Issue with Keycloak startup in AWS as a docker
by Jagannadha Rekala
Hello,
We are running Keycloak (database: Oracle 12c) on AWS as a docker in an EC2 instance. Keycloak deployment is successful via the cloud formation but the startup failed with Keycloak receiving the TERM signal. We have amazon-agent along with Keycloak's docker to spin a new container of Keycloak. Amazon-agent starts a new Keycloak container within a minute. The second time startup of Keycloak fails as well with a different error (where it is not able to create a new table while the name already exists - ORA-00955).
This is happening at random. Sometimes the Keycloak instance starts well the first time, without any issues. I have attached the logs of the Keycloak container starting the first time after deployment and the second time, when the amazon-agent spins up a new container. Keep in mind that the logs are bottom-up; read from the bottom up for the sequence. Ultimately, from the logs we understood that it is trying to create the tables the second time but those tables already exist.
Please let us know if you have encountered this kind of issue or have any pointers as to where the issue could be: why the first time the container receives a TERM signal, and why the second time it cannot overwrite the tables while the migration strategy is set to update in the standalone.xml. Any help would be appreciated.
Thanks,
Jagan Rekala
7 years, 5 months
Questions about realms
by Known Michael
Hey,
Questions about realms:
Should we use the default master realm or create our own realm?
What is better?
7 years, 5 months
login form action wrong protocol
by Uli SE
Hi,
I'm setting up a new keycloak 2.3.0. It's behind an apache proxy which
terminates ssl.
My only problem is that in the login-form the action has the wrong
protocol (http instead of https). It has the correct hostname, and my
apache is forwarding all necessary headers correctly (I think).
In
<form id="kc-form-login" class="" action="${url.loginAction}" method="post">
url.loginAction is perfectly built, but has the wrong protocol.
If I overwrite this in the browser, everything works perfect. Could you
please tell me, which option will setup this uri correctly?
Many thanks,
Uli
7 years, 5 months
ServletFilter Adapter Cookie Token Store
by Laghuvaram, Raghu
I see that cookie token-store would not be supported until 2.x as per the
comments in https://issues.jboss.org/browse/KEYCLOAK-2662. Is it fixed in
any of the recent versions? It seems like it's not working in 2.3.0 Final.
Thanks,
Raghu
7 years, 5 months
Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
by Andrey Saroul
We have an idea to isolate our application in our internal network so that
all communication in that network can go by HTTP.
So we've set up a public nginx server, which is responsible for
establishing https connections.
The public nginx server forwards requests to another nginx server in the secured
internal network, which in turn accesses Keycloak and WildFly by HTTP.
But this configuration is not working because of an invalid redirect issue.
In our client's json file we have to define auth-server-url with the HTTPS
scheme. When we try to specify HTTP, Keycloak no longer works.
So my question: is it possible to make things work by HTTP in the internal
private network and have HTTPS remain only for public access?
Any guidance will be appreciated.
7 years, 5 months
Re: [keycloak-user] Clarification regarding authentication flows
by Michael Furman
Hi Matt,
The authentication flows are configured here:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/au...
I guess that when I access the REST API the request uses the Browser flow, but I will be happy for the confirmation.
In addition, when I access this API http://localhost:8080/auth/realms/master/protocol/openid-connect/token
what flow is used?
The browser flow?
The Direct Grant Flow?
Regards,
Michael
________________________________
From: Matt H <f14d_tomcat(a)hotmail.com>
Sent: Friday, December 2, 2016 6:16 PM
To: Michael Furman; keycloak-user(a)lists.jboss.org
Subject: Re: Clarification regarding authentication flows
I'm not following exactly. Where are you setting/changing the flows?
This REST API is to make changes in Keycloak like you would do through the UI. If that is what you want to do, you would make a POST like the example shows with the required entries in the form.
By default, the realm Master is there and so is the client_id admin-cli. The only thing that should change in their example is the username and password. For this you use the same username and password you would access the Admin UI with.
If that all worked, you would receive an access token back to make those admin calls.
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> on behalf of Michael Furman <michael_furman(a)hotmail.com>
Sent: Friday, December 2, 2016 9:13 AM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Clarification regarding authentication flows
Can anybody help?
Regards,
Michael
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> on behalf of Michael Furman <michael_furman(a)hotmail.com>
Sent: Thursday, December 1, 2016 9:26 AM
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Clarification regarding authentication flows
Hi,
What type of authentication flow is used for the realm REST API authentication?
The browser flow?
What type of authentication flow is used to obtain the access token? https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/...
The Direct Grant Flow?
Regards,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 5 months
Hard code redirect_uri on timeout?
by Joe Rowe
Hi,
I am working on a jsf application which uses Keycloak for authorisation and
am having an issue regarding session timeouts. Specifically, when a user's
session times out Keycloak captures the uri they were visiting at timeout
and redirects back to it upon the user logging back in from the timeout.
This causes an issue in which session scoped backing beans holding view
data are empty, and on some pages this can cause exceptions.
Is it possible to modify the redirect uri configuration to disregard the
page the user was on and instead always redirect to the index of the
application any time the user's session is interrupted?
I have tried various options in the realm and client settings but without
luck, and have not found a similar question in the archives.
Many thanks,
Joe
7 years, 5 months
Considering removing Mongo support
by Stian Thorgersen
All,
We are considering removing Mongo support from Keycloak in 3.x. The reason
behind it is that there are a fair few issues in the current
implementation, especially around consistency due to lack of transaction
support in Mongo and often we update multiple documents. In many cases we
rely on transactions to rollback to prevent partial updates, but this
obviously doesn't work in Mongo.
With the fact that Mongo is already partially broken and the constant
maintenance involved we're considering removing it and rather focus purely
on the relational database back-end.
Another point to make is that we are not considering supporting Mongo in
the supported version of Keycloak (Red Hat Single Sign-On). So we are never
able to provide the same level of care and attention to it as we can for
relational databases.
If we do decide to remove it we would make sure we provide a seamless and
easy option to migrate from Mongo to a relational database!
I would like to gather some feedback from the community before doing
anything. So please vote on the following Doodle:
http://doodle.com/poll/nnimebpkx774ppus
Also, comments to this thread are more than welcome!
I'll end with a comment - Time spent by core developers on maintaining Mongo
could be better spent on awesome new features, testing and bug fixing!
7 years, 5 months
Keycloak 2.3.0 Logout on multiple wars
by Jeroen Koek
Hi,
I have deployed multiple wars on jboss eap 6.4.
The wars are running on different urls and are using the same keycloak client ('Athlon').
If I'm logged in I'm able to navigate to the different applications and seamlessly start a java session; I see multiple JSESSIONIDs.
If I logout on one of the wars (session logout) I'm still able to access the other applications to my surprise; e.g. the SSO is not working.
I have configured the admin url to the root of the application server ("/") where I have one of the applications running.
However the adapter is not invalidating all other sessions (for the other applications); I can still navigate to one of the other applications ("/app" for instance).
I have now created a for loop where I'm logging out all applications manually (/logout).
My mind is telling me that I'm doing something completely wrong.
Am I right?
Regards,
Jeroen.
7 years, 5 months