Logout using URL broken in keycloak 1.9.1?
by Jesse Chahal
Hi,
So our company recently upgraded from keycloak 1.5.1 to 1.9.1. We
destroyed the database as we are still evaluating keycloak for the
time being. We are noticing some issues with logout not working
anymore after this upgrade. Currently we have implemented logout using
the URL approach as such:
http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=en...
which can be found here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d...
We have setup the correct 'Valid Redirect URIs' for the client we are
logging out from. Our client is using the openid-connect protocol and
confidential access.
What we are seeing is keycloak providing us with a blank page and the
session not being destroyed. Our application is built on top of
Wildfly 10 but we were not able to easily implement the
HttpServletRequest.logout() way of logging out, as when a user logs in
we translate the keycloak principal/user into our own
principal/user type. I did not see a bug in Jira for this yet (was
looking at release version 1.9.2) and am having a hard time believing
nobody else has encountered this issue.
I have attached the stacktrace that keycloak is spitting out below. To
me it appears as if this feature was removed while the documentation
still shows it as available.
00:05:46,037 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
task-78) RESTEASY002010: Failed to execute:
javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource
for full path: http://keycloak.dnbcloud.com:8090/auth/realms/indicee/tokens/logout?redir...
at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Thanks,
Jesse
8 years, 6 months
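The post above relies on the client's 'Valid Redirect URIs' to decide whether the redirect_uri on the logout URL is honoured. The following is an added example, not Keycloak's own matching code, of the check a server should run before redirecting: exact entries match exactly, entries ending in "*" act as a path prefix, and the wildcard is not allowed to change scheme, host or port. The sample entries and candidate URIs are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

// Added example; not Keycloak's implementation. Validates a redirect_uri against a
// client's registered Valid Redirect URIs before issuing the redirect.
public final class RedirectUriCheck {

    private final List<String> validRedirectUris;

    public RedirectUriCheck(List<String> validRedirectUris) {
        this.validRedirectUris = validRedirectUris;
    }

    public boolean isAllowed(String redirectUri) {
        URI candidate;
        try {
            // normalize() collapses "/../" segments so a prefix match cannot be escaped
            candidate = new URI(redirectUri).normalize();
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected rather than guessed at
        }
        if (candidate.getScheme() == null || candidate.getHost() == null) {
            return false; // only absolute URIs are accepted in this example
        }
        if (candidate.getFragment() != null) {
            return false; // fragments are never part of a registered redirect target
        }
        String normalized = candidate.toString();
        for (String entry : validRedirectUris) {
            if (entry.endsWith("*")) {
                String prefix = entry.substring(0, entry.length() - 1);
                // The wildcard may only extend the path: the origin must still match,
                // so "https://app.example.com*" does not admit "https://app.example.com.evil.test/".
                if (normalized.startsWith(prefix) && sameOrigin(prefix, candidate)) {
                    return true;
                }
            } else if (normalized.equals(entry)) {
                return true;
            }
        }
        return false;
    }

    private static boolean sameOrigin(String prefix, URI candidate) {
        try {
            URI base = new URI(prefix);
            return base.getScheme() != null && base.getHost() != null
                && base.getScheme().equalsIgnoreCase(candidate.getScheme())
                && base.getHost().equalsIgnoreCase(candidate.getHost())
                && base.getPort() == candidate.getPort();
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample registration for a client (assumed values)
        RedirectUriCheck check = new RedirectUriCheck(Arrays.asList(
            "https://app.example.com/*",
            "https://app.example.com/logged-out"));

        System.out.println(check.isAllowed("https://app.example.com/logged-out"));          // true (exact)
        System.out.println(check.isAllowed("https://app.example.com/home"));                // true (wildcard)
        System.out.println(check.isAllowed("https://app.example.com/app/../home"));         // true (normalized)
        System.out.println(check.isAllowed("https://app.example.com.evil.test/home"));      // false (host differs)
        System.out.println(check.isAllowed("https://app.example.com@evil.test/home"));      // false (userinfo trick)
        System.out.println(check.isAllowed("http://app.example.com/home"));                 // false (scheme differs)
    }
}
```

Rejecting unparsable or relative input outright is the safe default here: a logout endpoint that falls back to redirecting anyway turns a configuration gap into an open redirect.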
NullPointerException when running oauth-client-cdi-example
by Juan Diego
Hi,
I ran the demo oauth-client-cdi the day before yesterday and it seemed to
work. It had some problems with the database service configuration, and I
fixed that. But then I decided to do a git fetch in order to get the latest
repo and I am getting this error.
ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78)
MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./oauth-client-cdi:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./oauth-client-cdi:
java.lang.RuntimeException: java.lang.NullPointerException
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:231)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.NullPointerException
at org.keycloak.servlet.ServletOAuthClientBuilder.build(ServletOAuthClientBuilder.java:47)
at org.keycloak.example.oauth.AppContextListener.contextInitialized(AppContextListener.java:59)
at io.undertow.servlet.core.ApplicationListeners.contextInitialized(ApplicationListeners.java:187)
at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:198)
... 8 more
10:52:00,992 ERROR [org.jboss.as.controller.management-operation]
(DeploymentScanner-threads - 1) WFLYCTL0013: Operation
("full-replace-deployment") failed - address: ([]) - failure description:
{"WFLYCTL0080: Failed services" =>
{"jboss.undertow.deployment.default-server.default-host./oauth-client-cdi"
=> "org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./oauth-client-cdi:
java.lang.RuntimeException: java.lang.NullPointerException
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
Caused by: java.lang.NullPointerException"}}
The third party app works fine; just the CDI one doesn't work.
Thanks,
Juan Diego
8 years, 6 months
Using Keycloak Proxy behind a TLS terminating reverse proxy
by Chris Pitman
Hey everyone,
I'm trying to set up Keycloak Proxy to protect access to a legacy application. Right now we have HTTPD set up as a reverse proxy that terminates TLS and then passes through the request via HTTP to the legacy app. What I want to do is put the Keycloak Proxy in between HTTPD and the app.
I've got it running, but the problem is the URL the proxy passes as the redirect url to keycloak. It is passing an "http://" url, which then doesn't match the configured redirect_urls in Keycloak. I'm assuming it does this since I'm using the HTTP port on the proxy.
How can I get Keycloak Proxy to pass a redirect url with a "https://" scheme, even when not connecting via https to the proxy itself?
Thanks,
Chris Pitman
Architect, Red Hat Consulting
8 years, 6 months
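The situation in the post above, where the hop behind the TLS terminator only ever sees "http://", is normally solved by having the front proxy state the original scheme in an X-Forwarded-Proto header (with Apache httpd's mod_headers, RequestHeader set X-Forwarded-Proto "https") and having the component behind it honour that header only from addresses it trusts. The following is an added illustration of that second half, not Keycloak Proxy's own code; the class, method and parameter names are assumptions, and the addresses are constructed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example; not Keycloak Proxy's implementation. Reconstructs the external
// scheme of a request that arrived over plain HTTP from a TLS-terminating proxy.
public final class ForwardedScheme {

    private final Set<String> trustedProxies;

    /** @param trustedProxies peer addresses allowed to assert X-Forwarded-Proto */
    public ForwardedScheme(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * @param remoteAddr     address of the TCP peer that delivered the request
     * @param localScheme    scheme of the listener it arrived on, "http" behind httpd
     * @param forwardedProto value of X-Forwarded-Proto, or null when absent
     */
    public String externalScheme(String remoteAddr, String localScheme, String forwardedProto) {
        // A client that reaches this hop directly must not be able to upgrade its own
        // scheme by sending the header itself, so untrusted peers get the listener scheme.
        if (forwardedProto == null || !trustedProxies.contains(remoteAddr)) {
            return localScheme;
        }
        // Chained proxies may append values ("https, http"); the first is the client-facing hop.
        String first = forwardedProto.split(",")[0].trim().toLowerCase();
        if (first.equals("https") || first.equals("http")) {
            return first;
        }
        return localScheme; // unknown token: do not trust it
    }

    /** Builds the redirect_uri that should be registered with Keycloak. */
    public String redirectUri(String remoteAddr, String localScheme, String forwardedProto,
                              String externalHost, String path) {
        return externalScheme(remoteAddr, localScheme, forwardedProto) + "://" + externalHost + path;
    }

    public static void main(String[] args) {
        // Constructed: httpd lives at 10.0.0.5; 203.0.113.7 is an arbitrary outside host
        ForwardedScheme fs = new ForwardedScheme(new HashSet<>(Arrays.asList("10.0.0.5")));

        System.out.println(fs.redirectUri("10.0.0.5", "http", "https", "app.example.com", "/legacy/"));
        // https://app.example.com/legacy/  (trusted proxy asserted https)
        System.out.println(fs.redirectUri("203.0.113.7", "http", "https", "app.example.com", "/legacy/"));
        // http://app.example.com/legacy/   (header ignored from an untrusted peer)
        System.out.println(fs.redirectUri("10.0.0.5", "http", null, "app.example.com", "/legacy/"));
        // http://app.example.com/legacy/   (no header, listener scheme)
    }
}
```

The same trust rule applies to X-Forwarded-Host and X-Forwarded-For: whichever component builds the redirect_uri should only believe those headers when the request really came from the reverse proxy, otherwise the registered redirect check in Keycloak is being fed attacker-chosen input.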
Display Password policy on Password page
by Bill Simakis
Is there any way to dynamically display the password policy info on the Password page? i.e. show the password policy that is configured for the realm and not just hardcoded into the Theme.
Currently the only time the user knows about the policy is if they submit a password and see the error message.
Thanks,
Bill
8 years, 6 months
Authentication from embedded webpage
by Subhrajyoti Moitra
Hello Team,
I have a standalone windows desktop application that authenticates against
an AD/LDAP server. The application pops up a username/password box and
submits it to the LDAP for authentication.
The same AD/LDAP server is also synced with a Keycloak installation.
The windows application embeds the IE browser control and shows a jsp page.
This jsp page is protected using the keycloak js adapter. Obviously the user is
redirected to the keycloak login page. So the user has to log in twice,
once using the application popup and again in the embedded jsp, after
getting redirected to the keycloak login page.
I don't want to re-prompt the user to log in again, since he has already
authenticated against the AD server.
Is there a way to not re-prompt the user when the embedded IE requests the
secure JSP?
Please help, as we are not able to come up with a solution for this.
Any pointers on how we can avoid the 2nd authentication?
Thanks,
Subhro.
8 years, 6 months
Rest API for create user JSON
by vivek dhayalan
Hi All,
With the help of the REST API (/admin/realms/{realm}/users) I'm trying to
create a user in a realm. The API creates the user in that realm, but the
credentials for the user are not stored properly. I'm using the following JSON
as the request body. Please let me know if I'm making some blunder with
respect to the credentials part of the JSON.
{
  "username": "cjbarker5",
  "enabled": true,
  "emailVerified": false,
  "firstName": "CJ",
  "lastName": "Barker",
  "credentials": [
    {
      "type": "password",
      "value": "newPas1*",
      "temporary": false
    }
  ]
}
--
Thanks & Regards
Vivek Dhayalan
8 years, 6 months
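As an added example, not Keycloak's own client code and not a statement about why the body above fails, the following Java class shows the two-step pattern for the admin REST API: POST the user representation to /admin/realms/{realm}/users, take the new id from the Location header, and then set the password through the dedicated PUT /admin/realms/{realm}/users/{id}/reset-password call, which takes exactly the credential object shown in the post. Base URL, realm and the admin access token are assumptions supplied by the caller; the sample user is constructed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

// Added example; not Keycloak's code. Minimal admin REST client for user creation.
public final class AdminUserCreate {

    private final String baseUrl;    // assumed, e.g. "http://localhost:8080/auth"
    private final String realm;      // assumed realm name
    private final String adminToken; // assumed: bearer token obtained separately from the admin user

    public AdminUserCreate(String baseUrl, String realm, String adminToken) {
        this.baseUrl = baseUrl;
        this.realm = realm;
        this.adminToken = adminToken;
    }

    /** Escapes a value for embedding in a JSON string literal. */
    static String jsonString(String s) {
        return "\"" + s.replace("\\", "\\\\").replace("\"", "\\\"") + "\"";
    }

    /** User representation without credentials. */
    static String userJson(String username, String firstName, String lastName) {
        return "{\"username\":" + jsonString(username)
             + ",\"enabled\":true,\"emailVerified\":false"
             + ",\"firstName\":" + jsonString(firstName)
             + ",\"lastName\":" + jsonString(lastName) + "}";
    }

    /** Credential representation accepted by the reset-password endpoint. */
    static String passwordJson(String password, boolean temporary) {
        return "{\"type\":\"password\",\"value\":" + jsonString(password)
             + ",\"temporary\":" + temporary + "}";
    }

    private HttpURLConnection open(String method, String url) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setRequestMethod(method);
        c.setRequestProperty("Authorization", "Bearer " + adminToken);
        c.setRequestProperty("Content-Type", "application/json");
        c.setDoOutput(true);
        return c;
    }

    private static void write(HttpURLConnection c, String body) throws IOException {
        try (OutputStream out = c.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** POST /admin/realms/{realm}/users; returns the new user's id from the Location header. */
    public String createUser(String username, String firstName, String lastName) throws IOException {
        HttpURLConnection c = open("POST", baseUrl + "/admin/realms/" + realm + "/users");
        write(c, userJson(username, firstName, lastName));
        int status = c.getResponseCode();
        if (status != 201) {
            throw new IOException("create user failed: HTTP " + status);
        }
        String location = c.getHeaderField("Location");
        return location.substring(location.lastIndexOf('/') + 1);
    }

    /** PUT /admin/realms/{realm}/users/{id}/reset-password; 204 on success. */
    public void setPassword(String userId, String password, boolean temporary) throws IOException {
        HttpURLConnection c = open("PUT",
            baseUrl + "/admin/realms/" + realm + "/users/" + userId + "/reset-password");
        write(c, passwordJson(password, temporary));
        int status = c.getResponseCode();
        if (status != 204) {
            throw new IOException("reset-password failed: HTTP " + status);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed usage; args[0] is an admin access token obtained out of band.
        AdminUserCreate admin = new AdminUserCreate("http://localhost:8080/auth", "demo", args[0]);
        String id = admin.createUser("cjbarker5", "CJ", "Barker");
        admin.setPassword(id, "newPas1*", false);
        System.out.println("created user " + id);
    }
}
```

Keeping the password out of the creation body and sending it in its own call also keeps the initial password out of any request logging or auditing that captures user representations.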
Issue creating EntityManagerFactory from custom UserFederationProviderFactory
by Anthony Fryer
Hi All,
I'm implementing a UserFederationProviderFactory and want to create an EntityManagerFactory from one of its methods. I have packaged up a persistence.xml in the META-INF folder of the SPI jar file and deployed this as a module to the keycloak standalone server.
My module.xml looks like this...
<module xmlns="urn:jboss:module:1.3" name="acme.keycloak-acme-user-federation">
    <resources>
        <resource-root path="keycloak-acme-user-federation-1.0.0.jar">
            <filter>
                <include path="META-INF/**"/>
            </filter>
        </resource-root>
    </resources>
    <dependencies>
        <module name="org.keycloak.keycloak-core"/>
        <module name="org.keycloak.keycloak-server-spi"/>
        <module name="javax.api"/>
        <module name="javaee.api"/>
        <module name="org.hibernate" />
        <module name="org.jboss.ws.cxf.jbossws-cxf-client"/>
    </dependencies>
</module>
In my UserFederationProviderFactory I have a method like this...
private EntityManagerFactory getEntityManagerFactory(UserFederationProviderModel model) {
    if (emf == null) {
        logger.trace("Creating entityManagerFactory...");
        Map<String, String> config = model.getConfig();
        Properties p = new Properties();
        // for now just use hibernate built in connection factory
        p.put("hibernate.connection.driver_class", config.get(DATABASE_DRIVER_CLASS_NAME));
        p.put("hibernate.connection.url", config.get(DATABASE_URL));
        p.put("hibernate.connection.username", config.get(DATABASE_USER));
        p.put("hibernate.connection.password", config.get(DATABASE_PASSWORD));
        p.put("hibernate.show_sql", "true");
        p.put("hibernate.format_sql", "true");
        emf = Persistence.createEntityManagerFactory("acmeEntities", p);
    }
    return emf;
}
When this method is called, it always returns the error "No Persistence provider for EntityManager named acmeEntities".
I'm 90% sure this is to do with the ClassLoader being used by Persistence not being able to see the META-INF/persistence.xml packaged up in the keycloak-acme-user-federation-1.0.0.jar. Does anyone have an idea what I need to do to my module configuration to get this working?
Thanks,
Anthony Fryer
8 years, 6 months
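Persistence.createEntityManagerFactory locates providers and META-INF/persistence.xml through the thread context classloader, and on a Keycloak request thread that loader is not the SPI module's. The following is an added example, not the poster's code and not Keycloak's, of the usual remedy: swap the context classloader to the SPI jar's own loader for the duration of the bootstrap and restore it afterwards. The config key names, class name and lazy-initialisation shape are assumptions; "acmeEntities" is the persistence unit from the post.

```java
import java.util.Map;
import java.util.Properties;
import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;

// Added example; not the poster's or Keycloak's code. Builds the EntityManagerFactory
// with the SPI module's classloader as the thread context classloader so the JPA
// bootstrap can find META-INF/persistence.xml packaged in the SPI jar.
public final class ModuleScopedEmf {

    private static final String UNIT_NAME = "acmeEntities"; // persistence unit from the post

    private static volatile EntityManagerFactory emf;

    /** Lazily creates the factory once; config keys are assumed names. */
    public static EntityManagerFactory get(Map<String, String> config) {
        EntityManagerFactory local = emf;
        if (local == null) {
            synchronized (ModuleScopedEmf.class) {
                local = emf;
                if (local == null) {
                    local = create(config);
                    emf = local;
                }
            }
        }
        return local;
    }

    private static EntityManagerFactory create(Map<String, String> config) {
        Properties p = new Properties();
        p.put("hibernate.connection.driver_class", config.get("databaseDriverClassName")); // assumed key
        p.put("hibernate.connection.url", config.get("databaseUrl"));                      // assumed key
        p.put("hibernate.connection.username", config.get("databaseUser"));                // assumed key
        p.put("hibernate.connection.password", config.get("databasePassword"));            // assumed key
        // hibernate.show_sql is left off: it writes every statement to the server log.

        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        try {
            // This class lives in the SPI jar, so its loader can see the jar's META-INF.
            current.setContextClassLoader(ModuleScopedEmf.class.getClassLoader());
            return Persistence.createEntityManagerFactory(UNIT_NAME, p);
        } finally {
            // Always restore: the request thread is pooled and reused by Keycloak.
            current.setContextClassLoader(previous);
        }
    }

    /** Call from the factory's close() so the pool is released on undeploy. */
    public static synchronized void close() {
        if (emf != null) {
            emf.close();
            emf = null;
        }
    }
}
```

If the swap alone is not enough, the provider itself must also be visible to the module; in JBoss Modules that usually means the dependency on org.hibernate needs services="import" so the provider's META-INF/services entries are on the module's path, which is worth checking against the module.xml in the post.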
(no subject)
by Ismen, Peter
Hi,
I get an error trying to use the AS7 adapter on a vanilla AS 7.1.1.Final, using the standalone-full.xml configuration. No other configuration.
Installed the adapter without any errors. I find the org.keycloak.keycloak-adapter-subsystem in the extensions on the server.
Deploying my application I get the following error
11:26:27,682 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC00001: Failed to start service jboss.deployment.unit."cloaked.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."cloaked.war".POST_MODULE: Failed to process phase POST_MODULE of deployment "cloaked.war"
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:119) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_80]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_80]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80]
Caused by: java.lang.NoClassDefFoundError: org/keycloak/adapters/jbossweb/KeycloakAuthenticatorValve
at org.keycloak.subsystem.as7.KeycloakAdapterConfigDeploymentProcessor.addValve(KeycloakAdapterConfigDeploymentProcessor.java:98)
at org.keycloak.subsystem.as7.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:86)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
... 5 more
Caused by: java.lang.ClassNotFoundException: org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve from [Module "org.keycloak.keycloak-as7-subsystem:main" from local module loader @5ea6a4a0 (roots: /home/ecmc/servers/jboss-as-7.1.1.Final/modules)]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
... 8 more
I do find the class in modules/org/keycloak/keycloak-as7-adapter/main/keycloak-as7-adapter-1.9.1.Final.jar
All help is appreciated.
Thanks/Peter Ismén
8 years, 6 months
Server-side validation of custom user attributes
by Guus der Kinderen
Hello,
Chapter 32 of the Keycloak user manual describes how custom user attributes
can be used. Is there a way to validate the user attribute values
server-side (as opposed to in the theme / client-side)?
In our case, we'd like to require our users to supply a particular value,
which must match one of many pre-defined values. We do not want to expose
the entire list of valid values publicly though.
Regards,
Guus
8 years, 6 months
Make keycloak.json configurable
by Yasser El-ata
Hello,
As we know, the configuration in keycloak.json is made for a specific realm
and public key. I'm talking here about bearer applications, so is there
any way to make the realm name and the public key configurable?
My case is: I have multiple realms, and all realms have the same clients (multi
tenancy). I want to decide for every request which realm it belongs to using its
domain. I have the domains, and I can use the Keycloak REST API to get the realm
name and its public key; I just want the bearer application, when it makes
the request to Keycloak, to use the realm name and public key that I
will get.
Thanks
--
Yasser El-Ata
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
www.blulogix.com
8 years, 6 months