JavaScript client, iframe and IE
by Thomas Raehalme
Hi!
Has anyone encountered any problems with a JavaScript client running on
Internet Explorer?
It seems that IE applies some restrictions regarding <iframe /> and
cookies. Unless the Keycloak server in question returns a P3P header, IE
does not allow any cookies to be set by Keycloak inside the <iframe> on a
JavaScript client.
Here's Microsoft's blog post regarding the issue:
https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/
If I have understood correctly, IE doesn't really care about the header's
value as long as it has been set. For example, Google returns:
P3P: CP="This is not a P3P policy! See
https://www.google.com/support/accounts/answer/151657?hl=en for more info."
What do you think, should Wildfly in the Keycloak distribution add the P3P
header by default?
Best regards,
Thomas
7 years, 9 months
External Username, Password, Email... dataset with Keycloak
by Reed Lewis
Hi,
We are examining KeyCloak (it looks like it can do what we want), but we have the need to have an external lookup of accounts that are not in KeyCloak in an external database which is accessible via a REST call. I know about federation, but would prefer to only check the external datasource if the user is not in KeyCloak, and from then on have all the data “live” in KeyCloak and never refer to the external datasource again once the account is “migrated” into KeyCloak.
Can this be done with some modification of federation?
We do not want to add the user accounts directly into KeyCloak as there are many more there than will ever be in KeyCloak.
Thank you,
Reed Lewis
7 years, 11 months
Token generation: possibilities to improve performance
by Matuszak, Eduard
Hello
Motivated by considerations on how to improve the performance of the token generation process I have two questions:
- I noticed that Keycloak's token generation via the endpoint "auth/realms/ccp/protocol/openid-connect/token" generates a triple of tokens (access, refresh and id token). Is there any possibility to dispense with the id token generation?
- Is there a possibility to cause Keycloak to generate more "simple" bearer tokens rather than complex JWT tokens?
Best regards, Eduard Matuszak
8 years, 5 months
Re: [keycloak-user] Keycloak OAuth High CPU usage
by Stian Thorgersen
Again, CPU load is expected to be high while having 20 threads send as many
requests as they can. It's the total throughput that matters here.
There are loads of tuning you can do, but you should be able to get decent
numbers without any tuning.
On 26 May 2016 at 07:09, Vaibhav Naldurgkar <
vaibhav_naldurgkar(a)persistent.com> wrote:
> I am still wondering what odd configuration I am following on my RHEL VM
> which is not sustaining a few user requests, as seen in the output of the
> top command. Could you please suggest if there are any Java-specific
> parameters that need to be tuned for performance improvement? If needed I will
> share my configuration files for reference.
>
>
>
> Below is the screenshot of top output during one of the load tests.
>
> *Thanks, Vaibhav*
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Wednesday, May 25, 2016 12:40 PM
> *To:* Vaibhav Naldurgkar
> *Cc:* Herzberg, Manuel; keycloak-user(a)lists.jboss.org
>
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> I did some tests with Linux VM when investigating how Keycloak scales. I
> had Keycloak running on a VM that was permitted 50% of a single core and
> had a throughput of 50 scenarios. Where a scenario includes a login
> request, a code to token request and a logout request. In our performance
> lab with a single node and a not particularly beefy machine we're seeing
> 150+ scenarios/second.
>
>
>
> On 24 May 2016 at 16:05, Vaibhav Naldurgkar <
> vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hello,
>
>
>
> What are the tests results on a Linux VM ? I just done same jmeter tests
> on AWS m4.xlarge instance; however far behind than the laptop tests results.
>
> @Stian – have you done tests using Linux VM ?
>
> Thanks, Vaibhav
>
>
>
> *From:* Herzberg, Manuel [mailto:manuel.herzberg@atos.net]
> *Sent:* Tuesday, May 24, 2016 5:52 PM
> *To:* stian(a)redhat.com; Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* RE: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> Hello,
>
> I am evaluating the Keycloak performance. Here my practical experience. My
> scenario is the same as Vaibhav’s:
>
>
>
> · A large number of tokens have to be generated. This is done by
> requesting the Keycloak token REST endpoint via http. The different realms
> I am using have 1k, 2k, 3k and 4k keys for signing the tokens (RSA). Longer
> keys result in longer runtimes to generate these tokens.
>
>
>
> · I have more than 10k users in each realm. Each request includes a
> new user.
> Requests look like this:
> host1:8080/auth/realms/demo-3072/protocol/openid-connect/token/
> with data:
>
> username=testuser1&password=password&client_id=customer-portal&grant_type=password
>
>
>
> · The response includes 3 tokens (access, refresh and id). In
> total more than 30 000 tokens have to be generated and signed.
>
>
>
> @Stian. You wrote you are able to invoke 10000 token refreshes in under 60
> seconds. A token refresh includes access, refresh and id token, right? Can
> you explain your scenario to us? How do you get such a high number?
>
> Some more results: just signing 3000 tokens (800 bytes each) with a 2k key
> takes me 20 seconds (laptop i5-4310U, 12 GB RAM). I am doing this outside
> Keycloak with my own Java program, but with the same implementation
> Keycloak is using (sign() method in RSAProvider).
>
> The Keycloak implementation is signing tokens with RSA. HMAC and ECC are
> implemented as well, as I saw in the code. Changing from RSA to HMAC or ECC
> is not possible in the current release, as I experienced. Are there plans to
> provide this in future? Defining this in a configuration file or via
> parameters would be nice.
>
> Best regards, Manuel Herzberg
>
> *From:* keycloak-user-bounces(a)lists.jboss.org [
> mailto:keycloak-user-bounces@lists.jboss.org
> <keycloak-user-bounces(a)lists.jboss.org>] *On Behalf Of *Stian Thorgersen
> *Sent:* Tuesday, May 24, 2016 8:31 AM
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
> On 23 May 2016 at 10:02, Vaibhav Naldurgkar <
> vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Yes, the direct access grant is ON for this client. I am trying to
> understand what you mean by “not planning on using web based flow?” Could
> you provide more clarification on this.
>
>
>
> If you are planning to do the web based flow (authorization code grant
> flow) you should test with that rather than direct grant. That being said
> the direct grant should still perform as well.
>
> This is the scenario I am trying to execute, and I still have high CPU
> usage for the KeyCloak Java process.
>
>
>
> · The endpoint URL
> /auth/realms/master/protocol/openid-connect/token has been called by JMeter
> for 20 concurrent users per second to generate the tokens.
>
> · Even when used with a curl command like “*curl -X POST -d
> "=admin&password=admin&password&client_id=HelloTest&grant_type=password"
> http://localhost:8080/auth/realms/master/protocol/openid-connect/token
> <http://localhost:8080/auth/realms/master/protocol/openid-connect/token>*”
> , in this case also the CPU utilization goes to around 100%.
>
> · After around 3 seconds of the test, in the output of the top
> command on the KeyCloak server the CPU% for the keycloak java process goes
> beyond 100%.
>
>
>
> Would it be possible for you to have a quick call for a faster fix of this
> issue? This performance issue is holding up the move to KeyCloak as OAuth
> provider. If any other way is convenient for you please let me know for
> further discussion.
>
>
>
> Your JMeter test is using 20 concurrent threads to send as many requests
> to the direct grant api as it can. This will obviously cause Keycloak to
> consume a high percentage of the CPU. Especially if you are running
> everything on localhost as the network isn't going to be a bottleneck.
> Neither will the database as Keycloak caches everything in memory. The
> bottleneck will be the CPU.
>
>
>
> Authenticating users and obtaining a token requires password hashing as
> well as signing tokens, both are mainly CPU intensive. As you are using the
> direct grant api there's also less network traffic.
>
>
>
> You need to add some reports to your JMeter test so you can see how many
> requests Keycloak can handle. That way you can find out how many users can
> be authenticated per-second on your machine.
>
>
>
> If you only have 500 users remember they won't all login at the same time
> (seconds). Even if they all login at 9am sharp they will be spread out over
> 10 minutes or so, which would only be 1.2 logins/second.
>
> Thanks, Vaibhav
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Monday, May 23, 2016 12:01 PM
>
>
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> You are using direct grant to authenticate a user and obtain a token in
> the example above. This authenticates and creates a new session for each
> request. Are you not planning on using web based flow?
>
>
>
> What do you have password hashing intervals set to? Verifying passwords is
> CPU intensive, more than signing tokens.
>
>
>
> It shouldn't matter that user is stored in RedHat IdM as the user would be
> cached in Keycloak after first authentication, but it may be an idea to
> just double check by trying to authenticate to a user in Keycloak and not
> RH IdM.
>
>
>
> What results are you actually getting?
>
> On 20 May 2016 at 11:27, Vaibhav Naldurgkar <
> vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hi Stian,
>
>
>
> After reading your test results of 10000 token refreshes in under 60
> seconds on your laptop, I am sure I am not following the correct configuration
> and the documents are missing for reference.
>
>
>
> Could you please verify the below steps along with the screenshots for
> the steps which I am following for adding the client and testing the load
> performance using JMeter. Please suggest if any changes are needed in the
> client configuration. In this case we are obtaining the token for a user from
> KeyCloak.
>
>
>
> In my case the users have been stored in RedHat IdM, which has been
> federated using KeyCloak.
>
> Step 1. Create new client called “LoadTest” , use the Client Protocol as
> “Openid-connect”.
>
> Used all defaults values post save of the client action.
>
>
>
> Step 2. Start the load tests using Jmeter and using the path as
> *“/auth/realms/master/protocol/openid-connect/token”* . Used 20 Number of
> Threads and used Post method.
>
> Below is the screenshot for step 1, related to Add Client.
>
> Below is the screenshot for the load test using JMeter. In this case the
> Client ID was used as HelloTest.
>
> Http requests.
>
> Thanks, Vaibhav
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Friday, May 20, 2016 1:01 PM
>
>
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> Can you please elaborate a bit more on what your testing scenario is?
> I'm a bit confused as to what you are testing when you are talking about
> generating new tokens. Are you using OIDC or SAML? Are you talking about
> code->token exchanges, refresh token requests, or what?
>
>
>
> To test if your hardware is capable of dealing with the load you need to test
> logins (verifying passwords is CPU intensive) as well as obtaining tokens
> (both code->token, done after login, and refreshing tokens, done every ~1 min or
> so by active users, but most users won't continuously use the application).
>
>
>
> 500 users should be no problem at all. As an example with a single thread
> (which will use a single core) I could invoke 10000 token refreshes in
> under 60 seconds on my laptop. So a single core on my laptop should be able
> to handle 500 users.
>
>
>
> On 20 May 2016 at 08:00, Vaibhav Naldurgkar <
> vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hi Stian,
>
> Thank you for your reply.
>
>
>
> The new tokens need to be generated for each user, which is needed from a
> security point of view. The performance tests were also conducted using a
> single Admin user and token for the admin user; however in that case the
> performance was not good. Between the 15th and 20th admin token access
> requests – the CPU usage of the keycloak Java process was crossing the 90 to 120%
> mark.
>
> As you have mentioned, creating tokens is expected to be a bit CPU
> intensive – what should the server configuration be in terms of CPU to deal
> with more than 500 users using keycloak as OAuth provider?
>
> Thanks, Vaibhav
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Thursday, May 19, 2016 6:28 PM
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> Creating tokens is expected to be a bit CPU intensive as they need to be
> signed. When you say you try to generate tokens for 10-20 users are you
> doing performance tests and having 10-20 threads generating tokens? It
> shouldn't make any difference if you have 10 or if you have 200 users, it's
> the total number of tokens that can be generated that's an issue. Having
> 200 concurrent users with an access token timeout of 60 seconds should mean
> that you need to be able to generate roughly 200/60 tokens = 3.3 tokens/sec.
>
>
>
> On 19 May 2016 at 13:24, Vaibhav Naldurgkar <
> vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hi All,
>
>
>
> I am using Keycloak 1.9.3 with default configuration. The Keycloak server is
> installed on a RHEL 6.5 virtual image with 4 CPUs, 8 GB RAM and java version
> jdk1.8.0_73. We are trying to use keycloak as an OAuth provider. But when
> we try and generate a token (
> http:///auth/realms/master/protocol/openid-connect/token
> <http://auth/realms/master/protocol/openid-connect/token>) for more than
> 10-20 users the server gets too slow and cpu usage goes over 100%.
>
> Any pointers on how to improve performance of the keycloak OAuth provider? We
> need to support at least 200 concurrent users.
>
> Thanks, Vaibhav
>
> DISCLAIMER ========== This e-mail may contain privileged and confidential
> information which is the property of Persistent Systems Ltd. It is intended
> only for the use of the individual or entity to which it is addressed. If
> you are not the intended recipient, you are not authorized to read, retain,
> copy, print, distribute or use this message. If you have received this
> communication in error, please notify the sender and delete all copies of
> this message. Persistent Systems Ltd. does not accept any liability for
> virus infected mails.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
8 years, 6 months
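To put numbers behind the capacity argument in the thread (password verification costs more than signing, and each direct-grant request signs three roughly 800-byte tokens with the realm's RSA key), here is an added micro-benchmark; it is not code from the thread or from Keycloak. It assumes Keycloak's PBKDF2 provider of that era used PBKDF2WithHmacSHA1 with a 512-bit derived key, and the 20000 iteration count and the 300-signature run length are placeholder values to adjust to your realm.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Rough per-core cost model for the two CPU-bound steps of a direct-grant token
 * request: PBKDF2 password verification and RSA signing of the three JWTs.
 * Constructed example, not Keycloak code.
 */
public class TokenCostBench {

    static final int TOKEN_BYTES = 800;       // Manuel's figure for one token
    static final int TOKENS_PER_REQUEST = 3;  // access, refresh and id token

    /** Nanoseconds to produce `count` SHA256withRSA signatures over a TOKEN_BYTES payload. */
    static long timeRsaSigning(int keyBits, int count) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(keyBits);
        KeyPair kp = kpg.generateKeyPair();          // key generation is excluded from the timing
        byte[] payload = new byte[TOKEN_BYTES];
        new SecureRandom().nextBytes(payload);
        Signature sig = Signature.getInstance("SHA256withRSA");
        long start = System.nanoTime();
        for (int i = 0; i < count; i++) {
            sig.initSign(kp.getPrivate());
            sig.update(payload);
            sig.sign();
        }
        return System.nanoTime() - start;
    }

    /**
     * Nanoseconds for `count` PBKDF2-HMAC-SHA1 derivations with a 512-bit output, i.e. the
     * cost of one password verification at the given iteration count. Assumption: this
     * mirrors Keycloak's built-in PBKDF2 provider closely enough for capacity planning.
     */
    static long timePasswordVerify(int iterations, int count) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        long start = System.nanoTime();
        for (int i = 0; i < count; i++) {
            KeySpec spec = new PBEKeySpec("password".toCharArray(), salt, iterations, 512);
            factory.generateSecret(spec).getEncoded();
        }
        return System.nanoTime() - start;
    }

    public static void main(String[] args) throws Exception {
        int signatures = 300;        // placeholder run length; raise it for steadier numbers
        int hashIterations = 20000;  // placeholder: use your realm's hashIterations password policy

        for (int bits : new int[] {2048, 4096}) {
            double msPerSign = timeRsaSigning(bits, signatures) / 1e6 / signatures;
            System.out.printf("RSA-%d: %.2f ms per signature, %.2f ms for the %d tokens of one request%n",
                    bits, msPerSign, msPerSign * TOKENS_PER_REQUEST, TOKENS_PER_REQUEST);
        }

        int verifications = 20;
        double msPerVerify = timePasswordVerify(hashIterations, verifications) / 1e6 / verifications;
        System.out.printf("PBKDF2 x%d: %.2f ms per password verification%n", hashIterations, msPerVerify);

        // A direct grant pays one verification plus three signatures per request; a token
        // refresh pays only the signatures, which is one reason a refresh-only benchmark
        // runs far faster than a direct-grant load test on the same core.
    }
}
```

Divide 1000 by the per-request milliseconds to get the single-core requests/second ceiling, then compare it with the logins/second you actually expect, as Stian does with 200 users and a 60-second token lifetime.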
Redirection issue with proxy behind keycloak
by Aritz Maeztu
I'm using keycloak to secure some Spring based services (with the
keycloak spring security adapter). The adapter creates a `/login`
endpoint in each of the services which redirects to the keycloak login
page and then redirects back to the service when authentication is done.
I also have a proxy service which I want to publish on port 80 and
which will take care of routing all the requests to each service. The proxy
performs a plain FORWARD to the service, but the problem comes when I
secure the service with the keycloak adapter.
When I make a request, the adapter redirects to its login endpoint and
then to the keycloak auth url. When keycloak sends the redirection, the
url shown in the browser is the one from the service and not the one
from the proxy. Is there some way to tell the adapter I want to
redirect back to the first requested url?
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41
Before printing this e-mail, think carefully about whether it is necessary: the
environment is everyone's responsibility.
8 years, 7 months
Swedish translation
by Thomas Raehalme
Hi!
We need to translate Keycloak user interface (excluding admin console) to
the Swedish language. I was wondering if anyone has already done the
translation and would be willing to share it?
We have already translated Keycloak to Finnish and hope to share the
translation with the community in the near future.
Best regards,
Thomas
8 years, 7 months
keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
by jazz
Hi,
I have wildfly 10 installed using nginx as https proxy server [1,
standalone-full.xml]. It works great when using weak ciphers in nginx. In
that case keycloak can connect back to the app after authentication
(redirect SSL). When using strong ciphers in nginx [2] it fails the ssl
handshake [4]. JCE seems enabled since the deployed app reports
2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647
My question is: does keycloak use a limited set of ciphers? SNI works
fine according to the log. I was digging in the code, but could not
find anything obvious [5].
Best regards, Jazz
[1] wildfly standalone-full.xml
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
[... snip ...]
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
    <socket-binding name="http" port="${jboss.http.port:8080}"/>
    <socket-binding name="https" port="${jboss.https.port:8444}"/>
    <socket-binding name="proxy-https" port="443"/>
[2] nginx ssl.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
[3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service
[4]
2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default task-7, setSoTimeout(0) called
2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe renegotiation: false
2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy hello messages: true
2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial handshake: true
2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure renegotiation: false
2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached client session
2016-04-13 21:41:46,518 INFO [stdout] (default task-7) *** ClientHello, TLSv1.2
2016-04-13 21:41:46,522 INFO [stdout] (default task-7) RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12, 171, 41, 74, 46, 186, 180, 88 }
2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {}
2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression Methods: { 0 }
2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension server_name, server_name: [type=host_name (0), value=keycloak.example.com]
2016-04-13 21:41:46,530 INFO [stdout] (default task-7) ***
2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default task-7, WRITE: TLSv1.2 Handshake, length = 138
2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default task-7, READ: TLSv1.2 Alert, length = 2
2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default task-7, RECV TLSv1.2 ALERT: fatal, handshake_failure
2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default task-7, called closeSocket()
2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default task-7, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default task-7, called close()
2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default task-7, called closeInternal(true)
2016-04-13 21:41:46,539 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[5] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
8 years, 7 months
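The debug log above already contains the explanation: the ClientHello offers only RSA and DHE suites, while the nginx ssl_ciphers list accepts ECDHE suites only, and a server with no suite in common replies with exactly the fatal handshake_failure alert that was logged. The added program below (not part of the original post or of Keycloak) translates the nginx OpenSSL names into the IANA names Java uses, intersects them with the suites copied from the log, and then shows what the running JVM's default SSLContext would offer for comparison; that a stock Java 8 default includes the ECDHE suites is an assumption to verify on your own JVM.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Checks whether the cipher suites nginx accepts (ssl_ciphers from [2], OpenSSL names)
 * overlap with the suites the adapter offered in its ClientHello (IANA names from [4]).
 * Constructed diagnostic, not code from the post or from Keycloak.
 */
public class CipherOverlapCheck {

    /** ssl_ciphers from the nginx ssl.conf [2], copied verbatim. */
    static final String NGINX_SSL_CIPHERS =
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          + "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
          + "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          + "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";

    /** "Cipher Suites: [...]" from the ClientHello in the debug log [4], order preserved. */
    static final String[] CLIENT_HELLO_SUITES = {
        "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

    /**
     * Translates an OpenSSL AES suite name (e.g. ECDHE-RSA-AES128-GCM-SHA256) into the
     * IANA/JSSE name that Java logs and configures (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
     * Covers the (EC)DHE + RSA/ECDSA + AES-CBC/GCM family used in the nginx list above.
     */
    static String toIanaName(String openssl) {
        String[] p = openssl.split("-");                     // [kx, auth, AESnnn, (GCM), hash]
        StringBuilder sb = new StringBuilder("TLS_");
        sb.append(p[0]).append('_').append(p[1]).append("_WITH_AES_");
        sb.append(p[2].substring("AES".length()));           // key size: 128 or 256
        int i = 3;
        if ("GCM".equals(p[i])) { sb.append("_GCM"); i++; } else { sb.append("_CBC"); }
        return sb.append('_').append(p[i]).toString();       // SHA, SHA256 or SHA384
    }

    /** The nginx list as IANA names, in nginx's preference order. */
    static Set<String> serverSuites() {
        Set<String> suites = new LinkedHashSet<>();
        for (String c : NGINX_SSL_CIPHERS.split(":")) suites.add(toIanaName(c));
        return suites;
    }

    /** Suites present on both sides, in the client's preference order. */
    static List<String> overlap(Set<String> server, String[] client) {
        List<String> common = new ArrayList<>();
        for (String c : client) if (server.contains(c)) common.add(c);
        return common;
    }

    public static void main(String[] args) throws Exception {
        Set<String> server = serverSuites();
        System.out.println("nginx accepts:               " + server);
        System.out.println("adapter offered and accepted: " + overlap(server, CLIENT_HELLO_SUITES));
        // Empty: the ClientHello carries no ECDHE suite, so nginx can only send handshake_failure.

        // What this JVM's default SSLContext would offer. Assumption: on a stock Java 8 with
        // the SunEC provider this includes the ECDHE suites, in which case an ECDHE-free
        // ClientHello points at the client-side SSLContext or socket-factory setup.
        String[] jvmDefault = SSLContext.getDefault().createSSLEngine().getEnabledCipherSuites();
        System.out.println("JVM default offered and accepted: " + overlap(server, jvmDefault));
    }
}
```

Running it on the adapter's own JVM (same java binary and security properties) tells you whether the restriction comes from the JVM or from how the adapter builds its SSLContext.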
How to get specific client role programmatically
by Haim Vana
Hi,
I am using the KeyCloak API to create admin users and update their roles. I am able to add all the available client roles to an admin user; however, how can I add a specific one?
This is my code to get all the available client roles:
userResource.roles().clientLevel(userRealmClientId).listAvailable()
How can I get a specific one and not all of them?
Any advice will be appreciated,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
8 years, 7 months
keycloak cartridge and extra modules
by Simon Gordon
Hey all
Another simple one from me I think!
I'm looking to add a userFederation provider, plus a new theme. I am using
the keycloak cartridge, which is very convenient - but maybe I should
resort to a .war to add modules? Or is there a way to add modules to the
keycloak cartridge?
Thanks,
Simon
8 years, 7 months
Re: [keycloak-user] KC 1.9.4 Error during
by Marek Posolda
Does your keycloak server have a certificate signed by a known CA,
or are you using a self-signed one? If you have a self-signed certificate, you also
need to configure a truststore. See
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#a...
and especially the properties related to the truststore.
Marek
On 31/05/16 15:00, Emil Posmyk wrote:
> sorry, I forgot to finish the title
>
> {
> "realm": "Brandpath",
> "realm-public-key": "key.....",
> "auth-server-url": "https://sabdev_oms.brandpath.net/auth",
> "ssl-required": "external",
> "resource": "oms-web",
> "credentials": {
> "secret": "secret"
> },
> "use-resource-role-mappings": true
> }
>
>
>
> regards
> --
> Emil Posmyk
>
> 2016-05-31 14:26 GMT+02:00 Marek Posolda <mposolda(a)redhat.com
> <mailto:mposolda@redhat.com>>:
>
> How is "auth-server-url" in your keycloak.json configured? If
> you're using a relative URI, then you can maybe try to use an absolute
> URI and see if it helps?
>
> Marek
>
>
> On 31/05/16 14:19, Emil Posmyk wrote:
>> Hello
>>
>> I'm receiving an error when I try to log in to our application:
>> ClientProtocolException: URI does not specify a valid host name:
>> https:/auth/realms/Brandpath/protocol/openid-connect/token
>> The HTTP protocol is working fine, no errors, but using HTTPS I
>> receive each time a URI without a host name.
>> The auth page is working fine.
>>
>> What can cause that error?
>>
>>
>> 14:59:22,937 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token: org.apache.http.client.ClientProtocolException: URI does not specify a valid host name: https:/auth/realms/Brandpath/protocol/openid-connect/token
>> [Server:ms-server1] at org.apache.http.impl.client.CloseableHttpClient.determineTarget(CloseableHttpClient.java:94)
>> [Server:ms-server1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>> [Server:ms-server1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>> [Server:ms-server1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>> [Server:ms-server1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>> [Server:ms-server1] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
>> [Server:ms-server1] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
>> [Server:ms-server1] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
>> [Server:ms-server1] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>> [Server:ms-server1] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>> [Server:ms-server1] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>> [Server:ms-server1] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>> [Server:ms-server1] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>> [Server:ms-server1] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>> [Server:ms-server1] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>> [Server:ms-server1] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>> [Server:ms-server1] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>> [Server:ms-server1] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>> [Server:ms-server1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>> [Server:ms-server1] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> [Server:ms-server1] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> [Server:ms-server1] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>> [Server:ms-server1] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> [Server:ms-server1] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> [Server:ms-server1] at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> [Server:ms-server1] at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> [Server:ms-server1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> [Server:ms-server1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at org.wildfly.mod_cluster.undertow.metric.RunningRequestsHttpHandler.handleRequest(RunningRequestsHttpHandler.java:69)
>> [Server:ms-server1] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>> [Server:ms-server1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> [Server:ms-server1] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> [Server:ms-server1] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> [Server:ms-server1] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> [Server:ms-server1] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> [Server:ms-server1] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> [Server:ms-server1] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> [Server:ms-server1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> [Server:ms-server1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> [Server:ms-server1] at java.lang.Thread.run(Thread.java:745)
>>
>> regards
>> --
>> Emil Posmyk
>>
>>
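A pre-deployment check for the keycloak.json shape quoted in this thread, added here as an example (not Marek's or Emil's code and not part of the Keycloak adapter). It loads the adapter configuration through Keycloak's own `AdapterConfig` representation and flags a relative `auth-server-url`, which yields a URI with no host like the `https:/auth/...` in the log above, together with the adapter settings that would switch off certificate verification. The classes are assumed to come from the `keycloak-core` jar; the host name, truststore path, secret and password are placeholders.

```java
// Added example (not from the thread): lint an adapter keycloak.json before deploying.
// Assumes keycloak-core on the classpath for AdapterConfig and JsonSerialization;
// every concrete value in the samples is a placeholder.
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.JsonSerialization;

public class AdapterConfigLint {

    /** Returns the findings for one adapter config; an empty list means it passed. */
    public static List<String> lint(AdapterConfig cfg) {
        List<String> findings = new ArrayList<>();

        // auth-server-url must carry a scheme and a host. A relative "/auth" is what
        // ends up as the host-less "https:/auth/realms/..." request seen in the log.
        URI url;
        try {
            url = new URI(cfg.getAuthServerUrl());
        } catch (URISyntaxException e) {
            findings.add("auth-server-url is not a valid URI: " + cfg.getAuthServerUrl());
            return findings;
        }
        if (!url.isAbsolute() || url.getHost() == null) {
            findings.add("auth-server-url is relative or has no parsable host: "
                    + cfg.getAuthServerUrl());
        }

        boolean https = "https".equalsIgnoreCase(url.getScheme());
        // Over https the adapter has to verify the server certificate; these two
        // flags turn that verification off and belong only in a throwaway sandbox.
        if (https && cfg.isDisableTrustManager()) {
            findings.add("disable-trust-manager=true: the server certificate is never verified");
        }
        if (https && cfg.isAllowAnyHostname()) {
            findings.add("allow-any-hostname=true: the certificate hostname is not checked");
        }
        // A self-signed Keycloak certificate is only trusted via an explicit truststore.
        if (https && !cfg.isDisableTrustManager() && cfg.getTruststore() == null) {
            findings.add("https without truststore: only the JVM default CAs are trusted; "
                    + "a self-signed server certificate needs truststore/truststore-password");
        }
        if ("none".equalsIgnoreCase(cfg.getSslRequired())) {
            findings.add("ssl-required=none: plaintext to the auth server is permitted");
        }
        return findings;
    }

    public static List<String> lintJson(String json) throws IOException {
        return lint(JsonSerialization.readValue(json, AdapterConfig.class));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample with the shape of the config quoted above but a relative
        // auth-server-url: the variant that breaks once the app is served over https.
        String relative = "{"
                + "\"realm\": \"Brandpath\","
                + "\"auth-server-url\": \"/auth\","
                + "\"ssl-required\": \"external\","
                + "\"resource\": \"oms-web\","
                + "\"credentials\": { \"secret\": \"<client-secret>\" },"
                + "\"use-resource-role-mappings\": true"
                + "}";
        // Constructed sample of what Marek suggests: an absolute URL plus a truststore
        // holding the self-signed server certificate (host and path are placeholders).
        String hardened = "{"
                + "\"realm\": \"Brandpath\","
                + "\"auth-server-url\": \"https://sso.example.com/auth\","
                + "\"ssl-required\": \"external\","
                + "\"resource\": \"oms-web\","
                + "\"credentials\": { \"secret\": \"<client-secret>\" },"
                + "\"use-resource-role-mappings\": true,"
                + "\"truststore\": \"/etc/oms-web/keycloak-truststore.jks\","
                + "\"truststore-password\": \"<truststore-password>\""
                + "}";
        System.out.println("relative: " + lintJson(relative));
        System.out.println("hardened: " + lintJson(hardened));
    }
}
```

The host check uses `java.net.URI`, which leaves `getHost()` null for any authority it cannot parse as an RFC 2396 host name (one containing an underscore, for instance), so such names are reported alongside relative URLs rather than failing later inside the HTTP client.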
8 years, 7 months