Accounts Logs
by Aaron Echols
Hello All,
I've been pulling my hair out on this one. I set up a DEV instance of
Keycloak to test some theming and one thing I've noticed is that when
using a realm's account page, Logs is disabled in DEV.
I can't figure out how to disable that in my PROD instance. I'd like to
hide that for all users, as my users won't understand what any of that
means.
Currently in PROD, when going to any user's account page you see the
following layout:
* Account
* Password
* Authenticator
* Sessions
* Applications
* Logs
In DEV, I see:
* Account
* Password
* Authenticator
* Sessions
* Applications
That's what I'd like to see in PROD as well. I'm hoping it's something
simple I'm missing. Thanks in advance. :)
--
Aaron Echols
5 years, 8 months
Possible to override single messages in theme?
by Craig Setera
Is it possible to override a single message in a theme, or is it necessary
to essentially copy the entire messages file and alter the message within
that?
=================================
*Craig Setera*
*Chief Technology Officer*
5 years, 8 months
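Added example, not from this thread and not Keycloak's own code: a child theme only needs the keys it changes, because a child bundle is layered over the parent bundle and missing keys fall through to the parent. The helper below renders that minimal layout (themes/<name>/<type>/theme.properties with parent=keycloak, plus a messages file holding only the overridden keys). The key loginTitle and the theme name mytheme are illustrative; the apostrophe doubling assumes Keycloak formats message values with java.text.MessageFormat, and the \uXXXX escaping is a precaution so the file reads the same whether the server parses it as UTF-8 or ISO-8859-1.

```python
from pathlib import Path
from typing import Dict


def escape_property_value(value: str) -> str:
    """Make a value safe for a Keycloak messages_*.properties file.

    Assumption: Keycloak runs message values through java.text.MessageFormat,
    so a literal apostrophe must be doubled ('' prints one '). Non-ASCII
    characters are written as \\uXXXX escapes, which both UTF-8 and
    ISO-8859-1 readers of a .properties file interpret correctly.
    Placeholders such as {0} are left untouched.
    """
    out = []
    for ch in value.replace("'", "''"):
        out.append(ch if ord(ch) < 128 else "\\u%04x" % ord(ch))
    return "".join(out)


def render_theme_files(theme_name: str, theme_type: str, overrides: Dict[str, str],
                       parent: str = "keycloak", locale: str = "en") -> Dict[str, str]:
    """Return {path relative to themes/: file content} for a child theme that
    overrides only the keys in `overrides`.

    Layout produced:
      <theme_name>/<theme_type>/theme.properties                      -> parent=<parent>
      <theme_name>/<theme_type>/messages/messages_<locale>.properties -> overridden keys only
    Every key not listed here is resolved from the parent theme's bundle.
    """
    prefix = f"{theme_name}/{theme_type}"
    messages = "".join(
        f"{key}={escape_property_value(val)}\n" for key, val in sorted(overrides.items())
    )
    return {
        f"{prefix}/theme.properties": f"parent={parent}\n",
        f"{prefix}/messages/messages_{locale}.properties": messages,
    }


def write_theme(themes_dir: str, files: Dict[str, str]) -> None:
    """Materialise the rendered files under the Keycloak themes/ directory."""
    for rel, content in files.items():
        path = Path(themes_dir) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")


if __name__ == "__main__":
    # Example: override a single login-page message (hypothetical theme name).
    files = render_theme_files("mytheme", "login", {"loginTitle": "Sign in to {0}"})
    for rel, content in files.items():
        print(f"--- {rel}\n{content}", end="")
```

After writing the files, select the theme for the realm (Realm Settings > Themes) and, when developing, disable the theme cache so edits show up without a restart; only the keys present in the child bundle change, everything else still comes from the parent.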
401 http status instead of 302 in case of unauthorized access to specific route
by Radovan Kuka
Hello all,
I am new to Keycloak and I tried to use keycloak-connect to protect routes on my server. From my SPA, I make a fetch call to the server route that uses the protect middleware. In case of an unauthenticated user, keycloak-connect returns a redirect to the login page (302 with a Location header). The problem is that the original request was a fetch, and the 302 causes the browser to issue a GET request for the Keycloak login page. This will not cause a full browser redirect to that login page. Wouldn't it be better to send 401 Unauthorized and let the browser handle the redirect itself? Or am I doing something wrong?
This is related part in my code.
const express = require('express');
const Keycloak = require('keycloak-connect');

const app = express();

// `application` holds the deployment settings (SERVER_URL, CLIENT_ID, REALM)
// and `api` is the Express router being protected; both are defined elsewhere.
const keycloakConfig = {
    authServerUrl: application.SERVER_URL,
    clientId: application.CLIENT_ID,
    realm: application.REALM,
    public: true
};

// Keep the grant in cookies instead of a server-side session store.
const keycloak = new Keycloak({ cookies: true }, keycloakConfig);

app.use(
    keycloak.middleware({
        logout: '/logout'
    })
);

// Use routes: every /api/v1/ request must carry a valid grant.
app.use('/api/v1/', keycloak.protect(), api);
Thank you for any help.
Radovan
5 years, 8 months
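Added example, not from this thread and not keycloak-connect code: the decision the post is asking about, written framework-neutrally in Python so it can be run and checked. A redirect only helps a top-level navigation; a fetch() or XHR that receives a 302 silently follows it and ends up with the IdP's HTML (or a CORS failure) instead of a clear signal. The function below classifies the request from Sec-Fetch-Mode (set by modern browsers and not forgeable from page script), the older X-Requested-With convention, and finally the Accept header, and answers 302 for navigations and 401 with an RFC 6750 WWW-Authenticate challenge otherwise. The local /login path, the redirect_uri parameter name and the JSON error body are assumptions for illustration.

```python
from urllib.parse import urlencode
from typing import Dict, Tuple


def is_browser_navigation(headers: Dict[str, str]) -> bool:
    """True when the unauthenticated request is a top-level browser navigation
    (a redirect to login is appropriate); False for script-initiated requests
    (fetch/XHR), which should get a 401 and let the SPA decide.

    Evidence, strongest first:
      1. Sec-Fetch-Mode: "navigate" for navigations, "cors"/"same-origin"/"no-cors" for fetch;
      2. X-Requested-With: XMLHttpRequest, the classic XHR marker;
      3. Accept: a navigation asks for text/html, fetch() defaults to */*.
    Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    mode = h.get("sec-fetch-mode")
    if mode is not None:
        return mode.lower() == "navigate"
    if h.get("x-requested-with", "").lower() == "xmlhttprequest":
        return False
    return "text/html" in h.get("accept", "").lower()


def unauthenticated_response(headers: Dict[str, str], requested_path: str,
                             login_url: str, realm: str) -> Tuple[int, Dict[str, str], bytes]:
    """Build (status, headers, body) for a request that carries no valid grant."""
    if is_browser_navigation(headers):
        # Navigation: bounce to the login page and remember where the user was going.
        # (login_url and the redirect_uri parameter are this example's assumptions.)
        location = f"{login_url}?{urlencode({'redirect_uri': requested_path})}"
        return 302, {"Location": location}, b""
    # Script-initiated request: RFC 6750 challenge. The SPA sees the 401 and
    # starts the login itself with a real top-level navigation.
    return (
        401,
        {"WWW-Authenticate": f'Bearer realm="{realm}"', "Content-Type": "application/json"},
        b'{"error":"unauthorized"}',
    )


if __name__ == "__main__":
    # Constructed sample requests: one from fetch(), one from the address bar.
    print(unauthenticated_response({"Accept": "application/json"}, "/api/v1/me", "/login", "myrealm"))
    print(unauthenticated_response({"Accept": "text/html,application/xhtml+xml"}, "/app", "/login", "myrealm"))
```

Whatever the server answers, the SPA must not try to fetch() the IdP's login page itself: on a 401 it should set window.location to the login route so that the browser performs the OIDC redirect as a navigation.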
How to reduce the size of the access/refresh tokens in Keycloak?
by Safouan BEN JHA
Hi all,
First of all, sorry if this email is not relevant to you. I am using the
keycloak-user(a)lists.jboss.org to ask for support as it was the only email I
could find.
I am setting up a Keycloak authentication server to allow authorized users to
access a protected resource (OAuth 2.0).
The access will be done from an embedded device that has certain
restrictions. The main restriction is that the access and refresh tokens
cannot be saved if they are longer than 256 characters.
While in The OAuth 2.0 Authorization Framework
<https://tools.ietf.org/html/rfc6749> is silent about the token size, all
the identity providers are free to decide about the token size. For
example, Facebook's token is less than 256 bytes, the same for Google. But
for Keycloak, I get a token around 850 bytes! I have tried several
encryption algorithms available in the admin console but I still get a large
JWT token. Decoding that JWT gives the following:
{
"jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
"exp": 1556284611,
"nbf": 0,
"iat": 1556270211,
"iss": "http://myadress:myport/auth/realms/myrealm",
"aud": "myapp",
"sub": "45464-445645-4b45641e-456456-45645646",
"typ": "Bearer",
"azp": "myapp",
"auth_time": 1556269490,
"session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
"acr": "0",
"allowed-origins": [],
"realm_access": {
"roles": [
"user"
]
},
"resource_access": {},
"scope": "readwrite"
}
I am actually not interested at all in the data in the tokens and I am not
parsing it. I just need the token to be able to access the resource. Hence,
is there a way to reduce the size of the token to less than 256? If not,
what is the best result I can get?
Thank you in advance
--
Ben Jha Safouan
*Embedded Software Engineer*
*Tel:* (+32) (0)499913560 - (+32) (0)497053670
*Email: *safwen.benjha(a)gmail.com
5 years, 8 months
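Added example, not from this thread: a size model for the token above. A Keycloak access token is a JWS, so its length is header + payload + signature, all base64url, and the signature term is fixed by the algorithm: a 2048-bit RSA signature (RS256, the realm default) alone encodes to 342 characters, so no claim trimming can get an RS256 token under 256. ES256 (64-byte signature, 86 characters) and HS256 (32 bytes, 43 characters) leave room, which is why the per-client access-token signature algorithm matters more than any mapper; that Keycloak offers those algorithms per client is an assumption about the server version in use, and the 2048-bit key size is an assumption too. The code uses only the standard library and builds a real HS256 token to check the arithmetic; the claim set is copied from the post.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict

# Claim set copied from the decoded token shown in the post above.
POSTED_CLAIMS = {
    "jti": "d654564qsd-5fqsdf5-4qsdf-8b25qs-b556456",
    "exp": 1556284611, "nbf": 0, "iat": 1556270211,
    "iss": "http://myadress:myport/auth/realms/myrealm",
    "aud": "myapp", "sub": "45464-445645-4b45641e-456456-45645646",
    "typ": "Bearer", "azp": "myapp", "auth_time": 1556269490,
    "session_state": "cb95519c-0bf8-4b6b-94e4-a10d9000dbd2",
    "acr": "0", "allowed-origins": [],
    "realm_access": {"roles": ["user"]},
    "resource_access": {}, "scope": "readwrite",
}

# Raw signature size in bytes per JWS algorithm. RS256 assumes a 2048-bit
# realm key (assumption: the Keycloak default key size).
SIGNATURE_BYTES = {"HS256": 32, "ES256": 64, "RS256": 256}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compact_json(obj) -> bytes:
    """JSON without whitespace, the way token issuers serialise claims."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def b64url_len(n_bytes: int) -> int:
    """Characters needed to base64url-encode n_bytes bytes without padding: ceil(4n/3)."""
    return (4 * n_bytes + 2) // 3


def jwt_length(claims: dict, alg: str) -> int:
    """Total characters of header.payload.signature for the given algorithm."""
    header = b64url(compact_json({"alg": alg, "typ": "JWT"}))
    payload = b64url(compact_json(claims))
    return len(header) + 1 + len(payload) + 1 + b64url_len(SIGNATURE_BYTES[alg])


def hs256_jwt(claims: dict, key: bytes) -> str:
    """A genuine HS256 JWT built with the standard library, used to validate the size model."""
    signing_input = (b64url(compact_json({"alg": "HS256", "typ": "JWT"}))
                     + "." + b64url(compact_json(claims)))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def size_report(claims: dict) -> Dict[str, int]:
    """Token length per algorithm for one claim set."""
    return {alg: jwt_length(claims, alg) for alg in SIGNATURE_BYTES}


if __name__ == "__main__":
    print("posted claims:", size_report(POSTED_CLAIMS))
    print("empty payload:", size_report({}))   # RS256 still cannot fit in 256 characters
```

The empty-payload row is the useful one: it is the floor for each algorithm, and it shows that with RS256 the target is unreachable before a single claim is considered. The refresh token is a separate JWS with the same structure, so the same arithmetic applies to it.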
Unable to integrate SAML 2 provider - Pingfederate
by Bruce Wings
I have successfully integrated OKTA as SAML 2 provider.
Now I am trying to integrate Pingfederate as SAML 2 provider. Pingfederate
successfully redirects back to Keycloak:
( <myhost>/auth/realms/<myRealm>/broker/pingfed/endpoint )
But keycloak gives following error trace:
2019-04-30 13:27:23,196 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:450)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:485)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:243)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
5 years, 8 months
Query for a specific page from "get members of group" REST API
by Lengenfeld, Jan
Hi all,
is there a way to get the total number of pages from the API "GET /{realm}/groups/{id}/members" (Get users: returns a list of users, filtered according to query parameters)?
As I see it, I can only specify an offset and a page size and get a JSON array of UserRepresentations. But there is no max count or "maximum pages" value that is returned. That way I cannot query for a specific page.
Am I missing something or is there another way to obtain this information?
Best regards
Jan Lengenfeld
5 years, 8 months
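Added example, not from this thread: when an endpoint exposes only an offset and a page size (first and max on the group-members call) and no total, the usual approach is to walk pages until one comes back shorter than the page size, and to address "page n" as first = n * max. The code below does that with the Admin REST API path as documented for this era (/auth/admin/realms/{realm}/groups/{id}/members; that the server is mounted under /auth is an assumption), and ships a constructed in-memory fetcher so it runs offline. Caveat a practitioner should keep in mind: offset paging without a total is not a snapshot; a member added or removed between two requests shifts every later offset, so a full walk can skip or repeat a user.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

Page = List[Dict]
Fetcher = Callable[[int, int], Page]   # (first, max) -> list of UserRepresentation dicts


def admin_members_fetcher(base_url: str, realm: str, group_id: str, access_token: str) -> Fetcher:
    """Build a (first, max) -> page callable for GET /{realm}/groups/{id}/members.

    Path layout is this example's assumption for a server mounted under /auth;
    the bearer token must belong to a user with the view-users role.
    """
    def fetch(first: int, max_: int) -> Page:
        url = (f"{base_url}/auth/admin/realms/{realm}/groups/{group_id}/members"
               f"?first={first}&max={max_}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    return fetch


def nth_page(fetch_page: Fetcher, page_number: int, page_size: int) -> Page:
    """Page n (0-based) of the member list: first = n * max."""
    return fetch_page(page_number * page_size, page_size)


def iter_group_members(fetch_page: Fetcher, page_size: int = 100) -> Iterator[Dict]:
    """Yield every member by walking pages until a short page signals the end.

    A result set that is an exact multiple of page_size costs one extra,
    empty request; that is the price of not having a count.
    """
    first = 0
    while True:
        page = fetch_page(first, page_size)
        for member in page:
            yield member
        if len(page) < page_size:
            return
        first += page_size


def count_group_members(fetch_page: Fetcher, page_size: int = 100) -> int:
    """Total member count, obtained only by walking the pages (no count endpoint)."""
    return sum(1 for _ in iter_group_members(fetch_page, page_size))


def make_fake_fetcher(total: int) -> Fetcher:
    """Constructed stand-in for the REST call: `total` synthetic users, call log attached."""
    users = [{"id": f"user-{i:03d}", "username": f"u{i}"} for i in range(total)]
    calls = []

    def fetch(first: int, max_: int) -> Page:
        calls.append((first, max_))
        return users[first:first + max_]

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    fake = make_fake_fetcher(23)
    print(count_group_members(fake, page_size=10), "members in", len(fake.calls), "requests")
    print([u["username"] for u in nth_page(fake, 2, 10)])
```

For a consistent count of one group, fetching the whole list once and paging client-side is the safer option when the group is small; for large groups, keep page_size high to reduce the number of offset windows during which the membership can change.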
How to dynamically trigger a custom required action in a flow ?
by GESLIN Fabrice
Hi,
We're trying to trigger a custom required action as part of the reset credential.
For this we plan to mimic the implementation of the authenticate method of the org.keycloak.authentication.authenticators.resetcred.ResetPassword.java :
@Override
public void authenticate(AuthenticationFlowContext context) {
    if (context.getExecution().isRequired() ||
        (context.getExecution().isOptional() &&
         configuredFor(context))) {
        context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
    }
    context.success();
}
But the question is what value should we pass to the addRequiredAction() ?
This method seems to only accept the predefined required actions mapped to the values from the UserModel.RequiredAction enum.
Any help is welcome.
Fabrice Geslin
Groupe La Poste
5 years, 8 months
Keycloak with loadbalancer managing SSL
by Sébastien Minne
Hi Everyone,
I'm trying to install a Keycloak cluster which is behind a loadbalancer.
This load balancer exposes a certificate.
It seems that my keycloak (jboss) is also exposing a certificate, but I
can't find where it comes from.
First question :
- To me it sounds like a bad idea to have a certificate on the load balancer
and another one on the JBoss, right?
- How can I disable the jboss certificate (or use the one exposed by the
loadbalancer)
Thanks
5 years, 8 months
Infinispan MBean Null Pointer Exception
by Matteo Restelli
Hi all,
We're encountering a NullPointerException during our scraping of JMX
Metrics in Keycloak. More precisely:
- We're exporting the jmx via Prometheus Exporter Agent (javaagent)
- Our additional run params are the following:
"-Djava.util.logging.manager=org.jboss.logmanager.LogManager
-Djboss.modules.system.pkgs=org.jboss.byteman,org.jboss.logmanager
-Xbootclasspath/p:/opt/jboss/keycloak/modules/system/layers/base/org/jboss/logmanager/main/jboss-logmanager-2.1.7.Final.jar
-Xbootclasspath/p:$JBOSS_HOME/modules/system/layers/base/org/wildfly/common/main/wildfly-common-1.4.0.Final.jar
-javaagent:/opt/jboss/keycloak/jmx_prometheus_javaagent.jar=18080:/home/config.yaml"
- Every time Prometheus scrapes on the 18080 port, we encounter a lot of
NullPointerExceptions related to LockingMetric.java. See the following
error:
12:42:08,318 ERROR [org.jboss.as.controller.management-operation] (pool-1-thread-3) WFLYCTL0013: Operation ("read-attribute") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("local-cache" => "users"),
    ("component" => "locking")
]): java.lang.NullPointerException
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetric$1.execute(LockingMetric.java:41)
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetric$1.execute(LockingMetric.java:38)
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetricExecutor.execute(LockingMetricExecutor.java:46)
    at org.jboss.as.clustering.infinispan.subsystem.LockingMetricExecutor.execute(LockingMetricExecutor.java:37)
    at org.jboss.as.clustering.controller.MetricHandler.executeRuntimeStep(MetricHandler.java:75)
    at org.jboss.as.controller.AbstractRuntimeOnlyHandler$1.execute(AbstractRuntimeOnlyHandler.java:59)
    at org.jboss.as.controller.AbstractOperationContext.executeStep(AbstractOperationContext.java:999)
    at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:743)
    at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:467)
    at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1411)
    at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:423)
    at org.jboss.as.controller.ModelControllerImpl.lambda$execute$0(ModelControllerImpl.java:227)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:265)
    at org.wildfly.security.auth.server.SecurityIdentity.runAs(SecurityIdentity.java:231)
    at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:227)
    at org.jboss.as.jmx.model.ModelControllerMBeanHelper.execute(ModelControllerMBeanHelper.java:555)
    at org.jboss.as.jmx.model.ModelControllerMBeanHelper.getAttribute(ModelControllerMBeanHelper.java:316)
    at org.jboss.as.jmx.model.ModelControllerMBeanHelper.getAttributes(ModelControllerMBeanHelper.java:294)
    at org.jboss.as.jmx.model.ModelControllerMBeanServerPlugin.getAttributes(ModelControllerMBeanServerPlugin.java:146)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.getAttributes(PluggableMBeanServerImpl.java:416)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.scrapeBean(JmxScraper.java:151)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.doScrape(JmxScraper.java:117)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxCollector.collect(JmxCollector.java:460)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.findNextElement(CollectorRegistry.java:183)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:216)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:137)
    at io.prometheus.jmx.shaded.io.prometheus.client.exporter.common.TextFormat.write004(TextFormat.java:22)
    at io.prometheus.jmx.shaded.io.prometheus.client.exporter.HTTPServer$HTTPMetricHandler.handle(HTTPServer.java:59)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
    at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
    at sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
    at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
We're getting this error on Keycloak 6.0.0, 5.0.0 and 4.8.3.Final
(we didn't try with previous versions). Is there something we're missing?
Thank you in advance,
Matteo
5 years, 8 months
Keycloak in HA mode on Kubernetes fails with "invalid_code" when requesting tokens
by Jody H
Hi,
we have some trouble to generate tokens with the authentication code flow
in our Keycloak 5.0.0 cluster.
Some information about the cluster:
1) We have a cluster with 3 instances in Kubernetes, deployed by the
Keycloak Helm Chart (
https://github.com/helm/charts/tree/master/stable/keycloak)
2) I can see that some Infinispan stuff is going on in the logs when the
cluster is starting up. I have checked that the shell script that is
executed on startup contains the " -c standalone-ha.xml" switch. I can not
find any mentions of the string "standalone-ha.xml" in the log output
though.
3) Our cluster is load-balanced with an HAProxy
4) The webservice we want to access is secured by Keycloak Gatekeeper (
https://github.com/keycloak/keycloak-gatekeeper)
When using a browser to log in to keycloak-secured websites (i.e. websites
that use the keycloak cluster to perform the OIDC authentication code flow
and authenticate our users), we did not see problems so far. The keycloak
gatekeeper "proxy" is redirecting to keycloak when no cookie is present for
login, trading in the code for id, access and refresh tokens and passing
the access_token to the reverse-proxied website after successful login.
To test our APIs we would like to use Postman.
However, when using Postman with its built-in OAuth 2.0 authentication, we
see a problem that is reproducible on 4 laptops which are in the same LAN
as the keycloak cluster. Postman can request access tokens by using the
authentication code flow in its GUI. In Postman's "Get New Access Token"
window, we use these settings:
1. callback url: the same redirect_uri that is pointing to the Keycloak
gatekeeper callback endpoint (/oauth/callback endpoint)
2. auth url:
https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/auth
3. access token url:
https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/token
4. client-id: client-id from Keycloak
5. client-secret: client-secret from Keycloak
6. scope: openid
7. Client Authentication: "Send as Basic Auth header"
When clicking the "Request Token" button in Postman, we receive the error
"invalid_code" in roughly 9 out of 10 tries. Basically, if we spam the
button, sometimes it works but most of the time it does not. For another
laptop which is connected via VPN and thus has a higher latency, the
requests work just fine.
I am thinking about the following:
Is it possible that the initial request is sent to keycloak-0, then
returned to the client (Postman) and then immediately sent back to the
load balancer URL to trade in the code for tokens... and then hits another
instance due to load balancing, for example keycloak-1, which has no
information about the authentication process that was initiated on
keycloak-0? The invalid_code error is returned after just 4 milliseconds,
which is rather fast. Maybe the cluster is not properly synchronizing in
time? Any idea on how to fix this?
Thanks
Jody
5 years, 8 months