November 2016 - keycloak-user - Jboss List Archives

by Georgobasiles, Georgios (AMOS SE)

Dear all, I’m trying out a scenario where users are forced into different login flows depending on their browser’s user agent HTTP header: all users have to log in over a SAML IP and, in addition, users who don’t use IE need to go through an OTP form. I’ve set up a SAML IP with a post login flow that consists of a single “Conditional OTP Form” execution. For test purposes, the only condition in that execution is a “Skip OTP for Header” which is “User-Agent:.*MSIE.*” with a fallback OTP handling to “force”. I noticed that when the execution is marked as “required”, an OTP form is always shown to the user regardless of their browser’s user agent and when it’s marked as “optional”, the user never gets to see the OTP form, so it looks like the condition on the HTTP header is always ignored. What am I missing? version: 2.3.0 final

9 years, 5 months

3
2
0 / 0

Jackson Exception updating user password via REST

by Edem Morny

Hi, I recently upgraded from Keycloak 1.5 to 2.3.0.Final, and my previously working invocations of the "update password" REST API now fails on the Keycloak server with the following exception on the keycloak output. 16:09:50,970 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-65) RESTEASY002005: Failed executing PUT /admin/realms/caewex/users/011aa181-45cd-4e34-95c1-5f0f23674b42/reset-password: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "config" (class org.keycloak.representations.idm.CredentialRepresentation), not marked as ignorable (12 known properties: "period", "hashIterations", "digits", "hashedSaltedValue", "algorithm", "value", "temporary", "device", "createdDate", "salt", "type", "counter"]) at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@157c188d; line: 1, column: 213] (through reference chain: org.keycloak.representations.idm.CredentialRepresentation["config"]) Any idea what I might be doing wrong?

9 years, 5 months

1
0
0 / 0

Client Registration and OpenShift

by Juraci Paixão Kröhling

Hello, Has anyone performed any work around automating client registrations in the context of OpenShift applications? I'm automating the setup of Hawkular APM for OpenShift, and I would like to add an option to "plug" Keycloak to the mix. The first idea is to create a Keycloak server on the namespace/project and use a wrapper script on APM's standalone.sh to call /auth/realms/master/clients-registrations/default, saving the client information then to the standalone.xml. If someone has done something like this before, I'd like to chat a bit before I go forward with this option. - Juca.

9 years, 5 months

1
0
0 / 0

Infinispan state transfer timeout on startup + Serialization exception on the other node

by Gabriel Lavoie

Hi Stian, during load/crash tests, we've encountered a few times the Infinispan error described in the following ticket when restarting the "failed" node: https://issues.jboss.org/browse/JBEAP-6002 As this would require an Infinispan update, do you think changing the distributed cache to replicated caches could be an acceptable/tested workaround? Thanks! Gabriel -- Gabriel Lavoie glavoie(a)gmail.com

9 years, 5 months

3
3
0 / 0

Access token does not contain permissions key

by Cristi Cioriia

Hi guys, I've introspected an access key for one of my Keycloak applications and noticed that it does not contain a permissions key in it (as decribed in here: https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.2/t...), but instead it contains a resource_access/Vertx-server/roles key. My question is:what do I need to do in order to receive a permissions object in the access token as described in the above document? The url I used for retrieving the access token looks like this: http://localhost:9090/auth/realms/master/protocol/openid-connect/token/in... My use case looks like this: I do have in my Vertx-server application a role based policy that uses a role named "employee" and a permission that protects one of my resources using that role based policy. Then when my client application named Vert-x client requests an access token to access the protected resource from the Vertx-server, the access token looks like this: { "jti": "565fbecf-1ef5-4059-9309-fe3fca5d74bd", "exp": 1478699031, "nbf": 0, "iat": 1478695431, "iss": "http://localhost:9090/auth/realms/master", "aud": "Vertex-client", "sub": "0ba24c3e-2fe6-49f2-80b1-08023a236cd6", "typ": "Bearer", "azp": "Vertex-client", "auth_time": 1478695431, "session_state": "6e262177-dfd3-498f-a1f2-7a09bd04ff42", "name": "", "preferred_username": "admin", "acr": "1", "client_session": "9fc92504-a541-4757-8960-19d7f5457384", "allowed-origins": [ "http://localhost:8282" ], "realm_access": { "roles": [ "create-realm", "admin", "uma_authorization" ] }, "resource_access": { "Vertex-server": { "roles": [ "employee" ] }, "master-realm": { "roles": [ "view-identity-providers", "view-realm", "manage-identity-providers", "impersonation", "create-client", "manage-users", "view-authorization", "manage-events", "manage-realm", "view-events", "view-users", "view-clients", "manage-authorization", "manage-clients" ] }, "account": { "roles": [ "manage-account", "view-profile" ] } }, "client_id": "Vertex-client", "username": "admin", "active": true } Thanks, Cristi

9 years, 5 months

1
0
0 / 0

Possible to create a SecurityIdentityProviderFactory with custom provider?

by Ben Pittman

I'm running Keycloak 1.9.8.Final. I just want to add another social provider with some custom logic (boilerplate OpenID won't work in my case). I've registered my module that overrides SecurityIdentityProviderFactory and provided my own Provider and Factory classes but get a 'resource not found' when I try and access the provider from the Keycloak UI. I've also tried adding my own LoginProtocolFactory module and I see it get registered on startup but there is no item for it in the 'add provider' identity drop-down..... Is what I'm trying to do just not possible? Or is there something obvious I'm missing outside of registering modules above to get this to work? Regards, Ben

9 years, 5 months

2
3
0 / 0

Is it possible to pass the keycoak headers back to NGINX reverse proxy

by Guy Bowdler

Hi, We have an NGINX proxy in DMZ sending requests back to a Keycloak Security Proxy protecting an app in trust. We previously had this the other way round with the keycloak proxy in front of NGINX and were able to log the keycloak headers in the NGINX access logs. However, we've since had to reverse this situation and the browser only seems to have the keycloak cookie, hence the NGINX reverse proxy can't log the usernames any more. Is there a way to make the nginx reverse proxy aware of the keycloak headers? Ideally I'd prefer to get NGINX to redirect to keycloak, instead of the keycloak security proxy but it's a bit beyond me at the moment. thanks Guy

9 years, 5 months

1
0
0 / 0

High Utilization with Keycloak Spring Boot adapter

by Alan Gibson

Hello all, During load testing the REST API of a Spring Boot based microservice, we noticed that Keycloak was forming a huge bottleneck. We had 3 instances of Keycloak (running in clustered mode), each of which was consuming 100% of 8 Xeon CPUs, while only hitting about 80 API calls per second. The load test itself used 800 concurrent users, each doing 1 HTTP request every 100 milliseconds. It looks like every time a POST is made to the REST API, Spring Boot makes a call to Keycloak to (re)authenticate the user. The Keycloak logs are filled with: 2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-74) RESTEASY002315: PathInfo: /realms/proxy/protocol/openid- connect/token 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) AUTHENTICATE CLIENT 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) client authenticator: client-secret 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) client authenticator SUCCESS: client-secret 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) Client devicereportreceiver authenticated by client-secret 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) AUTHENTICATE ONLY 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) processFlow 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-username requirement: REQUIRED 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-username 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) authenticator SUCCESS: direct-grant-validate-username 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-password requirement: REQUIRED 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-password 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate 2016-11-06 11:48:07,821 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-74) begin 2016-11-06 11:48:07,821 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-74) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo@25df8309[userName=postgres]) [0/20] 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) authenticator SUCCESS: direct-grant-validate-password 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-otp requirement: OPTIONAL 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-otp 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) authenticator ATTEMPTED: direct-grant-validate-otp 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) Using full scope for client 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) Using full scope for client 2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74) type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED, ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED, grant_type=password, refresh_token_type=Refresh, refresh_token_id=REMOVED, client_auth_method=client-secret, username=REMOVED 2016-11-06 11:48:09,739 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-74) committing 2016-11-06 11:48:09,751 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-74) KeycloakDS: returnConnection(2aab4b06, false) [0/20] The Spring Boot application.properties looks like keycloak.realm=REMOVED keycloak.realmKey=REMOVED keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER} keycloak.ssl-required=none keycloak.resource=REMOVED #keycloak.use-resource-role-mappings=true keycloak.enable-basic-auth=true keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET} keycloak.cors=true keycloak.cors-allowed-headers=x-requested-with,origin,content-type,accept, authorization keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS keycloak.cors-max-age=3600 keycloak.expose-token=true keycloak.bearer-only=true keycloak.securityConstraints[0].securityCollections[0].name=REMOVED keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/REMOVED keycloak.securityConstraints[1].securityCollections[0].name=REMOVED keycloak.securityConstraints[1].securityCollections[0].authRoles[0]=DEVICE keycloak.securityConstraints[1].securityCollections[0]. patterns[0]=/REMOVED/* So my questions are: 1. Would you expect to see this kind of high utilization with my test scenario? 2. Should the Keycloak Spring Boot adapter be reauthenticating with every request, as opposed to caching the authentication results for a short period of time, or just relying on normal HTTP sessions? Br, Alan

9 years, 5 months

3
5
0 / 0

Can not authenticate user using Spring Security Adapter

by Michael Furman

Hi, I will appreciate your help on the issue below. I try to configure Spring Security Adapter (version 2.3.0.Final): https://keycloak.gitbooks.io/securing-client-applications-guide/content/t... I suppose that Keycloak uses the static client registration since when I tries to connect without the client configuration in Keycloak I get the following: 16:15:43,174 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=st_1, userId=null, ipAddress=192.168.111.33, error=client_not_found Please note that I was able to connect to Keycloak using non Keycloak OIDC client using the following configuration: a) clientId b) clientSecret c) Scopes d) redirectUris Therefore I have configured the client at Keycloak using the same information. I am not sure what is "Valid Redirect URIs" and I have configured the following value: http://192.168.110.2:8081/app/sso/login Now client redirects to Keycloak IDP using this URL http://192.168.110.2:8080/auth/realms/master/protocol/openid-connect/auth... I authenticate the user and IDP returns URL back to the client using this URL: http://192.168.110.2:8081/app/sso/login?state=14%2F9a4376fa-06e2-4188-a61... Unfortunately then I have the endless loop. While I debug KeycloakAuthenticationProcessingFilter I see that AuthOutcome get value NOT_ATTEMPTED and it cause additional redirect to IDP. What I missed? I have opened the bug https://issues.jboss.org/browse/KEYCLOAK-3868 with attached json file and Spring Security configuration. Best regards, Michael

9 years, 5 months

1
1
0 / 0

Keycloak Commercial support

by Michael Furman

Dear people, How can we get the Keycloak Commercial support? Can not find any information except this: http://blog.keycloak.org/2016/03/commercial-support.html <http://blog.keycloak.org/2016/03/commercial-support.html> What the commercial support will include? Will it support faster answer on the questions? Faster bug resolution? Thank you in advance, Michael

9 years, 5 months

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user November 2016