October 2016 - keycloak-user - Jboss List Archives

StaleCodeMessage on IDP Initiated SAML SSO

by Chris Brandhorst

I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should. However, I can’t get IDP Initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name” field with a name (say “bbbbb”) in A. When I try to navigate to: http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb i always end up with the following logging: 22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null 22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage 22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage Which in itself is not surprising, because indeed, there is no Authorization code in play here, but that’s the whole idea of IDP Initiated SSO, no? What must I do to get this to work? Thanks, Chris Brandhorst

7 years, 3 months

2
4
0 / 0

ECP example?

by Carlos Villegas

I want to secure a servlet REST application. My client is java, so far I've been using apache httpclient. The Keycloak docs mention SAML ECP binding is supported, but I don't see an example. The admin pages seems to assume only POST or redirect binding. Does the client adapter support ECP binding. Any pointers or help on how to go about it? I need help on both the client adapter and how to use Keycloak as a SAML ECP IDP. Thanks, Carlos

7 years, 4 months

5
7
0 / 0

Keycloak with EZproxy

by Bill Kuntz

Has anyone successfully used Keycloak with OCLC's EZProxy? We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy. OCLC says " EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)." Thanks, Bill

7 years, 5 months

3
8
0 / 0

Out of memory error on Keycloak cluster

by robinfernandes .

Hi, We are using Keycloak 1.9.2.Final and have a cluster with an hap and 3 keycloak nodes behind it. For the first time in about 4-6 months we received errors that java heap space out of memory and the nodes just went down. We had around 100k users as well as 35k active connections at the time. We have around 512MB heap space assigned. I am not able to reproduce it after restarting the nodes. Is there any reason that this could happen?

7 years, 5 months

3
4
0 / 0

Creation UI for new authentication schema configuration.

by Michael Furman

Hi all, I want to add support for the new authentication schema. How can I add UI for new authentication schema configuration? For example, I want to add the TACACS authentication schema. Therefore I need to configure the TACACS server IP and the secret. May be I have missed but I can not find it here: https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s... Thank you in advance for your help. Best regards, Michael

7 years, 5 months

4
14
0 / 0

Having difficulty logging out in a 2 client scenario

by Chris Savory

Our application has 2 clients: 1. A Confidential Client that uses the Spring Security Adapter 2. A Public Client that uses the JavaScript Adapter for an Angular SPA app. Everything between the two is working fine until I try to logout under certain conditions. Logout works fine if I first: deep link into a protected page in my app. The SpringSecurity adapter for client# 1 redirects me to Keycloak. Keycloack then logs me in and sends me back to my app where my token was issued for client #1. If I logout under this scenario via the SpringSecurity adapter it works fine. In Scenario #2 I first hit an Angular page in my app. Then I log in from the JS Adapter in client #2. Then through a Rest call to my Spring App (which a Bearer token is passed) a java session is established on Tomcat. When I put some break points in the Keycloak Adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token. I can also see that the token was issued for client #2. When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and keycloak returns a 400 error, thus nullifying the logout. I also tried another scenario where use the JS Adapter get the logout URL and logout directly to Keycloak via “window.location = keycloak.createLogoutUrl({ redirectUri: “/site-url”) }). This actually logs out the user from all clients (which is what I want), but the problem here is on the next request to the Spring app I think there is still an HttpSession alive and I’m running into the check in SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is already an (old) token inside the SecurityContextHolder. Any advice on how to proceed from either of these two scenarios? -- Christopher Savory Software Engineer | EdLogics

7 years, 6 months

2
4
0 / 0

Redirect Issue with keycloak behind proxy and app behind Keycloak security proxy

by Guy Bowdler

hi all, We have the following set up with two DMZ boxes, one running a single KeyCloak security proxy and sending requests to a local NGINX proxy which farms out requests to internal applications. This should allow us to maintain a single namespace for all applications (<hostname>/appname redirects to appname.local) and gives authenticated visibility of who's accessing what at the front end proxy. DMZ: [KeyCloakSecProxy:80 ---> NGINX:8080] ---> TRUST: [Various applications] ---> TRUST: [Various applications] Keycloak runs on its own server and is published via an NGINX proxy in the DMZ DMZ: [NGINX:80] ---> TRUST: [Keycloak:8080] So clients hit the KeyCloak security Proxy, are redirected to KeyCloak and then after logging in, we get an "invalid Redirect URI" error from Keycloak. We've found that for some reason, the redirect URL from KeyCloak is appending the :8080 port value from the KeyCloak Security proxy (verified as if we change this port number, the value changes in the redirect URL). It's like KeyCloak is redirecting back to the NGINX:8080 proxy direct rather than back to the KeyCloak security proxy, which is what we were expecting. This is possibly by design, or possibly a bug, or possibly a side effect of our configuration. Has anyone tried using the KeyCloak security proxy in this manner? It's clear that the intended use is as a single instance adapter for a single local application, whereas our application happens to be an nginx proxy redirecting to different applications using location directives.

7 years, 6 months

3
4
0 / 0

Backend to Backend Call

by Morse, Alexander (US - Newton)

Hi, Want to know the recommended approach for having asynchronous backend services that are secured through bearer tokens call each other. We have an interactive web application that calls a backend service. The JavaScript adapter places the access token in the Authorization header. This backend services starts an asynchronous job that then calls another backend service, passing along the same Access Token. The problem arises when the access token has expired while the first job was processing. Seems like one relatively straight forward approach would be to have the front end pass a refresh token to the backend, which it can use to obtain a new access token. Are there better approaches? The adapters do not seem to natively support this. Thanks, Alex This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and any disclosure, copying, or distribution of this message, or the taking of any action based on it, by you is strictly prohibited. v.E.1

7 years, 6 months

2
3
0 / 0

Creating the UI using REST API

by Michael Furman

Hi all, We need to create our own UI using REST API. I have authenticated a user in UI (http://localhost:8080/auth/admin/master/console/#/realms/master ) and then I have tried to open some REST API from a browser in the new tab (for example http://localhost:8080/auth/admin/realms/master/clients). Unfortunately I get HTTP 401 barrier error. I see that I need the barrier token if I access REST API from the command line: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/... What UI should do to access REST API? Also to allocate the barrier token and then to access REST API? Do you have any JS lib that make the process easier? Thank you in advance for your help. Best regards, Michael

7 years, 6 months

2
3
0 / 0

Exception with User Storage SPI priority configuration

by Niko Köbler

Hi, I just implemented the User Storage SPI as replacement for our User Federation SPI. Creating the User-Storage Provider works w/o errors, but not Priority value will be saved. When updating the Provider with a value for Priority, it will fail with an exception (see below), updating the Provider without setting a value for Priority works. Do I have to implement/configure something special to get it work? I based my implementation on the user-storage-jpa-example, provided with Keycloak. Or is it a general error? Should a create a Jira issue for it? The exception/stack trace: 16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"]) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184) at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"]) at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19) at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26) at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523) at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95) at com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285) at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248) at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136) at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410) at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61) at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151) ... 48 more Regards, - Niko

7 years, 6 months

3
11
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user October 2016