Remove kcinit and text-based authentication flows
by Stian Thorgersen
kcinit and its associated text-based authentication flows add quite a bit
of complexity. It was never fully completed and we don't have the capacity to
complete it.
Text-based authentication flows are also not really all that useful. There
are other, better approaches to authenticate devices without a web browser,
and when there is a web browser, that should be used rather than a CLI.
I propose we remove both kcinit and the text-based authentication
flows. We also need to revert KeycloakInstalled to how it was prior to this
being added, as it is currently fairly broken.
5 years, 4 months
keycloak.js: updateToken creates invalid url
by Weber, Wolfgang
Hi!
Our customer uses our application (running with Keycloak 6.0.1) with multiple tabs open. We recognized that there is a scenario where keycloak.js generates invalid URLs in the updateToken method, where the parameter refresh_token is undefined:
"postData": {
"mimeType": "application/x-www-form-urlencoded",
"text": "grant_type=refresh_token&refresh_token=undefined&client_id=r6-ui",
....
})
We can reproduce this behaviour on our customer's environment with:
* enable SSO
* with a Kerberos plugin for automatic login
* open multiple tabs from within tab 1
* refresh tab 1 or wait for session timeout
So it looks like, in the multi-tab scenario, we manage to call clearToken while an updateToken request is being processed.
Is there anything we can do to overcome this issue?
Kind regards,
Wolfgang
<!--- har snipped -->
5 years, 4 months
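The race described in the post, as an added example that is not keycloak.js code and not from the poster: a minimal model of an adapter whose clearToken() can interrupt an in-flight updateToken(). naiveRefreshBody reproduces the request body captured in the HAR when the refresh token is undefined; TokenRefresher shows the two defensive changes a client-side adapter can make: never build a refresh request without a refresh token, and coalesce concurrent updateToken() callers onto one request so a response is discarded when the session was cleared in the meantime. Class and function names, the fake token endpoint and the token values are constructed; only the client id r6-ui and the field names come from the post.

```javascript
// Added example, not code from keycloak.js. Models the multi-tab race from
// the post: the status iframe calls clearToken() while updateToken() is in
// flight, and the next refresh goes out with refresh_token=undefined.

// Constructed value, not a real token.
const SAMPLE_REFRESH_TOKEN = 'eyJhbGciOiJIUzI1NiJ9.constructed.refresh';

// Plain string concatenation with no check: an undefined token is coerced
// to the literal string "undefined", exactly the body captured in the HAR.
function naiveRefreshBody(refreshToken, clientId) {
  return 'grant_type=refresh_token&refresh_token=' + refreshToken +
    '&client_id=' + clientId;
}

// Hardened variant: no request at all when there is no refresh token. The
// caller treats null as "session is gone" instead of waiting for a 400.
function safeRefreshBody(refreshToken, clientId) {
  if (typeof refreshToken !== 'string' || refreshToken.length === 0) {
    return null;
  }
  const params = new URLSearchParams();
  params.set('grant_type', 'refresh_token');
  params.set('refresh_token', refreshToken);
  params.set('client_id', clientId);
  return params.toString();
}

// Minimal adapter model; transport(body) resolves to { status, json }.
class TokenRefresher {
  constructor(clientId, transport) {
    this.clientId = clientId;
    this.transport = transport;
    this.token = undefined;
    this.refreshToken = undefined;
    this.inflight = null;   // the single in-flight refresh, if any
    this.sent = [];         // bodies actually sent, for inspection
  }

  setTokens(token, refreshToken) {
    this.token = token;
    this.refreshToken = refreshToken;
  }

  // Called when the login-status iframe reports the SSO session changed.
  clearToken() {
    this.setTokens(undefined, undefined);
  }

  // Concurrent callers share one request. The refresh token is checked
  // before sending and again after the round trip, so a clearToken() that
  // raced the request cannot resurrect a session the iframe declared gone.
  updateToken() {
    if (this.inflight) return this.inflight;
    const body = safeRefreshBody(this.refreshToken, this.clientId);
    if (body === null) {
      return Promise.reject(new Error('no refresh token: session cleared'));
    }
    this.sent.push(body);
    this.inflight = this.transport(body)
      .then((res) => {
        if (res.status !== 200) throw new Error('refresh failed: HTTP ' + res.status);
        if (this.refreshToken === undefined) throw new Error('session cleared during refresh');
        this.setTokens(res.json.access_token, res.json.refresh_token);
        return true;
      })
      .finally(() => { this.inflight = null; });
    return this.inflight;
  }
}

// Constructed stand-in for the token endpoint; no network involved.
function fakeTokenEndpoint(body) {
  const rt = new URLSearchParams(body).get('refresh_token');
  if (!rt || rt === 'undefined') {
    return Promise.resolve({ status: 400, json: { error: 'invalid_grant' } });
  }
  return Promise.resolve({ status: 200, json: { access_token: 'new-access', refresh_token: 'new-refresh' } });
}

// Two tabs refresh in the same tick, the iframe clears the session while
// the request is in flight, and a third caller arrives after the clear.
async function simulateRace() {
  const kc = new TokenRefresher('r6-ui', fakeTokenEndpoint);
  kc.setTokens('old-access', SAMPLE_REFRESH_TOKEN);
  const p1 = kc.updateToken();
  const p2 = kc.updateToken();
  kc.clearToken();
  const settled = await Promise.allSettled([p1, p2]);
  const late = await kc.updateToken().catch((e) => e.message);
  return { coalesced: p1 === p2, sent: kc.sent, outcomes: settled.map((r) => r.status), late };
}

simulateRace().then((r) => console.log(JSON.stringify(r)));
```

In the simulated run exactly one request leaves the client and it carries the real token; both racing callers are rejected once the session is cleared, and the late caller never sends refresh_token=undefined.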
Re: [keycloak-user] [keycloak-dev] Unable to connect to an external datasource for a protocol mapper
by Thomas Darimont
Hi Thomas,
I think a more suitable list for this kind of question is the
keycloak-users mailing list.
I think in your case you can reduce your example to a single ejb-jar
deployment.
Furthermore, you can refer to a datasource configured in Wildfly via JNDI
instead of providing your own datasource via persistence.xml.
See:
https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc...
The trick to get a custom EntityManager injected into a component is to
turn the component into an EJB and access it via JNDI, e.g.:
...
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

// Stateless session bean: the container injects the EntityManager for the
// "UserPU" persistence unit, so nothing is created by hand from persistence.xml.
@Stateless
@Local
public class UserRepository {

    @PersistenceContext(unitName = "UserPU")
    protected EntityManager entityManager;

    public Object getData() {
        // implement your query
        return entityManager != null ? "data" : null;
    }
}
Then you can use JNDI to look up the bean in your custom ProtocolMapper,
e.g.:
    // Needs java.io.File, javax.naming.InitialContext and
    // javax.naming.NamingException on the import list.
    private UserRepository getUserRepository() {
        try {
            // Derive the module name from the deployed jar's file name (minus ".jar");
            // the portable global JNDI name is java:global/<module>/<bean>.
            String moduleName = new File(getClass().getProtectionDomain()
                    .getCodeSource().getLocation().getFile())
                    .getName().replaceAll("\\.jar$", "");
            String jndiName = String.format("java:global/%s/%s",
                    moduleName, UserRepository.class.getSimpleName());
            return (UserRepository) new InitialContext().lookup(jndiName);
        } catch (NamingException e) {
            throw new RuntimeException(e);
        }
    }
With those changes I could run your example:
https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc...
See:
https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc...
Cheers,
Thomas
On Wed, 11 Sep 2019 at 20:47, Thomas <tlann(a)technoeclectic.com> wrote:
> I'm a little inexperienced when it comes to Java EE, so let me apologize
> because I'm guessing this will be a small setup mistake. I've set up
> databases for applications but I'm having a really tough time with
> connecting to one for a Keycloak module. The database exists separately from
> Keycloak's user db and an LDAP/AD because other services for our application
> need to access the claims database through rabbitmq and rest services.
>
> I'm able to set up a datasource in Wildfly and verify it can connect to the
> database, so I know the connection info is good. The module successfully
> deploys to Keycloak. When the Protocol Mapper is run, I only try checking
> the nullity of the EntityManager that should be injected, as well as one
> that gets created from the PU by hand. The injected em is null and the one
> created on the spot throws an exception about being unable to find the
> persistence.xml file.
>
> What are some good troubleshooting techniques for developing in Keycloak?
> Is it more appropriate to turn up the hibernate logger in Keycloak or
> Wildfly?
>
> Could someone take a look at an example and give me some advice?
> A code example is at https://github.com/tlann/tokenEnhancer.git
>
> The deployment log and exception are as follows:
>
> Thanks,
> Thomas
>
> 17:06:51,406 INFO [org.jboss.as.server.deployment] (MSC service thread
> 1-4) WFLYSRV0027: Starting deployment of
> "token-enhancer-ear-1.0.0-SNAPSHOT.ear" (runtime-name:
> "token-enhancer-ear-1.0.0-SNAPSHOT.ear")
> 17:06:51,493 INFO [org.jboss.as.server.deployment] (MSC service thread
> 1-2) WFLYSRV0207: Starting subdeployment (runtime-name:
> "com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar")
> 17:06:51,497 INFO [org.jboss.as.jpa] (MSC service thread 1-4) WFLYJPA0002:
> Read persistence.xml for UserPU
> 17:06:51,514 INFO [org.jboss.as.jpa] (MSC service thread 1-4) WFLYJPA0002:
> Read persistence.xml for UserPU
> 17:06:51,539 WARN [org.jboss.as.dependency.private] (MSC service thread
> 1-1) WFLYSRV0018: Deployment
> "deployment.token-enhancer-ear-1.0.0-SNAPSHOT.ear.com
> .example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar"
> is using a private module ("org.keycloak.keycloak-services") which may be
> changed or removed in future versions without notice.
> 17:06:51,553 WARN [org.jboss.as.dependency.private] (MSC service thread
> 1-4) WFLYSRV0018: Deployment
> "deployment.token-enhancer-ear-1.0.0-SNAPSHOT.ear" is using a private
> module ("org.keycloak.keycloak-services") which may be changed or removed
> in future versions without notice.
> 17:06:51,555 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 81)
> WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service
>
> 'token-enhancer-ear-1.0.0-SNAPSHOT.ear/com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar#UserPU'
> 17:06:51,555 INFO [org.hibernate.jpa.internal.util.LogHelper]
> (ServerService Thread Pool -- 81) HHH000204: Processing PersistenceUnitInfo
> [
> name: UserPU
> ...]
> 17:06:51,575 INFO [org.jboss.weld.deployer] (MSC service thread 1-3)
> WFLYWELD0003: Processing weld deployment
> token-enhancer-ear-1.0.0-SNAPSHOT.ear
> 17:06:51,599 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 82)
> WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service
> 'token-enhancer-ear-1.0.0-SNAPSHOT.ear#UserPU'
> 17:06:51,599 INFO [org.hibernate.jpa.internal.util.LogHelper]
> (ServerService Thread Pool -- 82) HHH000204: Processing PersistenceUnitInfo
> [
> name: UserPU
> ...]
> 17:06:51,643 INFO
>
> [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor]
> (MSC service thread 1-3) Deploying Keycloak provider:
> com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar
> 17:06:51,678 WARN [org.keycloak.services] (MSC service thread 1-3)
> KC-SERVICES0047: oidc-token-enhancer-mapper
> (business.KeycloakTokenEnhancer) is implementing the internal SPI
> protocol-mapper. This SPI is internal and may change without notice
> 17:06:51,701 INFO [org.jboss.weld.deployer] (MSC service thread 1-3)
> WFLYWELD0003: Processing weld deployment
> com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar
> 17:06:51,779 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 81)
> WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service
>
> 'token-enhancer-ear-1.0.0-SNAPSHOT.ear/com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar#UserPU'
> 17:06:51,780 INFO [org.hibernate.dialect.Dialect] (ServerService Thread
> Pool -- 81) HHH000400: Using dialect:
> org.hibernate.dialect.PostgreSQL95Dialect
> 17:06:51,797 INFO
> [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl]
> (ServerService Thread Pool -- 81) HHH000424: Disabling contextual LOB
> creation as createClob() method threw error :
> java.lang.reflect.InvocationTargetException
> 17:06:51,797 INFO [org.hibernate.type.BasicTypeRegistry] (ServerService
> Thread Pool -- 81) HHH000270: Type registration [java.util.UUID] overrides
> previous : org.hibernate.type.UUIDBinaryType@3e14892a
> 17:06:51,801 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl]
> (ServerService Thread Pool -- 81) Envers integration enabled? : true
> 17:06:51,820 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,820 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,821 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,821 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,854 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 82)
> WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service
> 'token-enhancer-ear-1.0.0-SNAPSHOT.ear#UserPU'
> 17:06:51,855 INFO [org.hibernate.dialect.Dialect] (ServerService Thread
> Pool -- 82) HHH000400: Using dialect:
> org.hibernate.dialect.PostgreSQL95Dialect
> 17:06:51,868 INFO
> [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl]
> (ServerService Thread Pool -- 82) HHH000424: Disabling contextual LOB
> creation as createClob() method threw error :
> java.lang.reflect.InvocationTargetException
> 17:06:51,869 INFO [org.hibernate.type.BasicTypeRegistry] (ServerService
> Thread Pool -- 82) HHH000270: Type registration [java.util.UUID] overrides
> previous : org.hibernate.type.UUIDBinaryType@3e14892a
> 17:06:51,873 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl]
> (ServerService Thread Pool -- 82) Envers integration enabled? : true
> 17:06:51,882 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,882 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,882 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,883 WARN
> [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory]
> (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not
> supported. The configuration option will be ignored; please unset.
> 17:06:51,982 INFO [io.smallrye.metrics] (MSC service thread 1-1)
> MicroProfile: Metrics activated
> 17:06:52,273 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2)
> WFLYSRV0010: Deployed "token-enhancer-ear-1.0.0-SNAPSHOT.ear" (runtime-name
> : "token-enhancer-ear-1.0.0-SNAPSHOT.ear")
> 17:07:15,373 INFO [stdout] (default task-16)
> ++++++++++++++++++++++++++++++++
> 17:07:15,380 INFO [stdout] (default task-16) entityManager is null
> 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser]
> (default task-16) HHH000318: Could not find any META-INF/persistence.xml
> file in the classpath
> 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser]
> (default task-16) HHH000318: Could not find any META-INF/persistence.xml
> file in the classpath
> 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser]
> (default task-16) HHH000318: Could not find any META-INF/persistence.xml
> file in the classpath
> 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser]
> (default task-16) HHH000318: Could not find any META-INF/persistence.xml
> file in the classpath
> 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser]
> (default task-16) HHH000318: Could not find any META-INF/persistence.xml
> file in the classpath
> 17:07:15,381 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-16) Uncaught server error:
> javax.persistence.PersistenceException: No Persistence provider for
> EntityManager named UserPU
> at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:85)
> at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:54)
> at business.KeycloakTokenEnhancer.transformAccessToken(KeycloakTokenEnhancer.java:43)
> at
>
> org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:553)
> at
>
> org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:411)
> at
>
> org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:712)
> at
>
> org.keycloak.services.resources.admin.ClientScopeEvaluateResource.generateToken(ClientScopeEvaluateResource.java:206)
> at
>
> org.keycloak.services.resources.admin.ClientScopeEvaluateResource.generateExampleAccessToken(ClientScopeEvaluateResource.java:178)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
> at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
> at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
> at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
> at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
> at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
> at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
> at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
> at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
> at java.lang.Thread.run(Thread.java:748)
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
5 years, 4 months
Re: [keycloak-user] Gatekeeper issue, should I repost or no? I don't want to troll!
by Nick Powers
See reply, my previous response only went to Bruno.
On Wed, Sep 11, 2019 at 2:50 PM Nick Powers <sshscp(a)gmail.com> wrote:
> Thanks for your response Bruno! I understand that this is a community
> mailing list and not a support mailing list. I appreciate the help I do
> get from here and understand that everyone is busy. I'm not sure what
> steps are involved to file a Jira, or even what a Jira is LOL.
>
> I guess I'll give it some more time before re-posting. It's not a
> straightforward question and I know Gatekeeper users are a subset of
> Keycloak users. I really like Keycloak and the benefits it provides and
> hope I can continue using it.
>
> Thanks to all the community members here. You are a great group of people!
>
> Nick
>
> On Wed, Sep 11, 2019 at 1:49 PM Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
>
>> Hi Nick, I'm very sorry if my answer didn't help you at all, but your
>> issue requires further investigation. Please keep in mind that this is
>> a community mailing list, not a support mailing list; we love to
>> help, but at the same time we also have other tasks on our plate.
>>
>> Whether or not you should repost, troll or anything else, the answer
>> is: it's up to you, I don't think anybody will be upset or pissed off.
>> That's one of the joys of open source, the freedom.
>>
>> As soon as I have the time to investigate your issue, I will be more
>> than happy to attempt to answer your question, but I don't have an ETA
>> for this.
>>
>> If you would like to, feel free to file a Jira, mark as a bug and we
>> can do a proper triage.
>>
>> On Wed, Sep 11, 2019 at 4:40 PM Nick Powers <sshscp(a)gmail.com> wrote:
>> >
>> > I posted a message last Saturday entitled "Gatekeeper failing to proxy for
>> > redirect". I did receive a response the following Monday (Thanks Bruno!)
>> > asking for some more detail, which I replied to shortly after I received
>> > his email but I have not received any replies since then.
>> >
>> > My question now is should I repost it if I do not receive any more
>> > responses? I don't want to troll but there is really not anywhere else I
>> > can ask about this. If I cannot find an answer here, then I guess I won't
>> > find an answer and thus will not be able to continue using
>> > Keycloak/Gatekeeper. :(
>> >
>> > Can someone please advise what I should do? I don't want to piss anyone
>> > off in this group by reposting. I have been helped in the past with this
>> > group and I value the members and I know they are under no obligation but,
>> > I don't know where else I should turn. Are there any other resources for
>> > Keycloak/gatekeeper questions? If I should repost here, then how often do
>> > you suggest? I don't want to upset anyone.
>> >
>> > Thanks
>> >
>> > Nick
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user(a)lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> --
>> - abstractj
>>
>
5 years, 4 months
User cannot assign client Role to user with just
by robrecht anrijs
Hi keycloak users,
We recently upgraded from Keycloak 3.4.3 to 6.0.1, and noticed that a user
with the roles 'manage-users' and 'view-users' on the client
'realm-management' cannot see the list of client roles any more. Because of
that, the user cannot assign a specific client role to a group or a user.
Screenshot: [image: image.png]
Is this a bug? Or is it expected behaviour?
As a workaround I added the role 'view-clients' to that user, but now the
user sees too much. I only want to configure that user so he can manage
the roles for users & groups. Do I need to enable the fine-grained
permissions for that
(https://www.keycloak.org/docs/6.0/server_admin/#_fine_grain_permissions)?
Thx for the answers,
Kind regards,
Robrecht
5 years, 4 months
Can we suppress email verification for a single login?
by Andrew Braae
We are inviting people to our system via email. When someone follows one of
our invite links, we assume their email address is valid.
So when they arrive at Keycloak, we don't want these people to be asked to
do email verification.
For them (only), we want Keycloak to behave as if "Verify email" was turned
off for the realm.
Is there some way to achieve this?
Cheers,
Andrew
5 years, 4 months
Gatekeeper issue, should I repost or no? I don't want to troll!
by Nick Powers
I posted a message last Saturday entitled "Gatekeeper failing to proxy for
redirect". I did receive a response the following Monday (Thanks Bruno!)
asking for some more detail, which I replied to shortly after I received
his email but I have not received any replies since then.
My question now is should I repost it if I do not receive any more
responses? I don't want to troll but there is really not anywhere else I
can ask about this. If I cannot find an answer here, then I guess I won't
find an answer and thus will not be able to continue using
Keycloak/Gatekeeper. :(
Can someone please advise what I should do? I don't want to piss anyone
off in this group by reposting. I have been helped in the past with this
group and I value the members and I know they are under no obligation but,
I don't know where else I should turn. Are there any other resources for
Keycloak/gatekeeper questions? If I should repost here, then how often do
you suggest? I don't want to upset anyone.
Thanks
Nick
5 years, 4 months
random issue with Keycloak 7 clustered and restarting keycloak
by Andrew Schmidt
We've recently setup Keycloak 7 in a clustered environment using multicast. (standalone-ha)
Everything works great most of the time. But randomly, upon restarting Keycloak on one server, keycloak will not be able to find the other instance.
We've called the servers keycloak01 and keycloak02. When the problem occurs, the flow goes something like this:
Keycloak01 running
Keycloak02 running
Restart keycloak02
Keycloak02 reports: no members discovered after 3003 ms: creating cluster as first member
Nothing in keycloak01 logs suggests it knows about keycloak02 anymore
At this point keycloak02 can never talk to keycloak01 until keycloak01 is restarted. After restarting keycloak01, everything is fine again.
Here are the keycloak01 logs when keycloak02 is restarting
<keycloak02 stopping>
2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t3) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t12) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,056 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01]
2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01]
2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01]
2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01]
2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:09:22,060 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01]
2019-09-11 15:09:22,060 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
<keycloak02 starting>
2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02]
2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster
2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02]
2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster
2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02]
2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster
On a problematic restart keycloak01 logs are as follows:
<keycloak02 stopping>
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:10:03,902 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:10:03,912 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01]
2019-09-11 15:10:03,913 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:10:03,913 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01]
2019-09-11 15:10:03,914 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:10:03,915 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01]
2019-09-11 15:10:03,915 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01]
2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01]
2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
<keycloak02 starting>
... no more logs will show up and keycloak02 reports no members
Notice the time between [Context=clientSessions] and [Context=client-mappings] is 20 seconds on this problematic restart vs the successful one.
Anyone have any ideas?
5 years, 4 months
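One way to check a restart like the one above mechanically, as an added example that is not from the post or from Keycloak: the Python below parses the Infinispan CLUSTER lines quoted above (copied from the post, with the repeated view/left lines trimmed to one pair each), measures how long the per-cache "Updating cache members list" messages for each topology id were spread over, and flags a topology whose updates were slow or that was never followed by a node joining. The 5-second threshold is an assumption.

```python
"""Parse Infinispan cluster log lines and flag a node restart that went wrong.
Added example, not Keycloak code. The log lines are copied from the post
(duplicate view/left lines trimmed); the 5-second threshold is an assumption.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO +"
    r"\[org\.infinispan\.CLUSTER\] \((?P<thread>[^)]*)\) "
    r"(?:\[Context=(?P<ctx>[^\]]+)\] )?(?P<code>ISPN\d{6}): (?P<msg>.*)$"
)
TOPOLOGY_RE = re.compile(r"topology id (\d+)$")

CODE_MEMBERS_UPDATED = "ISPN100008"   # per-cache "Updating cache members list"
CODE_NODE_JOINED = "ISPN100000"       # "Node X joined the cluster"


def parse_line(line):
    """Return ts/thread/ctx/code/msg for an org.infinispan.CLUSTER line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec


def analyse(lines, slow_after=timedelta(seconds=5)):
    """One report per topology id: which caches were updated, how long the
    updates were spread over, whether that exceeds slow_after, and whether
    any node joined after the last update (the restarted node came back)."""
    events = [r for r in (parse_line(l) for l in lines) if r]
    topologies = {}
    for rec in events:
        if rec["code"] != CODE_MEMBERS_UPDATED:
            continue
        tid = int(TOPOLOGY_RE.search(rec["msg"]).group(1))
        first, last, ctxs = topologies.get(tid, (rec["ts"], rec["ts"], []))
        topologies[tid] = (min(first, rec["ts"]), max(last, rec["ts"]), ctxs + [rec["ctx"]])

    reports = []
    for tid, (first, last, ctxs) in sorted(topologies.items()):
        spread = last - first
        rejoined = any(e["code"] == CODE_NODE_JOINED and e["ts"] > last for e in events)
        reports.append({
            "topology": tid,
            "caches": ctxs,
            "spread_s": spread.total_seconds(),
            "slow": spread >= slow_after,
            "rejoined": rejoined,
        })
    return reports


def suspicious(reports):
    """Topology ids worth investigating: slow member update, or no rejoin afterwards."""
    return [r["topology"] for r in reports if r["slow"] or not r["rejoined"]]


# Log lines copied from the post (keycloak01's view of a good restart of keycloak02).
HEALTHY_LOG = """\
2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t3) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t12) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 16
2019-09-11 15:09:22,056 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01]
2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02]
2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster
""".splitlines()

# Log lines copied from the post (the problematic restart: no join ever follows).
PROBLEM_LOG = """\
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:10:03,902 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 21
2019-09-11 15:10:03,912 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01]
2019-09-11 15:10:03,913 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster
""".splitlines()

if __name__ == "__main__":
    for name, log in (("healthy", HEALTHY_LOG), ("problem", PROBLEM_LOG)):
        print(name, suspicious(analyse(log)))
```

On the quoted lines the healthy restart reports topology 16 with a 4 ms spread and a later join, while the problematic one reports topology 21 with a spread of roughly 20 seconds (the client-mappings cache lagging the others, as the post notes) and no join afterwards, which is the pattern to grep for on keycloak01 when keycloak02 says it created the cluster as first member.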
Requesting permission by resource name from another resource server results in "Resource Doesn't exist"
by Or Harary
Hey,
When I'm logged in as a user (grant_type=password), and I'm trying to
request a permission ticket for a resource by its name, and I'm using the
token endpoint and grant type
"urn:ietf:params:oauth:grant-type:uma-ticket", everything works well.
But if I'm using a resource server token (from a login using
client_credentials), and I'm trying to request permissions for a resource
in another resource server, by the resource name, it results in the
following error:
{
error: 'invalid_resource',
error_description: 'Resource with id [my-resource-name] does not exist.'
}
When I'm requesting the resource with its ID, everything works as expected.
In version 3.4 it worked well. I now checked it in version 6.0.1 and
version 7.0.0 and it doesn't work and it seems to be because of this line:
https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a409...
Is this the expected behaviour or a bug?
Thanks in advance,
Or
5 years, 4 months
Re: [keycloak-user] Offline tokens - how to revoke a single token?
by Rivat Olivier
Best practice is to have an offline token per user per app.
In the realm settings, you can limit the number of refresh/offline tokens
(by default one, when this flag is activated).
It is also up to the user to manage/store the current token in use for
a specific app.
Like this, you only have a handful of refresh/offline tokens to deal
with (also one per device).
Regards,
Olivier
On 11/09/2019 at 11:18, Przemek Bielicki wrote:
> That would make sense for me if we could only have one offline token
> per user per client.
> If Keycloak allows to have multiple, why can't we revoke one by one? I
> assume it's just a missing feature.
>
> Przemek
>
> On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat(a)janua.fr>
> wrote:
>
> Well, OfflineTokens are jwt tokens. So they always exist in the
> context of a user and application.
> Hence a token is always tied to this tuple (user/client) context.
>
> Revoking single token implies to delete on a per user basis.
>
> Regards,
>
> Olivier
>
>
> On 11/09/2019 at 11:00, Przemek Bielicki wrote:
>> Hi,
>>
>> afaik it's only possible to revoke all for given user / client:
>> DELETE
>> http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consen...
>>
>> I could not find REST API do revoke single tokens. Does it exist?
>>
>> Cheers,
>> Przemek
>>
>> On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat(a)janua.fr>
>> wrote:
>>
>> Hi,
>>
>> Have a look at following blog. With the admin UI or Self
>> self-service
>> you easily revoke offLine Sessions.
>> http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/
>>
>> You should also be able to do it with REST API, but I haven't
>> had time
>> to describe it.
>>
>> Regards,
>> Olivier Rivat
>>
>>
>> On 11/09/2019 at 10:19, Przemek Bielicki wrote:
>> > Hi,
>> >
>> > is it possible to revoke single offline token? How?
>> > If not, do you consider adding such feature?
>> > If not, why? Is there any specific reason why it's not
>> possible to revoke
>> > offline tokens one by one?
>> >
>> > Thanks,
>> > Przemek Bielicki
5 years, 4 months
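Olivier's point that an offline token is a JWT tied to a (user, client) tuple, and Przemek's DELETE on the user's consents, put together as an added example that is neither Keycloak's code nor from the thread: read the token's `sub` and `azp` claims and derive the admin REST request that revokes the user's offline tokens for that client. The base URL, realm and identifiers are placeholders, and the sample token is constructed here with a dummy signature rather than issued by Keycloak.

```python
"""Read an offline token's claims and build the admin REST call that revokes it.
Added example, not Keycloak's own code. The base URL, realm and identifiers
are placeholders; the sample token is constructed here with a dummy
signature and is not a Keycloak-issued token.
"""
import base64
import json
from urllib.parse import quote


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature. That is
    acceptable here only because the claims locate a session to revoke and
    grant nothing; Keycloak verifies the signature whenever the token is used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def is_offline_token(claims: dict) -> bool:
    # Keycloak issues offline tokens as refresh tokens with typ=Offline;
    # an ordinary refresh token carries typ=Refresh.
    return claims.get("typ") == "Offline"


def revoke_consent_request(base_url: str, realm: str, claims: dict):
    """Admin REST call that revokes consent and every offline token the user
    (sub) holds for the client that requested it (azp). This is the
    user/client granularity the thread describes: there is no per-token
    endpoint, so every device using that client is logged out together."""
    if not is_offline_token(claims):
        raise ValueError("not an offline token")
    user_id = claims["sub"]
    client_id = claims["azp"]
    url = (f"{base_url}/admin/realms/{quote(realm, safe='')}/users/"
           f"{quote(user_id, safe='')}/consents/{quote(client_id, safe='')}")
    return "DELETE", url


def build_sample_token(claims: dict) -> str:
    """Constructed token for demonstration; real tokens are signed by the realm key."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url(b"not-a-real-signature"),
    ])


# Constructed claims mirroring the layout of a Keycloak offline token (placeholder values).
SAMPLE_CLAIMS = {
    "jti": "9f0c1b6e-0000-4000-8000-000000000001",
    "iss": "https://sso.example.com/auth/realms/demo",
    "aud": "https://sso.example.com/auth/realms/demo",
    "sub": "3c1d2e4f-0000-4000-8000-000000000002",
    "typ": "Offline",
    "azp": "my-app",
    "session_state": "7a8b9c0d-0000-4000-8000-000000000003",
    "scope": "offline_access",
}

if __name__ == "__main__":
    token = build_sample_token(SAMPLE_CLAIMS)
    print(revoke_consent_request("https://sso.example.com/auth", "demo", decode_claims(token)))
```

Send the returned request with an admin bearer token (an account holding manage-users on realm-management) in the Authorization header. It removes the user's offline sessions for that client as a whole, which is the per-user, per-client granularity Olivier and Przemek describe; if one offline token per device must be revocable on its own, the only lever the thread offers is registering a separate client per device.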