Keycloak 1.8.1 JMeter Performance Test - Login, Refresh Token
by Mustafa Kuru
Hi,
I am testing Keycloak's Login and Refresh Token with JMeter but getting
errors (~1.50% of responses) by refreshing token.
Login responses are ok.
Path:{server}:8080/auth/realms/customer/protocol/openid-connect/token
The JMeter configuration: 20 Threads, Ramp-Up Period: 5
Responses looks like:
{"error_description":"Client session not active","error":"invalid_grant"}
{"error_description":"Session not active","error":"invalid_grant"}
Keycloak is clustered on the server and has 3 nodes.
Do you have any idea?
Thanks,
Kind regards
Mustafa Kuru
7 years, 6 months
Performance issues with large number of realms (500+)
by Gabriel Lavoie
Hi,
our Keycloak setup is being used in a multi-tenant fashion with a
large number of realms assigned to different instances of our application
(multiple customers). We are now seeing a few performance issues with the
startup and administration.
First question: Do you have guidelines on a maximum number of realms that
Keycloak should support before we split in smaller clusters?
I traced at least 2 things in the KC code that could be improved. Should I
open tickets for both?
1 - Slow startup (5 minutes with 500 realms):
In the KeycloakApplication class constructor, the "isNewInstall()" test to
check if the master realm must be created triggers the loading and caching
of all realms. This loading seems to be hit with a similar issue that I had
in the past with realm export: https://issues.jboss.org/browse/KEYCLOAK-2413
The named query that gets executed a lot of times in
RealmAdapter.getAuthenticationExecution() triggers a flush within Hibernate
every times. If the flush mode gets set to "COMMIT" (can't be changed by
default but I tested it), the loading time goes down to approximately 30
secs which is acceptable.
It would likely be a good idea to create a read-only transaction with the
flush mode set to COMMIT during startup to pre-fill the cache, then
continue with the rest of the initialization. When the cache is filled,
accessing info on all realms seems to be fine.
2 - Slow display of the master realm admin screen.
When accessing the admin screen, AdminConsole.whoAmI() eventually process
all the roles on all the realm for the admin
user. KeycloakModelUtils.searchFor() gets called a lot of times to navigate
through all the composite permissions. With 500 realms, the user has about
6500 total permissions available. This part of the code would likely
benefit a lot from a cache of the exploded composite permissions.
Thanks,
Gabriel
--
Gabriel Lavoie
glavoie(a)gmail.com
7 years, 6 months
Custom Registration Form
by Bruno Palermo
Hi,
I'm developing a custom theme for Keycloak, and would like to know if it's possible to bring the registration form pre-filled with some information, like an affiliation code, from the query string?
Thanks,
Bruno Palermo
7 years, 6 months
method level role based authorization
by java_os
Question to the group,
I want to do method level role based authorization (aka @RolesAllowed)
with the constraint that i cannot use sprig security(broken in jboss
eap7).
Anyone has done this ? I want to do it by annotations at method level,
instead of cluttring the code checking the role and send 403 if role not
allowed,ugly.
Thanks
7 years, 6 months
Keycloak AuthZ Client - Link resource/scope to policy/permission via API
by FREIMUELLER Christian
Dear all,
I've a question regarding the authZ client.
Is there a way to connect the resources created with the client with policies/permissions via the API, or is there only the HMI (Admin Console) to make this connection?
The thing is we would like to use Keycloak for defining the access rights on thousands of resources (objects like database entries, files) and it would be very cumbersome to do this by hand for each single resource.
Or is this authorization service meant to be used in another way (protecting URI for applications) only?
Best regards,
Christian
7 years, 6 months
Null pointer in keycloak saml adapter
by Pulkit Gupta
Hi Everyone,
I am seeing something unusual.
We have multiple Keycloak configured applications on a 2 LB Jboss boxes.
One application is working perfectly fine. However in the other application
I am getting the below error. As per the resolution on access.redhat.com it
seems that this issue is related to some Jboss version and needs an upgrade.
However I am not convinced as if this is the case then how the other
application is working fine.
>From the below code it seems this is a bug in the keycloak itself.
Can you please check if indeed this is correct. Also in case this is a bug
then how can we proceed.
**CODE SNIPPET**
org.keycloak.adapters.saml.CatalinaSamlSessionStore
Line number 155-156
GenericPrincipal principal = (GenericPrincipal) session.getPrincipal();
if (samlSession.getPrincipal().getName().equals(*principal.getName()*))
// in clustered environment in JBossWeb, principal is not serialized or saved
if (principal == null) {...
We are first using principle to get the name and then checking if the
principle is null.
**ERROR**
2016-10-18 23:11:37,695 [ajp-/10.7.24.224:8009-21] ERROR
[org.apache.catalina.connector] JBWEB001018: An exception or error occurred
in the container during the request processing:
java.lang.NullPointerException
at org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLogged
In(CatalinaSamlSessionStore.java:156)
at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.
invoke(AbstractSamlAuthenticatorValve.java:183)
at org.jboss.as.web.security.SecurityContextAssociationValve.
invoke(SecurityContextAssociationValve.java:169)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHo
stValve.java:145)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo
rtValve.java:97)
at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredS
ingleSignOn.java:356)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
at org.apache.catalina.core.StandardEngineValve.invoke(Standard
EngineValve.java:102)
at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26)
at com.redhat.container.redirect.RedirectToInternalValve.invoke
(RedirectToInternalValve.java:61)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd
apter.java:336)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.
process(AjpProtocol.java:420)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
at java.lang.Thread.run(Thread.java:745)
--
Thanks,
Pulkit
AMS
7 years, 6 months
Keycloak angular SPA example does not work against an external Keycloak server - browser reject server response XHR
by Niels Bertram
Hi guys,
I have configured the keycloak angular example
<https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a...>
to utilise a production grade setup Keycloak server and the example ends up
in an endless redirect loop.
I can see that the Keycloak server POST response in the authorization code
exchange contains 2 identical Access-Control-Allow-Credentials headers,
which the Chrome browser cannot understand and then subsequently fails the
XHR request. I included the full HTTP trace below for reference.
Keycloak server is 1.9.8 (RH SSO 7.0.0) and I tried 1.9.8 and 2.2.1
Keycloak JavaScript clients but given the browsers refuse to accept the
server response headers the client is pretty much irrelevant.
Did anyone of you ever came across this issue?
Cheers,
Niels
*Request*
URL:
https://sso.server.com/auth/realms/[redacted]/protocol/openid-connect/token
Request Method:POST
Status Code:200 OK
Remote Address:[redacted]:8080
*Request Headers*
POST /auth/realms/[redacted]/protocol/openid-connect/token HTTP/1.1
Host: sso.server.com
Connection: keep-alive
Content-Length: 205
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X)
AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143
Safari/601.1
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://localhost:8080/angular-product/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,de;q=0.6
Cookie:
KEYCLOAK_STATE_CHECKER=[redacted];KC_RESTART=[redacted];KEYCLOAK_IDENTITY=[redacted];KEYCLOAK_SESSION=[redacted]
*Form Data*
code=[redacted]&grant_type=authorization_code&client_id=example-spa-app&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fangular-product%2F
*Response Headers*
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 06:13:24 GMT
*Access-Control-Allow-Credentials: true <-- Chrome cannot understand this*
*Access-Control-Allow-Credentials: true** <-- Chrome cannot understand
this*
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Content-Type: application/json
Content-Length: 3795
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
7 years, 6 months
Scope based roles
by Stadin, Benjamin
Hi,
I want to keep my roles and permissions simple, but I have some specific requirements and I’m struggling to map these to Keycloak groups or roles. For an example, I need to assign users to predefined roles based on their current „location“. Instead of describing the actual roles of my portal, I’ll use a student portal to give an example of what I’m looking for. It should be more self-explanatory.
Think of a student portal where there is a „global“ area where students can see the courses they are enrolled in, and „course“ areas for each of the courses with course material etc:
* Students can sign in to the student portal with their student id. They can see their courses on the „global“ page, but not others.
* Students can’t create courses, but they can be administrators within selected courses (think of tutors which get another role assigned by a course’s professor)
* Professors can see all courses, and create new ones. They can enroll students into courses and assign them a specific role for this course (e.g. tutor, guest, „normal student“).
* Professors have no permissions to courses they don’t own
Roles and permissions.
As mentioned above, there are two scopes global and course. A user has one role at a time, depending on his/her current location.
* GLOBAL_PROFESSOR: This is the role a professor has on the global scope. Here she/he can create new courses, and administer (create, delete, open, close) his own courses. Has otherwise no permissions for courses of other professors.
* COURSE_PROFSSOR: This is the role a professor has on the course scope. Here she/he has admin rights, can assign course roles to students etc. as explained above.
* GLOBAL_STUDENT: The role a student has on the global scope. Here she/he can see courses, but can’t do much else.
* COURSE_STUDENT: The role a student has within the scope of a particular course. E.g. See all course materials, upload new stuff, post messages in a course forum, etc.
* COURSE_TUTOR: Same as student, plus they can e.g. Enroll students to the course, delete assets of other students of this course, etc.
* COURSE_GUEST: Can view course content, but can’t upload files or do much else but view and download stuff
I could create groups for each of the courses and each role – but that is actually what I’d rather want to avoid for maintenance reasons and simplicity.
What group and role definition model would you suggest me with Keycloak?
Cheers
Ben
7 years, 6 months
