External Username, Password, Email... dataset with Keycloak
by Reed Lewis
Hi,
We are examining KeyCloak (It looks like it can do what we want), but we have the need to have an external lookup of accounts who are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, but from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
Thank you,
Reed Lewis
7 years, 10 months
Assign Role Fails Just After Creating the Role
by Malmi Samarasinghe
Hi Everyone,
In my application we create retrieve and assign role subsequently and it
seems that even for a small load (2-3 threads) with realm cache enabled
option, assign realm role call fails due to role not exist error and 404 is
returned from keycloak.
With the realm cache disabled option the load works fine.
Please get back to me if you have any information on any other option we
can follow to get this issue sorted or on what action the realm cache will
be persisted to DB.
Regards,
Malmi
8 years, 9 months
ZipException: Unsupported compression method
by Juraci Paixão Kröhling
We are seeing this exception "from time to time" on the logs.
Unfortunately, I don't have much information about it, as I couldn't
reproduce it consistently (yet), but perhaps someone has also seen this
before? We are using KC 1.8.0.CR1.
http://fpaste.org/314926/45382345/
ERROR [stderr] (default task-62) java.util.zip.ZipException: Unsupported
compression method
ERROR [stderr] (default task-62) at
java.util.zip.GZIPInputStream.readHeader(GZIPInputStream.java:169)
ERROR [stderr] (default task-62) at
java.util.zip.GZIPInputStream.<init>(GZIPInputStream.java:79)
ERROR [stderr] (default task-62) at
java.util.zip.GZIPInputStream.<init>(GZIPInputStream.java:91)
ERROR [stderr] (default task-62) at
org.keycloak.common.util.Base64.decode(Base64.java:1274)
ERROR [stderr] (default task-62) at
org.keycloak.common.util.Base64.decode(Base64.java:1224)
ERROR [stderr] (default task-62) at
org.keycloak.common.util.Base64Url.decode(Base64Url.java:35)
ERROR [stderr] (default task-62) at
org.keycloak.jose.jws.JWSInput.<init>(JWSInput.java:35)
ERROR [stderr] (default task-62) at
org.keycloak.RSATokenVerifier.toAccessToken(RSATokenVerifier.java:52)
ERROR [stderr] (default task-62) at
org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:22)
ERROR [stderr] (default task-62) at
org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:18)
- Juca.
8 years, 10 months
Is there a REST Admin API to initiate the Reset Password flow?
by Lohitha Chiranjeewa
Hi,
There are a few clients of ours who use the Direct Grants API to
authenticate their users. A requirement has come up to provide the Reset
Password flow to those clients. From what I've checked and gathered,
there's no REST API to initiate this flow (sending the Keycloak password
reset email + resetting the password through the UI); only way to do is
through the browser.
If it's actually there somewhere, can someone point me to it?
Regards,
Lohitha.
8 years, 10 months
Social login error message
by Martin Min
Hello, I am configuring the social login with google, twitter and github.
Everything else works fine until this point, namely, after it's authorized,
at the "update account information" page, after I fill out the fields on
this page, clicked the "submitted" and I received this error message.
What could cause this? I followed the instruction carefully, but not sure
what caused this.
Context Path:
/auth
Servlet Path:
Path Info:
/realms/myproject/login-actions/first-broker-login
Query String:
code=Rp6yjxlbY0_IIjk8_-IpyOy_x8m_hC0d8zz4t-hp7vI.9ea99589-bf8d-4a13-930a-c58661dfb925
*Stack Trace*
java.lang.RuntimeException: request path:
/auth/realms/myproject/login-actions/first-broker-login
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException:
java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext
8 years, 11 months
Realm Certificate from commercial Vendors
by Raghuram Prabhala
I have a question about the Certificate/private key which is generated today by Keycloak. But rather than use that certificate ,is there any way we can use a commercial Certificate from Vendors like Verisign? When that certificate expires, how do we generate/upload a new certificate (lifecycle) and handle the switch over to a new certificate with minimal impact to any of the client who will have to download the new certificate and use it when KC starts using the new one?
8 years, 11 months
Google social login in
by Martin Min
Hi, I am configuring Keycloak google login. On Google Developer Console,
there is a field: Authorized redirect URI with the format: http://
{host}:{port}/auth/realms/{realm}/broker/{provider_alias}.
I am testing my KeyCloak server on my local computer, with IP 127.0.0.1. So
here this IP or "localhost" probably doesn't work in this field. I have to
use a real public IP address. Right? How can I testing social login in
KeyCloak without using a real IP address.
Thank you.
Martin
8 years, 11 months
keycloak + nginx reverse proxy + too many redirects issue
by Adrian Matei
Hi everyone,
I am experimenting "too many redirects"/infinite loops issues in the
browser when I try to connect with social providers. I am also getting
internal server error on Chrome via google account (Caused by:
java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext). It might be my
configuration, but I did everything "by the book":
# realm Require SSL:none
#nginx
http {
gzip on;
gzip_proxied any;
#gzip_proxied no-cache no-store private expired auth;
gzip_types text/plain text/html text/css application/json
application/x-javascript application/xml application/xml+rss
text/javascript application/javascript text/x-js;
#gzip_min_length 1000;
server_tokens off; #hides nginx version and OS running on
include /etc/nginx/mime.types;
upstream tomcat_server {
server localhost:8080;
}
upstream keycloak_server {
server localhost:8180;
}
server {
listen 80;
server_name podcastmania.ro;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name podcastmania.ro www.podcastmania.ro;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
location / {
root /opt/tomcat/webapps/ROOT;
try_files $uri /maintenance.html @tomcat;
}
location @tomcat {
proxy_pass http://tomcat_server;
proxy_set_header Host $host; #to change the "Host" header
set by default to $proxy_host to $host - the originating host request
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /auth/ {
root
/opt/keycloak/standalone/configuration/themes/keycloak/;
try_files $uri @keycloak;
}
location @keycloak {
proxy_pass http://keycloak_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port 443;
}
}
# standalone.xml
<subsystem xmlns="urn:jboss:domain:undertow:2.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http"
*redirect-socket="proxy-https"
proxy-address-forwarding="true"*/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
</host>
</server>
<socket-binding-group name="standard-sockets"
default-interface="public"
port-offset="${jboss.socket.binding.port-offset:100}">
<socket-binding name="management-http" interface="management"
port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management"
port="${jboss.management.https.port:9993}"/>
<socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8443}"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
* <socket-binding name="proxy-https" port="443"/>*
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
# app:spring security configuration
<context:component-scan base-package="org.keycloak.adapters.springsecurity" />
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="keycloakAuthenticationProvider" />
</security:authentication-manager>
<bean id="adapterDeploymentContext"
class="org.keycloak.adapters.springsecurity.AdapterDeploymentContextBean">
<constructor-arg value="classpath:keycloak.json" />
</bean>
<bean id="keycloakAuthenticationEntryPoint"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationEntryPoint"
/>
<bean id="keycloakAuthenticationProvider"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider"
/>
<bean id="keycloakPreAuthActionsFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter"
/>
<bean id="keycloakAuthenticationProcessingFilter"
class="org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter">
<constructor-arg name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="keycloakLogoutHandler"
class="org.keycloak.adapters.springsecurity.authentication.KeycloakLogoutHandler">
<constructor-arg ref="adapterDeploymentContext" />
</bean>
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg name="logoutSuccessUrl" value="/" />
<constructor-arg name="handlers">
<list>
<ref bean="keycloakLogoutHandler" />
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"
/>
</list>
</constructor-arg>
<property name="logoutRequestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/sso/logout**" />
<constructor-arg name="httpMethod" value="GET" />
</bean>
</property>
</bean>
<security:http auto-config="false" use-expressions="true"
entry-point-ref="keycloakAuthenticationEntryPoint">
<security:custom-filter ref="keycloakPreAuthActionsFilter"
before="LOGOUT_FILTER" />
<security:custom-filter ref="keycloakAuthenticationProcessingFilter"
before="FORM_LOGIN_FILTER" />
<security:intercept-url pattern="/users/registration" access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirm-email"
access="permitAll"/>
<security:intercept-url pattern="/users/registration/confirmed"
access="permitAll"/>
<security:intercept-url pattern="/users/password-forgotten"
access="permitAll"/>
<security:intercept-url
pattern="/users/password-forgotten/confirm-email" access="permitAll"/>
<security:intercept-url
pattern="/users/password-forgotten/confirmed" access="permitAll"/>
<security:intercept-url pattern="/users/**/*" access="hasRole('ROLE_USER')"/>
<security:intercept-url pattern="/**" access="permitAll"/>
<security:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />
</security:http>
Has anyone faced similar issues?
Thanks,
Adrian
8 years, 11 months
Clustering not working properly.
by Revanth Ayalasomayajula
Hi,
I am using keycloak 1.5.0 and i am facing an issue with the clustering of
it.
I have two instances of keycloak behind a load balancer and i made the
following changes to keycloak-server.json on both the instances.
Added:
"realmCache": {
"provider": "infinispan"
},
"userCache": {
"provider": "infinispan"
} ,t
"userSessions": {
"provider": "infinispan"
}
and ran the following command: ./standalone.sh
--server-config=standalone-ha.xml -b=172.31.7.132.
The server is starting but when i try to access admin console, it first
gives me this error:
type=LOGIN_ERROR, realmId=master, clientId=null, userId=null,
ipAddress=172.31.18.200, error=expired_code, restart_after_timeout=true
and redirects me to the login page again and then if i try to login in
again, it gives me another again:
type=LOGIN_ERROR, realmId=master, clientId=null, userId=null,
ipAddress=172.31.25.198, error=invalid_code
and exits
saying 'try login using your application'.
What am i doing that is causing this ?? Any config changes i need to do??
8 years, 11 months