Custom Required Action
by Bruno Palermo
Hi,
I'm trying to develop a custom required action to verify the user email without relying on the user session and allow the confirmation link to live longer.
Let's say I send the user email as query parameter on the confirmation link.
Is it possible to search the database directly using this email and avoid using 'RequiredActionContext getUser()'?
Thanks,
Bruno
8 years, 1 month
keycloak consuming saml
by java_os
Group
Portal where users authenticated in adfs and need to add a link to my
webapp protected by keycloak. Users click on link should trigger a saml
post into keycloak, consume the assertion and let user in.
Given this scenario how could I configure keycloak to receive the
assertion and give my webapp an oidc token. Is this doable? Was looking at
identity brokering, but this triggers request from keycloak to idp. I
think my case is idp initiated saml post. Is it possible to use id
brokering in this case, or how does anyone solve this scenario?
Thanks
8 years, 1 month
Admin Client
by Bruno Palermo
Hi,
I'm trying to use the keycloak-admin-client.
Keycloak kc = KeycloakBuilder.builder()
        .serverUrl(serverUrl)
        .realm("master")
        .username("username")
        .password("password")
        .clientId("admin-cli")
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
        .build();
UserRepresentation user = kc.realm(realm)
        .users()
        .get("userId")
        .toRepresentation();
But it returns an error:
Caused by: java.lang.LinkageError: loader constraint violation: loader (instance of org/jboss/modules/ModuleClassLoader) previously initiated loading for a different type with name "org/keycloak/representations/idm/RealmRepresentation"
Any ideas?
Thanks,
Bruno
8 years, 1 month
Hi, can I please ask someone to edit the upgrade notes?
by Kevin Thorpe
Hi, just going through an upgrade from 1.7.0.Final to 2.3.0.Final. Didn't
see anything in the notes but this doesn't do the database upgrade
successfully. It did work going through 2.0.0.Final but there may be more
than one way to do this. It's related to the appearance of the
CLIENT_TEMPLATE table. Can someone please add this information to the
upgrade notes.
*Kevin Thorpe*
8 years, 1 month
password history not always correctly considered
by Bystrik Horvath
Hello,
I have a realm where password history was set to 3. When I try to set the
password for a user too fast (via REST API), I'm able to use one of the
passwords that should be recorded as not usable. When I put a small sleep
between the password changes (approx. 300 ms), the use case works fine - so
I'm not allowed to use any of the 3 recorded passwords from the history. I
tested the case using 1.9.3 Final and 2.2.1 Final with same results.
It looks to me like a bug, isn't it?
Thank you for the answer & best regards,
Bystrik
8 years, 1 month
Stuck in Email Validation question
by Hartmut Benz
Hi all,
I have a question about how I can get (a user) out of a Validate-Email
deadlock that can result in our use case.
Situation:
New users can register with Social Login, Email verification is On,
but for policy reasons, we do not use the incoming email from the
Identity Provider, but require the user type in another email.
Case:
A user registers with (for instance) Google, but puts a typo in the
email address entered in the registration page.
Upon submit, the validation mail goes to Nirvana (the mis-typed email
address) and the user is stuck with no way out I can discover.
He cannot validate the email that he cannot receive.
Every time he logs in (with Google), he gets the page that he needs to
validate the email before proceeding.
Is there a method to get out of this deadlock without involving a
helpdesk call to delete 'stuck' user?
Many thanks in advance
Hartmut
8 years, 1 month
Keycloak 2.2.1 and Apache + mod_cluster
by Vincent Sourin
Hello,
I've got a strange behavior with Keycloak instance (version 2.2.1 Final) behind an Apache Reverse Proxy (with Mod_cluster).
First of all, here is my test environment : https://postimg.org/image/z7xrb08ev/
I think it's worth mentioning that:
* Wildfly & keycloak are installed on the same servers but each in separate instances (not using overlay deployment)
* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use Websocket with wildfly
So, in this configuration, applications deployed on wildfly instances work well but I got some problems with Keycloak.
Reaching keycloak "auth" page (https://XXXXXXX/auth/) works fine but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to plain http connection and so the request failed.
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.
Here is a snippet of my keycloak configuration:
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
        <https-listener name="https" enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
        [...]
</subsystem>
[...]
<subsystem xmlns="urn:jboss:domain:modcluster:2.0">
    <mod-cluster-config advertise-socket="modcluster" connector="default">
        <dynamic-load-provider>
            <load-metric type="cpu"/>
        </dynamic-load-provider>
    </mod-cluster-config>
</subsystem>
[...]
<socket-binding-groups>
    <socket-binding-group name="ha-sockets" default-interface="public">
        [...]
        <socket-binding name="proxy-https" port="443"/>
        [...]
    </socket-binding-group>
</socket-binding-groups>
Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?
Thanks for your help.
Vincent.
8 years, 2 months
Oracle Database Connection Issues
by Thomas Barcia
I'm experiencing errors with Keycloak connected to an Oracle database. It was working fine and we didn't notice the errors until after upgrading to 2.2.1.
The errors:
2016-10-26 11:35:19,502 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) SQL Error: 17008, SQLState: 08003
2016-10-26 11:35:19,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) Closed Connection
2016-10-26 11:35:19,504 ERROR [org.keycloak.services] (Timer-3) KC-SERVICES0089: Failed to run scheduled task ClearExpiredEvents: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492)
at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:99)
at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:424)
at org.keycloak.services.scheduled.ClearExpiredEvents.run(ClearExpiredEvents.java:34)
at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:53)
at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:49)
at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90)
at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner.runTask(ClusterAwareScheduledTaskRunner.java:49)
at org.keycloak.services.scheduled.ScheduledTaskRunner.run(ScheduledTaskRunner.java:44)
at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:51)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148)
at org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1928)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1897)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875)
at org.hibernate.loader.Loader.doQuery(Loader.java:919)
at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336)
at org.hibernate.loader.Loader.doList(Loader.java:2611)
at org.hibernate.loader.Loader.doList(Loader.java:2594)
at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423)
at org.hibernate.loader.Loader.list(Loader.java:2418)
at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501)
at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371)
at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216)
at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326)
at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
... 11 more
Caused by: java.sql.SQLRecoverableException: Closed Connection
at oracle.jdbc.driver.PhysicalConnection.prepareStatement(PhysicalConnection.java:3587)
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:778)
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:764)
at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
... 28 more
Here's the datasource config:
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:oracle:thin:@dbserver:1550:instance</connection-url>
    <driver>oracle</driver>
    <pool>
        <min-pool-size>5</min-pool-size>
        <max-pool-size>200</max-pool-size>
        <prefill>true</prefill>
    </pool>
    <security>
        <user-name>KEYCLOAK</user-name>
        <password> </password>
    </security>
    <validation>
        <background-validation>true</background-validation>
        <check-valid-connection-sql>select 1 from dual</check-valid-connection-sql>
    </validation>
</datasource>
The H2 datasource is still in the standalone-ha.xml as is the h2 driver but they've never been used or modified.
As I said, this has been working perfectly but suddenly appears to be closing connections despite having the automatic validation turned on. This only happens with the production environment and experiences no issues in the DEV environment that has the same config except for being connected to a different DB server. The DBAs are seeing only 5 connections in this environment but more in DEV.
Any help would be appreciated.
8 years, 2 months