Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak
by Tomás García
Hi,
In this url:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.ht...
, it says:
"This form *WILL NOT* re-ask the user to enter in an email or username if
the previous email or username did not exist. You need to prevent attackers
from being able to guess valid users. So, if
AuthenticationFlowContext.getUser() returns null, you should proceed with
the flow to make it look like a valid user was selected."
And I totally agree with that, but it doesn't apply to all cases
unfortunately. If the admin enables "User registration", the user
registration form will tell a possible malicious guy if the email
combinations she's trying already exist, invalidating what the above
paragraph says. And I don't think there's a way to do the same as in the
"forgot password" feature with the registration form, because after
registration, there's an autologin.
Actually it's confusing for users telling them an email was sent even if
it's not... People sometimes can forget that they're not registered in the
Keycloak system, so the "forgot password" feature as it is today will make
them wait forever. At least, sending them an email telling them "You're not
registered. You can register by visiting this link." if "User registration" is
enabled or "Ask your admin to register your email in the system" if it's
not, would be definitely better.
Thanks.
--
*Tomás García Pérez*
*Software Developer*
*IntraHouse*
9 years, 10 months
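As an added example (not Keycloak code, and not from the post), a "forgot password" handler in the leaky form beside the uniform form the docs ask for, extended with the post's proposal of mailing unregistered users a hint instead of silence. The store, mailer and REGISTRATION_ENABLED switch are constructed stand-ins for the realm's user database, SMTP setup and "User registration" setting.

```python
from dataclasses import dataclass, field

# Hypothetical realm setting standing in for Keycloak's "User registration" switch.
REGISTRATION_ENABLED = True

# Constructed sample user store: only this address is registered.
REGISTERED_EMAILS = {"alice@example.com"}


@dataclass
class Mailer:
    """Constructed in-memory outbox so the example runs offline."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


def forgot_password_leaky(email, mailer):
    """Before: the HTTP response itself says whether the account exists,
    so anyone can confirm valid addresses without owning the mailbox."""
    if email not in REGISTERED_EMAILS:
        return {"status": 404, "message": "No account with that email."}
    mailer.send(email, "Reset your password", "Reset link: <constructed>")
    return {"status": 200, "message": "Reset email sent."}


def forgot_password_uniform(email, mailer, registration_enabled=REGISTRATION_ENABLED):
    """After: every request gets the same status and message, as the Keycloak
    docs require; the useful distinction moves into the email, which only the
    mailbox owner can read (the post's proposal)."""
    if email in REGISTERED_EMAILS:
        mailer.send(email, "Reset your password", "Reset link: <constructed>")
    elif registration_enabled:
        mailer.send(email, "Password reset requested",
                    "You're not registered. You can register by visiting this link: <constructed>")
    else:
        mailer.send(email, "Password reset requested",
                    "Ask your admin to register your email in the system.")
    # Identical body for all three branches: nothing here depends on the lookup.
    return {"status": 200, "message": "If that address is registered, you will receive an email."}


def responses_are_uniform(handler, emails, mailer):
    """Defender's check: the handler must return identical responses for a
    registered and an unregistered address. Timing is not covered here; keep
    the mail send off the request thread if it takes measurably longer."""
    results = {repr(sorted(handler(e, mailer).items())) for e in emails}
    return len(results) == 1
```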
Display all password rule failures at once
by Everson, David (MNIT)
Hi,
Our users are User Acceptance Testing a Keycloak secured website. We have defined strong password rules.
Our users reported:
"Staff have requested some modifications to how password validation is presented to the user. Right now if a user submits a password that does not meet all criteria, such as requiring both an upper case letter and a number, it will not tell you that both are required, just that an upper case letter is required. When that is added, THEN it will notify you that a number is also needed.
Staff would like the error message to note all issues with the submitted password, or otherwise note somewhere on the Change Password screen what all the criteria for a proper password are, so the user does not have to guess."
We could update the template to include all the rules. That is probably the quickest.
Is it possible for Keycloak to return all the unsuccessful rules when it validates a password?
Thanks!
Dave
Dave Everson | DIVISION OF ENVIRONMENTAL HEALTH
MN.IT Services @ Minnesota Department of Health
651-201-5146 (w) | david.everson(a)state.mn.us
Information Technology for Minnesota Government | mn.gov/oet
9 years, 10 months
Help regarding Picketlink Feature Migration
by Shaun Willows
We are evaluating security frameworks for new application(s) within our organisation. Picketlink provides a number of features that are desirable to us as an organisation. However, as I understand, Picketlink is being migrated into Keycloak, and this process started in March 2015. Is it possible to provide any updates regarding the migration of the following features:
* Picketlink's Java EE integration (particularly its integration with the DeltaSpike security interceptor) is especially useful to us. Will Keycloak provide similar CDI / Java EE integration? The FAQ at http://picketlink.org/keycloak-merge-faq/ indicates that this was planned to be the case, but I cannot see any progress on this issue in the Keycloak Github or JIRA.
* Picketlink's IDM capabilities included a JPA IDM and the ability to easily create new IDMs. How can this be achieved in Keycloak?
* Picketlink's capability to provide custom authenticators and token providers is also useful to us. How can this be achieved in Keycloak?
I appreciate the need to consolidate projects within Red Hat, however as Picketlink is not being actively developed and there is no clear migration path from Picketlink to Keycloak for a number of features, users of both frameworks are left with no interim solution.
Thanks for any help in this regard
Shaun Willows
9 years, 10 months
Problem Saml IdP
by Sjef Hoeks
Hi,
I'm trying to integrate Keycloak with a SAML SP, but unfortunately it is not working yet. I created an Identity Provider in the admin interface.
I guess the problem is that the AuthnRequest, which is sent by an HTTP POST to the SP, contains a NameIDPolicy:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
....
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
/>
</samlp:AuthnRequest>
But according to the documentation of the SP I must send
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
....
<samlp:RequestedAuthnContext Comparison="minimum">
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Is this possible with Keycloak? And if so, how can this be done?
Kind regards,
Sjef Hoeks
Sjef Hoeks
Technisch Architect
Gouw Informatie Technologie bv
Hogeweg 5, 5301 LB Zaltbommel
Postbus 98, 5300 AB Zaltbommel
T 0418 511 522
M
E s.hoeks(a)gouwit.nl
I www.gouwit.nl
9 years, 10 months
ClassCastException on UsersResource search API
by Haim Vana
Hi,
We are using KeyCloak 1.9.3; when trying to search a user with the API (usersResource.search) we are getting a ClassCastException.
The problem is that the KeyCloak resteasy (version 3.0.16) ClientWebTarget is explicitly using ResteasyUriBuilder, and at runtime we are getting our Jersey JerseyUriBuilder.
Any idea how to overcome it, assuming we can't remove the Jersey dependency?
Exception stack trace:
java.lang.ClassCastException: org.glassfish.jersey.uri.internal.JerseyUriBuilder cannot be cast to org.jboss.resteasy.specimpl.ResteasyUriBuilder
at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.queryParamNoTemplate(ClientWebTarget.java:289)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:23)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:12)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.AbstractCollectionProcessor.buildIt(AbstractCollectionProcessor.java:76)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.AbstractWebTargetCollectionProcessor.build(AbstractWebTargetCollectionProcessor.java:22)
Thanks,
Haim.
9 years, 10 months
SAML request signature
by lrxw
Hi all,
I’m new to keycloak, but managed to set up keycloak (1.9.2) and a realm
with a SAML identity provider. Everything seems fine, but the SAML
Request sent to my IDP is signed with an RSAKeyValue instead of X509Data.
Can anyone tell me how to configure keycloak to use an X.509 certificate?
Greetings
9 years, 10 months
Basic auth and Authentication popup
by Dragan Jotanovic
Hi there,
I have a war application deployed to tomcat that is currently secured with
BASIC authentication through tomcat's realm. When I try to access a secured
page, the authentication popup appears.
I would like to switch to keycloak security but I'm not sure if it is
possible to configure keycloak to force this authentication popup.
I tried setting it up but when I try to access the secured page, instead of
authentication popup I am redirected to keycloak page "Client is not
allowed to initiate browser login with given response_type. Standard flow
is disabled for the client."
I've followed the instructions from
https://github.com/keycloak/keycloak/tree/master/examples/basic-auth and
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#t...
.
Is it possible to set up tomcat and keycloak so that the authentication
popup would be forced to appear?
Thanks
9 years, 10 months
Re: [keycloak-user] Performance issues with Federation provider enabled
by Thomas Connolly
Hi Marek
I'm working with Fabricio on the federation performance issues with Keycloak.
In answer to your question, we are using the latest KC 1.9.7 version (we upgraded this week from 1.9.2).
To give you some indication, below are the results of running a gatling direct access login test.
As you can see below in (1), using KC out of the box gives great performance - we saw 110 tx per sec on a 4 core system.
In scenario (2), using a stubbed federator (simply an echo plugin not connecting to any back end services), performance is unacceptable.
1) Not using the federator - Stub federator (disabled) - while this run shows 29 tx per second, we could easily get to a stable 110 tx per second.
300 Users (hitting single server)
---- Global Information --------------------------------------------------------
> request count 9185 (OK=9185 KO=0 )
> min response time 18 (OK=18 KO=- )
> max response time 723 (OK=723 KO=- )
> mean response time 27 (OK=27 KO=- )
> std deviation 44 (OK=44 KO=- )
> response time 50th percentile 20 (OK=20 KO=- )
> response time 75th percentile 21 (OK=21 KO=- )
> mean requests/sec 29.626 (OK=29.626 KO=- )
---- Response Time Distribution ------------------------------------------------
> t < 800 ms 9185 (100%)
> 800 ms < t < 1200 ms 0 ( 0%)
> t > 1200 ms 0 ( 0%)
> failed 0 ( 0%)
2) Stub federator (enabled) - if we brought the test down to 12 tx per second (about 90 users) the response times dropped to < 1200 ms, however that is not even close to meeting our acceptance criteria.
300 Users (hitting single server)
---- Global Information --------------------------------------------------------
> request count 8496 (OK=8496 KO=0 )
> min response time 511 (OK=511 KO=- )
> max response time 11191 (OK=11191 KO=- )
> mean response time 6832 (OK=6832 KO=- )
> std deviation 2329 (OK=2329 KO=- )
> response time 50th percentile 7194 (OK=7194 KO=- )
> response time 75th percentile 8690 (OK=8690 KO=- )
> mean requests/sec 27.404 (OK=27.404 KO=- )
---- Response Time Distribution ------------------------------------------------
> t < 800 ms 154 ( 2%)
> 800 ms < t < 1200 ms 85 ( 1%)
> t > 1200 ms 8257 ( 97%)
> failed 0 ( 0%)
This is currently a show stopper for us and is blocking our path to production.
Do you run similar tests and how can we help you optimise the performance?
Regards
Tom.
Date: Wed, 8 Jun 2016 12:28:19 +0200
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] Performance issues with Federation
provider enabled
To: Fabricio Milone <fabricio.milone(a)shinetech.com>, keycloak-user
<keycloak-user(a)lists.jboss.org>
Message-ID: <5757F343.1040803(a)redhat.com>
Content-Type: text/plain; charset="windows-1252"
Hi,
what's the keycloak version used? Could you try latest keycloak and
check if performance is still the issue?
Marek
On 08/06/16 01:30, Fabricio Milone wrote:
> Hi all,
>
> I sent this email yesterday with 5 or more attachments, so I think it
> was blocked or something... here I go again :)
>
> I've been running load tests on our application during the last few
> weeks, and having some performance issues when my custom federator is
> enabled.
>
> The performance issue does not exist when the federator is disabled.
> *Configuration*:
>
> I have a cluster of 2 instances of Keycloak, with a standalone DB,
> we've verified the DB isn't an issue when the federator is disabled.
> Both instances have a quad core CPU and they are in the same network.
> We've left the memory at 512MB. The test script, database and API that
> connects to the federator are in separate machines.
> *Federator*:
>
> We have a simple custom federator that makes calls to a very
> performant api, which has been tested and is ok. Additionally, we've
> tested stubbing the API so the performance is not a problem there.
> This federator is using a jaxb marshaller to create a request, again
> tested in isolation and is performing well.
>
> As the federator is doing a lot of calls to the API (3 per login
> request), I've implemented a httpclient that uses a
> PoolingHttpClientConnectionManager with 1000 connections available to
> use, instead of using the standard apache httpclient from http
> components. That hasn't improved a bit the performance of the system.
> *Tests*:
> It is a gatling scala script that could generate around ~300 (or more)
> requests/second to the direct grants login endpoint using random
> usernames from a list (all of them already registered using KC). The
> script is doing a round robin across both instances of Keycloak with
> an even distribution to each KC instance.
> The idea is to simulate a load of 300 to 1500 concurrent users trying to
> login into our systems.
> *Problem*:
>
> If I run the tests without using a federation I can see a very good
> performance, but when I try to run the tests with the custom
> federation code, the performance drops from ~150 requests/second to 22
> req/sec using both instances.
> Memory wise, it seems to be ok. I've never seen an error related to
> memory with this configuration, also if you take a look at the
> attached visualVM screenshot you'll see that memory is not a problem
> or it seems not to be.
> CPU utilisation is very low to my mind, I'd expect more than 80% of
> usage or something like that.
> There is a method that is leading the CPU samples on VisualVM called
> Semaphore.tryAcquire(). Not quite sure what's that for, still
> investigating.
>
> I can see that a lot of new threads are being created when the test
> starts, as it creates around 60 requests/second to the direct grants
> login call, but it seems to be a bottleneck at some point.
>
> So I'm wondering if there is some configuration I'm missing on
> Keycloak side that could be affecting the cluster performance when a
> federator is enabled. Maybe something related to jpa connections,
> infinispan configuration or even wildfly.
>
> I'd really appreciate your help on this one as I'm out of ideas.
>
> I've attached some screenshots of visualVM and tests results from my
> last run today.
>
>
> Sorry for the long email and please let me know if you need further
> information.
>
> Thank you in advance,
>
> Regards,
> Fab
>
> --
> *Fabricio Milone*
> Developer
9 years, 10 months
Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation
by Rafael Soares
I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
I'm using the same environment used by @mposolda [1] with the @adelton's
FreeIPA Docker container image [2].
The integration (KC and FreeIPA) worked fine except for the sync for new
users created on KC side (new registrations). When I enable the 'Sync
Registrations' on the 'freeipa-ldap' User Federation and then try to add a
new user using the KC Web Console I get the following error:
KC server.log in TRACE mode:
"
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
returning new cache adapter
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No
origin returning
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
query null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
model from delegate null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search:
(&(mail=kc_user1(a)example.test)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: account
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) givenname =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) sn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) cn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
UT005023: Exception handling request to /auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error
code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
... 57 more"
FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid"
not allowed
""
----
It appears the FreeIPA LDAP server is refusing the attribute 'uid'.
Interestingly, the FreeIPA 'user_add' API operation states the 'uid'
attribute is required:
I tried to add a new user manually using the FreeIPA CLI and it worked
fine. See the FreeIPA CLI output:
"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]
Add a new user.
Options:
-h, --help show this help message and exit
--first=STR First name
--last=STR Last name
--cn=STR Full name
--displayname=STR Display name
--initials=STR Initials
--homedir=STR Home directory
--gecos=STR GECOS
--shell=STR Login shell
--principal=STR Kerberos principal
--principal-expiration=DATETIME
Kerberos principal expiration
--email=STR Email address
--password Prompt to set the user password
--random Generate a random user password
--uid=INT User ID Number (system will assign one if not
provided)
--gidnumber=INT Group ID Number
--street=STR Street address
--city=STR City
--state=STR State/Province
--postalcode=STR ZIP
--phone=STR Telephone Number
--mobile=STR Mobile Telephone Number
--pager=STR Pager Number
--fax=STR Fax Number
--orgunit=STR Org. Unit
--title=STR Job Title
--manager=STR Manager
--carlicense=STR Car License
--sshpubkey=STR SSH public key
--user-auth-type=['password', 'radius', 'otp']
Types of supported user authentication
--class=STR User category (semantics placed on this attribute
are
for local interpretation)
--radius=STR RADIUS proxy configuration
--radius-username=STR
RADIUS proxy username
--departmentnumber=STR
Department Number
--employeenumber=STR Employee Number
--employeetype=STR Employee Type
--preferredlanguage=STR
Preferred Language
--certificate=BYTES Base-64 encoded server certificate
--setattr=STR Set an attribute to a name/value pair. Format is
attr=value. For multi-valued attributes, the command
replaces the values already present.
--addattr=STR Add an attribute/value pair. Format is attr=value.
The
attribute must be part of the schema.
--noprivate Don't create user private group
--all Retrieve and print all attributes from the server.
Affects command output.
--raw Print entries as stored on the server. Only affects
output format.
[root@ipa /]# ipa user-add ipa_user3 --first 'IPA
3' --last 'User3' --email 'ipa_user3(a)example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
dn:
uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
uid: ipa_user3
givenname: IPA 3
sn: User3
cn: IPA 3 User3
initials: IU
homedirectory: /home/ipa_user3
gecos: IPA 3 User3
loginshell: /bin/sh
mail: ipa_user3(a)example.test
uidnumber: 753200006
gidnumber: 753200006
has_password: FALSE
has_keytab: FALSE
displayName: IPA 3 User3
ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
krbPrincipalName: ipa_user3(a)EXAMPLE.TEST
memberof:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
mepManagedEntry:
cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaSshGroupOfPubKeys
objectClass: ipaobject
objectClass: mepOriginEntry
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
"
Can someone help me find what is wrong on KC side? Maybe the KC mappers
mechanism?
Thanks in advance.
[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/
--
___
Rafael T. C. Soares
9 years, 10 months
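As an added example (not Keycloak or FreeIPA code), a small model of the schema check behind "LDAP: error code 65 - attribute "uid" not allowed" above: the MUST/MAY lists are abbreviated from RFC 4519 (top, person, organizationalPerson) and RFC 2798 (inetOrgPerson), and the RDN handling mirrors the trace, where Keycloak listed only objectclass, givenname, sn and cn but the DN itself introduced uid. That `objectclass = person` alone is the cause is an inference from the schema, not something the thread states.

```python
# Abbreviated MUST/MAY lists (attribute names lower-cased) from RFC 4519
# (top, person, organizationalPerson) and RFC 2798 (inetOrgPerson).
SCHEMA = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userpassword", "telephonenumber", "seealso", "description"}},
    "organizationalperson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "st", "street", "postalcode",
                                     "postaladdress", "facsimiletelephonenumber"}},
    "inetorgperson": {"sup": "organizationalperson", "must": set(),
                      "may": {"uid", "mail", "givenname", "displayname", "initials",
                              "employeenumber", "employeetype", "mobile", "manager",
                              "departmentnumber", "preferredlanguage", "carlicense"}},
}


def allowed_attributes(objectclasses):
    """Collect MUST and MAY attributes along each class's superior chain."""
    must, may = set(), set()
    for oc in objectclasses:
        name = oc.lower()
        if name not in SCHEMA:
            raise ValueError(f"objectClass {oc!r} is not in this example schema")
        while name is not None:
            must |= SCHEMA[name]["must"]
            may |= SCHEMA[name]["may"]
            name = SCHEMA[name]["sup"]
    return must, may


def rdn_attribute(dn):
    """The naming attribute of the first RDN ('uid' for 'uid=kc_user1,...')."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def check_add(dn, attrs):
    """Return the schema violations a directory would raise for this ADD.
    The RDN attribute is part of the entry even when it is not listed in
    attrs, which is why the trace fails on 'uid' although it was never sent."""
    ocs = next((v for k, v in attrs.items() if k.lower() == "objectclass"), [])
    must, may = allowed_attributes(ocs)
    present = {k.lower() for k in attrs} | {rdn_attribute(dn)}
    errors = [f'attribute "{a}" not allowed' for a in sorted(present)
              if a not in must and a not in may]
    errors += [f'missing required attribute "{a}"' for a in sorted(must - present)]
    return errors


# Constructed from the LDAPOperationManager trace above: objectclass=person only.
KC_DN = "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test"
KC_ATTRS = {"objectclass": ["person"], "givenname": [""], "sn": [""], "cn": [""]}

if __name__ == "__main__":
    print(check_add(KC_DN, KC_ATTRS))
    # Same entry with the class FreeIPA's own user entry carries (see the CLI output):
    print(check_add(KC_DN, dict(KC_ATTRS, objectclass=["inetOrgPerson"])))
```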
Send verify email message
by LEONARDO NUNES
Hi everyone,
How can I send an email verification with the email verification message?
I'm using /send-verify-email service to send email verification to users after I create their account from Rest API.
The problem is that the email sent goes with the message "executeActionsBodyHtml" not the "emailVerificationBodyHtml" as I would expect.
The message "executeActionsBodyHtml" is generic and can be used for password update also.
--
Leonardo Nunes
________________________________
9 years, 10 months
clustering error
by Snehalata Nagaje
Hi All,
I have set up keycloak cluster.
But somehow it is not working, giving an error like:
type=LOGIN_ERROR, realmId=TESTAUTH, clientId=null, userId=null, ipAddress=10.0.13.44, error=expired_code, restart_after_timeout=true
Thanks,
Snehalata
9 years, 10 months
Keycloak cluster question
by Snehalata Nagaje
Hi All,
I am setting up keycloak cluster.
As we are running the keycloak server in the full-ha profile with domain mode, there is by default a configuration for a hornet queue cluster; do we need this for keycloak?
Can we remove it?
Thanks,
Snehalata
9 years, 10 months
Re: [keycloak-user] Keycloak OAuth High CPU usage
by Stian Thorgersen
Again, CPU load is expected to be high while having 20 threads send as many
requests as they can. It's the total throughput that matters here.
There are loads of tuning you can do, but you should be able to get decent
numbers without any tuning.
On 26 May 2016 at 07:09, Vaibhav Naldurgkar <
vaibhav_naldurgkar(a)persistent.com> wrote:
> I'm still wondering what odd configuration I am following on my RHEL VM
> which is not sustaining a few user requests when checked from the output of
> the top command. Could you please suggest if there are any Java specific
> parameters that need to be tuned for performance improvement. If needed I will
> share my configuration files for reference.
>
> *Thanks, Vaibhav*
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Wednesday, May 25, 2016 12:40 PM
> *To:* Vaibhav Naldurgkar
> *Cc:* Herzberg, Manuel; keycloak-user(a)lists.jboss.org
>
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> I did some tests with Linux VM when investigating how Keycloak scales. I
> had Keycloak running on a VM that was permitted 50% of a single core and
> had a throughput of 50 scenarios. Where a scenario includes a login
> request, a code to token request and a logout request. In our performance
> lab with a single node and a not particularly beefy machine we're seeing
> 150+ scenarios/second.
>
>
>
> On 24 May 2016 at 16:05, Vaibhav Naldurgkar <
> vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hello,
>
>
>
> What are the test results on a Linux VM? I just did the same jmeter tests
> on an AWS m4.xlarge instance; however, they are far behind the laptop test results.
>
> @Stian – have you done tests using Linux VM ?
>
> Thanks, Vaibhav
>
>
>
> *From:* Herzberg, Manuel [mailto:manuel.herzberg@atos.net]
> *Sent:* Tuesday, May 24, 2016 5:52 PM
> *To:* stian(a)redhat.com; Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* RE: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> Hello,
>
> I am evaluating the Keycloak performance. Here my practical experience. My
> scenario is the same as Vaibhav’s:
>
>
>
> · A large number of tokens have to be generated. This is done by
> requesting the Keycloak token REST endpoint via http. The different realms
> I am using have 1k, 2k, 3k and 4k keys for signing the tokens (RSA). Longer
> keys result in longer runtime to generate these tokens.
>
>
>
> · I have more than 10k users in each realm. Each request includes a
> new user.
> Requests look like this:
> host1:8080/auth/realms/demo-3072/protocol/openid-connect/token/
> with data:
>
> username=testuser1&password=password&client_id=customer-portal&grant_type=password
>
>
>
> · The response includes 3 tokens (access, refresh and id). In
> total more than 30 000 tokens have to be generated and signed.
>
>
>
> @Stian. You wrote you are able to invoke 10000 token refreshes in under 60
> seconds. A token refresh includes access, refresh and id token right? Can
> you explain us your scenario? How do you get such a high number?
>
> Some more results: just signing 3000 tokens (800 bytes each) with a 2k key
> takes me 20 seconds (laptop i5-4310U, 12gb ram). I am doing this outside
> Keycloak with my own java program, but with the same implementation
> Keycloak is using (sign() method in RSAProvider).
>
> The Keycloak implementation is signing tokens with RSA. HMAC and ECC are
> implemented as well as I saw in the code. Changing from RSA to HMAC or ECC
> is not possible in current release as i experienced. Are there plans to
> provide this in future? Defining this in a configuration file or via
> parameters would be nice.
>
> Best regards, Manuel Herzberg
>
>
>
>
>
> *From:* keycloak-user-bounces(a)lists.jboss.org *On Behalf Of* Stian Thorgersen
> *Sent:* Tuesday, May 24, 2016 8:31 AM
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
>
>
>
>
> On 23 May 2016 at 10:02, Vaibhav Naldurgkar <vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Yes, the direct access grant is ON for this client. I am trying to
> understand what you mean by “not planning on using web based flow?” Could
> you provide more clarification on this.
>
>
>
> If you are planning to do the web based flow (authorization code grant
> flow) you should test with that rather than direct grant. That being said
> the direct grant should still perform as well.
>
>
>
>
>
> This is the scenario I am trying to execute, and I still have high CPU
> usage for the Keycloak Java process.
>
>
>
> · The endpoint URL
> /auth/realms/master/protocol/openid-connect/token has been called by JMeter
> for 20 concurrent users per second to generate the tokens.
>
> · Even when used with a curl command like “*curl -X POST -d
> "username=admin&password=admin&client_id=HelloTest&grant_type=password"
> http://localhost:8080/auth/realms/master/protocol/openid-connect/token*”,
> in this case too the CPU utilization goes to around 100%.
>
> · After around 3 seconds of the test, in the output of the top
> command on the Keycloak server, the CPU% for the Keycloak Java process goes
> beyond 100%.
>
>
>
> Would it be possible for you to have a quick call for a faster fix of this
> issue? This performance issue is holding up moving to Keycloak as our OAuth
> provider. If any other way is convenient for you, please let me know for
> further discussion.
>
>
>
> Your JMeter test is using 20 concurrent threads to send as many requests
> to the direct grant api as it can. This will obviously cause Keycloak to
> consume a high percentage of the CPU. Especially if you are running
> everything on localhost as the network isn't going to be a bottleneck.
> Neither will the database as Keycloak caches everything in memory. The
> bottleneck will be the CPU.
>
>
>
> Authenticating users and obtaining a token requires password hashing as
> well as signing tokens, both are mainly CPU intensive. As you are using the
> direct grant api there's also less network traffic.
>
>
>
> You need to add some reports to your JMeter test so you can see how many
> requests Keycloak can handle. That way you can find out how many users can
> be authenticated per-second on your machine.
>
>
>
> If you only have 500 users remember they won't all login at the same time
> (seconds). Even if they all login at 9am sharp they will be spread out over
> 10 minutes or so, which would only be 1.2 logins/second.
>
>
>
>
>
> Thanks, Vaibhav
>
>
>
>
>
>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Monday, May 23, 2016 12:01 PM
>
>
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> You are using direct grant to authenticate a user and obtain a token in
> the example above. This authenticates and creates a new session for each
> request. Are you not planning on using web based flow?
>
>
>
> What do you have password hashing intervals set to? Verifying password is
> CPU intensive, more than signing tokens.
>
>
>
> It shouldn't matter that the user is stored in RedHat IdM as the user would be
> cached in Keycloak after the first authentication, but it may be an idea to
> just double check by trying to authenticate as a user in Keycloak and not
> RH IdM.
>
>
>
> What results are you actually getting?
>
>
>
>
>
>
>
> On 20 May 2016 at 11:27, Vaibhav Naldurgkar <vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hi Stian,
>
>
>
> After reading your test results of 10000 token refreshes in under 60
> seconds on your laptop, I am sure I am not following the correct configuration,
> and the documents are missing for reference.
>
>
>
> Could you please verify the below steps, along with the screenshots for
> the steps which I am following for adding the client and testing the load
> performance using JMeter. Please suggest if any changes are needed in the
> client configuration. In this case we are obtaining the token for a user from
> Keycloak.
>
>
>
> In my case the users have been stored in Red Hat IdM, which has been
> federated using Keycloak.
>
>
>
>
>
> Step 1. Create a new client called “LoadTest”, using “openid-connect” as the
> Client Protocol.
>
> Used all default values after saving the client.
>
>
>
> Step 2. Start the load tests using JMeter with the path
> *“/auth/realms/master/protocol/openid-connect/token”*. Used 20 threads
> and the POST method.
>
>
>
>
>
> Below is the screenshot for step 1, related to Add Client.
>
>
>
>
>
>
>
>
>
> Below is the screenshot for the load test using JMeter. In this case the
> Client ID used was HelloTest.
>
>
>
>
>
>
>
> HTTP requests.
>
>
>
>
>
>
>
> Thanks, Vaibhav
>
>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Friday, May 20, 2016 1:01 PM
>
>
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> Can you please elaborate a bit more on what your testing scenario is?
> I'm a bit confused as to what you are testing when you are talking about
> generating new tokens. Are you using OIDC or SAML? Are you talking about
> code->token exchanges, refresh token requests, or what?
>
>
>
> To test if your hardware is capable of dealing with the load you need to test
> logins (verifying passwords is CPU intensive) as well as obtaining tokens
> (both code->token, done after login, and refreshing tokens, done every ~1 min or
> so by active users, but most users won't continuously use the application).
>
>
>
> 500 users should be no problem at all. As an example with a single thread
> (which will use a single core) I could invoke 10000 token refreshes in
> under 60 seconds on my laptop. So a single core on my laptop should be able
> to handle 500 users.
>
>
>
> On 20 May 2016 at 08:00, Vaibhav Naldurgkar <vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hi Stian,
>
> Thank you for your reply.
>
>
>
> New tokens need to be generated for each user, which is needed from a
> security point of view. The performance tests were also conducted using a
> single admin user and the token for the admin user; however, in that case the
> performance was not good. Between the 15th and 20th admin token access
> requests, the CPU usage of the Keycloak Java process was crossing the 90 to 120%
> mark.
>
>
>
>
>
> As you have mentioned, creating tokens is expected to be a bit CPU
> intensive. What should the server configuration be, in terms of CPU, to deal
> with more than 500 users using Keycloak as the OAuth provider?
>
>
>
>
>
> Thanks, Vaibhav
>
>
>
>
>
>
>
> *From:* Stian Thorgersen [mailto:sthorger@redhat.com]
> *Sent:* Thursday, May 19, 2016 6:28 PM
> *To:* Vaibhav Naldurgkar
> *Cc:* keycloak-user(a)lists.jboss.org
> *Subject:* Re: [keycloak-user] Keycloak OAuth High CPU usage
>
>
>
> Creating tokens is expected to be a bit CPU intensive as they need to be
> signed. When you say you try to generate tokens for 10-20 users, are you
> doing performance tests and having 10-20 threads generating tokens? It
> shouldn't make any difference if you have 10 or if you have 200 users; it's
> the total number of tokens that can be generated that's the issue. Having
> 200 concurrent users with an access token timeout of 60 seconds should mean
> that you need to be able to generate roughly 200/60 tokens = 3.3 tokens/sec.
>
>
>
> On 19 May 2016 at 13:24, Vaibhav Naldurgkar <vaibhav_naldurgkar(a)persistent.com> wrote:
>
> Hi All,
>
>
>
> I am using Keycloak 1.9.3 with the default configuration. The Keycloak server is
> installed on an RHEL 6.5 virtual image with 4 CPUs, 8 GB RAM, and the Java version
> is jdk1.8.0_73. We are trying to use Keycloak as an OAuth provider. But when
> we try to generate tokens (
> http:///auth/realms/master/protocol/openid-connect/token) for more than
> 10-20 users the server gets too slow and CPU usage goes over 100%.
>
> Any pointers on how to improve the performance of the Keycloak OAuth provider? We
> need to support at least 200 concurrent users.
>
>
>
>
>
> Thanks, Vaibhav
>
> DISCLAIMER ========== This e-mail may contain privileged and confidential
> information which is the property of Persistent Systems Ltd. It is intended
> only for the use of the individual or entity to which it is addressed. If
> you are not the intended recipient, you are not authorized to read, retain,
> copy, print, distribute or use this message. If you have received this
> communication in error, please notify the sender and delete all copies of
> this message. Persistent Systems Ltd. does not accept any liability for
> virus infected mails.
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
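Manuel's measurement above (signing 3000 tokens with a 2k key outside Keycloak) and Stian's point that password verification costs more than signing can both be checked on your own hardware with the plain JCA primitives. The following is an added example, not code from Keycloak or from anyone in this thread; it assumes RS256 (SHA256withRSA) for token signing and PBKDF2WithHmacSHA1 for password hashing, and the key sizes, iteration counts and payload are sample values, not Keycloak defaults.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Measures what a single core spends on the two costs named in this thread:
 * signing tokens (RSA at several key sizes vs. HMAC) and verifying passwords
 * (PBKDF2 at a given iteration count). Numbers are per-core ceilings: a real
 * token request also does JSON, session and cache work on top of this.
 */
public class TokenCostBench {

    // Constructed stand-in for an ~800-byte JWT header+payload (the size quoted above).
    static final byte[] PAYLOAD = buildPayload(800);

    static byte[] buildPayload(int size) {
        StringBuilder sb = new StringBuilder(
                "{\"iss\":\"http://host1:8080/auth/realms/demo\",\"sub\":\"testuser1\",\"pad\":\"");
        while (sb.length() < size - 2) sb.append('x');
        sb.append("\"}");
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    /** Signs PAYLOAD `count` times with SHA256withRSA (RS256); returns signatures per second. */
    static double rsaSignsPerSecond(KeyPair kp, int count) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        byte[] sig = null;
        long start = System.nanoTime();
        for (int i = 0; i < count; i++) {
            signer.initSign(kp.getPrivate());
            signer.update(PAYLOAD);
            sig = signer.sign();
        }
        double seconds = (System.nanoTime() - start) / 1e9;
        // Sanity check: the last signature must verify under the public key.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(PAYLOAD);
        if (!verifier.verify(sig)) throw new IllegalStateException("RSA signature did not verify");
        return count / seconds;
    }

    /** Same payload with HmacSHA256 (HS256), the symmetric alternative asked about above. */
    static double hmacSignsPerSecond(byte[] secret, int count) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        long start = System.nanoTime();
        for (int i = 0; i < count; i++) {
            mac.reset();
            mac.doFinal(PAYLOAD);
        }
        return count / ((System.nanoTime() - start) / 1e9);
    }

    /** One PBKDF2 derivation per password check; `iterations` is the hashing-iterations knob. */
    static double pbkdf2VerifiesPerSecond(int iterations, int count) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        long start = System.nanoTime();
        for (int i = 0; i < count; i++) {
            PBEKeySpec spec = new PBEKeySpec("password".toCharArray(), salt, iterations, 512);
            factory.generateSecret(spec).getEncoded();
            spec.clearPassword();
        }
        return count / ((System.nanoTime() - start) / 1e9);
    }

    public static void main(String[] args) throws Exception {
        // Pass 3000 as the first argument to match the run quoted in the thread.
        int count = args.length > 0 ? Integer.parseInt(args[0]) : 1000;
        for (int bits : new int[] {1024, 2048, 3072, 4096}) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits);
            KeyPair kp = kpg.generateKeyPair(); // key generation is excluded from the timing
            System.out.printf("RS256 %4d-bit key : %9.0f signatures/s%n", bits, rsaSignsPerSecond(kp, count));
        }
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        System.out.printf("HS256 256-bit key  : %9.0f signatures/s%n", hmacSignsPerSecond(secret, count));
        for (int iterations : new int[] {1000, 20000}) { // sample iteration counts, not defaults
            System.out.printf("PBKDF2 %5d iters : %9.0f verifications/s%n",
                    iterations, pbkdf2VerifiesPerSecond(iterations, count / 10));
        }
    }
}
```

Divide the expected per-second login and token-refresh rates (Stian's 200/60 arithmetic above) by these figures to see how much of a core each part of the load consumes.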
9 years, 10 months
New user, same e-mail
by Felipe Braun Azambuja
Hello all,
We have Keycloak connected to our Active Directory (read only),
everything working correctly, authenticating our employees. But there is
a case that is a little complicated.
When someone starts working here as an intern, the user has an employee
ID with four digits. If a person is a regular employee, it has five
digits. The Windows login is made of the first 2 letters of the name and
then the ID number, zero padded, as in *fe001173*. But there are times
when these interns are hired as employees, so the previous account is
*disabled* in AD and a new one is created.
The problem is that the e-mail address is the same. When this happens, I
can't even search for the user in the Keycloak admin interface, because it says
that it already has a user with the same e-mail. The old one is still
there, though; but if I go to its details, I can't change the e-mail
address, since it tries to sync it back to AD.
So far, the solution was changing it directly in the database and
restarting Keycloak, which is *not* a good thing to do.
Any thoughts on what we could do?
Thanks!
--
Felipe Braun Azambuja
DBA
Tecnologia da Informação e Comunicação
(48) 3281 9577
felipe.braun(a)intelbras.com.br
The information contained in this e-mail and its attachments are protected by law, subjected to privilege and/or confidentiality and cannot be retransmitted, filed, disclosed or copied without authorization from the sender. The sender uses the electronic mail in the exercise of his/her work or by virtue thereof, and the institution accepts no liability from its undue use. If you have received this message by mistake, please notify us immediately by returning the e-mail and deleting this message from your system.
9 years, 10 months
Fwd: Multi-org salesforce with single realm keycloak
by Anthony Fryer
Why do you say "very hard to get App1 to support multiple realms (no
adapter or keycloak support)"?
Keycloak does provide multi-tenancy support via the
KeycloakConfigResolver. See
https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant.
The issue would be if your app can't use a keycloak adapter.
On Thu, Jun 9, 2016 at 10:05 AM, Jesse Chahal <jessec(a)stytch.com> wrote:
> Hi,
>
> I'm back again. I'm trying to figure out how to scale Identity Providers.
> We are planning on trying to integrate our App1 with salesforce. A
> user who logs into salesforce should be able to have a native feel of
> our App1 within it. To do this we'll probably have to end up building
> salesforce native apps. For every salesforce organization/licensee we
> will have to register an Identity provider with keycloak to make sure
> they can correctly use App1. Some configuration options we came up
> with are listed below. Has anyone else solved a similar problem?
>
> OPTION 1
> ########################################################
> # Keycloak
> #
> # ---> master realm
> #
> # ---> realm 1
> #
> # --- ---> app1_client (open ID)
> #
> # --- ---> salesforce_org1_saml2.0_identity_provider
> #
> # --- ---> salesforce_org2_saml2.0_identity_provider
> #
> #
> #
> # Salesforce
> #
> # ---> org1
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---> org 2
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---- ----> salesforce_appY (uses App1)
> #
> # .....
> #
> #
> #
> # App 1
> #
> # ---> OpenID to realm1 (using adapter)
> #
> ########################################################
> benefits
> - single login page
> - single realm
> cons
> - login page with infinite number of identity provider buttons present
>
>
> OPTION 2
> ########################################################
> # Keycloak
> #
> # ---> master realm
> #
> # ---> realm 1
> #
> # --- ---> app1_client (open ID)
> #
> # --- ---> salesforce_org1_saml2.0_identity_provider
> #
> # ---> realm 2
> #
> # --- ---> app1_client (open ID)
> #
> # --- ---> salesforce_org2_saml2.0_identity_provider
> #
> #
> #
> # Salesforce
> #
> # ---> org1
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---> org 2
> #
> # ---- ----> salesforce_appX (uses App1)
> #
> # ---- ----> salesforce_appY (uses App1)
> #
> # .....
> #
> #
> #
> # App 1
> #
> # ---> OpenID to realm1, realm2, realm#.... (using adapter)
> #
> ########################################################
> benefits
> - single salesforce button per login page
> - users are more isolated in single realm
> cons
> - very hard to get App1 to support multiple realms (no adapter or
> keycloak support)
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
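One way to give App1 a realm per Salesforce org (OPTION 2 above) without App1 itself knowing about realms is the KeycloakConfigResolver Anthony mentions. The following is an added example, not the multi-tenant example from the Keycloak repository; it assumes the adapter API of that era (resolve(HttpFacade.Request)), that App1's request paths look like /app1/<realm>/..., and that each realm's adapter config ships on the classpath as /<realm>-keycloak.json (all hypothetical names).

```java
import java.io.InputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Resolves the Keycloak realm for App1 from the first path segment after /app1/,
 * e.g. /app1/org1/dashboard -> realm "org1" (one realm per Salesforce org).
 * Hypothetical class: the path layout and realm list are assumptions for this example.
 */
public class PathBasedRealmResolver implements KeycloakConfigResolver {

    private static final String PATH_PREFIX = "/app1/";

    // Closed list of realms this deployment serves. Anything else is refused rather
    // than letting the request path pick an arbitrary classpath resource.
    private static final Set<String> KNOWN_REALMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("org1", "org2")));

    // Parsed adapter config per realm; building a KeycloakDeployment is not free, so cache it.
    private final Map<String, KeycloakDeployment> deployments = new ConcurrentHashMap<String, KeycloakDeployment>();

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        String realm = realmFromPath(request.getRelativePath());
        if (realm == null || !KNOWN_REALMS.contains(realm)) {
            // Fail closed: the adapter will not authenticate a request it cannot map to a realm.
            throw new IllegalStateException("no Keycloak realm mapped for " + request.getRelativePath());
        }
        KeycloakDeployment deployment = deployments.get(realm);
        if (deployment == null) {
            deployment = loadDeployment(realm);
            KeycloakDeployment existing = deployments.putIfAbsent(realm, deployment);
            if (existing != null) {
                deployment = existing;
            }
        }
        return deployment;
    }

    /** Extracts the realm segment; returns null for paths outside /app1/ or with an empty segment. */
    static String realmFromPath(String path) {
        if (path == null || !path.startsWith(PATH_PREFIX)) {
            return null;
        }
        String rest = path.substring(PATH_PREFIX.length());
        int slash = rest.indexOf('/');
        String realm = slash < 0 ? rest : rest.substring(0, slash);
        return realm.isEmpty() ? null : realm;
    }

    private static KeycloakDeployment loadDeployment(String realm) {
        // Adapter config per realm, e.g. /org1-keycloak.json with "realm": "org1" and App1's client id.
        InputStream is = PathBasedRealmResolver.class.getResourceAsStream("/" + realm + "-keycloak.json");
        if (is == null) {
            throw new IllegalStateException("missing /" + realm + "-keycloak.json on the classpath");
        }
        return KeycloakDeploymentBuilder.build(is);
    }
}
```

Register it through the keycloak.config.resolver context parameter in web.xml instead of a single keycloak.json; with this in place each org's SAML identity provider lives in its own realm and the login page shows only that realm's button.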
9 years, 10 months
Re: [keycloak-user] How to apply updates to keycloak instances
by Stian Thorgersen
Adding the list back..
I don't see much value in a solution that doesn't also consider changes
done directly through admin console and/or admin endpoints. A proper
solution would use something along the lines of Liquibase/Git to have all
changes versioned and applied serially. That way they can be reproduced
fully.
On 10 June 2016 at 21:03, Jesse Chahal <jessec(a)stytch.com> wrote:
> I've been thinking about this problem for awhile and so far the
> solutions that I come up with all require that keycloak keeps track
> of changes in a database table (exactly how it works for liquibase).
> The GUI has a partial import feature. I haven't used it too
> extensively but I believe it probably does some sort of JSONtoPOJO
> serialization in order to figure out what the partial update it needs
> to be doing. Maybe we could add unique id identifiers to the
> existing/exported JSON files and have keycloak's import features
> determine whether the JSON file had already been applied or not. If
> there is a rest api for this as well then building an external cli or
> GUI tool would be much more feasible. Scott's solution requires either
> the external app to know the state of keycloak or keycloak's state to
> be blank. It's the best that could have been done with keycloak as it
> is now. Anyone have any comments regarding this possible solution?
>
> On Thu, May 26, 2016 at 11:19 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> > Can you give me some examples of issues around Dockerized deployments and
> > services that are located at runtime (do you mean services that are
> > provisioned at runtime?)?
> >
> > On 26 May 2016 at 19:47, Scott Rossillo <srossillo(a)smartling.com> wrote:
> >>
> >> Stian, that’s fair, it does solve the OP's CI/CD problem when moving in
> >> the dev -> stage -> prod direction.
> >>
> >> Scott Rossillo
> >> Smartling | Senior Software Engineer
> >> srossillo(a)smartling.com
> >>
> >> On May 26, 2016, at 1:41 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> >>
> >>
> >>
> >> On 26 May 2016 at 19:11, Scott Rossillo <srossillo(a)smartling.com> wrote:
> >>>
> >>> I guess it’s a matter of requirements, but with micro service
> >>> architectures there’s usually some sort of discovery mechanism required to
> >>> locate services at runtime. Netflix offers Eureka and then there’s etcd from
> >>> CoreOS that’s being used by Kubernetes. My point is that even if Keycloak
> >>> devs build some sort of way of picking up changes from the filesystem on
> >>> startup, that doesn’t solve all use cases.
> >>
> >>
> >> The problem is continuous integration right, and pushing changes from a
> >> test environment into production? So you need a reliable way to apply
> >> changes to both environments.
> >>
> >>>
> >>>
> >>> It doesn’t solve issues with Dockerized deployments and it doesn’t solve
> >>> the issue where services have to be located at runtime
> >>
> >>
> >> What are the issues it doesn't solve?
> >>
> >>>
> >>>
> >>> Scott Rossillo
> >>> Smartling | Senior Software Engineer
> >>> srossillo(a)smartling.com
> >>>
> >>> On May 26, 2016, at 2:27 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> >>>
> >>>
> >>>
> >>> On 26 May 2016 at 02:15, Jesse Chahal <jessec(a)stytch.com> wrote:
> >>>>
> >>>> @Stian
> >>>> The approach described sounds similar to liquibase to me but with json
> >>>> and specific to keycloak. I feel like a lot of possible bugs could
> >>>> arise from this approach or at least quite a few feature requests.
> >>>> Would each json file only contain a single change? Would order matter
> >>>> in how they get applied if you put a bunch of json files in this
> >>>> directory at once? Can the same file be applied multiple times? These
> >>>> are the kind of issues I would expect to come up with this type of
> >>>> change management system. When I mentioned write our own tool/script
> >>>> to do it I was kind of thinking of a writing a liquibase like system
> >>>> that calls keycloak's rest api.
> >>>
> >>>
> >>> We haven't figured out all the details, but what you are proposing sounds
> >>> better. A single document that lists all changes, that can also import other
> >>> files, sorts out the ordering and we could add the same type of ids as Liquibase
> >>> does to changesets.
> >>>
> >>> You could write it to use the rest api, then use a separate db to store
> >>> what changes have been applied, but it would be better if Keycloak deals with
> >>> loading the changes directly as it can write to the db what changes have
> >>> been applied.
> >>>
> >>> One big issue is what happens if manual changes are done through the
> >>> admin console. One thought (although probably very tricky to get right) is
> >>> that changes done through the admin console are added to the changeset.
> >>>
> >>>>
> >>>>
> >>>> @ Scott
> >>>> If I would compare the solution you mentioned to one of the options I
> >>>> listed in my original question "I've also considered writing my own
> >>>> updater tool using a scripting language (python/ruby) that calls
> >>>> keycloak's rest api." The worrying thing to me is that there is
> >>>> another piece of code that needs to be maintained by our company and
> >>>> requires quite a bit of knowledge of keycloak's rest api. There would
> >>>> probably need to be some serious thought put into the architecture of
> >>>> the tool as well. Without a doubt it does provide the most control. We
> >>>> also live by a different methodology in regards to updating production
> >>>> clusters. From our perspective it is more of an issue to update
> >>>> manually as it becomes much easier to miss a step or in some way screw
> >>>> up if steps are performed manually. I'm not sure what the security
> >>>> implications would be from it occurring automatically, especially if
> >>>> during each step there is thorough testing (including from a security
> >>>> team). For our CI/CD pipeline our goal is to have it so every commit
> >>>> can automagically end up on production without human intervention.
> >>>>
> >>>> Currently we use a combination of an initial realm file to be included
> >>>> on startup and also use jq to modify the keycloak-server.json for new
> >>>> keycloak clusters. We don't need to generate realm or client keys as
> >>>> they are included in the initial realm file. That doesn't work for
> >>>> existing systems backed by a database that cannot be thrown away. That
> >>>> kind of leaves me with the original option (and hardest) of "write a
> >>>> proprietary liquibase like system built on top of keycloak's rest api".
> >>>> This is a hard problem to solve.
> >>>
> >>>
> >>> Why proprietary? If we can agree on a design we'll happily accept a
> >>> contribution and maintain it as well.
> >>>
> >>>>
> >>>>
> >>>> On Mon, May 23, 2016 at 1:49 PM, Anthony Fryer <anthony.fryer(a)gmail.com> wrote:
> >>>> > Thanks, I'll check it out.
> >>>> >
> >>>> >
> >>>> > On 05:38, Tue, 24/05/2016 Scott Rossillo <srossillo(a)smartling.com> wrote:
> >>>> >>
> >>>> >> We use Jose4J[0] to create the keys and then jq[1] to modify the realm
> >>>> >> file.
> >>>> >>
> >>>> >> See the first line of code here for a super simple example of how to
> >>>> >> generate realm keys:
> >>>> >> https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
> >>>> >>
> >>>> >> PS - this may be doable with Keycloak but Jose4J is very lightweight for
> >>>> >> writing a simple script on a CI server.
> >>>> >>
> >>>> >> [0]: https://bitbucket.org/b_c/jose4j
> >>>> >> [1]: https://stedolan.github.io/jq/
> >>>> >>
> >>>> >>
> >>>> >> Scott Rossillo
> >>>> >> Smartling | Senior Software Engineer
> >>>> >> srossillo(a)smartling.com
> >>>> >>
> >>>> >> On May 21, 2016, at 10:20 PM, Anthony Fryer <anthony.fryer(a)gmail.com> wrote:
> >>>> >>
> >>>> >> Hi Scott,
> >>>> >>
> >>>> >> How do you generate the realm keys when creating the new keycloak dev
> >>>> >> instances? Do you use a keycloak api or some other way? I'm interested in
> >>>> >> having a standard realm template that is used to create new realms but would
> >>>> >> need to change the realm keys when importing this template into keycloak.
> >>>> >>
> >>>> >> Cheers,
> >>>> >>
> >>>> >> Anthony
> >>>> >>
> >>>> >> On Sat, May 21, 2016 at 3:43 AM, Scott Rossillo <srossillo(a)smartling.com> wrote:
> >>>> >>>
> >>>> >>> We’re using Keycloak on production, stage/QA, development environments
> >>>> >>> and every developer’s workstation / laptop.
> >>>> >>>
> >>>> >>> While there will always be differing options on how to successfully do
> >>>> >>> change management, we’ve found a very effective method for handling Keycloak
> >>>> >>> provisioning in all environments so that developers don’t need to mess
> >>>> >>> around with. We’re a continuous integration / deployment shop using micro
> >>>> >>> services and everything has to “just work” … I’ll give an overview of our
> >>>> >>> process here but please keep in mind a few things:
> >>>> >>>
> >>>> >>> 1. This approach works for us, I’m not saying it’s the best way
> >>>> >>> 2. We do _not_ allow production config changes to be automated due to
> >>>> >>> security implications
> >>>> >>> 3. We're very opinionated in our approach to configuration management and
> >>>> >>> we don’t ever modify 3rd party software databases directly. We always use
> >>>> >>> APIs.
> >>>> >>>
> >>>> >>> We deploy Keycloak to all environments using Docker images. On developer
> >>>> >>> workstations we use Docker Compose to orchestrate bringing up all services a
> >>>> >>> developer may need, including Keycloak.
> >>>> >>>
> >>>> >>> We have 4 docker images for Keycloak:
> >>>> >>> - Keycloak Base
> >>>> >>> \- Keycloak HA
> >>>> >>> \- Keycloak Dev
> >>>> >>> - Keycloak config manager*
> >>>> >>>
> >>>> >>> The base image includes all customizations necessary to bring up a
> >>>> >>> Keycloak instance configured with our modules and themes installed.
> >>>> >>> The HA instance builds off base and configures Keycloak to run as a
> >>>> >>> cluster node. This is used on stage and prod.
> >>>> >>> The dev instance builds off base and includes our realm file. On startup,
> >>>> >>> this instance loads our realm configuration if it’s not already loaded.
> >>>> >>>
> >>>> >>> All docker images are built and published by the CI server and Keycloak
> >>>> >>> HA can be deployed to stage and prod after a clean CI build.
> >>>> >>>
> >>>> >>> Developers are free to add clients for testing, do whatever they want,
> >>>> >>> etc. to their running dev instance. If they want to get back to our stock
> >>>> >>> build, they pull the latest Docker image from our private Docker repo and
> >>>> >>> restart it.
> >>>> >>>
> >>>> >>> Adding clients to stage and prod requires approval and is done by hand.
> >>>> >>> This is for security reasons. Once a configuration change is detected on
> >>>> >>> stage - say a client is added - our CI server exports the realm from stage,
> >>>> >>> changes the realm keys, and creates a new Keycloak Dev instance with the
> >>>> >>> updated realm file.
> >>>> >>>
> >>>> >>> *A word about configuration management:
> >>>> >>>
> >>>> >>> Obviously, the realm file we generate knows the URLs of staging services,
> >>>> >>> not local or development environment URLs. To overcome this we introduced
> >>>> >>> another Docker based service called the Keycloak configuration manager. It
> >>>> >>> runs on development environments and workstations. It’s responsible for
> >>>> >>> discovering running services and updating Keycloak via its admin endpoints
> >>>> >>> to reflect the proper configuration for the given environment.
> >>>> >>>
> >>>> >>> That’s it. The whole process is automated with the exception of
> >>>> >>> configuration changes to stage and prod which require a security review.
> >>>> >>>
> >>>> >>> Hope this helps. Let me know if you’d like me to elaborate on anything.
> >>>> >>>
> >>>> >>> Best,
> >>>> >>> Scott
> >>>> >>>
> >>>> >>> Scott Rossillo
> >>>> >>> Smartling | Senior Software Engineer
> >>>> >>> srossillo(a)smartling.com
> >>>> >>>
> >>>> >>> On May 20, 2016, at 1:46 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> >>>> >>>
> >>>> >>> Firstly, just wanted to highlight that core Keycloak team are devs, not
> >>>> >>> sysadmins/ops guys, so we have limited experience in continuous delivery and
> >>>> >>> maintenance of real production systems. Hence, we'd love input from the
> >>>> >>> community on this.
> >>>> >>>
> >>>> >>> As it stands we don't really have a proper solution. I believe the best
> >>>> >>> you can do at the moment is either using import feature, partial import or
> >>>> >>> admin rest endpoints. Import is not going to work IMO as it requires
> >>>> >>> re-creating the whole realm. Partial import may work, but would work best
> >>>> >>> for new resources rather than modifying existing resources as it does a
> >>>> >>> delete/create operation rather than attempt to modify. With the admin rest
> >>>> >>> endpoints you'd get the best control of what's going on, but obviously that
> >>>> >>> leaves a fair amount of the work.
> >>>> >>>
> >>>> >>> In the future we have an idea of introducing an "import directory" it
> >>>> >>> would be possible to drop json files in here that would add, modify or
> >>>> >>> delete resources (realms, clients, roles, users, whatever). This would allow
> >>>> >>> dropping json files before the server starts and the server would then
> >>>> >>> import on startup. It would also be possible to do this at runtime and new
> >>>> >>> files would be detected at runtime. Finally, we also had an idea of an
> >>>> >>> offline mode to run import of this (it would basically start the server
> >>>> >>> without http listener, import files, then stop, so it could be used in a
> >>>> >>> script/tool). Import is probably not the best name for it, as it would
> >>>> >>> support modify and delete as well as "importing" new things.
> >>>> >>>
> >>>> >>> On 19 May 2016 at 19:53, Jesse Chahal <jessec(a)stytch.com> wrote:
> >>>> >>> On 19 May 2016 at 19:53, Jesse Chahal <jessec(a)stytch.com> wrote:
> >>>> >>>>
> >>>> >>>> Following some of the best practices for continuous Integration
> and
> >>>> >>>> continuous delivery there needs to be environments for build,
> test,
> >>>> >>>> and production. This would mean that following these practices
> >>>> >>>> would
> >>>> >>>> require you to have multiple versions of keycloak at different
> >>>> >>>> stages
> >>>> >>>> of development cycle. Some of these environments might not have
> >>>> >>>> important persistent data while others might. In order to have
> >>>> >>>> builds
> >>>> >>>> transition from one environment to another there may be
> >>>> >>>> configuration
> >>>> >>>> changes required for a build to be valid. This is especially true
> >>>> >>>> when
> >>>> >>>> new services (openid clients) are being added or "default"
> >>>> >>>> accounts.
> >>>> >>>> I'm trying to come up with a scripted way of updating keycloak
> >>>> >>>> instances that are backed up by an RDMS. This may include adding
> >>>> >>>> new
> >>>> >>>> clients, adding new users, updating realm config, etc...
> Originally
> >>>> >>>> I
> >>>> >>>> was planning on simply exporting the realm config and importing
> it
> >>>> >>>> every time keycloak starts. If I enabled the OVERWRITE option I
> >>>> >>>> might
> >>>> >>>> overwrite things that I do not want overridden. This is
> especially
> >>>> >>>> true if there is some config that differ's based on whether it
> is a
> >>>> >>>> build, test, or production instance. If I don't enable it then it
> >>>> >>>> is
> >>>> >>>> only useful for new/blank keycloak environments. I considered
> using
> >>>> >>>> liquibase but since I do not have control of schema changes
> created
> >>>> >>>> by
> >>>> >>>> the keycloak team I might run into issues with my liquibase file
> >>>> >>>> not
> >>>> >>>> being valid after a migration/liquibase update by the keycloak
> team
> >>>> >>>> as
> >>>> >>>> my liquibase file would run after keycloak's does. There might
> also
> >>>> >>>> be
> >>>> >>>> some other unknown issues our liquibase changes conflicting
> somehow
> >>>> >>>> with keycloak's liquibase changes. I've also considered writing
> my
> >>>> >>>> own
> >>>> >>>> updater tool using a scripting language (python/ruby) that calls
> >>>> >>>> keycloak's rest api. The issues with this mechanism is it feels
> >>>> >>>> like I
> >>>> >>>> am recreating the wheel as well as not being able to find good
> >>>> >>>> documentation on keycloak's openid endpoints/url's used for
> >>>> >>>> different
> >>>> >>>> oauth2 flows. Even if I did find this documentation it would also
> >>>> >>>> require me to find a good openid client for the scripting
> language.
> >>>> >>>> This doesn't matter for our normal clients as they simply use the
> >>>> >>>> keycloak subsystems and adapters instead. I've also looked at
> >>>> >>>> commonly
> >>>> >>>> used server configuration software such as chef, puppet, and
> >>>> >>>> ansible.
> >>>> >>>> I don't see a good solution using any of those tools yet either.
> >>>> >>>> What
> >>>> >>>> have other people done for cases like this? Please don't tell me
> >>>> >>>> there
> >>>> >>>> is someone who is doing this all manually because that doesn't
> work
> >>>> >>>> in
> >>>> >>>> modern software development.
> >>>> >>>>
> >>>> >>>> - doesn't accidentally delete users
> >>>> >>>> - doesn't accidentally delete clients
> >>>> >>>> - doesn't invalidate sessions (optional)
> >>>> >>>> - works to bring up new, correctly configured, keycloak instances
> >>>> >>>> - handles applying updates to existing keycloak instances
> >>>> >>>> - can handle minor differences between keycloak instances (build,
> >>>> >>>> test, production) when updating
> >>>> >>>> - preferably can work well in rolling deployment scenario's.
> >>>> >>>> -- I hope the keycloak team is taking these into consideration
> when
> >>>> >>>> doing database migration between 1-2 releases. It would be nice
> if
> >>>> >>>> they set some specific rules for rolling updates between versions
> >>>> >>>> (aka
> >>>> >>>> backwards breaking changes)
> >>>> >>>> _______________________________________________
> >>>> >>>> keycloak-user mailing list
> >>>> >>>> keycloak-user(a)lists.jboss.org
> >>>> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
9 years, 10 months
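The thread above weighs realm import, partial import and the admin REST endpoints for pushing configuration through build, test and production, and lists what such a tool must not do (delete users or clients, clobber per-environment settings). The script below is an added example of the "own updater tool calling the REST API" approach, written for this page; it is not code from the thread or from the Keycloak project. It assumes the URL layout visible in this thread (server under /auth, the built-in admin-cli client in the master realm, /admin/realms/{realm}/clients), and the base client definition and per-environment overrides are constructed sample data. The transport is injectable so the upsert logic can be exercised without a server, and the planner only ever sends keys it owns, so settings it does not manage are never overwritten and nothing is deleted.

```python
"""Idempotent upsert of a Keycloak client through the admin REST API.

Added example; not code from the thread or from the Keycloak project. It
assumes the 2016-era URL layout seen in this thread (server under /auth,
built-in admin-cli client in the master realm). The client definition and
the environment overrides below are constructed sample data.
"""
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample input: one definition shared by build, test and prod,
# and only the keys that legitimately differ between those stages.
BASE_CLIENT = {
    "clientId": "app1",
    "enabled": True,
    "publicClient": False,
    "standardFlowEnabled": True,
    "redirectUris": ["https://app1.example.test/*"],
}
ENV_OVERRIDES = {
    "build": {"redirectUris": ["http://localhost:8081/*"]},
    "test": {"redirectUris": ["https://app1-test.example.test/*"]},
    "prod": {},
}


def merge_for_env(base, overrides, env):
    """Desired state for one environment: base definition plus its overrides."""
    desired = dict(base)
    desired.update(overrides.get(env, {}))
    return desired


def plan_changes(current, desired):
    """Keys whose live value differs from the desired one. Keys the tool does
    not own are never touched, and nothing is ever deleted."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def urllib_transport(base_url, token):
    """Real HTTP transport: JSON in, JSON out, bearer token on every call."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None
    return send


class KeycloakAdmin:
    """Thin wrapper over the admin endpoints. `transport(method, path, body)`
    is injectable so the upsert logic can run against a fake in tests."""

    def __init__(self, realm, transport):
        self.realm = realm
        self.send = transport

    def find_client(self, client_id):
        # GET /clients?clientId=... returns a list (empty when absent).
        query = urllib.parse.urlencode({"clientId": client_id})
        found = self.send("GET", f"/admin/realms/{self.realm}/clients?{query}")
        return found[0] if found else None

    def upsert_client(self, desired):
        current = self.find_client(desired["clientId"])
        if current is None:
            self.send("POST", f"/admin/realms/{self.realm}/clients", desired)
            return "created"
        changes = plan_changes(current, desired)
        if not changes:
            return "unchanged"
        # PUT takes a full representation, so send the live one with only the
        # planned keys replaced; everything else stays as the server has it.
        merged = {**current, **changes}
        self.send("PUT", f"/admin/realms/{self.realm}/clients/{current['id']}", merged)
        return "updated"


def admin_token(base_url, username, password):
    """Password grant against the master realm with the built-in admin-cli client."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password,
    }).encode()
    url = f"{base_url}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # usage: KC_ADMIN_PASSWORD=... python upsert_client.py http://localhost:8080/auth test admin
    base_url, env, user = sys.argv[1:4]
    token = admin_token(base_url, user, os.environ["KC_ADMIN_PASSWORD"])
    kc = KeycloakAdmin("realm1", urllib_transport(base_url, token))
    print(kc.upsert_client(merge_for_env(BASE_CLIENT, ENV_OVERRIDES, env)))
```

Run once per environment from the deploy pipeline; a second run against an unchanged realm reports "unchanged" and sends no write, which is what makes the step safe to repeat and to run during a rolling deployment. The same find/plan/PUT pattern applies to roles and other realm resources that have a lookup endpoint.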
Error enabling 'Sync Registrations' for LDAP (FreeIPA) User Federation
by Rafael Soares
I'm testing Keycloak LDAP User Federation with FreeIPA iDM Server.
I'm using the same environment used by @mposolda [1] with the @adelton's
FreeIPA Docker container image [2].
The integration (KC and FreeIPA) worked fine except for the sync for new
users created on KC side (new registrations). When I enable the 'Sync
Registrations' on the 'freeipa-ldap' User Federation and then try to add a
new user using the KC Web Console I get the following error:
KC server.log in TRACE mode:
"
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: master
2016-06-11 22:33:37,568 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
token active - active: true, issued-at: 1,465,684,397, not-before: 0
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getuserById 6f358dd3-3c20-4a84-b0b5-b02c77747a5a
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
returning new cache adapter
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by name cache hit: security-admin-console
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5)
authenticated admin access for: admin
2016-06-11 22:33:37,569 DEBUG [org.keycloak.services] (default task-5) No
origin returning
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
realm by name cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: freeipa
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
by id cache hit: master
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: freeipa-realm
2016-06-11 22:33:37,569 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: freeipa-realm
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
getUserByUsername: kc_user1
2016-06-11 22:33:37,570 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
query null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-5)
model from delegate null
2016-06-11 22:33:37,571 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search: (&(uid=kc_user1)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,575 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-5) Using filter for LDAP search:
(&(mail=kc_user1(a)example.test)(objectclass=person))
. Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-06-11 22:33:37,577 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getRealmRoles cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClients cache hit: freeipa
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: broker
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: realm-management
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: liferay-saml-idp
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: security-admin-console
2016-06-11 22:33:37,578 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: kitchensink
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: admin-cli
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
client by id cache hit: account
2016-06-11 22:33:37,579 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,580 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-5)
getClientRoles cache hit: account
2016-06-11 22:33:37,581 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) Creating entry
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test] with attributes: [
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) objectclass = person
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) givenname =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) sn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) cn =
2016-06-11 22:33:37,583 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default
task-5) ]
2016-06-11 22:33:37,607 ERROR [io.undertow.request] (default task-5)
UT005023: Exception handling request to /auth/admin/realms/freeipa/users:
org.jboss.resteasy.spi.UnhandledException:
org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelException: Error creating subcontext
[uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test]
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:442)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.add(LDAPIdentityStore.java:92)
at
org.keycloak.federation.ldap.LDAPUtils.addUserToLDAP(LDAPUtils.java:71)
at
org.keycloak.federation.ldap.LDAPFederationProvider.register(LDAPFederationProvider.java:171)
at
org.keycloak.models.UserFederationManager.registerWithFederation(UserFederationManager.java:72)
at
org.keycloak.models.UserFederationManager.addUser(UserFederationManager.java:64)
at
org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:213)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Caused by: javax.naming.directory.SchemaViolationException: [LDAP: error
code 65 - attribute "uid" not allowed
]; remaining name 'uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3166)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3081)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812)
at
com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268)
at
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:256)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:197)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:434)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$7.execute(LDAPOperationManager.java:431)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536)
at
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.createSubContext(LDAPOperationManager.java:431)
... 57 more"
FreeIPA Server ldap srv log:
""
tail -f /data/var/log/dirsrv/slapd-EXAMPLE-TEST/errors
[11/Jun/2016:22:33:37 +0000] - Entry
"uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test" -- attribute "uid"
not allowed
""
----
It appears the FreeIPA LDAP server is refusing the attribute 'uid'.
Interestingly, the FreeIPA 'user_add' API operation states the 'uid'
attribute is required:
I tried to add a new user manually using the FreeIPA CLI and it worked
fine. See the FreeIPA CLI output:
"
[root@ipa /]# ipa help user-add
Usage: ipa [global-options] user-add LOGIN [options]
Add a new user.
Options:
-h, --help show this help message and exit
--first=STR First name
--last=STR Last name
--cn=STR Full name
--displayname=STR Display name
--initials=STR Initials
--homedir=STR Home directory
--gecos=STR GECOS
--shell=STR Login shell
--principal=STR Kerberos principal
--principal-expiration=DATETIME
Kerberos principal expiration
--email=STR Email address
--password Prompt to set the user password
--random Generate a random user password
--uid=INT User ID Number (system will assign one if not
provided)
--gidnumber=INT Group ID Number
--street=STR Street address
--city=STR City
--state=STR State/Province
--postalcode=STR ZIP
--phone=STR Telephone Number
--mobile=STR Mobile Telephone Number
--pager=STR Pager Number
--fax=STR Fax Number
--orgunit=STR Org. Unit
--title=STR Job Title
--manager=STR Manager
--carlicense=STR Car License
--sshpubkey=STR SSH public key
--user-auth-type=['password', 'radius', 'otp']
Types of supported user authentication
--class=STR User category (semantics placed on this attribute
are
for local interpretation)
--radius=STR RADIUS proxy configuration
--radius-username=STR
RADIUS proxy username
--departmentnumber=STR
Department Number
--employeenumber=STR Employee Number
--employeetype=STR Employee Type
--preferredlanguage=STR
Preferred Language
--certificate=BYTES Base-64 encoded server certificate
--setattr=STR Set an attribute to a name/value pair. Format is
attr=value. For multi-valued attributes, the command
replaces the values already present.
--addattr=STR Add an attribute/value pair. Format is attr=value.
The
attribute must be part of the schema.
--noprivate Don't create user private group
--all Retrieve and print all attributes from the server.
Affects command output.
--raw Print entries as stored on the server. Only affects
output format.
[root@ipa /]# ipa user-add ipa_user3 --first 'IPA
3' --last 'User3' --email 'ipa_user3(a)example.test' --all --raw
----------------------
Added user "ipa_user3"
----------------------
dn:
uid=ipa_user3,cn=users,cn=accounts,dc=example,dc=test
uid: ipa_user3
givenname: IPA 3
sn: User3
cn: IPA 3 User3
initials: IU
homedirectory: /home/ipa_user3
gecos: IPA 3 User3
loginshell: /bin/sh
mail: ipa_user3(a)example.test
uidnumber: 753200006
gidnumber: 753200006
has_password: FALSE
has_keytab: FALSE
displayName: IPA 3 User3
ipaUniqueID: 65f3f702-3021-11e6-b62c-0242ac110001
krbPrincipalName: ipa_user3(a)EXAMPLE.TEST
memberof:
cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test
mepManagedEntry:
cn=ipa_user3,cn=groups,cn=accounts,dc=example,dc=test
objectClass: ipaSshGroupOfPubKeys
objectClass: ipaobject
objectClass: mepOriginEntry
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
"
Can someone help me find what is wrong on KC side? Maybe the KC mappers
mechanism?
Thanks in advance.
[1] https://github.com/mposolda/keycloak-freeipa-docker
[2] https://hub.docker.com/r/adelton/freeipa-server/
--
___
Rafael T. C. Soares
9 years, 10 months
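The TRACE log above shows the entry Keycloak tried to create carrying only `objectclass = person`, and the directory answering with LDAP error 65 (objectClassViolation): attribute "uid" not allowed. The user that `ipa user-add` created, by contrast, carries `inetorgperson` and `posixaccount` among its object classes; in the standard schema `uid` is a MAY attribute of inetOrgPerson and a MUST of posixAccount, but not part of `person`. The checker below is an added example written for this page, not code from the thread, from Keycloak or from FreeIPA; it models only those standard object classes (a hand-written subset of RFC 2256, RFC 2798 and RFC 2307) and reproduces the violation from entries constructed from the log and the CLI output, which is a cheap way to validate what a federation provider is about to send before the directory rejects it.

```python
"""Check an LDAP entry against the object classes it declares.

Added example, not code from the thread, from Keycloak or from FreeIPA. The
schema table is a hand-written subset of the standard definitions (person,
organizationalPerson, inetOrgPerson, posixAccount); FreeIPA's own auxiliary
classes are not modelled. The entries are constructed from the TRACE log and
the `ipa user-add` output in the post.
"""

# Subset of RFC 2256 / RFC 2798 / RFC 2307 object classes, lowercased because
# directory servers match attribute and class names case-insensitively.
OBJECT_CLASSES = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userpassword", "telephonenumber", "seealso", "description"}},
    "organizationalperson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "st", "postaladdress", "postalcode"}},
    "inetorgperson": {"sup": "organizationalperson", "must": set(),
                      "may": {"uid", "mail", "givenname", "displayname", "initials",
                              "employeenumber", "departmentnumber", "mobile", "manager",
                              "preferredlanguage", "carlicense"}},
    "posixaccount": {"sup": "top", "must": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
                     "may": {"userpassword", "loginshell", "gecos", "description"}},
}


def allowed_attributes(object_classes):
    """Collect MUST and MAY attributes of the classes and all their superclasses."""
    must, may = set(), set()
    for oc in object_classes:
        name = oc.lower()
        if name not in OBJECT_CLASSES:
            raise ValueError(f"unknown object class {oc}")
        while name is not None:
            spec = OBJECT_CLASSES[name]
            must |= spec["must"]
            may |= spec["may"]
            name = spec["sup"]
    return must, may


def check_entry(dn, attributes):
    """Return the violations a server would report for this entry, worded like
    the 389-ds message in the thread. The RDN attribute counts as present
    because the server stores it in the entry, which is exactly how the
    uid=kc_user1 RDN ends up being checked against objectclass=person."""
    present = {k.lower() for k, values in attributes.items() if values}
    present.add(dn.split(",")[0].split("=", 1)[0].strip().lower())
    must, may = allowed_attributes(attributes.get("objectclass", []))
    problems = [f'attribute "{a}" not allowed' for a in sorted(present - must - may)]
    problems += [f'missing required attribute "{a}"' for a in sorted(must - present)]
    return problems


# Constructed from the TRACE log: the entry Keycloak tried to add, with
# objectclass=person only and empty name attributes.
KEYCLOAK_ENTRY = {"objectclass": ["person"], "givenname": [""], "sn": [""], "cn": [""]}

# Constructed from the `ipa user-add ... --all --raw` output, keeping only the
# standard object classes modelled above.
IPA_ENTRY = {
    "objectclass": ["top", "person", "organizationalperson", "inetorgperson", "posixaccount"],
    "uid": ["ipa_user3"], "givenname": ["IPA 3"], "sn": ["User3"], "cn": ["IPA 3 User3"],
    "initials": ["IU"], "homedirectory": ["/home/ipa_user3"], "gecos": ["IPA 3 User3"],
    "loginshell": ["/bin/sh"], "mail": ["ipa_user3@example.test"],
    "uidnumber": ["753200006"], "gidnumber": ["753200006"], "displayname": ["IPA 3 User3"],
}
DN = "uid=kc_user1,cn=users,cn=accounts,dc=example,dc=test"

if __name__ == "__main__":
    print("Keycloak entry:", check_entry(DN, KEYCLOAK_ENTRY))
    print("ipa user-add entry:", check_entry(DN, IPA_ENTRY))
```

Running it lists `uid` (and `givenname`) as not allowed for the Keycloak entry and nothing for the CLI-created one; adding `inetorgperson` to the declared classes of the Keycloak entry clears both. Whatever the right set of object classes is for a given FreeIPA deployment, checking the entry this way before the add, or comparing it with an entry the directory's own tooling produced, pins the failure on the schema rather than on the connection or the mappers.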
Google Login Email Verification Error on Sending
by Harits Elfahmi
Hello all,
We tried to integrate keycloak with google login, and to reauthenticate we
send email verification to the user email. But when we tried the google
login process: login --> add existing user --> email failed to send with
the following error:
http://pastebin.com/eqytRtFp
Anyone know why this happens? Tried to find similar problems on google but
can't find any.
We use sendpulse.com as the SMTP server (with SSL), and in the login
setting we use enable request SSL for all requests, if that matters.
Thanks!
--
Cheers,
*Harits* Elfahmi
9 years, 10 months
When using Social Identity Provider, it failed with failure "Connection timed out"
by LI Ming
Hi,
When I setup social identity provider (GitHub) to authenticate the user, it always failed with the below error:
2016-06-07 00:49:05,349 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: java.net.ConnectException: Connection timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668)
at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1283)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1258)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:141)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
2016-06-07 00:49:05,355 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=demo, clientId=null, userId=null, ipAddress=135.252.159.35, error=identity_provider_login_failure
Can you help to identify the failure reason?
Thanks,
Ming Li
9 years, 11 months
Does Keycloak have any provision for defining role based user associations ?
by Andrew Voumard
Hi,
Suppose I have the following user / role model:
1. A user can have a role of: regular, admin, or super
2. There must be 1 super, and there can be 0..n admin and 0..m regular users
3. A regular user is associated with 1 admin user
For this usage model, would there be any way in Keycloak, that I could arbitrarily associate a regular user with an admin user, and then perform REST queries such as "find all regular users for a given admin user", and "find the admin user for a given regular user"?
Thanks
9 years, 11 months
Multi-org salesforce with single realm keycloak
by Jesse Chahal
Hi,
I'm back again. I'm trying to figure out how to scale Identity Providers.
We are planning on trying to integrate our App1 with salesforce. A
user who logs into salesforce should be able to have a native feel of
our App1 within it. To do this we'll probably have to end up building
salesforce native apps. For every salesforce organization/licensee we
will have to register an Identity provider with keycloak to make sure
they can correctly use App1. Some configuration options we came up
with are listed below. Has anyone else solved a similar problem?
OPTION 1
########################################################
# Keycloak
#
# ---> master realm
#
# ---> realm 1
#
# --- ---> app1_client (open ID)
#
# --- ---> salesforce_org1_saml2.0_identity_provider #
# --- ---> salesforce_org2_saml2.0_identity_provider #
#
#
# Salesforce
#
# ---> org1
#
# ---- ----> salesforce_appX (uses App1)
#
# ---> org 2
#
# ---- ----> salesforce_appX (uses App1)
#
# ---- ----> salesforce_appY (uses App1)
#
# .....
#
#
#
# App 1
#
# ---> OpenID to realm1 (using adapter)
#
########################################################
benefits
- single login page
- single realm
cons
- login page with infinite number of identity provider buttons present
OPTION 2
########################################################
# Keycloak
#
# ---> master realm
#
# ---> realm 1
#
# --- ---> app1_client (open ID)
#
# --- ---> salesforce_org1_saml2.0_identity_provider #
# ---> realm 2
#
# --- ---> app1_client (open ID)
#
# --- ---> salesforce_org2_saml2.0_identity_provider #
#
#
# Salesforce
#
# ---> org1
#
# ---- ----> salesforce_appX (uses App1)
#
# ---> org 2
#
# ---- ----> salesforce_appX (uses App1)
#
# ---- ----> salesforce_appY (uses App1)
#
# .....
#
#
#
# App 1
#
# ---> OpenID to realm1, realm2, realm#.... (using adapter) #
########################################################
benefits
- single salesforce button per login page
- users are more isolated in single realm
cons
- very hard to get App1 to support multiple realms (no adapter or
keycloak support)
9 years, 11 months
Shibboleth IdP configuration issues with Keycloak as SP
by robinfernandes .
Hi All,
We have a situation where the customer is using Shibboleth IdP and sending
the NAMEID in the transient format to Keycloak which acts as an SP.
However, we use one of the SAML attributes which is email to store that as
the username for the user.
However, after the first login, all subsequent logins fail with the error
"User with username already exists." I presume that this is because the
NAMEID which is transient is associated with that user somehow, and since
it is transient it is not able to associate that user correctly even though
we use email as the username?
Any insights on this would be helpful.
Thanks,
Robin
9 years, 11 months
Redirection issue with proxy behind keycloak
by Aritz Maeztu
I'm using keycloak to secure some Spring based services (with the
keycloak spring security adapter). The adapter creates a `/login`
endpoint in each of the services which redirects to the keycloak login
page and then redirects back to the service when authentication is done.
I also have a proxy service which I want to publish on port 80 and
will take care of routing all the requests to each service. The proxy
performs a plain FORWARD to the service, but the problem comes when I
secure the service with the keycloak adapter.
When I make a request, the adapter redirects to its login endpoint and
then to the keycloak auth url. When keycloak sends the redirection, the
url shown in the browser is the one from the service and not the one
from the proxy. Do I have some choice to tell the adapter I want to
redirect back to the first requested url?
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/profile/preview?vpa=pub&locale=es_ES>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel.: 948 21 40 40
Fax: 948 21 40 41
Before printing this e-mail, think carefully about whether it is necessary: the
environment is everyone's concern.
9 years, 11 months
Performance issues with Federation provider enabled
by Fabricio Milone
Hi all,
I sent this email yesterday with 5 or more attachments, so I think it was
blocked or something... here I go again :)
I've been running load tests on our application during the last few weeks,
and having some performance issues when my custom federator is enabled.
The performance issue does not exist when the federator is disabled.
*Configuration*:
I have a cluster of 2 instances of Keycloak, with a standalone DB, we've
verified the DB isn't an issue when the federator is disabled. Both
instances have a quad core CPU and they are in the same network. We’ve left
the memory at 512MB. The test script, database and API that connects to the
federator are in separate machines.
*Federator*:
We have a simple custom federator that makes calls to a very performant
api, which has been tested and is ok. Additionally, we've tested stubbing
the API so the performance is not a problem there. This federator is using
a jaxb marshaller to create a request, again tested in isolation and is
performing well.
As the federator is doing a lot of calls to the API (3 per login request),
I've implemented an httpclient that uses a
PoolingHttpClientConnectionManager with 1000 connections available to use,
instead of using the standard Apache httpclient from HttpComponents. That
hasn't improved the performance of the system at all.
*Tests*:
It is a gatling scala script that could generate around ~300 (or more)
requests/second to the direct grants login endpoint using random usernames
from a list (all of them already registered using KC). The script is doing
a round robin across both instances of Keycloak with an even distribution
to each KC instance.
The idea is to simulate a load of 300 to 1500 concurrent users trying to log
in to our systems.
*Problem*:
If I run the tests without using a federation I can see a very good
performance, but when I try to run the tests with the custom federation
code, the performance drops from ~150 requests/second to 22 req/sec using
both instances.
Memory wise, it seems to be ok. I've never seen an error related to memory
with this configuration, also if you take a look at the attached visualVM
screenshot you'll see that memory is not a problem or it seems not to be.
CPU utilisation is very low to my mind, I'd expect more than 80% of usage
or something like that.
There is a method that is leading the CPU samples on VisualVM called
Semaphore.tryAcquire(). Not quite sure what's that for, still investigating.
I can see that a lot of new threads are being created when the test starts,
as it creates around 60 requests/second to the direct grants login call, but
there seems to be a bottleneck at some point.
So I'm wondering if there is some configuration I'm missing on Keycloak
side that could be affecting the cluster performance when a federator is
enabled. Maybe something related to jpa connections, infinispan
configuration or even wildfly.
I'd really appreciate your help on this one as I'm out of ideas.
I've attached some screenshots of visualVM and tests results from my last
run today.
Sorry for the long email and please let me know if you need further
information.
Thank you in advance,
Regards,
Fab
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
9 years, 11 months
Swedish translation
by Thomas Raehalme
Hi!
We need to translate Keycloak user interface (excluding admin console) to
the Swedish language. I was wondering if anyone has already done the
translation and would be willing to share it?
We have already translated Keycloak to Finnish and hope to share the
translation with the community in the near future.
Best regards,
Thomas
9 years, 11 months
Keycloak behind firewall
by Kevin Hirschmann
Hello,
when sending an authentication request it seems that the keycloak
application uses the server url (from the request) to issue a request to
obtain a token.
The server sends a request to itself. I am running a wildfly instance behind
a transparent proxy and the firewall blocks requests from the wildfly server
to the IP address of the proxy. Is there a way to configure keycloak to send
internal requests to a different IP address?
Thx for your help
Kind regards
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz
Registered office and court of registration: Koblenz HRA 5329
General partner of the KG:
HUEBINET GmbH;
Registered office and court of registration: Koblenz HRB 6857
Management:
Frank Hüttmann; Michael Biemer
----------------------------------------------------------------------------
Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is
only intended to provide information of a general kind, and shall not be
used for any statement with binding contents in respect to legal relations.
It is not totally possible to prevent a third party from manipulating emails
and email contents.
9 years, 11 months
Correct setup of clientID
by Helio Frota
Hi,
1. Is it correct to manually add clientID to keycloak.json?
2. I found this email in the archives:
> I was hoping this would Just Work, but I quickly discovered that some of
> the properties are "renamed" after the HTTP request:
>
> kc.authServerUrl = config['auth-server-url'];
> kc.realm = config['realm'];
> kc.clientId = config['resource'];
> kc.clientSecret = (config['credentials'] || {})['secret'];
http://lists.jboss.org/pipermail/keycloak-user/2016-April/005802.html
Is clientId now called 'resource'?
thanks
9 years, 11 months
tomcat 7 SAMl adapter and <login-config> question
by David Guerra
Hi,
I am updating an old Struts 1.3 web app and integrating our SAML SSO
service with the help of the Keycloak adapter for SAML.
I have some issues with that development on Tomcat 7: in the "web.xml"
file, the following lines are supposed to be added
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
Reading the other options, in WildFly the following code must be added:
<login-config>
<auth-method>KEYCLOAK-SAML</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
And, googling a little, I found that, on Tomcat 7, the correct configuration
must be:
<login-config>
<auth-method>KEYCLOAK</auth-method>
<realm-name>this is ignored currently</realm-name>
</login-config>
My question is: is "BASIC" correct for Tomcat 7 and the SAML adapter in my
development?
Thanks!!!
9 years, 11 months
Revoking individual refresh tokens
by Peter Nalyvayko
Hello,
Is there a way to revoke/invalidate a refresh token issued to a specific user? My understanding is that I can revoke all of the previously issued refresh tokens using 'Revocation' and setting Not Before to Now; this is good but it would be great if I can revoke individual tokens as well.
Thx
--
Peter
9 years, 11 months
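To make the coarseness of the "Not Before" mechanism concrete, here is an added example (not Keycloak's own code, and not part of the original post) that validates a minimal HS256 refresh token the way a realm-wide not-before check does: any token whose iat is older than the realm's not-before value is rejected, regardless of which user or session it belongs to. The token format, the HMAC key, the timestamps and the `revoked_sessions` set are all constructed for the demo; the set stands in for the per-session revocation the poster is asking about (Keycloak refresh tokens carry a session_state claim, so revoking the user session a token is bound to is the fine-grained equivalent, whereas the realm not-before also kills every other user's outstanding tokens).

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_refresh_token(secret: bytes, subject: str, session_id: str, issued_at: int) -> str:
    """Mint a minimal HS256 refresh token (constructed format for the demo, not Keycloak's exact claim set)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"typ": "Refresh", "sub": subject, "session_state": session_id, "iat": issued_at}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def check_refresh_token(token: str, secret: bytes, realm_not_before: int, revoked_sessions: set) -> str:
    """Return 'ok' or a rejection reason.

    Order of checks: signature first, then the realm-wide not-before (coarse: every token
    issued before that instant is dead), then a hypothetical per-session revocation list
    (fine-grained: only tokens bound to that session are dead).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad_signature"
    payload = json.loads(_b64url_decode(payload_b64))
    if realm_not_before > 0 and payload.get("iat", 0) < realm_not_before:
        return "revoked_by_not_before"
    if payload.get("session_state") in revoked_sessions:
        return "revoked_session"
    return "ok"


def demo() -> dict:
    """Constructed scenario: two users with tokens issued around a revocation event."""
    secret = b"constructed-demo-hmac-key"
    t0 = 1_465_300_000  # constructed epoch timestamp
    alice_old = issue_refresh_token(secret, "alice", "sess-a1", t0)
    bob_old = issue_refresh_token(secret, "bob", "sess-b1", t0 + 60)
    alice_new = issue_refresh_token(secret, "alice", "sess-a2", t0 + 600)

    # Admin pushes realm 'Not Before' = t0 + 300 ("set to Now" at that instant).
    not_before = t0 + 300

    # Forgery attempt: swap the payload but keep alice_new's signature.
    header_b64, _, sig_b64 = alice_new.split(".")
    forged_payload = {"typ": "Refresh", "sub": "admin", "session_state": "sess-a2", "iat": t0 + 600}
    forged = header_b64 + "." + _b64url(json.dumps(forged_payload).encode()) + "." + sig_b64

    return {
        "alice_old_after_not_before": check_refresh_token(alice_old, secret, not_before, set()),
        "bob_old_after_not_before": check_refresh_token(bob_old, secret, not_before, set()),
        "alice_new_after_not_before": check_refresh_token(alice_new, secret, not_before, set()),
        "alice_new_session_revoked": check_refresh_token(alice_new, secret, 0, {"sess-a2"}),
        "forged": check_refresh_token(forged, secret, 0, set()),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The realm-wide not-before takes Bob's token down together with Alice's, which is exactly the collateral damage the poster wants to avoid; the session-keyed check only affects the one session.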
impossible to get logs from adapter-saml
by David Guerra
Hi,
I am updating an old Struts 1.3 web app and integrating our SAML SSO
service with the help of the Keycloak adapter for SAML.
I am facing a problem (perhaps a silly problem): I am using Tomcat 7 and I
try to get logs from the Keycloak SAML adapter as described in:
http://keycloak.github.io/docs/userguide/saml-client-adapter/html/debuggi...
with "log4j.logger.org.keycloak.saml=DEBUG" in my log4j.properties.
But there is no 'debug' info in the console. I have other debug info for
my application but none for the Keycloak adapter.
Am I doing something wrong?
Thanks for the help.
9 years, 11 months
Custom page for not found realm (tenant)
by Haim Vana
Hi,
We are using Keycloak with multi-tenancy; each realm represents a tenant (customer).
Sometimes, due to a setup issue or a typo in the realm name, we get a 404 page. Is there a custom page, or a way to customize a page, for the missing-realm scenario?
For example something like "Realm <name> doesn't exist..."
Thanks,
Haim.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
9 years, 11 months
Can't access admin console with realm admin (from 1.9.4 version and above)
by Haim Vana
Hi,
From version 1.9.4 and above I can't access the admin console with a realm admin user.
The realm admin user is a specific realm admin; it was created in the master realm and its only roles are the client (the realm) roles.
I am getting the below exception and it looks like it's not a bug (see RealmsAdminResource.java line 114). If so, how am I supposed to create an admin for only one realm?
Also, what about realm admins created in version 1.9.3: could they still access the admin console if Keycloak is upgraded?
2016-06-07 17:09:09,962 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-79) RESTEASY002005: Failed executing GET /admin/realms: org.keycloak.services.ForbiddenException
at org.keycloak.services.resources.admin.RealmsAdminResource.addRealmRep(RealmsAdminResource.java:114)
at org.keycloak.services.resources.admin.RealmsAdminResource.getRealms(RealmsAdminResource.java:102)
Thanks,
Haim.
9 years, 11 months
Re: [keycloak-user] Email internationalization
by Stian Thorgersen
If you change the PR to use MimeMessage#setSubject(subject, charset) we
should just add it. It's better to have it just work rather than require
changing default system encoding or using -Dfile.encoding.
On 7 June 2016 at 08:18, Nekrasov Aleksandr <a.nekrasov(a)ftc.ru> wrote:
> I've configured a newly allocated standalone Keycloak server with your note and
> it was very helpful in all my cases.
>
> Should we add a note to the documentation about this issue?
>
> I've already created issue https://issues.jboss.org/browse/KEYCLOAK-3089
> and PR https://github.com/keycloak/keycloak/pull/2918 for it. Do you need
> to reject it?
>
> *From:* Tair Sabirgaliev [mailto:tair.sabirgaliev@gmail.com]
> *Sent:* Tuesday, June 07, 2016 11:52 AM
> *To:* keycloak-user(a)lists.jboss.org; Некрасов Александр Сергеевич; Stian
> Thorgersen
> *Subject:* RE: [keycloak-user] Email internationalization
>
> Did you try specifying the default encoding for Java?
>
> in bin/standalone.conf: JAVA_OPTS="... -Dfile.encoding=UTF-8"
>
> --
> Tair Sabirgaliev
>
> On 7 June 2016 at 11:48:03, Nekrasov Aleksandr (a.nekrasov(a)ftc.ru) wrote:
>
> Hello.
>
> I have installed Wildfly10 on SunOS 5.10.
>
> I am using Microsoft Outlook as a client and it shows the Subject header as
>
> Subject:
> =?ISO646-US?B?Pz8/Pz8/Pz8/Pz8/PyA/Pz8/Pz8gPz8/Pz8/Pz8/Pz8gPz8/Pz8=?=
>
> The system encoding for some reason is ISO646-US, which is different from the
> encoding that I need.
>
> *From:* Tair Sabirgaliev [mailto:tair.sabirgaliev@gmail.com]
> *Sent:* Tuesday, June 07, 2016 11:25 AM
> *To:* keycloak-user(a)lists.jboss.org; Некрасов Александр Сергеевич; Stian
> Thorgersen
> *Subject:* Re: [keycloak-user] Email internationalization
>
> Hi Aleksandr!
>
> What is your Wildfly version?
>
> Wildfly 8 has a buggy Java Mail API. In Wildfly 9 and later proper encoding
> is done automatically, no need to `encodeText` manually.
>
> See my answer here:
> http://stackoverflow.com/questions/35010796/wildfly-9-x-fails-encoding-gr...
>
> --
> Tair Sabirgaliev
>
> On 7 June 2016 at 11:03:50, keycloak-user-request(a)lists.jboss.org (
> keycloak-user-request(a)lists.jboss.org) wrote:
>
> Message: 1
> Date: Mon, 6 Jun 2016 12:12:26 +0000
> From: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
> Subject: [keycloak-user] Email internationalization
> To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID: <59219ba4c1b449d0a2bded5436b8ca6a(a)nut-mbx-4.win.ftc.ru>
> Content-Type: text/plain; charset="koi8-r"
>
> Hello everyone.
> I found a bug when trying to send email from keycloak to users with
> encoding against English.
> For example, when I try to send a Russian message with subject "????????
> ???? ??????? ??????" I see "????????????? ?????? ??????????? ?????" in my
> email.
>
> I think you should update the org.keycloak.email.DefaultEmailSenderProvider
> class, changing the line
> msg.setSubject(subject);
> to
> msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
>
> Thanks.
>
> Nekrasov Aleksander,
> Developer,
> Center of Financial Technologies
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://lists.jboss.org/pipermail/keycloak-user/attachments/20160606/bea2f...
>
> ------------------------------
>
> Message: 2
> Date: Mon, 6 Jun 2016 19:38:59 +0200
> From: Stian Thorgersen <sthorger(a)redhat.com>
> Subject: Re: [keycloak-user] Email internationalization
> To: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
> Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <CAJgngAeDFzb96dtFGgz59_RE-A3oGAJUNsNFPA-xXjxvYWipGw(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Please create a JIRA. If you want to submit a PR that would be welcome as
> well.
>
> On 6 June 2016 at 14:12, Nekrasov Aleksandr <a.nekrasov(a)ftc.ru> wrote:
>
> > Hello everyone.
> >
> > I found a bug when trying to send email from keycloak to users with
> > encoding against English.
> >
> > For example, when I try to send a Russian message with subject ?????????
> > ???? ??????? ??????? I see ?????????????? ?????? ??????????? ?????? in
> > my email.
> >
> > I think you should update the org.keycloak.email.DefaultEmailSenderProvider
> > class, changing the line
> >
> > msg.setSubject(subject);
> >
> > to
> >
> > msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
> >
> > Thanks.
> >
> > Nekrasov Aleksander,
> > Developer,
> > Center of Financial Technologies
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://lists.jboss.org/pipermail/keycloak-user/attachments/20160606/21c20...
>
> ------------------------------
9 years, 11 months
keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
by jazz
Hi,
I have wildfly 10 installed using nginx as an https proxy server [1,
standalone-full.xml]. It works great when using weak ciphers in nginx. In
that case keycloak can connect back to the app after authentication
(redirect SSL). When using strong ciphers in nginx [2] it fails the ssl
handshake [4]. JCE seems enabled since the deployed app reports 2016-
04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max
allowed keylength = 2147483647
My question is: does keycloak use a limited set of ciphers? SNI works
fine according to the log. I was digging in the code, but could not
find anything obvious [5]
Best regards, Jazz
[1] wildfly standalone-full.xml
<subsystem xmlns="urn:jboss:domain:undertow:3.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
[... snip ...]
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
<socket-binding name="http" port="${jboss.http.port:8080}"/>
<socket-binding name="https" port="${jboss.https.port:8444}"/>
<socket-binding name="proxy-https" port="443"/>
[2] nginx ssl.conf
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
[3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service
[4]
2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default task-7,
setSoTimeout(0) called
2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe
renegotiation: false
2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy
hello messages: true
2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial
handshake: true
2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure
renegotiation: false
2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring
unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
TLSv1.1
2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached
client session
2016-04-13 21:41:46,518 INFO [stdout] (default task-7) ***
ClientHello, TLSv1.2
2016-04-13 21:41:46,522 INFO [stdout] (default task-7)
RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130,
99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12,
171, 41, 74, 46, 186, 180, 88 }
2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {}
2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher Suites:
[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression
Methods: { 0 }
2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension
signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA,
SHA1withRSA, SHA1withDSA
2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension
server_name, server_name: [type=host_name (0),
value=keycloak.example.com]
2016-04-13 21:41:46,530 INFO [stdout] (default task-7) ***
2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default task-7,
WRITE: TLSv1.2 Handshake, length = 138
2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default task-7,
READ: TLSv1.2 Alert, length = 2
2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default task-7,
RECV TLSv1.2 ALERT: fatal, handshake_failure
2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default task-7,
called closeSocket()
2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default task-7,
handling exception: javax.net.ssl.SSLHandshakeException: Received fatal
alert: handshake_failure
2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default task-7,
called close()
2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default task-7,
called closeInternal(true)
2016-04-13 21:41:46,539 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
[5] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
9 years, 11 months
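The SSL debug output in [4] already contains the answer to "does keycloak use a limited set of ciphers?": the ClientHello offers only TLS_RSA_*, TLS_DHE_RSA_* and TLS_DHE_DSS_* suites, while the nginx `ssl_ciphers` list in [2] accepts only ECDHE_* suites, so the two sides share no cipher suite and nginx sends handshake_failure. The following added example (not code from the original post or from Keycloak) reproduces that negotiation offline: it converts the OpenSSL names from [2] into the IANA names the JDK logs, then applies nginx's `ssl_prefer_server_ciphers on` rule (first server-preferred suite the client offered wins). The converter is written for the AES suites that appear in this thread; the cipher lists are copied from the post, and the "add a DHE suite to nginx" variant at the end is one possible remedy shown for contrast, not something the poster tried.

```python
import re

# nginx ssl_ciphers from [2] (OpenSSL names), copied from the post.
NGINX_SSL_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Cipher suites in the adapter's ClientHello from [4] (IANA names), copied from the post.
CLIENT_HELLO_SUITES = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# OpenSSL name grammar for the AES suites used here:
#   [<kx>-<auth>-]AES<bits>-[GCM-]SHA[<hash>]   e.g. ECDHE-RSA-AES128-GCM-SHA256, AES256-SHA
_AES_SUITE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?P<auth>RSA|ECDSA|DSS)-)?"
    r"AES(?P<bits>128|256)-(?P<gcm>GCM-)?SHA(?P<hash>256|384)?$"
)


def openssl_to_iana(name: str) -> str:
    """Map an OpenSSL AES suite name to its IANA/JSSE name (the form the JDK logs)."""
    m = _AES_SUITE.match(name)
    if m is None:
        raise ValueError(f"unsupported OpenSSL cipher name: {name}")
    kx_auth = f"{m['kx']}_{m['auth']}" if m["kx"] else "RSA"  # no kx prefix = static RSA
    mode = "GCM" if m["gcm"] else "CBC"
    return f"TLS_{kx_auth}_WITH_AES_{m['bits']}_{mode}_SHA{m['hash'] or ''}"


def select_cipher(server_openssl_list: str, client_iana_suites: list):
    """Server-preference selection (ssl_prefer_server_ciphers on): first server suite the client offered.
    Returns None when nothing overlaps, which is what produces the handshake_failure alert."""
    offered = set(client_iana_suites)
    for name in server_openssl_list.split(":"):
        iana = openssl_to_iana(name)
        if iana in offered:
            return iana
    return None


def key_exchanges_offered(client_iana_suites: list) -> set:
    """Key-exchange/authentication families present in a ClientHello, e.g. {'RSA', 'DHE_RSA', 'DHE_DSS'}."""
    kinds = set()
    for suite in client_iana_suites:
        if suite.endswith("_SCSV"):
            continue  # signalling value, not a cipher
        kinds.add(suite.split("_WITH_")[0].split("_", 1)[1])
    return kinds


def demo() -> dict:
    return {
        "negotiated_with_post_config": select_cipher(NGINX_SSL_CIPHERS, CLIENT_HELLO_SUITES),
        "client_key_exchanges": key_exchanges_offered(CLIENT_HELLO_SUITES),
        # Hypothetical remedy for contrast: let nginx also accept one DHE_RSA suite the JDK offers.
        "negotiated_with_dhe_added": select_cipher(
            NGINX_SSL_CIPHERS + ":DHE-RSA-AES128-GCM-SHA256", CLIENT_HELLO_SUITES
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first result is None, matching the alert in the log; the key-exchange set contains no ECDHE entry, so the question to answer on the JVM side is why its default SSLContext offers no ECDHE suites, and on the nginx side whether accepting a DHE suite (at a DH parameter size you are comfortable with) is an acceptable interim step. Whether the adapter itself ever restricts the suite list is not something the log shows, so it is not claimed here.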
How to get specific client role programmatically
by Haim Vana
Hi,
I am using the Keycloak API to create admin users and update their roles. I am able to add all the available client roles to an admin user, but how can I add a specific one?
This is my code to get all the available client roles:
userResource.roles().clientLevel(userRealmClientId).listAvailable()
How can I get a specific one and not all of them?
Any advice will be appreciated,
Haim.
9 years, 11 months
Re: [keycloak-user] keycloak-user Digest, Vol 30, Issue 24
by Tair Sabirgaliev
Hi Aleksandr!
What is your Wildfly version?
Wildfly 8 has buggy Java Mail API. In Wildfly 9 and later proper encoding
is done automatically, no need to `encodeText` manually.
See my answer here:
http://stackoverflow.com/questions/35010796/wildfly-9-x-fails-encoding-gr...
--
Tair Sabirgaliev
On 7 June 2016 at 11:03:50, keycloak-user-request(a)lists.jboss.org (
keycloak-user-request(a)lists.jboss.org) wrote:
Message: 1
Date: Mon, 6 Jun 2016 12:12:26 +0000
From: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
Subject: [keycloak-user] Email internationalization
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID: <59219ba4c1b449d0a2bded5436b8ca6a(a)nut-mbx-4.win.ftc.ru>
Content-Type: text/plain; charset="koi8-r"
Hello everyone.
I found a bug when trying to send email from keycloak to users with
encoding against English.
For example, when I try to send Russian message with subject "???????? ????
??????? ??????" I see "????????????? ?????? ??????????? ?????" in my email.
I think you should update org.keycloak.email.DefaultEmailSenderProvider
class with line
msg.setSubject(subject);
to
msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
Thanks.
Nekrasov Aleksander,
Developer,
Center of Financial Technologies
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.jboss.org/pipermail/keycloak-user/attachments/20160606/bea2f...
------------------------------
Message: 2
Date: Mon, 6 Jun 2016 19:38:59 +0200
From: Stian Thorgersen <sthorger(a)redhat.com>
Subject: Re: [keycloak-user] Email internationalization
To: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID:
<CAJgngAeDFzb96dtFGgz59_RE-A3oGAJUNsNFPA-xXjxvYWipGw(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Please create a JIRA. If you want to submit a PR that would be welcome as
well.
On 6 June 2016 at 14:12, Nekrasov Aleksandr <a.nekrasov(a)ftc.ru> wrote:
> Hello everyone.
>
> I found a bug when trying to send email from keycloak to users with
> encoding against English.
>
> For example, when I try to send a Russian message with subject "Обновите
> вашу учётную запись" I see "????????????? ?????? ??????????? ?????" in my
> email.
>
>
>
> I think you should update org.keycloak.email.DefaultEmailSenderProvider
> class with line
>
> msg.setSubject(subject);
>
> to
>
> msg.setSubject(MimeUtility.*encodeText*(subject, *"utf-8"*, *"B"*));
>
>
>
> Thanks.
>
>
>
> Nekrasov Aleksander,
>
> Developer,
>
> Center of Financial Technologies
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
------------------------------
9 years, 11 months
Re: [keycloak-user] Email internationalization
by Tair Sabirgaliev
Hi Aleksandr!
What is your Wildfly version?
Wildfly 8 has a buggy Java Mail API. In Wildfly 9 and later proper encoding is done automatically, no need to `encodeText` manually.
See my answer here: http://stackoverflow.com/questions/35010796/wildfly-9-x-fails-encod...
--
Tair Sabirgaliev
On 7 June 2016 at 11:03:50, keycloak-user-request(a)lists.jboss.org (keycloak-user-request(a)lists.jboss.org) wrote:
Message: 1
Date: Mon, 6 Jun 2016 12:12:26 +0000
From: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
Subject: [keycloak-user] Email internationalization
To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID: <59219ba4c1b449d0a2bded5436b8ca6a(a)nut-mbx-4.win.ftc.ru>
Content-Type: text/plain; charset="koi8-r"
Hello everyone.
I found a bug when trying to send email from keycloak to users with encoding against English.
For example, when I try to send a Russian message with subject "Обновите вашу учётную запись" I see "????????????? ?????? ??????????? ?????" in my email.
I think you should update org.keycloak.email.DefaultEmailSenderProvider class with line
msg.setSubject(subject);
to
msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
Thanks.
Nekrasov Aleksander,
Developer,
Center of Financial Technologies
------------------------------
Message: 2
Date: Mon, 6 Jun 2016 19:38:59 +0200
From: Stian Thorgersen <sthorger(a)redhat.com>
Subject: Re: [keycloak-user] Email internationalization
To: Nekrasov Aleksandr <a.nekrasov(a)ftc.ru>
Cc: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
Message-ID:
<CAJgngAeDFzb96dtFGgz59_RE-A3oGAJUNsNFPA-xXjxvYWipGw(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Please create a JIRA. If you want to submit a PR that would be welcome as
well.
On 6 June 2016 at 14:12, Nekrasov Aleksandr <a.nekrasov(a)ftc.ru> wrote:
> Hello everyone.
>
> I found a bug when trying to send email from keycloak to users with
> encoding against English.
>
> For example, when I try to send a Russian message with subject "Обновите
> вашу учётную запись" I see "????????????? ?????? ??????????? ?????" in my
> email.
>
>
>
> I think you should update org.keycloak.email.DefaultEmailSenderProvider
> class with line
>
> msg.setSubject(subject);
>
> to
>
> msg.setSubject(MimeUtility.*encodeText*(subject, *"utf-8"*, *"B"*));
>
>
>
> Thanks.
>
>
>
> Nekrasov Aleksander,
>
> Developer,
>
> Center of Financial Technologies
>
>
------------------------------
9 years, 11 months
Email internationalization
by Nekrasov Aleksandr
Hello everyone.
I found a bug when trying to send email from keycloak to users with encoding against English.
For example, when I try to send a Russian message with subject "Обновите вашу учётную запись" I see "????????????? ?????? ??????????? ?????" in my email.
I think you should update org.keycloak.email.DefaultEmailSenderProvider class with line
msg.setSubject(subject);
to
msg.setSubject(MimeUtility.encodeText(subject, "utf-8", "B"));
Thanks.
Nekrasov Aleksander,
Developer,
Center of Financial Technologies
9 years, 11 months
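As an added illustration of what the encodeText change proposed in this thread does (this is not code from the thread, from Keycloak's DefaultEmailSenderProvider, or from the project), the following Java snippet encodes a non-ASCII subject as an RFC 2047 encoded-word with javax.mail's MimeUtility, decodes it back the way a receiving client would, and also shows the alternative that Tair's reply points at: letting JavaMail encode the header itself by passing a charset to MimeMessage.setSubject. The subject string is the constructed sample from the thread; the sender address is a placeholder.

```java
import java.io.UnsupportedEncodingException;
import java.util.Properties;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import javax.mail.internet.MimeUtility;

public class SubjectEncodingDemo {

    // Manual RFC 2047 encoding, the form proposed in the thread:
    // "B" selects base64 encoded-words, so the header stays 7-bit ASCII.
    public static String encodeSubject(String subject) throws UnsupportedEncodingException {
        return MimeUtility.encodeText(subject, "UTF-8", "B");
    }

    // Reverse operation a receiving mail client performs on the header value.
    public static String decodeSubject(String header) throws UnsupportedEncodingException {
        return MimeUtility.decodeText(header);
    }

    public static void main(String[] args) throws MessagingException, UnsupportedEncodingException {
        // Constructed sample: the subject quoted in the thread.
        String subject = "Обновите вашу учётную запись";

        String encoded = encodeSubject(subject);
        System.out.println("Encoded header: " + encoded);   // =?UTF-8?B?...?=
        System.out.println("Round-trips:    " + subject.equals(decodeSubject(encoded)));

        // Alternative: pass the charset to setSubject and let JavaMail build
        // the encoded-word; no manual MimeUtility call is needed.
        Session session = Session.getInstance(new Properties());
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress("noreply@example.invalid")); // placeholder sender
        msg.setSubject(subject, "UTF-8");

        // Raw header as it would go on the wire vs. the decoded value.
        System.out.println("Wire header:    " + msg.getHeader("Subject", null));
        System.out.println("Decoded value:  " + msg.getSubject());
    }
}
```

Calling setSubject(subject) without a charset makes JavaMail pick the JVM's default MIME charset, so the result depends on the server's platform encoding; naming UTF-8 explicitly, whether through encodeText or through the two-argument setSubject, removes that dependency.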
Understanding Realm vs. Client roles
by Rafael T. C. Soares
Hi.
I'm trying to understand how a standard Java web app (client) deals with
the Keycloak roles mechanism.
...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>App</web-resource-name>
    <url-pattern>/some-context/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>some-role</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>KEYCLOAK</auth-method>
  <realm-name>demo</realm-name>
</login-config>
<security-role>
  <role-name>some-role</role-name>
</security-role>
...
Keycloak has two different role levels: Realm roles and Client roles.
When I create a new user it can automatically inherit default roles from
its realm.
But I can't refer to realm roles from my client app because by default
there is no relationship between realm roles and client apps.
I mean a client under the realm is not aware of realm roles. Right?
From the client app user perspective, I have to create the roles for a
specific client app and then associate that role(s) with a given user
(who wants to have access to that client app). Ok! But what can I do to
associate realm roles with a given client app?
I can create a composite role inside the client and associate it with
some realm roles. But I still have to explicitly associate that client
role with each user I want to grant access to that client app.
Imagine a scenario where you imported thousands of users from a LDAP
server (through User Federation).
Let me explain my scenario:
I'm federating users and roles from an MS AD server. I created a Role
Mapper to import AD groups as Keycloak roles and automatically create
realm roles.
Keycloak imported LDAP groups as realm roles and associated those
roles with each user (according to the group/user association on LDAP).
But in this scenario the association roles/client app on Keycloak is
missing. Ok, I could choose to import LDAP groups as Client roles on the
LDAP Role Mapper configuration. But I prefer to import as realm roles.
Thus all client apps created under this realm will inherit those roles.
The role mapper worked perfectly! The problem is: How can I use those
roles (imported to the realm and associated with each imported user) to
restrict access to a specific client app?
Can someone point me to what would be the correct understanding and the
right approach to use imported AD roles in my realm?
--
___
Rafael T. C. Soares | Solution Architect
JBoss Enterprise Middleware | Red Hat Brazil
Mobile: +55 71 98181-3636
Phone: +55 11 3529-6096
9 years, 11 months
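To make the two role scopes in the question concrete, here is an added example (not Rafael's code and not taken from Keycloak's documentation) of how a servlet running behind the Keycloak Java adapter can read realm roles and client roles from the access token. It assumes the adapter's KeycloakSecurityContext request attribute and the AccessToken representation class from the keycloak-core artifact; the client id "some-app" and role name "some-role" are constructed placeholders matching the web.xml fragment above.

```java
import java.util.Collections;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.AccessToken;

public final class RoleInspector {

    private RoleInspector() {}

    // Realm-level roles travel in the token's "realm_access" claim and are
    // present no matter which client the user logged in to.
    public static Set<String> realmRoles(AccessToken token) {
        AccessToken.Access access = token.getRealmAccess();
        return (access == null || access.getRoles() == null)
                ? Collections.emptySet() : access.getRoles();
    }

    // Client-level roles are keyed by client id under "resource_access", so
    // a role defined on client A is invisible when asking about client B.
    public static Set<String> clientRoles(AccessToken token, String clientId) {
        AccessToken.Access access = token.getResourceAccess(clientId);
        return (access == null || access.getRoles() == null)
                ? Collections.emptySet() : access.getRoles();
    }

    public static boolean hasRealmRole(AccessToken token, String role) {
        return realmRoles(token).contains(role);
    }

    public static boolean hasClientRole(AccessToken token, String clientId, String role) {
        return clientRoles(token, clientId).contains(role);
    }

    // Servlet-side usage: the Keycloak adapter stores the security context
    // as a request attribute keyed by the class name.
    public static boolean callerMayAccess(HttpServletRequest req) {
        KeycloakSecurityContext ctx =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ctx == null) {
            return false; // unauthenticated request, adapter did not run
        }
        AccessToken token = ctx.getToken();
        // Placeholder names from the web.xml fragment in the question.
        return hasRealmRole(token, "some-role")
                || hasClientRole(token, "some-app", "some-role");
    }
}
```

Which of the two scopes the adapter compares against a web.xml role-name is controlled by the adapter's use-resource-role-mappings setting in keycloak.json: with its default of false the check is against realm roles, which is the case Rafael describes, and with true it is against the roles under resource_access for the adapter's own client id.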
Classification all email that sent from keycloak as SPAM on GMAIL
by Yasser El-ata
Hello,
I have an issue: all the emails sent by keycloak are classified as
spam, but only on gmail.
The emails sent to Yahoo and Hotmail are received in the inbox.
I'm using Amazon SMTP and I already use certificates from amazon to make
sure all emails will not be sent as spam.
Any ideas please?
Thanks
--
Yasser El-Ata
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
*www.blulogix.com <http://www.blueoss.com/>*
9 years, 11 months
Fw: Are there plans to implement PK Certificate user authentication?
by Peter Nalyvayko
Hello,
Cross-posting... We are considering using keycloak as an STS (Secure Token Service). One of the requirements is PK certificate user authentication. It seems the only supported user authentication mechanism in keycloak is user credentials (user name / password). Before rolling out our own implementation, I just want to make sure I am not missing something obvious and that PK authentication is indeed not supported in keycloak yet.
Regards,
Peter
9 years, 11 months
keycloak cartridge and extra modules
by Simon Gordon
Hey all
Another simple one from me I think!
I'm looking to add a userFederation provider, plus a new theme. I am using
the keycloak cartridge, which is very convenient - but maybe I should
resort to a .war to add modules? Or is there a way to add modules to the
keycloak cartridge?
Thanks,
Simon
9 years, 11 months