Commercial/Enterprise/Stable support
by Jorge Solórzano
Hi Keycloak community...
Keycloak looks like a really promising project, but what worries me is
that, as a community project, it takes an ultra-fast development cycle.
From a commercial standpoint, it feels that it never finishes
stabilizing: if, for example, I implement version 1.5 in production
and find a bug, it will be fixed only when 1.6 is released, with probably
more new features and changes in the database schema which can introduce
more bugs...
How can an environment that needs a slower but stable approach be
handled? Will there be a "JBoss Keycloak EAP"? What are the
chances that the project is discontinued (somewhat like PicketLink)?
Is this project appropriate for "Enterprise" use?
cheers,
Jorge Solórzano
http://www.jorsol.com
8 years, 7 months
UT010039: Unknown authentication mechanism KEYCLOAK
by Hristo Stoyanov
Hi all, I am getting the below message with Keycloak 1.5.0/WF9.0.1 overlay
installation. My configuration file looks exactly the same as the stock
one, e.g.:

<extensions>
    ...
    <extension module="org.keycloak.keycloak-server-subsystem"/>
    ...
</extensions>
...
<profile>
    ...
    <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
        <web-context>auth</web-context>
    </subsystem>
</profile>

The module jars are properly put in the WF folders. My web.xml also seems
right too:
=========================================
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <!-- Default page to serve -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <!-- This error page rule responds with the GWT Host page for pushstate Errai Navigation URLs -->
    <error-page>
        <error-code>404</error-code>
        <location>/</location>
    </error-page>
    <!-- Errai Keycloak security -->
    <filter>
        <filter-name>ErraiLoginRedirectFilter</filter-name>
        <init-param>
            <param-name>redirectLocation</param-name>
            <param-value>/index_draft.jsp</param-value>
        </init-param>
    </filter>
    <!-- JAX-RS configuration -->
    <servlet-mapping>
        <servlet-name>javax.ws.rs.core.Application</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
    <filter-mapping>
        <filter-name>ErraiUserCookieFilter</filter-name>
        <url-pattern>/index_draft.jsp</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>ErraiLoginRedirectFilter</filter-name>
        <url-pattern>/app-login</url-pattern>
    </filter-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Login</web-resource-name>
            <url-pattern>/app-login</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>KEYCLOAK</auth-method>
        <realm-name>whatever</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
</web-app>

I can access the KC admin console and configure realms/users/roles with no
problem in the WF 9.0.1 server. I am out of ideas of what could be causing
it. Any hints?
Thanks
==========================================================================================================
11:47:54,444 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./draft: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:224)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:326)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:200)
    ... 8 more
11:47:54,471 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 2) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "draft.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
11:47:54,478 ERROR [org.jboss.as.server] (management-handler-thread - 2) WFLYSRV0021: Deploy of deployment "draft.war" was rolled back with the following failure message: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./draft" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./draft: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK"}}
11:47:54,488 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 79) WFLYJPA0011: Stopping Persistence Unit (phase 2 of 2) Service 'draft.war#s4g'
/Hristo Stoyanov
8 years, 7 months
Performance numbers for Keycloak
by Anunay Sinha
Hi
I am interested in some performance numbers for Keycloak.
I am setting it up to test locally and just wondering if someone has done this
already.
I would like to know how well it will scale up:
how many requests it can handle and whether it becomes the bottleneck for our
application.
Thanks
--
- Anunay
8 years, 7 months
"Invalid_grant" error when trying to login with the user created from Rest API
by Anunay Sinha
Hi
I am using keycloak 1.4
When I try to create a new user using the REST API, I am getting 201.
The user shows under the list of users on the Keycloak admin panel as well as
when I query it from the API.
I have reset the password of the user using the following call:
http://127.0.0.1:8080/auth/admin/realms/TAHITI/users/29e18054-2fc6-41fc-a...
{"type":"password","value":"asdf123","temporary":false}
I am getting 204 for this request.
When I try to log in with this user, I am getting the error:
Status Code 401
{
"error_description": "Invalid user credentials",
"error": "invalid_grant"
}
If however I go and edit my user from admin console, it starts working.
Can you help me with this issue
--
- Anunay
8 years, 7 months
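The three calls this post describes (create the user through the admin REST API, set a non-temporary password, then log in with the resource-owner password grant), as an added example in Python that is not the poster's code and not Keycloak's own client library. The realm name TAHITI and the base URL http://127.0.0.1:8080/auth are the poster's; the admin bearer token, the client id `my-client`, the `LOGIN_HINTS` table (my summary of the `error_description` strings Keycloak returns on a failed password grant) and the injectable HTTP transport are assumptions. Because the transport is injectable, the whole flow can be exercised offline and the 401/invalid_grant response can be reproduced deterministically.

```python
"""Admin-REST user provisioning followed by a password-grant login check.

Added example (not code from the thread). The transport is injectable so the
flow can be tested without a server; URLs, realm, client_id and admin token
are assumptions standing in for the poster's values.
"""
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Default transport: returns (status, headers, body_bytes); does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def _header(headers, name):
    """Case-insensitive header lookup (servers and stubs differ in casing)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class KeycloakUserFlow:
    def __init__(self, base_url, realm, admin_token, transport=urllib_transport):
        self.base = base_url.rstrip("/")
        self.realm = realm
        self.admin_token = admin_token  # admin access token, obtained separately (assumed)
        self.transport = transport

    def _admin_call(self, method, path, payload):
        headers = {"Authorization": "Bearer " + self.admin_token,
                   "Content-Type": "application/json"}
        url = f"{self.base}/admin/realms/{self.realm}{path}"
        return self.transport(method, url, headers, json.dumps(payload).encode())

    def create_user(self, username):
        # The new user's id is returned only in the Location header of the 201.
        # enabled=True is set explicitly: a disabled user cannot log in.
        status, headers, _ = self._admin_call("POST", "/users",
                                              {"username": username, "enabled": True})
        if status != 201:
            raise RuntimeError(f"user creation failed with HTTP {status}")
        location = _header(headers, "Location") or ""
        return location.rstrip("/").rsplit("/", 1)[-1]

    def set_password(self, user_id, password):
        # temporary=False so the user is not pushed into an "update password" required action.
        status, _, _ = self._admin_call("PUT", f"/users/{user_id}/reset-password",
                                        {"type": "password", "value": password, "temporary": False})
        if status != 204:
            raise RuntimeError(f"password reset failed with HTTP {status}")

    def password_grant(self, client_id, username, password):
        """Resource Owner Password Credentials grant; returns (status, parsed JSON body)."""
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": client_id,
                                       "username": username, "password": password}).encode()
        url = f"{self.base}/realms/{self.realm}/protocol/openid-connect/token"
        status, _, body = self.transport("POST", url,
                                         {"Content-Type": "application/x-www-form-urlencoded"}, form)
        return status, json.loads(body or b"{}")


# My summary of error_description strings seen on failed password grants and
# their usual cause; "Invalid user credentials" is the one quoted in the post.
LOGIN_HINTS = {
    "Invalid user credentials": "stored credential does not match (password reset did not take effect, or wrong password)",
    "Account disabled": "user was created with enabled=false",
    "Account is not fully set up": "a required action (e.g. UPDATE_PASSWORD) is still pending for the user",
}


def explain_login_failure(status, body):
    """Map a failed token response to a diagnostic hint; None when the login succeeded."""
    if status == 200 and "access_token" in body:
        return None
    description = body.get("error_description", "")
    return LOGIN_HINTS.get(description, f"{body.get('error', 'unknown error')}: {description}")
```

Against a live server, construct `KeycloakUserFlow` with the default transport and an admin access token; the `Location` header of the 201 response is the only place the new user's id comes back, so the flow parses it instead of re-listing users. A 401 with `invalid_grant` after a 204 from `reset-password` means the token endpoint rejected the credential itself, which is what `explain_login_failure` reports.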
Can not create using API
by H Mahey
Hi all,
I am trying to create a user in Keycloak via the API and getting 401. Can you please help in finding what I am doing wrong.
Thanks
Harsh
8 years, 7 months
association of application user and keycloak user
by Matuszak, Eduard
Hello,
Is there any concept or standard way of linking/associating users residing in an application's own DB to the users registered in the Keycloak database (residing in Keycloak's USER_ENTITY table), e.g. something like the good old JDBC realm?
Best regards, Eduard Matuszak
Dr. Eduard Matuszak
Worldline, an atos company
T +49 (211)399 398 63
M +49 (163)166 23 67
F +49(211) 399 22 430
eduard.matuszak(a)atos.net<mailto:eduard.matuszak@atos.net>
Max-Stromeyer-Straße 116
78467 Konstanz
Germany
de.worldline.com<http://worldline.com/de/1/Home.html>
worldline.jobs.de<http://worldline.jobs.de>
facebook.com/WorldlineKarriere<http://www.facebook.com/WorldlineKarriere>
Worldline GmbH
Geschäftsführer: Wolf Kunisch
Aufsichtsratsvorsitzender: Christophe Duquenne
Sitz der Gesellschaft: Frankfurt/Main
Handelsregister: Frankfurt/Main HRB 40 417
8 years, 7 months
Re: [keycloak-user] Keycloak Demo Application
by Walker, Charles
It's not that the docs are bad, this is just a complex app with a lot of
different touch points.
but....
* More details on individual options would be nice though, I scoured the
examples and read through a ton of source for answers to different things
* updated video tutorials. what's out there is helpful but dated
* move away from liquibase to manage the database schema. it's a nice tool
but I haven't run into many DBAs that allow an application to "alter" the
database. that meant I just had to go figure out another technology just
to tease the sql out of it
* better realm management tools. the current import and export tools work
but are crude. some type of jboss-cli support would be nice (i guess the
wildfly folks have spoiled me)
but things get better every single release! thanks and keep up the good
work.
On Thu, Sep 24, 2015 at 2:19 PM, Bill Burke <bburke(a)redhat.com> wrote:
> Any suggestions for making things easier? (Other than "your
> documentation sucks!") ;)
>
>
> On 9/24/2015 1:47 PM, Walker, Charles wrote:
> > I see a lot of folks struggling with some of the same things I've
> > encountered. I've been working on a more complete app while testing
> > keycloaks capabilities. It is currently:
> > * an ubuntu vagrant vm
> > * ansible setup
> > * keycloak 1.5
> > * separate wildfly 9 server
> > * openldap server used for user federation
> > * jee rest application showing both url protection and programmatic ejb
> > authorization
> > * angularjs web app
> > * nginx ssl reverse proxy
> >
> > I'll keep improving it as I go along but I thought I would share and it
> > might help others.
> >
> > It's at "https://github.com/cwalker67/keycloak_demo"
> >
> > thanks,
> > charlie
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
8 years, 7 months
Keycloak Demo Application
by Walker, Charles
I see a lot of folks struggling with some of the same things I've
encountered. I've been working on a more complete app while testing
Keycloak's capabilities. It is currently:
* an ubuntu vagrant vm
* ansible setup
* keycloak 1.5
* separate wildfly 9 server
* openldap server used for user federation
* jee rest application showing both url protection and programmatic ejb
authorization
* angularjs web app
* nginx ssl reverse proxy
I'll keep improving it as I go along but I thought I would share and it
might help others.
It's at "https://github.com/cwalker67/keycloak_demo"
thanks,
charlie
8 years, 7 months
Having a public and a private 'face' to Keycloak
by Kevin Thorpe
I, and others, are having problems using this in the real world because of
the 'identity' of Keycloak.

I'm running Keycloak in a Docker (Rancher) container. Alongside it are my
backend containers holding the internal components of the application. On
top of the application is an nginx container containing an AngularJS
application and proxying Angular's service calls to the backend container.

The problem comes when I sit an external load balancer/SSL layer in front
of the application. The user is now contacting the application on its
external hostname in our DMZ. Authentication then has to be performed
against Keycloak on a DMZ IP/URL. Easy enough to arrange, just use Nginx
again as a proxy for Keycloak. This all works for the frontend and the user
can log in.

The problem occurs when the backend service containers try to validate the
user token. They cannot do this directly to Keycloak inside the Docker
ecosystem. All I get in that case is "this token was issued by
<external hostname:port> and you are presenting it to
<internal hostname:port>" (can't remember the exact wording).

I can get this to work by getting my backend containers to authenticate
against <external hostname>, but that is creating traffic out of the Docker
LAN and back in again, not the most efficient way to do things.

Would this be a good use case for Keycloak aliases? Then I can present a
token issued by <external URL> to <internal URL> and Keycloak will
understand that it was actually issued by itself under a different
identity. Better still, I could proxy Keycloak within the URL of the
front-end application, which would place the whole application (website,
service and authentication) under one hostname.
*Kevin Thorpe*
CTO
8 years, 7 months
Help understanding Bearer-only
by Mai Zi
Hi there, here is a metaphor for what we are working on.
Suppose we are a primary school. We'd like to offer a sports club card to our teachers so they can go to exercise at the weekend. The workflow is simple:
1) We apply for a card from the club.
2) We give the card to the teacher.
3) The teacher takes the card to the club to do whatever.
With Keycloak, we think:
1) The card is the token.
2) We, the school, are the OAuth client.
3) The teacher and the club go with bearer-only.
Based on the understanding above:
1) By the admin RESTful endpoints, we (the school) create a user account, reset a password, set the role for the user, and finally acquire this user's access token. In this step the user is not involved at all.
2) We transfer this access token to the user.
3) The user now visits the club's RESTful endpoints carrying this token.
Unfortunately, we cannot reach the club's resource. The code is 403 Forbidden.
I am not sure whether we have the right idea of the bearer-only model or not, or whether we missed something.
Any help will be appreciated.
Mai
8 years, 7 months
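The two rejections described in the posts above, Kevin's "issued by <external>, presented to <internal>" and Mai's 403 from a bearer-only resource, both come from checks an adapter makes on claims inside the access token: `iss` must equal the realm URL derived from the adapter's configured auth-server-url, and the role named in the resource's security constraint must appear in `realm_access.roles` (or in `resource_access.<client>.roles` when the adapter uses resource role mappings). The following Python is an added example, not code from either post or from Keycloak: it builds a constructed token with a placeholder signature, decodes the claims and reports which check would fail and with which status. The hostnames, the realm `demo`, the client id `club-api` and the role names are assumptions. Signature verification is deliberately left out; a real adapter verifies the signature before looking at any claim, and nothing here should be used to accept a token.

```python
"""Offline inspection of a Keycloak access token for two adapter checks:
issuer mismatch (-> 401) and missing role (-> 403).

Added example, not code from the threads. The token is constructed locally
with a placeholder signature so the script runs offline; it is for
diagnosis only and performs no signature verification.
"""
import base64
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header.payload.<placeholder>. Never accept such a token."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(auth_server_url: str, realm: str) -> str:
    """Keycloak adapters derive the realm URL from auth-server-url and compare it to `iss`."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}"


def token_roles(claims: dict, client_id: str = None) -> set:
    """Roles the adapter would see: realm roles by default, or the client's own
    roles when use-resource-role-mappings is on (pass client_id for that case)."""
    if client_id is None:
        return set(claims.get("realm_access", {}).get("roles", []))
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def diagnose(token, auth_server_url, realm, required_role, client_id=None, now=None):
    """List the findings that explain why a bearer request would be refused (empty = accepted)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    issuer = expected_issuer(auth_server_url, realm)
    if claims.get("iss") != issuer:
        # Kevin's case: token minted under the external URL, validated against the internal one.
        findings.append(f"issuer mismatch: token iss={claims.get('iss')!r}, adapter expects {issuer!r} -> 401")
    if claims.get("exp", 0) <= now:
        findings.append("token expired -> 401")
    roles = token_roles(claims, client_id)
    if required_role not in roles:
        # Mai's case: token accepted, but the role the resource demands is not mapped to the user.
        findings.append(f"role {required_role!r} not in {sorted(roles)} -> 403")
    return findings


if __name__ == "__main__":
    # Constructed sample: issued by the external hostname, carrying one realm role and one client role.
    sample = make_unsigned_token({"iss": "https://sso.example.com/auth/realms/demo",
                                  "exp": int(time.time()) + 300,
                                  "realm_access": {"roles": ["teacher"]},
                                  "resource_access": {"club-api": {"roles": ["member"]}}})
    for finding in diagnose(sample, "http://keycloak:8080/auth", "demo", "club-member"):
        print(finding)
```

For Kevin's setup this confirms the root cause rather than fixes it: the backend adapter must be configured with the same auth-server-url the token was issued under, which is the workaround he already describes. For Mai's case the status code is the clue: a 403 rather than 401 means the adapter accepted the token and the role mapping, not the credential, is what to inspect.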