Refresh token - should it expire?
by Juraci Paixão Kröhling
Hello,
I'm building a secret store application that will sit in front of
Hawkular and will be responsible for replacing API keys into actual
Keycloak authentication data.
Based on the suggestions from Stian, the current code does the following:
- User logs in Hawkular via Keycloak
- Once the user wants to create a new application key/secret, the user is redirected to /secret-store/tokens/create , which takes the KC authentication data and stores the refresh_token into the database, creating a new key/secret
- User configures an external application (like a monitoring agent in a server), adding this key/secret to its configuration
- The agent makes a call to the Hawkular backend, sending this key/secret
- An undertow filter gets this key/secret from the request, fetches the refresh_token from the database, gets a bearer token from Keycloak based on this refresh_token and sets it to the request's context (ie: replacing the Authorization header)
- Keycloak uses this bearer token to perform what it needs to do
- Request reaches the Hawkular backend
It all works, but the session from the *user* (second step) eventually
expires, causing the refresh_token to be invalid[1].
So, the question is whether this token is indeed supposed to be
attached to a user session, or if it's a bug. If the behavior I'm
seeing is the correct one, what could be a proper way to store a token
so that it can be replaced at a later time?
1 - http://git.io/vLAtF
Best,
Juca.
9 years, 2 months
Different token timeouts for clients under the same realm
by robinfernandes
Hi All,
Is there a possibility where we can set different token timeouts for
clients under the same realm?
The use case why we are trying to achieve this is basically we have 2
applications which require 2 different timeout settings.
We want the web client timeouts to be short since there would be human
intervention there always, however we want our Agent timeouts to be very
large since there might not be anyone to log into it again.
Using Keycloak we have seen that the timeout settings can be applied only
at the realm level though, which forces us to have each application in a
different realm.
Can we have the timeout settings at the client(application) level rather
than the realm level so that we can put both the applications in the same
realm?
Thanks & Regards,
Robin
9 years, 3 months
Query regarding import multiple realms through single json file
by Nangunoori, Srinivas
Hi Experts,
I am trying to import multiple realms' info through a single JSON file using the following command; here pass.json has multiple realm info. But only the last realm is getting imported in Keycloak.
bin/standalone.sh -c standalone-ha.xml -b=<server name> -bmanagement=<server name> -Djboss.node.name=<server name> -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=paas.json
The JSON has this info:
[
{
"realm" : "Test1",
-----
},
{
"realm" : "Test2",
-----
}
]
In this case, always "Test2" is getting imported not the "Test1".
Regards,
Srini
9 years, 4 months
UserFederation - post process steps
by Kevin Hirschmann
Hello,
I am using the LDAP Federation Provider to sync users from an AD server to Keycloak (unidirectional AD => Keycloak).
For every newly imported user I want to auto-add one keycloak role. What is the recommended way to implement this?
Should I write a second Provider/ ProviderFactory and do a second sync run ?
Subclassing LDAPFederationProviderFactory doesn't have the desired result, since the administration doesn't show the ldap properties.
I can only assume, that there is some special treatment for the LDAPFederationProviderFactory (the buttons to check the connection indicate that).
Kind regards
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
9 years, 4 months
javax.persistence.PessimisticLockException: could not extract ResultSet
by Bhanu Kiran
Hi team,
I am implementing own user federation.
As part of this implementing my class is UserFederationProvider.
1. In method:
public UserModel getUserByUsername(RealmModel realm, String username) {
    // Own code which authenticates the user in the DB goes here
    // Returning the user model
    UserModel userModel = session.userStorage().addUser(realm, username);
    userModel.setEnabled(true);
    userModel.setFederationLink(model.getId());
    return userModel;
}
2. The exception below is generated after the UserModel is returned.
Please let me know if i missed anything.
============================================================================
11:22:01,438 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-10) SQL Error: 50200, SQLState: HYT00
11:22:01,439 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-10) Timeout trying to lock table "USER_ENTITY"; SQL statement:
select userentity0_.ID as ID1_47_, userentity0_.CREATED_TIMESTAMP as CREATED_2_47_, userentity0_.EMAIL as EMAIL3_47_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_47_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_47_, userentity0_.ENABLED as ENABLED6_47_, userentity0_.federation_link as federati7_47_, userentity0_.FIRST_NAME as FIRST_NA8_47_, userentity0_.LAST_NAME as LAST_NAM9_47_, userentity0_.REALM_ID as REALM_I10_47_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_47_, userentity0_.TOTP as TOTP12_47_, userentity0_.USERNAME as USERNAM13_47_ from USER_ENTITY userentity0_ where userentity0_.ID=? and userentity0_.REALM_ID=? [50200-173]
11:22:01,442 ERROR [org.keycloak.authentication.AuthenticationProcessor] (default task-10) failed authentication: javax.persistence.PessimisticLockException: could not extract ResultSet
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.wrapLockException(AbstractEntityManagerImpl.java:1831)
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1720)
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1677)
	at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:458)
	at org.keycloak.models.jpa.JpaUserProvider.getUserById(JpaUserProvider.java:228)
	at org.keycloak.models.cache.DefaultCacheUserProvider.getUserById(DefaultCacheUserProvider.java:132)
	at org.keycloak.models.UserFederationManager.deleteInvalidUser(UserFederationManager.java:111)
	at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:134)
	at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:162)
	at org.keycloak.models.sessions.mem.ClientSessionAdapter.getAuthenticatedUser(ClientSessionAdapter.java:192)
	at org.keycloak.authentication.AuthenticationProcessor$Result.getUser(AuthenticationProcessor.java:301)
	at org.keycloak.authentication.authenticators.browser.AbstractFormAuthenticator.validatePassword(AbstractFormAuthenticator.java:176)
	at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:46)
	at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:39)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:59)
	at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:54)
	at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:533)
	at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:306)
	at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:287)
	at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:333)
Caused by: org.hibernate.PessimisticLockException: could not extract ResultSet
Caused by: org.h2.jdbc.JdbcSQLException: Timeout trying to lock table "USER_ENTITY"; SQL statement:
select userentity0_.ID as ID1_47_, userentity0_.CREATED_TIMESTAMP as CREATED_2_47_, userentity0_.EMAIL as EMAIL3_47_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_47_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_47_, userentity0_.ENABLED as ENABLED6_47_, userentity0_.federation_link as federati7_47_, userentity0_.FIRST_NAME as FIRST_NA8_47_, userentity0_.LAST_NAME as LAST_NAM9_47_, userentity0_.REALM_ID as REALM_I10_47_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_47_, userentity0_.TOTP as TOTP12_47_, userentity0_.USERNAME as USERNAM13_47_ from USER_ENTITY userentity0_ where userentity0_.ID=? and userentity0_.REALM_ID=? [50200-173]
==========================================================================================
9 years, 4 months
Fwd: Native Android/iOS Keycloak Login
by Nino Nano
Hi, I am a newbie in Keycloak. I read that Keycloak is very customizable; I
would like to know if I can code an Android/iOS application to log in to
Keycloak. The problem is that the examples I found always use a browser
to input the user credentials.
Is there a way to use some Keycloak API to code a web service that
receives [username, password] and retrieves Keycloak user data
information (i.e. roles, etc.)?
!!Thanks for any help!!
9 years, 4 months
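The two token-endpoint flows raised on this page, the secret-store filter that swaps an agent's API key for a bearer token through a stored refresh token (the first thread) and a backend that logs a native app in without a browser (this thread), as an added Python example that is not code from either poster or from Keycloak. It talks to Keycloak's token endpoint (/realms/<realm>/protocol/openid-connect/token) through an injectable transport; TOKEN_URL, fake_keycloak, STORE and every credential in it are constructed stand-ins, and the password grant assumes the client has direct access grants enabled.

```python
import base64
import json
from typing import Callable, Dict, Optional, Tuple

# Assumed values, not taken from the list posts: Keycloak base URL and realm name.
TOKEN_URL = "https://keycloak.example.internal/auth/realms/hawkular/protocol/openid-connect/token"
# A transport posts a form to the token endpoint and returns (HTTP status, JSON body).
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


def refresh_for_api_key(api_key: str, store: Dict[str, dict], post: Transport) -> Optional[str]:
    """Secret-store filter step: swap an agent's API key for a bearer token.
    Returns None when the stored refresh token no longer works, which is what
    happens once the user session it is bound to has expired."""
    entry = store.get(api_key)
    if entry is None or entry.get("revoked"):
        return None  # unknown or dead key: let the request fail as unauthenticated
    status, body = post(TOKEN_URL, {
        "grant_type": "refresh_token", "client_id": entry["client_id"],
        "client_secret": entry["client_secret"], "refresh_token": entry["refresh_token"]})
    if status != 200:
        if body.get("error") == "invalid_grant":
            entry["revoked"] = True  # session gone: stop retrying with this key
        return None
    entry["refresh_token"] = body["refresh_token"]  # Keycloak rotates it; keep the newest
    return body["access_token"]


def direct_grant(username: str, password: str, client_id: str, post: Transport) -> Optional[str]:
    """Resource Owner Password grant: a backend service forwards credentials
    collected by a native app straight to Keycloak, no browser involved."""
    status, body = post(TOKEN_URL, {"grant_type": "password", "client_id": client_id,
                                    "username": username, "password": password})
    return body.get("access_token") if status == 200 else None


def roles_from_access_token(token: str) -> Dict[str, list]:
    """Read realm and client roles from the access token's JWT payload. The token
    came straight from Keycloak over TLS, so it is only decoded here; a resource
    server that receives it from a client must verify the signature first."""
    seg = token.split(".")[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    roles = {"realm": payload.get("realm_access", {}).get("roles", [])}
    for client, access in payload.get("resource_access", {}).items():
        roles[client] = access.get("roles", [])
    return roles


# ---- constructed stand-in for Keycloak so the example runs offline ----
def _unsigned_jwt(payload: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."  # no signature: test data only


def fake_keycloak(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
    if form["grant_type"] == "refresh_token":
        if not form["refresh_token"].startswith("rt-live"):  # bound user session expired
            return 400, {"error": "invalid_grant", "error_description": "Session not active"}
        return 200, {"access_token": _unsigned_jwt({"sub": "agent"}),
                     "refresh_token": form["refresh_token"] + "+"}
    if form["grant_type"] == "password" and form["password"] == "correct-horse":
        return 200, {"access_token": _unsigned_jwt({"realm_access": {"roles": ["user"]},
            "resource_access": {"hawkular": {"roles": ["metrics-read"]}}})}
    return 401, {"error": "invalid_grant"}


STORE = {  # constructed secret-store rows: API key -> stored refresh token
    "key-1": {"client_id": "secret-store", "client_secret": "s3", "refresh_token": "rt-live-1"},
    "key-2": {"client_id": "secret-store", "client_secret": "s3", "refresh_token": "rt-stale"},
}
```

The invalid_grant branch is the failure the first thread describes: the refresh token dies with the user session it was issued under, so the filter marks the key revoked instead of retrying.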
custom persistence.xml
by Kevin Hirschmann
Hello,
the docs state: unitName -Allow you to specify name of persistence unit if
you want to provide your own persistence.xml file for JPA configuration.
Where do I have to put my own persistence.xml file so that it is picked up
by keycloak?
Kind regards
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
9 years, 4 months
Refill custom attributes in registration template
by Klemen Ferjančič
Hi
Sorry if this is a duplicate, seems like last email was lost in moderation.
I can't seem to customize the keycloak registration page with
custom attributes that would refill upon failure. Regular fields have
the value set like: value="${(register.formData.email!'')?html}" so I
tried the same approach for the custom fields. I tried:
value="${(register.formData.user.attributes.mobile!'')?html}"
value="${((user.attributes.mobile)!'')?html}"
value="${(user.attributes.mobile)!''}"
...and probably 10 other combinations, but nothing works. I also did not
find anything in the documentation. What is the correct value expression
that would refill custom attributes upon POST failure?
Best regards, cen
9 years, 4 months
Issue with multi tenancy
by Satyajit Das
> Hi Team,
>
> I have configured PathBasedKeycloakConfigResolver in my package:
> com.demo.util.
>
> The context param has been set on web.xml
> <context-param>
>   <param-name>keycloak.config.resolver</param-name>
>   <param-value>org.keycloak.example.PathBasedKeycloakConfigResolver</param-value>
> </context-param>
>
> I deployed the application on Tomcat. I have registered the context.xml in
> meta-inf with the required adapter.
>
> Tomcat lib directory has all the required keycloak jar files.
>
> But PathBasedKeycloakConfigResolver never gets called on any request to
> the URL.
> One strange thing I find is that in Eclipse, if I remove the Maven dependency
> from the deployment assembly (right click on project -> Properties -> Deployment
> Assembly) it works, but if I put it back it fails. The Maven dependency is a
> must.
>
After debugging String configResolverClass =
context.getServletContext().getInitParameter("keycloak.config.resolver");
in the AbstractKeycloakAuthenticatorValve class, I got the following error
when PathBasedKeycloakConfigResolver is being instantiated:
java.lang.ClassCastException:
org.keycloak.example.PathBasedKeycloakConfigResolver cannot be cast to
org.keycloak.adapters.KeycloakConfigResolver
But PathBasedKeycloakConfigResolver implements
org.keycloak.adapters.KeycloakConfigResolver.
Regards,
Satya.
9 years, 4 months