Cluster Configuration
by Samuel Lewis
Have the setup steps for clustering with Docker changed since the April
2015 blog post?
When I go through those instructions with version 2.0.0.Final I'm not
getting anything like 'Received new cluster view: [b5356f1050cc/keycloak|1]
(2) [b5356f1050cc/keycloak, f25f922ce14d/keycloak]' in the logs. I only
ever see a single node being listed.
7 years, 4 months
Error while loading the application
by Pulkit Gupta
Hi All,
We are using Keycloak SAML adapters to authenticate our applications with
Keycloak.
The setup was working fine and the applications were able to authenticate
the users.
However, since today we have been getting the error below while loading the
application, and this is resulting in a black page for the client.
Can you please check whether anyone has seen this issue before? Is this
related to Java versions? I have not changed anything in the environments
recently.
2016-12-09 08:08:08,875 [ajp-/10.7.24.224:8009-2] ERROR [org.apache.catalina.connector] JBWEB001018: An exception or error occurred in the container during the request processing:
java.lang.AbstractMethodError: javax.xml.transform.TransformerFactory.setFeature(Ljava/lang/String;Z)V
    at __redirected.__TransformerFactory.setFeature(__TransformerFactory.java:161)
    at org.keycloak.saml.common.util.TransformerUtil.getTransformerFactory(TransformerUtil.java:113)
    at org.keycloak.saml.common.util.TransformerUtil.getTransformer(TransformerUtil.java:81)
    at org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString(DocumentUtil.java:238)
    at org.keycloak.saml.common.util.DocumentUtil.asString(DocumentUtil.java:454)
    at org.keycloak.saml.processing.core.util.XMLSignatureUtil.sign(XMLSignatureUtil.java:340)
    at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.sign(SAML2Signature.java:143)
    at org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature.signSAMLDocument(SAML2Signature.java:160)
    at org.keycloak.saml.BaseSAML2BindingBuilder.signDocument(BaseSAML2BindingBuilder.java:266)
    at org.keycloak.saml.BaseSAML2BindingBuilder$BasePostBindingBuilder.<init>(BaseSAML2BindingBuilder.java:145)
    at org.keycloak.saml.BaseSAML2BindingBuilder.postBinding(BaseSAML2BindingBuilder.java:208)
    at org.keycloak.adapters.saml.SamlUtil.sendSaml(SamlUtil.java:38)
    at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler$5.sendAuthnRequest(AbstractSamlAuthenticationHandler.java:463)
    at org.keycloak.adapters.saml.AbstractInitiateLogin.challenge(AbstractInitiateLogin.java:60)
    at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.executeAuthenticator(AbstractSamlAuthenticatorValve.java:247)
    at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.authenticateInternal(AbstractSamlAuthenticatorValve.java:222)
    at org.keycloak.adapters.saml.jbossweb.SamlAuthenticatorValve.authenticate(SamlAuthenticatorValve.java:41)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
    at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:184)
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
    at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:384)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
    at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26)
    at com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
    at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
    at java.lang.Thread.run(Thread.java:745)
--
Thanks,
Pulkit
AMS
7 years, 4 months
Re: [keycloak-user] Offline tokens clients best practice
by keith.hudson@hudzinga.com
If you want to use one client-id, I would recommend that you use one client-id to represent your suite of applications and then use security realms and roles to segregate your applications and the corresponding access that your users are granted.
The one disadvantage to this is that if you retire an application or need to make security requirements different on a "per application" basis, you will have a tough time managing that with all of your applications using a single client-id.
Depending on the number of applications you are talking about here, I would recommend using separate client-ids per application. Of course, this is based on our own personal configuration where we have a few separate client-ids (less than 5). Perhaps someone with a more extensible setup could offer you a better recommendation.
-----Original Message-----
From: "Haim Vana" <haimv(a)perfectomobile.com>
Sent: Sunday, December 18, 2016 5:28am
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Offline tokens clients best practice
Hi,
We noticed that when working with offline tokens the same client that generated the offline token must be the one that will generate an access token from it; if we use a different client we get an error message.
This approach might be problematic since we have users that want to use multiple applications and they shouldn't be aware of the client id or from which application they generated the offline token.
So we would like to use a single client for generating the offline tokens and generating access tokens from them for all of our applications. Is this the best practice? Any known disadvantages to that approach?
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
7 years, 4 months
Share resources with other users
by Richard van Duijn
I'm looking into the possibility to share resources created in the client
application with another registered user.
Does keycloak provide support for that?
Using the authz client I cannot detect any attributes or fields to set
besides the owner. I was hoping to set a custom attribute on the
ResourceRepresentation object and use that in the policy evaluation.
It should IMHO also be possible to create separate resources for the shared
resource with the user to share to as owner. But wouldn't that pollute the
resources too much?
I also found this feature request by Pedro Igor which might be related:
https://issues.jboss.org/browse/KEYCLOAK-3169
Thanks again!
/Richard
7 years, 4 months
Offline tokens clients best practice
by Haim Vana
Hi,
We noticed that when working with offline tokens the same client that generated the offline token must be the one that will generate an access token from it; if we use a different client we get an error message.
This approach might be problematic since we have users that want to use multiple applications and they shouldn't be aware of the client id or from which application they generated the offline token.
So we would like to use a single client for generating the offline tokens and generating access tokens from them for all of our applications. Is this the best practice? Any known disadvantages to that approach?
Thanks,
Haim.
7 years, 4 months
Spring sec - roles - how?
by java_os
Hi All,
I put up this question a while back and am now back to it since there was
no answer, this time with some hope.
I have this SPA (keycloak.js) calling into a REST API bearer-protected by KC
- all good.
I use KC brokering, so on the IdP side is ADFS. The user logs in against the
IdP, where ADFS is configured with a claim that acts as a role. On the SPA I
can map out that claim from the token.
The REST API is protected by KC Spring Security. I want (and this is what I
do not know) to configure Spring Security to react when the call is made to
a specific REST endpoint and the user does not have a specific role
(returning 401).
How can I do this the Spring Security way - how can I configure Spring
Security to check at runtime the user's role for a specific endpoint and
deny access to the resource?
The big unknown to me is: how does a KC client role (which is some static
config) relate to the runtime user's role coming from the IdP?
Has anyone done this? I am sure this is a common use case.
Whoever knows this, please share.
Thank you and appreciate it.
7 years, 4 months
Re: [keycloak-user] What the URI of the Refresh Token HTTP request for Java Adapters?
by Michael Furman
Hi,
Additional question: according to my understanding, in case a user works (performs HTTP requests) on some client, the Refresh Token HTTP request comes to other OIDC clients.
In case a user does not work on any client, the Refresh Token HTTP request does not appear at all.
Will be happy for the confirmation.
Michael
On Dec 15, 2016 7:26 PM, Michael Furman <michael_furman(a)hotmail.com> wrote:
Hi,
We use the SpringSecurity adapter.
I need to handle some internal application logic when the URI of the Refresh Token HTTP request comes to the adapter.
Can you tell me the URI of the Refresh Token HTTP request for Java Adapters?
Best regards,
Michael
7 years, 4 months
problems to configure trustStore and certification path in keycloak
by Celso Agra
Hi all,
I was trying to configure an LDAP connection, but I got an error about my
certification path. I believe I should set this in standalone.xml but I
don't know how to do that. How can I configure this for my LDAP server?
Also, I did the keytool import from LDAP to my server, and I'm using an LDAP
slave connection.
Here is the error below:
Caused by: javax.naming.CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; remaining name 'XXXXXXXXXXXXXX'
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:2002)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:168)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:165)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:535)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:165)
    at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:159)
    ... 61 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:555)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    ... 73 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 85 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 91 more
Best regards,
--
Celso Agra
7 years, 4 months
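The standalone.xml fragment that registers a truststore with Keycloak's truststore SPI, added here as an example rather than configuration taken from the original post. It assumes the LDAP server's CA certificate was imported into a JKS file at the placeholder path below, that the subsystem namespace version matches the installed server, and that the LDAP user federation provider is then set to use the truststore SPI ("Always") in the admin console.

```xml
<!-- Inside the keycloak-server subsystem of standalone.xml; other <spi>
     elements are unchanged. File path and password are placeholders. -->
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    <spi name="truststore">
        <provider name="file" enabled="true">
            <properties>
                <!-- JKS holding the LDAP server's issuing CA, not the
                     JVM's default cacerts, so outgoing LDAPS connections
                     validate the chain against an explicit trust root. -->
                <property name="file" value="/opt/keycloak/ldap-truststore.jks"/>
                <property name="password" value="CHANGE_ME_TRUSTSTORE_PASSWORD"/>
                <!-- WILDCARD accepts *.example.com style certificates; STRICT
                     requires an exact hostname match; ANY disables the check
                     and should not be used outside of testing. -->
                <property name="hostname-verification-policy" value="WILDCARD"/>
                <property name="disabled" value="false"/>
            </properties>
        </provider>
    </spi>
</subsystem>
```

If the PKIX error persists after this change, the imported certificate is usually the server's leaf rather than its issuing CA, or the keytool import went into a different file than the one referenced here.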
Exclude users from password policy
by marcelo.miura
Hi,
I was wondering if it's possible to exclude a user from the password
policies set on Keycloak.
Problem: I have an admin user used by my API to create new users, reset
passwords and delete users from Keycloak. But as there's a password
policy to expire the password within 30 days, this user cannot be used
until we reset its password manually.
Any ideas?
Thanks in advance.
7 years, 4 months