode with shared caches.
So far we ported the old redis cache driver to the new Keycloak / infinispan version by loading it as a JBoss module. It seemed very successful at first. Loading of the store works:
<local-cache name="sessions" module="tbacachestore">
    <store class="com.tbauctions.tbacachestore.TbaCacheStoreConf" shared="true" passivation="false"/>
</local-cache>
And if we put passivation=true and shared=false, it actually writes to it when it shuts down and reads the sessions again when starting up. But that of course does not leave us with a realtime shared cache. When we configure it as a write-through cache, it also actually starts doing live reads and deletes, but somehow it never writes to the cache store. We tried many different overrides, took a look at the Cassandra implementation and tried all kinds of cache configs: local-cache, replicated-cache, distributed-cache with different numbers of owners. But so far no luck and we got stuck. We read about successful implementations like this, but always on older versions that do not apply to the current version. So I have some questions.
1) Is this actually an approach that is still supported, and if not, what is your advice on running in the cloud to make sure that on node loss or restart we do not lose the active sessions?
2) Is there a good example / documentation on how to implement a shared cache on which multiple nodes read and write so they share sessions for the current 5.0.0 version, without using the cache sync network?
Also, if I am not complying with any netiquette, please let me know. It's been a while since the last time I used a mailing list.
Best regards,
Harrie Hoogeveen
5 years, 8 months
Lookup user during registration
by Pavel Drankov
Hi,
What I have to do if I want to check if a user with a specific email
already exists during the registration flow? How can I do this on the SPI
module side?
Best wishes,
Pavel
5 years, 8 months
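An added example, not code from either of Pavel's posts, that addresses both questions (look up a user by e-mail from the SPI side, and remove a previous registration that was never confirmed) through the provider-side UserProvider rather than keycloak-admin-client, so no RESTEasy proxy is built inside the provider deployment. It assumes the Keycloak 5-era SPI signatures (getUserByEmail(String, RealmModel)), that the action is placed before the built-in "Registration User Creation" step, and the class name and the "removed_unverified_user_id" event detail key are invented.

```java
import java.util.Collections;
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.FormAction;
import org.keycloak.authentication.FormContext;
import org.keycloak.authentication.ValidationContext;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;

// Hypothetical FormAction (name invented); register it before "Registration User Creation".
public class UnverifiedAccountCheck implements FormAction {
    @Override
    public void validate(ValidationContext context) {
        MultivaluedMap<String, String> formData = context.getHttpRequest().getDecodedFormParameters();
        String email = formData.getFirst(Validation.FIELD_EMAIL);
        KeycloakSession session = context.getSession();
        RealmModel realm = context.getRealm();
        context.getEvent().detail(Details.EMAIL, email);
        // Provider-side lookup: no admin REST client and no RESTEasy proxy, so the
        // TokenService visibility error cannot occur. Newer releases take (RealmModel, String).
        UserModel existing = (email == null) ? null : session.users().getUserByEmail(email, realm);
        if (existing == null) {
            context.success();
            return;
        }
        if (!existing.isEmailVerified()) {
            // Earlier registration never confirmed the address: remove it so registration can
            // proceed, and record the removed id in the event so the deletion stays auditable.
            context.getEvent().detail("removed_unverified_user_id", existing.getId());
            session.users().removeUser(realm, existing);
            context.success();
            return;
        }
        // A verified account owns this address: fail with the same form error the built-in step uses.
        context.error(Errors.EMAIL_IN_USE);
        context.validationError(formData, Collections.singletonList(new FormMessage(Validation.FIELD_EMAIL, Messages.EMAIL_EXISTS)));
    }
    // This step renders nothing extra and needs no authenticated user.
    @Override public void buildPage(FormContext context, LoginFormsProvider form) { }
    @Override public void success(FormContext context) { }
    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because anyone can submit a registration form, deleting an unverified account on re-registration lets a third party discard another person's pending registration, so the event detail above is what an operator would use to spot that pattern.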
Keycloak support for one realm on a domain name while serving on multiple domains simultaneously
by Yervand Aghababyan
I've also posted this question on stackoverflow. So if you want to you can
answer there so it'll be easier to find for anyone looking. Here it is:
https://stackoverflow.com/questions/55634962/keycloak-support-for-one-rea...
I'm building an ecosystem of applications on kubernetes with keycloak as
authentication/authorization provider. I am(or probably was) planning for
everything to be integrated with it via OpenId(OAuth2) and for user
credentials and other private information never to leave the keycloak
instance in an unencrypted form.
I was trying to implement the whole authentication scheme with the
following configurations in mind.
Realms
myservice: Realm containing the public and back-office users of my application. All microservices that I have are authenticating users against this realm.
master: Contains admins, keycloak administrators and other resources which should not be ever exposed to the public or intranet users. No microservice ever performs authentication on this realm.
Domains
1. domain: account.myservice.com
   access: public
   cors: allow requests from app.myservice.com
   config: kubernetes-ingress
   exposes: configured themes to support login, registration, etc. Endpoints for public front-end application token validation
   description: Only exposes access to a realm called "myservice" in keycloak. No users from other realms can login or interact.
2. domain: account.internal.myservice.com
   access: intranet/admins
   cors: allow requests from back-office.internal.myservice.com
   config: kubernetes-ingress
   exposes: configured themes to support login, registration, etc. Endpoints for back-end front-end application token validation
   description: Exposes all the realms and provides access to keycloak administrative UI.
3. domain: keycloak (keycloak.default.svc.cluster.local)
   access: cluster-internal
   cors: none
   config: kubernetes service, visible only inside the cluster
   exposes: endpoints for back-end application token validation
   description: Only exposes realm "myservice" and is used for other services to validate user tokens and similar stuff.
I did come across a number of issues when trying to implement the above
configuration scheme. If I do SSL termination inside Keycloak I won't be
able to configure the different domains via a reverse proxy or similar
approach which, in turn, means that Keycloak should provide a feature to
listen on a separate SSL encrypted port and only make one realm available
there. Which it does not. So do I want something weird here? Are the best
practices different from what I want?
--
Best Regards,
Yervand
5 years, 8 months
Re: [keycloak-user] Java 11 (Docker container base)
by Chris Brandhorst
Sebastian,
The link [1] only shows support on RHEL and Windows environments. Do you mean to say the 2023 date is also valid for OpenJDK running in the Docker-version of Keycloak, regardless of underlying architecture?
[1] https://access.redhat.com/articles/1299013
Chris
> From the support perspective, Red Hat offers extended support till June
> 2023 [1].
>
> Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess we
> still have plenty of time to do the switch, so I wouldn't rush things too
> much.
>
> BTW, why do you need JDK11, especially in the container?
>
> [1] https://access.redhat.com/articles/1299013
>
>> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka at zoomint.com> wrote:
>>
>> Sorry, end of january (my fault):
>> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java
>> and OpenJDK will most probably start to diverge, as OpenJDK will not have
>> access to Oracle repos (afaik). So the speed of security fixes will depend
>> on willingness of community to fix the upcoming issues.
>>
>> Pavel
>>
>>
>> From: Meissa M'baye Sakho <msakho at redhat.com>
>> Sent: Tuesday, October 23, 2018 11:04 AM
>> To: Pavel Micka <Pavel.Micka at zoomint.com>
>> Cc: keycloak-user <keycloak-user at lists.jboss.org>
>> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>>
>> Hello,
>> Pavel, where did you get the information that the official Java 8 support
>> will cease at the end of december?
>> https://access.redhat.com/articles/1299013
>> https://www.oracle.com/technetwork/java/javase/eol-135779.html
>> Meissa
>>
>> On Mon, Oct 22, 2018 at 16:33, Pavel Micka <Pavel.Micka at zoomint.com> wrote:
>> Hello everyone,
>>
>> What is the plan for Java 11 support? The point is that current versions
>> of Docker containers are based on OpenJDK 8, but the official Java 8
>> support will cease at the end of December. Will Keycloak use Java 11 by
>> that time or will it rely on updates provided by the community?
>>
>> This is important to us, as Keycloak is important part of our app security.
>>
>> Thanks,
>>
>> Pavel
>>
>> // I have found this ticket in Jira, but it does not provide too many
>> details: https://issues.jboss.org/browse/KEYCLOAK-7811
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
5 years, 8 months
Managing different timeouts between keycloak and application
by cedric@couralet.eu
Hi,
When using keycloak-servlet-filter-adapter, we saw that the http session expires at the same time the keycloak sso idle timeout occurs.
Going through the code in OIDCSessionFilterStore, these lines seem to be the cause:
    // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session
    //log.fine("Cleanup and expire session " + httpSession.getId() + " after failed refresh");
    cleanSession(httpSession);
    httpSession.invalidate();
Is there a way to have different timeouts between the two? We may want to keep the session alive in our app for longer than in keycloak (to be the same as the servlet container's in our case).
Cédric
5 years, 8 months
Keycloak and shared JWT secrets
by Nolan Darilek
Apologies if the answer to this is simple. I've pored through every doc
I can get my hands on and am a bit overwhelmed.
I'm trying to set up a shared account service that works across my
static website, forum, and eventually on mobile apps. Given that
security isn't a core competency, I decided to try using Keycloak for this.
My first goal is to require authentication to example.com/members. I'm
using the Caddy web server which has a JWT-based protection scheme
built-in. Keycloak is running at example.com/auth.
What I *thought* I'd do is set up my website as a confidential client
with authorization enabled. Caddy needs a shared secret for the JWT, so
I thought this would be the client secret. Also, since my website and
Keycloak are on the same domain, I thought that if they shared a secret
and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication
would just work. Alas, no. Here's my Caddy JWT configuration block:
jwt {
    path /members
    redirect /auth/realms/myrealm/account
    token_source header
    token_source cookie KEYCLOAK_IDENTITY
}
Visiting /members just redirects me to my account page again and again,
even if I'm logged in.
Am I completely off the rails here? I thought about using the client
library, but I don't know if that works for confidential authorization
setups. I don't even know if I *need* a confidential authorization setup
here, or if I'm completely misunderstanding. It also occurs to me that
I'm redirecting to /auth/realms/myrealm/account. There's nothing in that
URL indicating which client to use, and as such, which secret to
generate the JWT with. So before I go too much further down this rabbit
hole, I wanted to check my assumptions.
Thanks for any help.
5 years, 8 months
Issue in importing realm from old version to version 5
by valsaraj pv
Hi,
We need to export & import configuration from an old version 3.4 to the new
Keycloak version 5. But it shows an error on import:
{"errorMessage":"App doesn't exist in role definitions: realm-management"}
Is there any option to import realm to new version?
Thanks!
5 years, 8 months
Keycloak Remember me
by Pulkit Srivastava
Hi All,
I was wondering if authentication through an external IDP (google, facebook,
saml etc.) supports the remember me functionality.
I know it works for internal keycloak authentication.
Thanks in advance.
Thanks,
Pulkit
5 years, 8 months
Remove check for redirect_uri
by vasleon
Hello everyone,
It is required to specify a valid redirect_uri for each client in order
for the login form to appear.
How could I remove the check that verifies the redirect_uri exists? I
would like to make it possible for an application to redirect
anywhere. (It is for educational purposes.)
Thank you
5 years, 8 months