Assign Role Fails Just After Creating the Role
by Malmi Samarasinghe
Hi Everyone,
In my application we create, retrieve and assign a role in succession, and it
seems that even for a small load (2-3 threads) with the realm cache enabled
option, the assign realm role call fails due to a "role does not exist" error and a 404 is
returned from Keycloak.
With the realm cache disabled option the load works fine.
Please get back to me if you have any information on any other option we
can follow to get this issue sorted, or on what action the realm cache will
be persisted to the DB.
Regards,
Malmi
8 years, 11 months
saml client adapter changes incoming in 1.9
by Bill Burke
FYI, heads up:
A major change to our Keycloak saml client adapter is coming (PR
building right now). Basically you'll need to register a specific
endpoint with your IDPs. Before, it was really any secure URL. You must
now register /saml.
i.e.
https://example.com/<context-root>/saml
The reason for this is that SAML POST binding would eat the HttpRequest
input stream for any secured URL. This can be bad if you are uploading
to a secure URL :)
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 11 months
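The reason Bill gives is worth seeing in code: a POST-binding handler that sniffs the body of every secured URL drains the request stream before the application gets it, so a file upload to a protected URL arrives empty. The following is an added example, not the Keycloak SAML adapter's own code: a WSGI-style filter that reads the body only for the one registered endpoint, <context-root>/saml, next to a "legacy" mode that inspects every POST. The /app context root, the SAMLResponse form and the upload bytes are constructed for illustration.

```python
# Added example (not the Keycloak SAML adapter's own code): a WSGI-style
# filter that reads the request body only for the one registered assertion
# consumer endpoint, <context-root>/saml, and hands every other secured URL
# to the application with its stream untouched.  The "legacy" mode mimics
# an adapter that inspects the body of every secured POST, which is what
# breaks uploads.  Paths, the SAMLResponse form and the upload bytes are
# constructed for illustration.
import io
from urllib.parse import parse_qs


def _read_body(environ):
    """Drain the single-use WSGI input stream (CONTENT_LENGTH bytes)."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    return environ["wsgi.input"].read(length)


def saml_consumer(form_body):
    """Stand-in for assertion processing: report whether a SAMLResponse arrived."""
    fields = parse_qs(form_body.decode("ascii", "replace"))
    return {"handled_by": "saml", "has_response": "SAMLResponse" in fields}


def application(environ):
    """The protected app: an upload handler that counts the bytes it received."""
    body = _read_body(environ)
    return {"handled_by": "app", "path": environ["PATH_INFO"], "bytes": len(body)}


def saml_filter(environ, context_root="/app", legacy=False):
    """legacy=True: sniff every POST body for a SAML POST binding.
    legacy=False: only the registered endpoint is treated as the binding."""
    path = environ["PATH_INFO"]
    is_post = environ["REQUEST_METHOD"] == "POST"
    is_form = environ.get("CONTENT_TYPE", "").startswith(
        "application/x-www-form-urlencoded")

    if legacy:
        if is_post:
            body = _read_body(environ)  # the app now sees an empty stream
            if is_form and b"SAMLResponse=" in body:
                return saml_consumer(body)
        return application(environ)

    if is_post and path == context_root + "/saml":
        if not is_form:
            return {"handled_by": "saml", "error": "unexpected content type"}
        return saml_consumer(_read_body(environ))
    return application(environ)


def make_request(path, body, content_type):
    """Minimal WSGI environ with a fresh, single-use input stream (constructed)."""
    return {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": path,
        "CONTENT_TYPE": content_type,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }


UPLOAD = b"\x89PNG\r\n\x1a\n constructed upload payload"
SAML_FORM = b"SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D&RelayState=abc"


def demo():
    """Same upload through both modes, plus a real POST-binding request."""
    octet = "application/octet-stream"
    form = "application/x-www-form-urlencoded"
    return {
        "upload_new": saml_filter(make_request("/app/upload", UPLOAD, octet)),
        "upload_legacy": saml_filter(make_request("/app/upload", UPLOAD, octet), legacy=True),
        "saml_new": saml_filter(make_request("/app/saml", SAML_FORM, form)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() shows the upload reaching the application with all its bytes in the new mode and with zero bytes in the legacy mode, while a form POST to /app/saml is still handled as the binding. The practical consequence for deployments is the one in the post: the IdP must have exactly https://example.com/<context-root>/saml registered as the assertion consumer URL, because nothing else will accept the binding any more.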
Passing External URL Bearer Token to Interior Proxy URL in Multi-Hop scenario
by Joe Strathern
Hello Keycloak Community
I am looking for some assistance on how to pass a Keycloak bearer token in
the multi-hop scenario, where the keycloak instance is inside a proxy
environment, the next hop is within the proxy, and the original request
came from outside of that environment.
For instance, the original request goes to http://external-hostname/auth,
where external-hostname is a proxy system. Login is successful, and I
receive a Bearer Token with Token issuer -
http://external-hostname/auth/realms/My_Realm.
Now I need to take that token from the HTTP request, and attach it to a new
request from inside the proxy. I do so, redirecting to
http://interior-hostname/API, secured by the same Keycloak. Using
"external-hostname" as host once more is not an option, as we are within
the proxied environment. However, submitting the hop HTTP request, I am
met with the error:
*Failed to verify token: org.keycloak.common.VerificationException: Token
audience doesn't match domain. Token issuer
is http://external-hostname/auth/realms/My_Realm, but URL from configuration
is http://internal-hostname/auth/realms/My_Realm*
The token is rejected (Since the hostnames are not the exact same), however
external-hostname and internal-hostname are the same machine.
Is there a way that Keycloak can identify these hostnames as equivalent to
accept the token, or another policy that should be followed in this
situation?
Thanks,
Joe
8 years, 11 months
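The rejection Joe quotes is an exact string comparison of the token's iss claim against the auth-server URL the interior adapter was configured with, done after the signature check. The block below is an added example, not Keycloak's verifier: it mints a token with the external issuer and checks it against both configurations so the outcome of each can be compared. Keycloak signs tokens with the realm's RSA key and adapters fetch the public key; the HS256 shared secret here is a constructed stand-in so the example runs offline. The two hostnames are taken from the post, everything else is an assumption for illustration.

```python
# Added example (not Keycloak's verifier): the issuer check that produces
# the error above, with tokens minted and checked entirely in this file.
# Keycloak signs with the realm's RSA key and the adapter fetches the
# public key; HS256 with a constructed shared secret keeps this runnable
# offline.  Hostnames are the ones from the post, everything else is an
# assumption made for illustration.
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
EXTERNAL_ISSUER = "http://external-hostname/auth/realms/My_Realm"
INTERNAL_ISSUER = "http://internal-hostname/auth/realms/My_Realm"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, subject, ttl=300, now=None):
    """Mint a compact JWS (HS256) the way an IdP would, with iss set to the
    URL the login request arrived on."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class VerificationException(Exception):
    pass


def verify_token(token, configured_issuer, now=None):
    """Signature first, then an exact string comparison of iss against the
    URL the adapter was configured with.  No normalisation: two hostnames
    that happen to be one machine are still two issuers."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise VerificationException("malformed token")
    expected = hmac.new(SHARED_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise VerificationException("invalid signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != configured_issuer:
        raise VerificationException(
            f"Token issuer is {claims.get('iss')}, but URL from configuration is {configured_issuer}")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise VerificationException("token expired")
    return claims


def try_verify(token, configured_issuer):
    """Return 'accepted' or 'rejected: <reason>' so outcomes can be compared."""
    try:
        verify_token(token, configured_issuer)
        return "accepted"
    except VerificationException as exc:
        return f"rejected: {exc}"


def demo():
    token = mint_token(EXTERNAL_ISSUER, "joe")
    tampered = token[:-3] + ("AAA" if not token.endswith("AAA") else "BBB")
    return {
        "interior_configured_internal": try_verify(token, INTERNAL_ISSUER),
        "interior_configured_external": try_verify(token, EXTERNAL_ISSUER),
        "tampered": try_verify(tampered, EXTERNAL_ISSUER),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The comparison is deliberately not relaxed: an adapter that treated "similar" hostnames as equivalent would also accept tokens from any realm whose URL happened to look alike. The remedy the error message points at is on the configuration side, which is to give the interior service the same issuer URL the token carries (the external one) so that one issuer string holds across both hops, and to solve the internal reachability of that hostname at the network or proxy layer rather than in the token check.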
LDAP Federation - synchronization on cluster error
by Łukasz Skierkowski
Hello,
Has anyone had a problem with synchronization on a JBoss cluster?
Recently I've noticed that some synchronizations end with an error:
*javax.persistence.OptimisticLockException: Batch update returned
unexpected row count from update [0]; actual row count: 0; expected: 1 *
If synchronization is started manually there is no problem with the feature.
I think that it can be a problem with scheduled job synchronization on a
cluster. BasicTimerProvider uses simple, unsynchronized Java timers and
it can cause a race condition on the database.
Lukasz Skierkowski
8 years, 11 months
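The row count in that exception is the signature of an optimistic-locking write: the UPDATE carries a WHERE version = ? clause, so a writer holding a stale version modifies zero rows and Hibernate raises instead of overwriting. The block below is an added example, not Keycloak's BasicTimerProvider or its JPA model: it reproduces the race on an in-memory SQLite table, then runs the same two simultaneous timer firings behind a database row used as a cluster-wide lease so only one node performs the sync. Table and column names are constructed for illustration.

```python
# Added example (not Keycloak's BasicTimerProvider or its JPA model): the
# race described above reproduced on an in-memory SQLite table, then the
# same two timer firings guarded by a database row used as a cluster-wide
# lease.  Table and column names are constructed for illustration.
import sqlite3


def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE federation_sync (id TEXT PRIMARY KEY, last_sync INTEGER, version INTEGER)")
    db.execute("INSERT INTO federation_sync VALUES ('ldap', 0, 0)")
    db.execute("CREATE TABLE scheduler_lock (name TEXT PRIMARY KEY, holder TEXT)")
    db.execute("INSERT INTO scheduler_lock VALUES ('ldap-sync', NULL)")
    db.commit()
    return db


def read_version(db):
    return db.execute("SELECT version FROM federation_sync WHERE id = 'ldap'").fetchone()[0]


def versioned_update(db, version_seen, now):
    """Hibernate-style optimistic write: the WHERE version = ? clause makes a
    writer holding a stale version update zero rows, which Hibernate reports
    as an OptimisticLockException with 'actual row count: 0; expected: 1'."""
    cur = db.execute(
        "UPDATE federation_sync SET last_sync = ?, version = version + 1 "
        "WHERE id = 'ldap' AND version = ?", (now, version_seen))
    db.commit()
    if cur.rowcount != 1:
        raise RuntimeError(f"unexpected row count: actual {cur.rowcount}; expected: 1")


def unsynchronized_timers(db):
    """Two nodes' timers fire together: both load version 0, both try to write."""
    loaded = {node: read_version(db) for node in ("node-a", "node-b")}
    outcome = []
    for node, version in loaded.items():
        try:
            versioned_update(db, version, now=1000)
            outcome.append((node, "ok"))
        except RuntimeError:
            outcome.append((node, "OptimisticLockException"))
    return outcome


def try_acquire(db, node):
    """Atomic compare-and-set on the lock row; only one node can win."""
    cur = db.execute(
        "UPDATE scheduler_lock SET holder = ? WHERE name = 'ldap-sync' AND holder IS NULL", (node,))
    db.commit()
    return cur.rowcount == 1


def release(db, node):
    db.execute("UPDATE scheduler_lock SET holder = NULL WHERE name = 'ldap-sync' AND holder = ?", (node,))
    db.commit()


def guarded_timers(db):
    """Same simultaneous firing, but each node must win the lease before syncing."""
    winners = [node for node in ("node-a", "node-b") if try_acquire(db, node)]
    outcome = []
    for node in ("node-a", "node-b"):
        if node not in winners:
            outcome.append((node, "skipped"))
            continue
        try:
            versioned_update(db, read_version(db), now=2000)
            outcome.append((node, "ok"))
        finally:
            release(db, node)
    return outcome


if __name__ == "__main__":
    print("unsynchronized:", unsynchronized_timers(setup()))
    print("guarded:       ", guarded_timers(setup()))
```

The lease row is the minimum that makes per-node timers safe; a production version also needs an expiry on the holder column so a node that crashes mid-sync does not hold the lease forever, and the sync itself should stay idempotent so a retry after a lost race is harmless.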
Very slow export/import of realms
by Gabriel Lavoie
Hi,
I am currently having issues with very slow export/import of realms
with a large number of users (10K). Both operations take ~10 minutes each.
After digging in the KeyCloak code, I've found out that a lot of flushes are
done at the Hibernate/JPA level (at least 4-5 times per user).
*Export:*
For the export, there are 4 very slow queries in ExportUtils.exportUser() (
https://github.com/keycloak/keycloak/blob/7895eb6a3dd7e4abc16dd401066bd08...
):
* Set<FederatedIdentityModel> socialLinks =
session.users().getFederatedIdentities(user, realm);
* Set<RoleModel> roles = user.getRoleMappings();
* List<UserConsentModel> consents = user.getConsents();
* for (GroupModel group : user.getGroups()) {
They seem to be caused by Hibernate that forces a flush by default in
"getResultList()". As a workaround I told Hibernate to flush only on commit
of the transaction through "-Dorg.hibernate.flushMode=COMMIT" and the
export time came down to *~20 seconds*.
Could there be any issue of changing the flush mode only for the export?
Data shouldn't change in the database at this moment and queries shouldn't
return stale data.
*Import:*
For the import it seems that changing the flushMode isn't sufficient. It
should likely not be done. However, I found a few places in the
keycloak-model-jpa module where entities are created, persisted, then
em.flush() and em.detach() are called right away without the entity being
returned (ex: UserAdapter.grantRole() -
https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/...
).
If I remove all those flush/detach calls, the import process goes down to *~50
seconds*. What is the reason for flushing every time an entity is created
rather than letting JPA/Hibernate do it when necessary?
Thank you,
Gabriel
--
Gabriel Lavoie
glavoie(a)gmail.com
8 years, 11 months
Missing client roles to view and manage groups?
by Edgar Vonk - Info.nl
Hi,
(oops, sent this to the keycloak-dev mailing list by mistake earlier..)
It seems there are no client roles to view and manage groups in Keycloak? I expected to see view-groups and manage-groups roles just like view-users and view-groups.
Our case is that we want to have ‘functional admin’ users that are allowed to manage users and groups within their realm (and nothing else).
I have now created such a functional admin user with the following client roles in this particular realm:
- view-events
- manage-users
- view-users
- impersonation
When I log in as this functional admin user I can manage users fine, however I cannot manage groups. I do see the ‘Manage Groups’ menu item in the admin console but when I click on it I get a “Forbidden. You don't have access to the requested resource.” and in the logs we see:
4:59:19,950 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms/graydon-customers/groups: org.keycloak.services.ForbiddenException
at org.keycloak.services.resources.admin.RealmAuth.requireView(RealmAuth.java:53)
at org.keycloak.services.resources.admin.GroupsResource.getGroups(GroupsResource.java:72)
at sun.reflect.GeneratedMethodAccessor664.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
Is the absence of roles for viewing and managing groups a shortcoming in Keycloak? If so, shall I create a JIRA ticket for it?
cheers
Edgar
8 years, 11 months
Keycloak - 2FA with SMS
by tech@psynd.net
Dear team,
Did anybody already try to implement 2FA with Keycloak? Is there any
documentation that could be followed? I need to implement password + SMS
token.
Thanks!
8 years, 11 months
Direct Grant and OAuth 2.0 error response
by Fabricio Milone
Hi,
I have a direct grant flow working correctly and returning all the
information I need using Mappers when the response is OK. However, I would
like to include more information in the error response when my Federator
doesn't authenticate the username, specifically, my own federator's error
codes/messages.
I've been reading the RFC and there is a parameter called error_description
in the error response, but I'm not sure how to add JSON there (only
US-ASCII chars are supported, afaik).
This is my architecture:
Mobile client ---direct access grant---> Keycloak -------validateUser---->
Federator
If Error
Federator ----response---> MyFederatorProvider (on validate() method, parse
the response and somehow include the error coming from the federator inside
the error_description field of the standard OAuth 2.0 response).
Can someone please give me a hint on this? Is there any other
(better/cleaner) way to do this?
Thanks in advance!
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
8 years, 11 months
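RFC 6749 section 5.2 does restrict error_description to %x20-21 / %x23-5B / %x5D-7E, which is printable ASCII without the double quote and the backslash, so a JSON document cannot be embedded in it as-is. The block below is an added example, not Keycloak's direct-grant endpoint or a real federation provider: it builds the token-endpoint error response, carries a federator code in error_description in a key=value form that needs neither forbidden character, and by default keeps the federator's detail out of the client-facing response, because telling an unauthenticated caller why a username failed also tells it whether the account exists. The error code, message and the ref= correlation field are constructed for illustration.

```python
# Added example (not Keycloak's direct-grant endpoint or a real federation
# provider): build the OAuth 2.0 token-endpoint error response from RFC 6749
# section 5.2 and carry a federator's own code in error_description without
# leaving the character set that field allows (%x20-21 / %x23-5B / %x5D-7E:
# printable ASCII without '"' and '\').  Error codes and messages below are
# constructed for illustration.
import json
import re
import uuid

# Characters RFC 6749 section 5.2 permits in error_description.
_ALLOWED = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]")


def sanitize_description(text, limit=200):
    """Replace anything outside the permitted set and cap the length."""
    cleaned = "".join(ch if _ALLOWED.fullmatch(ch) else "?" for ch in text)
    return cleaned[:limit]


def oauth_error(error, description=None, error_uri=None, status=400):
    """HTTP status, headers and JSON body for a token-endpoint error."""
    body = {"error": error}
    if description:
        body["error_description"] = sanitize_description(description)
    if error_uri:
        body["error_uri"] = error_uri
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    return status, headers, json.dumps(body)


def federator_failure_to_oauth(fed_code, fed_message, expose_detail=False):
    """Map a federation failure onto invalid_grant.  With expose_detail=False
    the client gets only an opaque reference and the detail stays in the
    server log, so the response does not reveal whether the account exists;
    with expose_detail=True the federator's code and message travel in a
    key=value form that needs no quotes or backslashes."""
    ref = uuid.uuid4().hex[:12]
    if expose_detail:
        description = f"federator_code={fed_code}; reason={fed_message}; ref={ref}"
    else:
        description = f"Invalid user credentials; ref={ref}"
    log_line = f"direct-grant failure ref={ref} code={fed_code} message={fed_message!r}"
    return oauth_error("invalid_grant", description), log_line


def demo(fed_code="F1001", fed_message='LDAP bind failed: "account locked" (caf\u00e9)'):
    """Both variants for one constructed federator failure, bodies parsed back."""
    hidden, hidden_log = federator_failure_to_oauth(fed_code, fed_message)
    exposed, _ = federator_failure_to_oauth(fed_code, fed_message, expose_detail=True)
    return {
        "status": hidden[0],
        "hidden": json.loads(hidden[2]),
        "exposed": json.loads(exposed[2]),
        "log": hidden_log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A mobile client that needs structured detail can split the key=value pairs, and the ref= value lets support staff find the full federator message in the server log without it ever crossing the token endpoint. If richer machine-readable detail is genuinely required, error_uri pointing at a documented code table is the channel the RFC provides for it, again without putting JSON inside error_description.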