SAML response logs
by robinfernandes
Hi All,
Is there a way that I can see the SAML response objects in the logs? I was
checking the server logs and they are not showing up there for some reason.
Any help would be appreciated.
Thanks,
Robin
8 years, 11 months
Error while linking 2 Identity Providers
by Helder dos S. Alves
Hi.
I'm using Keycloak 1.7.0.Final and I'm having some troubles:
I logged in using my Facebook account, but when I try to log in using my
Google account (whose email is the same as Facebook's) I am getting the
error:
16:36:58,870 ERROR [io.undertow.request] (default task-54) UT005023:
Exception handling request to
/auth/realms/GJC-Websites/login-actions/first-broker-login:
java.lang.RuntimeException: request path:
/auth/realms/GJC-Websites/login-actions/first-broker-login
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:75)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.jboss.resteasy.spi.UnhandledException:
java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)
... 29 more
Caused by: java.lang.NoClassDefFoundError:
org/keycloak/broker/provider/BrokeredIdentityContext
at
org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:290)
at
org.keycloak.login.freemarker.FreeMarkerLoginFormsProvider.createIdpLinkConfirmLinkPage(FreeMarkerLoginFormsProvider.java:467)
at
org.keycloak.authentication.authenticators.broker.IdpConfirmLinkAuthenticator.authenticateImpl(IdpConfirmLinkAuthenticator.java:43)
at
org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:57)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:155)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:97)
at
org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:652)
at
org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:301)
at
org.keycloak.services.resources.LoginActionsService.firstBrokerLogin(LoginActionsService.java:528)
at
org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:487)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
... 37 more
Thanks in advance.
Helder S. Alves
8 years, 11 months
Manage Keycloak token inside of the client applications.
by ha.hamed@gmail.com
Hi,
I made an app use bearer authentication with Keycloak. I have another app
which wants to use this REST API.
As far as I know until now, it needs to get a token from the Keycloak server
(I use the POST method), then add this token to the request it needs to send.
But there's one important issue. This client wants to have access hundreds of
times each minute. Are there any tools for Keycloak to help me update the
token when it's required? I mean keep the token for example for 15 minutes
(validation time), then renew it when it's required. I made a stateful
class which gets the configuration and has a getToken() method. Then when the
other classes ask for a new token, if it has expired this method will
synchronously get a new one and return it (Direct grant). Is it right? Is there
anything standard inside of the Keycloak lib already?
Best regards,
Hamed
8 years, 11 months
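The cache-and-renew approach described in the message above, as an added example that is not part of the original post and not Keycloak's own code. `CachedTokenProvider`, `Token` and the injected `fetcher` (standing in for the POST to the token endpoint) are hypothetical names, and the fake endpoint and clock in `main` are constructed so the block runs offline.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Added example (Java 17): caches a bearer token and renews it shortly before expiry.
public final class CachedTokenProvider {
    // Token string plus the lifetime the token endpoint reported (expires_in).
    public record Token(String value, Duration lifetime) {}

    private final Supplier<Token> fetcher;  // hypothetical: does the POST to the token endpoint
    private final Supplier<Instant> now;    // injectable time source so expiry can be exercised
    private final Duration skew;            // renew this long before the real expiry
    private String cached;                  // guarded by this
    private Instant renewAt;                // guarded by this

    public CachedTokenProvider(Supplier<Token> fetcher, Supplier<Instant> now, Duration skew) {
        this.fetcher = fetcher;
        this.now = now;
        this.skew = skew;
    }

    // Synchronized: concurrent callers wait for one refresh instead of each requesting a token.
    public synchronized String getToken() {
        Instant t = now.get();
        if (cached == null || !t.isBefore(renewAt)) {
            Token fresh = fetcher.get();    // a failure propagates; the expired token is not returned
            cached = fresh.value();
            renewAt = t.plus(fresh.lifetime()).minus(skew);
        }
        return cached;
    }

    // Call when the API rejects the token (HTTP 401) so the next getToken() fetches a new one.
    public synchronized void invalidate() {
        cached = null;
    }

    public static void main(String[] args) {
        int[] calls = {0};                                          // constructed fake endpoint state
        Instant[] clock = {Instant.parse("2016-01-01T00:00:00Z")};  // constructed start time
        CachedTokenProvider p = new CachedTokenProvider(
            () -> new Token("token-" + (++calls[0]), Duration.ofMinutes(15)),
            () -> clock[0], Duration.ofSeconds(30));
        for (int i = 0; i < 300; i++) p.getToken();                 // hundreds of calls, one fetch
        System.out.println(p.getToken() + " after " + calls[0] + " fetch(es)");
        clock[0] = clock[0].plus(Duration.ofMinutes(14).plusSeconds(45)); // inside the skew window
        System.out.println(p.getToken() + " after " + calls[0] + " fetch(es)");
    }
}
```

The skew keeps a token from expiring in flight between `getToken()` and the API call, and `invalidate()` covers tokens revoked on the server before their stated lifetime ends.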
Create A New Group (name is not unique)
by Juraj Janosik
Hi,
is it a correct and expected behaviour in the group concept,
that the name of the group is not unique,
that means, that it is possible to create a new group with the same name?
The same behaviour occurs in Admin console and via REST API too.
[
  {
    "id": "150a8547-fd3f-4245-ab91-328d8afb83c2",
    "name": "group_tests",
    "path": "/group_tests",
    "subGroups": []
  },
  {
    "id": "bc7969e6-e7c9-4617-b03e-18665293636a",
    "name": "group_tests",
    "path": "/group_tests",
    "subGroups": []
  },
  {
    "id": "5447d305-a47e-4ad9-a29b-f478396accf6",
    "name": "group_tests",
    "path": "/group_tests",
    "subGroups": []
  }
]
Thanks.
Best Regards,
Juraj
8 years, 11 months
$urlRouterProvider
by Stuart Jacobs
Good Day,
I currently have an Angular application that uses $urlRouterProvider for
its routing; I cannot stop the application from performing an infinite loop
on the landing page.
Has anyone experienced this with $urlRouterProvider and is there a solution
to the problem?
Regards,
Stuart Jacobs
--
www.symbiotics.co.za
8 years, 11 months
Keycloak as SAML IDP and Identity Broker
by Marcel Dullaart
Hello,
For my current project I want to use Keycloak as identity broker to nicely
decouple the applications from the authentication mechanism.
In production the application will be secured with SAML 2.0, the IDP is
based on E-Directory.
In our development environment we use Keycloak in Docker.
My question is: can I use Keycloak as IDP in our development environment as
well as broker, by starting 2 separate containers, one named idp and the
other named broker?
If so what are the steps I need to take?
Thanks in advance!
Vriendelijke groet, Kind regards, Cordialement,
Marcel Dullaart
8 years, 11 months
Re: [keycloak-user] Different theme for each client
by Travis De Silva
Hi,
My vote is to provide this feature at a client level as per the original
request.
I think realms should be used for completely different domains when we want
to isolate users etc. Should not try and use it for something that it was
not intended in the design.
The reason why you might need theming at client level is if you really
think that clients which are essentially different applications most of the
time and each of these applications might have different look and feel
themes (either due to different development teams or vendors building
different applications).
So when someone logs in via Keycloak, it's true that we are logging into a
realm, but for an end user, it is really logging into an application and
there is a need for the login page theme to look similar to the application
look and feel.
Also I have a use case where I have a back office application that requires
login for admin users and then I have the front office of this application
where in addition to the admin users, you also can have other users as well
who can self register and login to the front end which is a consumer facing
site.
How I handle this is by having two clients in the same realm. This works
fine if you are happy with the same backend login theme to be there for the
consumer facing frontend. But we cannot do that as the front end is a
consumer facing SaaS site, so each front end needs to have the client's
website theme. This becomes very hard to do if we don't have theming at a
client level.
I came across this post from Bill a few months ago
http://lists.jboss.org/pipermail/keycloak-user/2015-July/002537.html
I am thinking to make use of the client variable that is available in
login.ftl and load different freemarker fragments that will then theme it
differently for each client. As mentioned by Bill, having many if
conditions might not be ideal but it might meet the requirement.
Cheers
Travis
8 years, 11 months
When using Keycloak as SP in SAML via filter i.e. SamlFilter, we get exception (details inside)
by Akshay Kini
Hi Folks,
We have configured Keycloak as an SP via filter.
Keycloak Version 1.7.0
We get this exception:
ERROR
[org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/].[AppName]]
Servlet.service() for servlet NasDefault threw exception:
java.lang.RuntimeException: This method is not supported in a restored
authenticated request
at
org.keycloak.adapters.servlet.FilterSessionStore$1.getDateHeader(FilterSessionStore.java:178)
[:1.7.0.CR1]
at
org.apache.catalina.servlets.DefaultServlet.checkIfModifiedSince(DefaultServlet.java:1731)
[:]
at
org.apache.catalina.servlets.DefaultServlet.checkIfHeaders(DefaultServlet.java:608)
[:]
at
org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:714)
[:]
at
org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:368)
[:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
[:1.0.0.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
[:1.0.0.Final]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324)
[:]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242)
[:]
... (trimmed)
...
at
org.keycloak.adapters.saml.servlet.SamlFilter.doFilter(SamlFilter.java:125)
[:1.7.0.CR1]
...(trimmed)
...
etc.
Any ideas on what this error means?
Thanks,
Regards,
Akshay
8 years, 11 months