Keycloak and Microsoft ADFS
by Maurice Quaedackers
Hello all,
Does anybody have experience with the combination of Keycloak and a SAML2 Identity Provider running on Microsoft ADFS?
On both sides I am not able to import the metadata XML files.
- Within Keycloak, when I try to import the ADFS IdP metadata.xml, the message "import was successful" appears but no fields are filled in.
- Within ADFS, when I try to import the Keycloak SP metadata.xml, a message appears that the XML file is not in a valid format.
With kind regards,
Maurice Quaedackers
Planon Cloud Center
_____________________
Planon B.V.
Postbus 38074
6503 AB Nijmegen
Wijchenseweg 8
6537 TL Nijmegen
Nederland
T: +31 (0) 24 641 3135
F: +31 (0) 24 642 2942
E: maurice.quaedackers(a)planonsoftware.com
W: www.planonsoftware.com
This e-mail and all attachments are intended solely for use by the intended recipient. The e-mail may contain intellectual property and/or confidential information. It may not be copied, disclosed, retained or used by anyone other than those for whom it is intended. If you are not the intended recipient, delete this e-mail with all attachments and copies immediately and inform the sender.
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender.
9 years, 5 months
Update the user only with required fields
by Chamantha De Silva
Hi Team,
There are situations where we use the update-user REST API to update just one element of a user (e.g. enabled: false).
This requires a pre-fetched user object from the GET user call; otherwise the rest of the user information tends to be truncated after the update call.
Is there a possibility to update only specific elements of the user instead of sending the whole user object (the objective is to avoid the GET call right before the update call and the possible data truncation)? Your kind reply is highly appreciated.
Best regards,
Chamantha
9 years, 5 months
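The read-modify-write pattern the question describes, as an added example (not code from the thread or from the Keycloak project): fetch the full representation, apply only the changed fields, and PUT the merged object back. The admin REST paths `/admin/realms/{realm}/users/{id}` are Keycloak's; the base URL (which includes the `/auth` context path on releases of that era), realm, token and the in-memory user record are assumptions constructed for the offline demo.

```python
"""Read-modify-write update of a Keycloak user via the admin REST API.

Added example, not from the mailing list or the Keycloak project. The user
record, realm and URLs below are constructed for illustration.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List


def merge_user_update(current: Dict[str, Any], patch: Dict[str, Any]) -> Dict[str, Any]:
    """Return a full representation: the fetched user with only `patch` applied."""
    merged = dict(current)
    merged.update(patch)
    return merged


def lost_fields(current: Dict[str, Any], partial: Dict[str, Any]) -> List[str]:
    """Fields present on the server that a PUT of `partial` alone would drop.

    The admin API's PUT replaces the representation wholesale, so every key
    omitted from the body is reset; this is the truncation the question describes.
    """
    return sorted(k for k in current if k not in partial)


def update_user(fetch: Callable[[str], Dict[str, Any]],
                put: Callable[[str, Dict[str, Any]], None],
                user_id: str, patch: Dict[str, Any]) -> Dict[str, Any]:
    """GET the user, merge the patch, PUT the complete object back."""
    current = fetch(user_id)
    merged = merge_user_update(current, patch)
    put(user_id, merged)
    return merged


def keycloak_http_client(base_url: str, realm: str, access_token: str):
    """Real transport (urllib) for GET/PUT /admin/realms/{realm}/users/{id}.

    base_url is e.g. "https://sso.example.test/auth" (assumed host); the
    bearer token comes from a prior admin login and is not shown here.
    """
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}

    def url(uid: str) -> str:
        return f"{base_url}/admin/realms/{realm}/users/{uid}"

    def fetch(uid: str) -> Dict[str, Any]:
        with urllib.request.urlopen(urllib.request.Request(url(uid), headers=headers)) as resp:
            return json.load(resp)

    def put(uid: str, rep: Dict[str, Any]) -> None:
        req = urllib.request.Request(url(uid), data=json.dumps(rep).encode(),
                                     headers=headers, method="PUT")
        with urllib.request.urlopen(req) as resp:
            resp.read()

    return fetch, put


# Constructed in-memory stand-in for the server, used for the offline demo.
FAKE_USERS: Dict[str, Dict[str, Any]] = {
    "u-1": {"id": "u-1", "username": "alice", "email": "alice@example.test",
            "firstName": "Alice", "enabled": True, "attributes": {"dept": ["ops"]}},
}


def fake_fetch(uid: str) -> Dict[str, Any]:
    return dict(FAKE_USERS[uid])


def fake_put(uid: str, rep: Dict[str, Any]) -> None:
    FAKE_USERS[uid] = dict(rep)


if __name__ == "__main__":
    print("fields a bare {'enabled': False} PUT would drop:",
          lost_fields(fake_fetch("u-1"), {"enabled": False}))
    print("after read-modify-write:", update_user(fake_fetch, fake_put, "u-1", {"enabled": False}))
```

Swapping `fake_fetch`/`fake_put` for the pair returned by `keycloak_http_client` runs the same logic against a live server; the merge stays identical, so the only way a field can be lost is a concurrent change between the GET and the PUT.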
Login problems in cluster mode with keycloak 1.2.0.Final
by Roman Usatenko
Hello,
I have an HA setup of keycloak 1.2.0.Final: two instances in a cluster behind a
load balancer. Sometimes (not every time) I cannot log in and see this
exception in the log file on one of the boxes.
Is this a known issue, or did I do something wrong?
Thank you,
Roman Usatenko.
=====================================================================================
2015-07-02 23:42:24,811 ERROR [io.undertow.request] (default task-15)
UT005023: Exception handling request to
/realms/master/login-actions/request/login: java.lang.RuntimeException:
request path: /realms/master/login-actions/request/login
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
[keycloak-services-1.2.0.Final.jar:1.2.0.Final]
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:166)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
[undertow-core-1.1.0.Final.jar:1.1.0.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_79]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_79]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_79]
Caused by: org.jboss.resteasy.spi.UnhandledException:
org.infinispan.commons.CacheException: java.lang.RuntimeException: Failure
to marshal argument(s)
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
[resteasy-jaxrs-3.0.10.Final.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
[jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
[keycloak-services-1.2.0.Final.jar:1.2.0.Final]
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
[undertow-servlet-1.1.0.Final.jar:1.1.0.Final]
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
[keycloak-services-1.2.0.Final.jar:1.2.0.Final]
... 28 more
Caused by: org.infinispan.commons.CacheException:
java.lang.RuntimeException: Failure to marshal argument(s)
at
org.infinispan.commons.util.Util.rewrapAsCacheException(Util.java:581)
at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:141)
at
org.infinispan.remoting.transport.jgroups.JGroupsTransport.invokeRemotely(JGroupsTransport.java:524)
at
org.infinispan.remoting.rpc.RpcManagerImpl.invokeRemotely(RpcManagerImpl.java:281)
at
org.infinispan.interceptors.distribution.BaseDistributionInterceptor.invokeClusterGetCommandRemotely(BaseDistributionInterceptor.java:130)
at
org.infinispan.interceptors.distribution.BaseDistributionInterceptor.retrieveFromRemoteSource(BaseDistributionInterceptor.java:118)
at
org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.remoteGetCacheEntry(NonTxDistributionInterceptor.java:161)
at
org.infinispan.interceptors.distribution.NonTxDistributionInterceptor.visitGetKeyValueCommand(NonTxDistributionInterceptor.java:48)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
at
org.infinispan.interceptors.EntryWrappingInterceptor.visitGetKeyValueCommand(EntryWrappingInterceptor.java:116)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
at
org.infinispan.interceptors.locking.NonTransactionalLockingInterceptor.visitGetKeyValueCommand(NonTransactionalLockingInterceptor.java:32)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
at
org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112)
at
org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
at
org.infinispan.interceptors.base.CommandInterceptor.handleDefault(CommandInterceptor.java:112)
at
org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
at
org.infinispan.statetransfer.StateTransferInterceptor.handleTopologyAffectedCommand(StateTransferInterceptor.java:263)
at
org.infinispan.statetransfer.StateTransferInterceptor.handleDefault(StateTransferInterceptor.java:247)
at
org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
at
org.infinispan.interceptors.CacheMgmtInterceptor.visitGetKeyValueCommand(CacheMgmtInterceptor.java:92)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:98)
at
org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:110)
at
org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:73)
at
org.infinispan.commands.AbstractVisitor.visitGetKeyValueCommand(AbstractVisitor.java:74)
at
org.infinispan.commands.read.GetKeyValueCommand.acceptVisitor(GetKeyValueCommand.java:40)
at
org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:333)
at org.infinispan.CacheImpl.get(CacheImpl.java:377)
at org.infinispan.CacheImpl.get(CacheImpl.java:369)
at
org.infinispan.AbstractDelegatingCache.get(AbstractDelegatingCache.java:271)
at
org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserLoginFailure(InfinispanUserSessionProvider.java:283)
[keycloak-model-sessions-infinispan-1.2.0.Final.jar:1.2.0.Final]
at
org.keycloak.services.managers.BruteForceProtector.isTemporarilyDisabled(BruteForceProtector.java:241)
[keycloak-services-1.2.0.Final.jar:1.2.0.Final]
at
org.keycloak.services.managers.AuthenticationManager.authenticateForm(AuthenticationManager.java:587)
[keycloak-services-1.2.0.Final.jar:1.2.0.Final]
at
org.keycloak.services.resources.LoginActionsService.processLogin(LoginActionsService.java:345)
[keycloak-services-1.2.0.Final.jar:1.2.0.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[rt.jar:1.7.0_79]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
[rt.jar:1.7.0_79]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.7.0_79]
at java.lang.reflect.Method.invoke(Method.java:606)
[rt.jar:1.7.0_79]
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
[resteasy-jaxrs-3.0.10.Final.jar:]
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
[resteasy-jaxrs-3.0.10.Final.jar:]
... 39 more
Caused by: java.lang.RuntimeException: Failure to marshal argument(s)
at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.marshallCall(CommandAwareRpcDispatcher.java:333)
at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.processCalls(CommandAwareRpcDispatcher.java:407)
at
org.infinispan.remoting.transport.jgroups.CommandAwareRpcDispatcher.invokeRemoteCommands(CommandAwareRpcDispatcher.java:132)
... 91 more
Caused by: org.infinispan.commons.marshall.NotSerializableException:
org.keycloak.models.sessions.infinispan.entities.LoginFailureKey
Caused by: an exception which occurred:
in object
org.keycloak.models.sessions.infinispan.entities.LoginFailureKey@a1289374
in object
org.infinispan.commands.remote.ClusteredGetCommand@a1289374
=====================================================================================
9 years, 5 months
keycloak 1.3.1 OpenID Connect token introspection url
by Niels Bertram
Hi there,
I am trying to configure a server-side (RP) client which requires a JWT
introspection URL on the OP. I tried to find such an endpoint on the KeyCloak
server to no avail, nor did I actually find any URL of type
"introspect" in the OpenID Connect specification.
Does anyone know if/how an OAuth2 client can validate a JWT token via a back
channel with the KeyCloak server?
The client I am trying to configure is the MITREid client as per
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki...
Looking at the code, the client will issue a post to the introspection
endpoint with some form data:
POST /auth/realms/myrealm/protocol/openid-connect/introspect HTTP/1.1
Host: localhost:8080
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
client_id=myapp&client_secret=mysupersecret&token=eyJhbGciO[truncated but valid access token]
Any pointers are much appreciated.
Kind Regards,
Niels
9 years, 5 months
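The back-channel validation the question is after is OAuth 2.0 token introspection (RFC 7662). As an added example (not from the thread, not MITREid or Keycloak code), this models both sides of the exchange: the client builds the same form-encoded POST body shown above, and a minimal introspection endpoint authenticates the client, looks the token up, and answers `{"active": false}` for anything it cannot vouch for. Client ids, secrets, tokens and the fixed clock are constructed for the demo.

```python
"""OAuth 2.0 token introspection (RFC 7662) exchange, both sides.

Added example, not from the thread or from Keycloak/MITREid. The client
registry, token store and clock are constructed for an offline demo.
"""
import hmac
import urllib.parse
from typing import Any, Dict, Tuple


# --- client side: the request body exactly as in the captured POST ---------
def build_introspection_request(client_id: str, client_secret: str,
                                token: str) -> Tuple[Dict[str, str], str]:
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret, "token": token})
    return headers, body


# --- server side -----------------------------------------------------------
# Constructed registry of confidential clients allowed to call the endpoint.
CLIENTS = {"myapp": "mysupersecret"}
# Constructed token store: token -> claims recorded when it was issued.
NOW = 1_435_882_000  # fixed clock so the demo is deterministic
TOKENS = {
    "tok-live": {"sub": "alice", "client_id": "myapp", "scope": "openid profile", "exp": NOW + 300},
    "tok-expired": {"sub": "bob", "client_id": "myapp", "scope": "openid", "exp": NOW - 1},
}


def introspect(body: str, now: int = NOW) -> Tuple[int, Dict[str, Any]]:
    """Handle one introspection POST body; return (http_status, json_response)."""
    form = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    client_id = form.get("client_id", "")
    expected = CLIENTS.get(client_id)
    # RFC 7662 section 2.1: the endpoint must authenticate its caller, or it
    # becomes an oracle for guessing tokens. Compare secrets in constant time.
    if expected is None or not hmac.compare_digest(expected, form.get("client_secret", "")):
        return 401, {"error": "invalid_client"}
    claims = TOKENS.get(form.get("token", ""))
    # RFC 7662 section 2.2: unknown, revoked and expired tokens all get the
    # same minimal answer so the caller learns nothing about why.
    if claims is None or claims["exp"] <= now:
        return 200, {"active": False}
    return 200, {"active": True, **claims}


def validate_token_via_backchannel(client_id: str, client_secret: str,
                                   token: str, now: int = NOW) -> bool:
    """What the RP does: accept the token only on a 200 with active == true."""
    _headers, body = build_introspection_request(client_id, client_secret, token)
    status, resp = introspect(body, now)
    return status == 200 and resp.get("active") is True


if __name__ == "__main__":
    for tok in ("tok-live", "tok-expired", "tok-unknown"):
        print(tok, "->", validate_token_via_backchannel("myapp", "mysupersecret", tok))
```

The RP should treat anything other than a 200 with `active: true` as a rejected token; in particular a 401 means the RP's own credentials are wrong, not that the user's token is bad, and is worth alerting on separately.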
problem with keycloak on openshift
by Paolo Antinori
Hi guys, I have deployed an instance of Keycloak on OpenShift
following the steps described here:
https://github.com/keycloak/openshift-keycloak-cartridge
The operation apparently went OK and I was able to log in to the
instance and see the KC administrative interface.
The problem is that after a while, I am no longer able to log in to the
instance, not even if I restart it.
This is the error I see when trying:
Bad Request
Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.
X-Forwarded-Host
/n
And I get that with both Firefox and Chromium on Linux.
This is from curl:
$ curl -L -v https://kc-paolo.rhcloud.com/
* Trying 54.89.206.14...
* Connected to kc-paolo.rhcloud.com (54.89.206.14) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate:
* subject: CN=*.rhcloud.com,O=Red Hat Inc.,L=Raleigh,ST=North Carolina,C=US
* start date: Apr 07 00:00:00 2015 GMT
* expire date: Apr 11 12:00:00 2018 GMT
* common name: *.rhcloud.com
* issuer: CN=DigiCert SHA2 High Assurance Server
CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.40.0
> Host: kc-paolo.rhcloud.com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Date: Wed, 01 Jul 2015 08:06:46 GMT
< Server: Apache/2.2.15 (Red Hat)
< Content-Length: 392
< Content-Type: text/html; charset=iso-8859-1
< Connection: close
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
X-Forwarded-Host
</pre>/n</p>
<hr>
<address>Apache/2.2.15 (Red Hat) Server at localhost Port 80</address>
</body></html>
* Closing connection 0
Any idea what's wrong?
Thank you,
Paolo
9 years, 6 months
User Registration using UserFederationProvider
by Greg Jones
Hi Team,
We are implementing Keycloak as an SSO Server, linked to our existing back-end that is currently responsible for maintaining user registration details. We have developed a UserFederationProvider and are able to login correctly and add our existing authentication token to the JSON Web Token.
The next step was to use the back-end server for user registrations and this is where we are having problems.
We have added the desired fields to registration.ftl for our chosen theme and have verified that these fields are being added as attributes. We have the problem that the federation provider’s register(RealmModel realm, UserModel user) method is called before any fields (other than username) are populated from the registration form (See LoginActionsService.java - line 625) and we cannot register the user without these fields being populated.
For our demo to the team, we have found a work-around, whereby we have created an EventListenerProvider that handles the REGISTER event, and performs the user registration at that point. This works since we have all of the information we need by then.
Clearly, Keycloak is expecting to be the primary holder for information collected during the registration process but there are several issues with the way it currently works:
1. There is no way to add validation for any extra fields that are added to the registration page, or to change the validation rules for existing fields on that page. It would be useful to have a Validation SPI for modules to be able to provide their own validation.
2. As mentioned, the federation provider’s register method is called before the additional fields are added to the UserModel.
3. There is no way for the federation provider’s register method to report an error during registration, e.g. a comms error or missing data. Any exception thrown during this call results in a blank page showing “Internal Server Error”.
I am hoping for some guidance here, on whether we have chosen the correct approach to user registration or whether we should be doing it differently.
Thanks in advance,
Greg Jones
9 years, 6 months
Importing an Application (Client) into an Existing Realm
by Lohitha Chiranjeewa
Hi,
We get the need to create applications (clients) from time to time in our
already existing realm. Since these clients have to be created in all the
environments (dev, QA, staging, production) we'd like it to be (partly)
automated rather than creating them through Admin console in each
environment.
We've seen an 'Import Client' option in the Clients section of the Admin
console, but are not sure how to create the initial client so that it can be
imported. The only import type is 'SAML 2.0 Entity Descriptor', which we
aren't sure about either. Can someone point out how we should proceed to
build the initial client here?
Also, if there is an option to update the existing realm with the 'Export
Realm' facility, that would do as well. However, that's not possible, I
suppose?
Regards,
Lohitha.
9 years, 6 months
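Both the ADFS thread at the top of this page (metadata that "imports" with empty fields, or is rejected as invalid) and this question turn on what a SAML 2.0 EntityDescriptor has to contain. As an added example (not from either thread, and not Keycloak or ADFS code), this check parses a metadata file the way an importer would and reports the entityID, the SP or IdP role found, its endpoints, NameID formats and signing certificates, plus anything missing, so you know before importing whether the file is well-formed and which elements the other side will see. The sample SP metadata, entity id, URLs and certificate placeholder are constructed.

```python
"""Sanity-check a SAML 2.0 EntityDescriptor before importing it as a client or IdP.

Added example, not from the mailing list and not Keycloak or ADFS code.
The sample metadata below is constructed for the demo.
"""
import xml.etree.ElementTree as ET
from typing import Any, Dict

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed minimal SP metadata of the kind 'Import Client' expects.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _role_info(role: ET.Element, endpoint: str, report: Dict[str, Any]) -> Dict[str, Any]:
    """Collect endpoints, NameID formats and signing certs of one role descriptor."""
    name = endpoint.split(":")[-1]
    info: Dict[str, Any] = {"endpoints": [], "signing_certs": 0, "nameid_formats": []}
    for ep in role.findall(endpoint, NS):
        loc = ep.get("Location", "")
        if not loc.startswith("https://"):
            report["problems"].append(f"{name} Location is not https: {loc or '(empty)'}")
        info["endpoints"].append((ep.get("Binding"), loc))
    if not info["endpoints"]:
        report["problems"].append(f"no {name} endpoint")
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing" and kd.findall(".//ds:X509Certificate", NS):
            info["signing_certs"] += 1
    if info["signing_certs"] == 0:
        report["problems"].append("no signing certificate: signed messages from this party cannot be verified")
    info["nameid_formats"] = [n.text for n in role.findall("md:NameIDFormat", NS)]
    return info


def summarize_metadata(xml_text: str) -> Dict[str, Any]:
    """Parse metadata as an importer would; return the fields it needs and any problems."""
    report: Dict[str, Any] = {"entity_id": None, "roles": {}, "other_roles": [], "problems": []}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        report["problems"].append(f"not well-formed XML: {exc}")
        return report
    md = "{%s}" % NS["md"]
    if root.tag == md + "EntitiesDescriptor":  # a wrapper around several entities
        entities = root.findall("md:EntityDescriptor", NS)
        if len(entities) != 1:
            report["problems"].append(f"expected one EntityDescriptor, found {len(entities)}")
            return report
        root = entities[0]
    if root.tag != md + "EntityDescriptor":
        report["problems"].append(f"root element is {root.tag}, not md:EntityDescriptor")
        return report
    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        report["problems"].append("entityID attribute missing")
    for child in root:
        if child.tag == md + "SPSSODescriptor":
            report["roles"]["SP"] = _role_info(child, "md:AssertionConsumerService", report)
        elif child.tag == md + "IDPSSODescriptor":
            report["roles"]["IdP"] = _role_info(child, "md:SingleSignOnService", report)
        elif child.tag.endswith("Descriptor"):
            # Other role descriptors (e.g. non-SAML ones) are listed so you know
            # what a SAML-only importer will silently skip.
            report["other_roles"].append(child.tag.split("}")[-1])
    if not report["roles"]:
        report["problems"].append("no SPSSODescriptor or IDPSSODescriptor found")
    return report


if __name__ == "__main__":
    for key, value in summarize_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Note that `xml.etree` does not verify an enveloped `ds:Signature`; this check tells you what the file declares, not that it is authentic, so metadata fetched from a federation partner still needs its signature verified or a trusted out-of-band copy.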