Keycloak 1.4.0.Final - new schema (defined in file keycloak-server.json)
by Emil Posmyk
Hi all
I did upgrade from keycloak 1.1.0.Final to 1.4.0.Final, but I had some
issue.
When I tried to add "schema": "security" in section "connectionsJpa" to
file keycloak-server.json and run first time server to create everything on
database. I recived an error related with liquibase, "REALM" etc.
Second time i solved it becouse I created default schema and after it I
changed to schema "security" manually on database and later in file
keycloak-server.json.
It is possible to change the schema without changing manually schema on
database ?
*thanks*
*--*
*Emil Posmyk*
9 years, 4 months
WG: AW: AW: multi tenant configuration with 1.3.1?
by Hipfinger Martin (BCC.ÖBB.TicketShop.MA)
In our current setup, each tenant is using several realms. Each tenant is using it’s own database. This setup fits exactly to our needs. However, we’d need 1.3.1 features, so I’m searching for the best fitting new setup.
@ multi-tenancy example: after following the steps mentioned in the example, I see the urls configured in the “tenant-realm”
[cid:image001.png@01D0C52C.EADCB4B0]
The url of the client-id multi-tenant brings 404
The url of the client-id security-admin-console and account brings the login page, but the user user-tenant1 cannot login (we’re sorry – no access)
-----Ursprüngliche Nachricht-----
Von: Stian Thorgersen [mailto:stian@redhat.com]
Gesendet: Mittwoch, 22. Juli 2015 13:46
An: Hipfinger Martin (BCC.ÖBB.TicketShop.MA)
Betreff: Re: AW: AW: [keycloak-user] multi tenant configuration with 1.3.1?
Yes, multi-tenancy is based on realms. Why would we need two levels of multi-tenancy?
I'd need more info about what your problem is to be able to help you out with the multi-tenancy example
----- Original Message -----
> From: "Hipfinger Martin (BCC.ÖBB.TicketShop.MA)"
> <Martin.Hipfinger(a)oebb.at<mailto:Martin.Hipfinger@oebb.at>>
> To: "Stian Thorgersen" <stian(a)redhat.com<mailto:stian@redhat.com>>
> Sent: Wednesday, 22 July, 2015 1:41:05 PM
> Subject: AW: AW: [keycloak-user] multi tenant configuration with 1.3.1?
>
> But i don't understand the multi tenancy concept then - is it based
> just on realms? However, I couldn't get this example working either
> https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>
> -----Ursprüngliche Nachricht-----
> Von: Stian Thorgersen [mailto:stian@redhat.com]
> Gesendet: Mittwoch, 22. Juli 2015 13:34
> An: Hipfinger Martin (BCC.ÖBB.TicketShop.MA)
> Betreff: Re: AW: [keycloak-user] multi tenant configuration with 1.3.1?
>
> Ah, sorry thought you where talking about providers. We don't support
> overlays and really never have, it was an experimental feature. You
> should configure Keycloak through standalone/configuration/keycloak-server.json.
>
> ----- Original Message -----
> > From: "Hipfinger Martin (BCC.ÖBB.TicketShop.MA)"
> > <Martin.Hipfinger(a)oebb.at<mailto:Martin.Hipfinger@oebb.at>>
> > To: "Stian Thorgersen" <stian(a)redhat.com<mailto:stian@redhat.com>>
> > Sent: Wednesday, 22 July, 2015 1:30:12 PM
> > Subject: AW: [keycloak-user] multi tenant configuration with 1.3.1?
> >
> > Hi,
> >
> > i've already done that for sure - but cannot see the necessary
> > steps; would you please be so kind and point me to the right direction?
> >
> > br,
> > Martin
> >
> > -----Ursprüngliche Nachricht-----
> > Von: Stian Thorgersen [mailto:stian@redhat.com]
> > Gesendet: Mittwoch, 22. Juli 2015 13:23
> > An: Hipfinger Martin (BCC.ÖBB.TicketShop.MA)
> > Cc: keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> > Betreff: Re: [keycloak-user] multi tenant configuration with 1.3.1?
> >
> > Read the manual:
> > http://keycloak.github.io/docs/userguide/html/Migration_from_older_v
> > er
> > sions.html#d4e3319
> >
> > ----- Original Message -----
> > > From: "Hipfinger Martin (BCC.ÖBB.TicketShop.MA)"
> > > <Martin.Hipfinger(a)oebb.at<mailto:Martin.Hipfinger@oebb.at>>
> > > To: keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> > > Sent: Wednesday, 22 July, 2015 1:07:54 PM
> > > Subject: [keycloak-user] multi tenant configuration with 1.3.1?
> > >
> > >
> > >
> > > Hi,
> > >
> > >
> > >
> > > we’re running keycloak 1.1 with several overlays – in detail:
> > >
> > >
> > >
> > > - A new datasource per overlay
> > >
> > > /opt/keycloak/bin/jboss-cli.sh --commands="connect, data-source
> > > add --name= xxx DS --connection-url=jdbc:oracle:thin:@
> > > xxxxx:1522:xxxxx --jndi-name=java:jboss/datasources/ xxx DS
> > > --driver-name=ojdbc --password= xxx --user-name= XXX "
> > >
> > >
> > >
> > > - A new auth-server entry
> > >
> > > /opt/keycloak/bin/jboss-cli.sh --commands="connect,
> > > /subsystem=keycloak/auth-server= xxx -server/:add(web-context= xxx
> > > , enabled=true)"
> > >
> > >
> > >
> > > - An own keycloak-server.json
> > >
> > > "connectionsJpa": {
> > >
> > > "default": {
> > >
> > > "dataSource": "java:jboss/datasources/ xxx DS",
> > >
> > > "databaseSchema": "update"
> > >
> > > }
> > >
> > > }
> > >
> > > "connectionsInfinispan": {
> > >
> > > "default" : {
> > >
> > > "cacheContainer" : "java:jboss/infinispan/ xxx Keycloak"
> > >
> > > }
> > >
> > >
> > >
> > > /opt/keycloak/bin/jboss-cli.sh --commands=”connect,
> > > /subsystem=keycloak/auth-server= xxx
> > > -server:update-server-config(bytes-to-upload=/opt/keycloak/standal
> > > on
> > > e/
> > > configuration/keycloak-server-
> > > xxx .json,overwrite=true)”
> > >
> > >
> > >
> > > This configuration isn’t supported anymore with 1.3.1 - do you
> > > have any hint for me, how to achieve a similar config with 1.3.1?
> > >
> > >
> > >
> > > br,
> > >
> > > Martin
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org>
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
9 years, 4 months
JBoss BPM Suite integration with Keycloak
by Paulo Jerônimo
Hello!
I need to make the Business Center and the Dashbuilder (JBoss BPM Suite) to
authenticate using a realm created in Keycloak. I have all the necessary
settings. My steps can be reproduced with an script. The Keycloak 1.4.0
examples are successfully executed in this instance configured JBoss BPM
Suite. It is configured with patches for JBoss EAP 6.4.2 and, also, with
patches for JBoss BPM Suite 6.1.1. The datasources are configured for a
Oracle instance. I exported the realm for myapp-realm.json file and I'm
starting the JBoss BPM Suite. I can log into Dashbuilder but in the Central
Business I am getting the following error:
https://github.com/paulojeronimo/gerador-jboss-bpmsuite-keycloak/blob/mas...
My JBoss BPM Suite integration project with Keycloak is public and
available:
https://github.com/paulojeronimo/gerador-jboss-bpmsuite-keycloak
Can help me solve this problem?
9 years, 4 months
Distributed Keycloak user sessions using Infinispan
by Nair, Rajat
Hi,
I'm in the process of setting up distributed user sessions using Infinispan on my Keycloak cluster. This is the configuration I use -
<cache-container name="keycloak" jndi-name="java:jboss/infinispan/Keycloak">
<transport lock-timeout="60000"/>
<invalidation-cache name="realms" mode="SYNC"/>
<invalidation-cache name="users" mode="SYNC"/>
<distributed-cache name="sessions" mode="SYNC" owners="2"/>
<distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
</cache-container>
And in server.logs, I can see my servers communicate -
2015-07-27 10:27:24,662 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t7) ISPN000310: Starting cluster-wide rebalance for cache users, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t10) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=57, rebalanceId=17, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[test-server-110: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[test-server-110: 30, test-server-111: 30]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,665 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=57, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,669 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=56, rebalanceId=17, currentCH=DefaultConsistentHash{ns=80, owners = (1)[test-server-110: 80+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (2)[test-server-110: 40+0, test-server-111: 40+0]}, unionCH=null, actualMembers=[test-server-110, test-server-111]}
2015-07-27 10:27:24,808 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t9) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 57
2015-07-27 10:27:24,810 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 56
2015-07-27 10:27:24,988 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t12) ISPN000336: Finished cluster-wide rebalance for cache realms, topology id = 57
2015-07-27 10:27:25,530 INFO [org.infinispan.CLUSTER] (remote-thread--p3-t8) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 57
I can successfully login, get a token and fetch user details with this token.
Problem is, if one of the nodes on the cluster goes down and if we try to reuse a token which was already issued (so workflow is - user logins in, get token, (a node in the cluster goes down) and then fetch user details using token) - we see an internal server exception. From the logs -
2015-07-27 10:24:25,714 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /auth/realms/scaletest/protocol/openid-connect/userinfo: java.lang.RuntimeException: request path: /auth/realms/scaletest/protocol/openid-connect/userinfo
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:54)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.MetricsHandler.handleRequest(MetricsHandler.java:62)
at io.undertow.servlet.core.MetricsChainHandler.handleRequest(MetricsChainHandler.java:59)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:274)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:253)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
... 31 more
Caused by: java.lang.NullPointerException
at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfo(UserInfoEndpoint.java:128)
at org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint.issueUserInfoGet(UserInfoEndpoint.java:101)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
... 42 more
The user guide says -
If you need to prevent node failures from requiring users to log in again, set the owners attribute to 2 or more for the sessions cache
Questions -
1. Have we configured Infinispan incorrectly? We don't want the users to login again if any of the nodes in the cluster go down.
2. Will changing distributed-cache to replicated-cache help in this scenario?
3. Any way we can see the contents of the cache?
-- Rajat
9 years, 4 months
Upgrade Keycloak 1.3.1 to 1.4.0
by Carlos German Tejero
I have installed Keycloak 1.3.1 as a subsystem, on a Wildfly 9.0.1.
How is the procedure for upgrade it to 1.4.0?
Tanks to all!
--
Carlos Germán Tejero
9 years, 4 months
Direct access (keycloak migration from 1.1.0 to 1.4.0)
by Emil Posmyk
Hi all
I have a problem with direct access. I try to use similar code like is on
page:
http://keycloak.github.io/docs/userguide/html/direct-access-grants.html
but every time I'm reciving bad request: status 400.
There is one change comparing version 1.4.0.Final with version 1.1.0.Final:
formparams.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE,
passwordValue));
I added into passwordValue password for user which was created in auth app
before (not "secret").
My code looks like this:
HttpPost post = new HttpPost(KeycloakUriBuilder.fromUri("
http://IPIPIPIP:8080/auth
").path(ServiceUrlConstants.TOKEN_PATH).build(realmName));
List <NameValuePair> formparams = new ArrayList <NameValuePair>();
formparams.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE,
passwordValue));
formparams.add(new BasicNameValuePair("username", "userName"));
formparams.add(new BasicNameValuePair("password", passwordValue));
try {
/*String authorization =
BasicAuthHelper.createHeader("appNameId", secretAppName);//secretAppName
post.setHeader("Authorization", authorization);*/
formparams.add(new
BasicNameValuePair(OAuth2Constants.CLIENT_ID, "appNameId"));
UrlEncodedFormEntity form = new
UrlEncodedFormEntity(formparams, "UTF-8");
post.setEntity(form);
final HttpClient client = new
HttpClientBuilder().disableTrustManager().build();
HttpResponse response = client.execute(post);
int status = response.getStatusLine().getStatusCode();
HttpEntity entity = response.getEntity();
if (status != 200) {
throw new IOException("Bad status: " + status);
}
Any ideas how to solve it ?
*thanks*
*regards*
*--*
*Emil Posmyk*
9 years, 4 months
Custom Authentication and Registration flow
by Tair Sabirgaliev
Hi,
2 questions here:
- How can we add custom authentication mechanisms?
- How to customize registration flow?
Are they pluggable now? Do you plan to implement SPIs?
Thanks!
--
Tair Sabirgaliev
Bee Software, LLP
9 years, 4 months
Fwd: Keycloak in Azure VM?
by Ed Hillmann
That was it! I passed it -b 0.0.0.0 and I'm getting through. Thanks heaps!
On Thu, Aug 6, 2015 at 11:45 AM, Greg Jones <gregj(a)thesoftwarecottage.com.au
> wrote:
> Hi Ed,
>
> Make sure the Keycloak server is running on your public IP address, not
> just localhost. This can be forced by using the -b <IP Address> flag on the
> standalone.sh command. You can use -b 0.0.0.0 to tell it to use all
> available IP addresses.
>
> Regards,
> Greg Jones
>
>
> > On 6 Aug 2015, at 11:34 am, Ed Hillmann <ed.hillmann(a)gmail.com> wrote:
> >
> > Hi. Has anyone had luck accessing Keycloak in a VM in Azure? I've got
> it running, I believe. But I cannot access it all from my browser. What I
> have done
> >
> > - Created a VM in Azure (Ubuntu 15), and this created an equivalent
> Cloud Service in Azure
> > - Installed a Java8 JDK to the VM
> > - Installed Keycloak 1.4.0 Final, standalone
> > - Created a self-signed certificate in a Keystore (as per the doco)
> > - Configured the standalone config to use the keystore (as per the doco)
> > - Started keycloak using standalone.sh
> >
> > At this point, the log file looks like instances I have run on my local
> PC. There's nothing in there that looks any difference.
> >
> > For the Azure VM, I've added the following endpoints
> >
> > public 80 maps to private 8080
> > public 443 maps to private 8443
> > public 9990 maps to private 9990
> > public 9993 maps to private 9993
> >
> > Any attempt to access the instance from my browser, however, ends up
> pwith a connection refused error. I can't even get to the launching page,
> let alone the admin console.
> >
> > Are there additional ports that need to be opened? If anyone has done
> this and can point out a missing step, I'd be very happy to have the help.
> >
> > Thanks,
> > Ed
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
9 years, 4 months
