Note about the documentation - Valid account guessing with the "forgot password" feature in Keycloak
by Tomás García
Hi,
In this url:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.ht...
, it says:
"This form *WILL NOT* re-ask the user to enter in an email or username if
the previous email or username did not exist. You need to prevent attackers
from being able to guess valid users. So, if
AuthenticationFlowContext.getUser() returns null, you should proceed with
the flow to make it look like a valid user was selected."
And I totally agree with that, but it doesn't apply to all cases
unfortunately. If the admin enables "User registration", the user
registration form will tell a possible malicious guy if the email
combinations she's trying already exist, invalidating what the above
paragraph says. And I don't think there's a way to do the same as in the
"forgot password" feature with the registration form, because after
registration, there's an autologin.
Actually it's confusing for users telling them an email was sent even if
it's not... People sometimes can forget that they're not registered in the
Keycloak system, so the "forgot password" feature as it is today will make
them wait forever. At least, sending them an email telling them "You're not
registered. You can register visiting this link." if "User registration" is
enabled or "Ask your admin to register your email in the system" if it's
not, would be definitely better.
Thanks.
--
*Tomás García Pérez*
*Software Developer*
*IntraHouse*
8 years, 4 months
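The post above describes two places where the page response itself tells the visitor whether an address is registered. The following is an added example (it is not Keycloak's code, and the store, outbox, URLs and token handling are constructed for illustration) showing the pattern the quoted documentation asks for, extended to the registration form and to the post's own proposal: the browser always gets the same response, and the distinguishing information goes only to the mailbox.

```python
"""Enumeration-resistant 'forgot password' and registration responses.

Added example (not Keycloak's code): the page response is identical whether
or not the identifier exists; anything that differs goes to the mailbox.
"""
from dataclasses import dataclass, field
import secrets

# Constructed in-memory user store standing in for Keycloak's user storage.
USERS = {"alice@example.com": "Alice"}

BASE_URL = "https://idp.example"  # placeholder, not a real deployment


@dataclass
class Outbox:
    """Collects outgoing mail instead of sending it, so the flow can be inspected."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


# The browser sees exactly one string per feature, regardless of the input.
RESET_RESPONSE = "If that address is registered, an email with instructions has been sent."
SIGNUP_RESPONSE = "Check your email to finish registration."


def forgot_password(email, outbox, users=USERS, registration_enabled=True):
    """Same page response for every input; the real answer is delivered by email.

    This is the variant the post proposes: an unregistered user is told in the
    mailbox, not on the page, that no account exists.
    """
    email = email.strip().lower()
    if email in users:
        token = secrets.token_urlsafe(32)  # single-use reset token; storage omitted here
        body = f"Reset your password: {BASE_URL}/reset?token={token}"
    elif registration_enabled:
        body = f"You're not registered. You can register at {BASE_URL}/register"
    else:
        body = "You're not registered. Ask your admin to register your email in the system."
    outbox.send(email, "Password reset", body)
    return RESET_RESPONSE


def register_leaky(email, users=USERS):
    """The behaviour the post complains about: the page itself reveals existence."""
    email = email.strip().lower()
    if email in users:
        return "Email already exists."
    return "Registered. Logging you in..."


def register(email, outbox, users=USERS):
    """Hardened variant: the page response is constant, the mailbox gets the detail."""
    email = email.strip().lower()
    if email in users:
        outbox.send(email, "Registration attempt",
                    "An account with this address already exists. "
                    f"If that was you, use {BASE_URL}/forgot-password.")
    else:
        token = secrets.token_urlsafe(32)  # pending-registration token; storage omitted
        outbox.send(email, "Confirm your registration",
                    f"Confirm: {BASE_URL}/confirm?token={token}")
    return SIGNUP_RESPONSE
```

The hardened registration gives up the autologin the post mentions: the account is only created when the confirmation link is used, which is what makes a constant response possible. An identical response body is necessary but not sufficient; both branches should also take about the same time (token generation is cheap and mail delivery should be queued rather than awaited), otherwise response timing becomes the oracle instead of the message text.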
Display all password rule failures at once
by Everson, David (MNIT)
Hi,
Our users are User Acceptance Testing a Keycloak secured website. We have defined strong password rules.
Our users reported:
"Staff have requested some modifications to how password validation is presented to the user. Right now if a user submits a password that does not meet all criteria, such as requiring both an Upper case letter and a number, it will not tell you that both are required, just that an Upper case letter is required. When that is added, THEN it will notify you that a number is also needed.
Staff would like the error message to note all issues with the submitted password, or otherwise note somewhere on the Change Password screen what all the criteria for a proper password are, so the user does not have to guess."
We could update the template to include all the rules. That is probably the quickest.
Is it possible for Keycloak to return all the unsuccessful rules when it validates a password?
Thanks!
Dave
Dave Everson | DIVISION OF ENVIRONMENTAL HEALTH
MN.IT Services @ Minnesota Department of Health
651-201-5146 (w) | david.everson(a)state.mn.us
Information Technology for Minnesota Government | mn.gov/oet (http://www.mn.gov/oet)
8 years, 4 months
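The post asks for validation that reports every unmet rule rather than stopping at the first one, and mentions listing the criteria on the form as a fallback. As an added example (not Keycloak's PasswordPolicy implementation; the rule names are modelled on Keycloak's built-in policy types and the thresholds and messages are constructed), here is a rule set evaluated both ways, plus the list a template would render:

```python
"""Password policy check that reports every failing rule at once.

Added example, not Keycloak's PasswordPolicy implementation. Rule names are
modelled on Keycloak's built-in policy types; the thresholds are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str                          # policy identifier, e.g. "upperCase(1)"
    message: str                       # text shown to the user when the rule fails
    check: Callable[[str, str], bool]  # (password, username) -> passes?


def _count(pred, s):
    return sum(1 for c in s if pred(c))


POLICY: List[Rule] = [
    Rule("length(12)", "must be at least 12 characters long",
         lambda p, u: len(p) >= 12),
    Rule("upperCase(1)", "must contain at least 1 upper case character",
         lambda p, u: _count(str.isupper, p) >= 1),
    Rule("lowerCase(1)", "must contain at least 1 lower case character",
         lambda p, u: _count(str.islower, p) >= 1),
    Rule("digits(1)", "must contain at least 1 numerical digit",
         lambda p, u: _count(str.isdigit, p) >= 1),
    Rule("specialChars(1)", "must contain at least 1 special character",
         lambda p, u: re.search(r"[^A-Za-z0-9]", p) is not None),
    Rule("notUsername", "must not contain the username",
         lambda p, u: not u or u.lower() not in p.lower()),
]


def first_failure(password: str, username: str, policy=POLICY) -> Optional[str]:
    """Stop at the first failing rule (the behaviour the post describes)."""
    for rule in policy:
        if not rule.check(password, username):
            return rule.message
    return None


def all_failures(password: str, username: str, policy=POLICY) -> List[str]:
    """Evaluate every rule and return all failing messages; an empty list means OK."""
    return [rule.message for rule in policy if not rule.check(password, username)]


def describe_policy(policy=POLICY) -> List[str]:
    """Rule text for showing the full criteria on the change-password form."""
    return [rule.message for rule in policy]
```

Evaluating every rule costs nothing extra, since each rule is a cheap scan of the candidate; the only design decision is that the messages are independent of each other so they can be joined into one error list. Showing `describe_policy()` on the form and returning `all_failures()` on submit covers both of the staff requests in the post.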
Help regarding Picketlink Feature Migration
by Shaun Willows
We are evaluating security frameworks for new application(s) within our organisation. Picketlink provides a number of features that are desirable to us as an organisation. However, as I understand, Picketlink is being migrated into Keycloak, and this process started in March 2015. Is it possible to provide any updates regarding the migration of the following features:
* Picketlink's Java EE integration (particularly its integration with the DeltaSpike security interceptor) is especially useful to us. Will Keycloak provide similar CDI / Java EE integration? The FAQ at http://picketlink.org/keycloak-merge-faq/ indicates that this was planned to be the case, but I cannot see any progress on this issue in the Keycloak Github or JIRA.
* Picketlink's IDM capabilities included a JPA IDM and the ability to easily create new IDMs. How can this be achieved in Keycloak?
* Picketlink's capability to provide custom authenticators and token providers is also useful to us. How can this be achieved in Keycloak?
I appreciate the need to consolidate projects within Red Hat, however as Picketlink is not being actively developed and there is no clear migration path from Picketlink to Keycloak for a number of features, users of both frameworks are left with no interim solution.
Thanks for any help in this regard
Shaun Willows
8 years, 4 months
Problem Saml IdP
by Sjef Hoeks
Hi,
I'm trying to integrate Keycloak with a SAML SP, but unfortunately it is not working yet. I created an Identity Provider in the admin interface.
I guess the problem is that the AuthnRequest which is sent by an HTTP POST to the SP contains a NameIDPolicy:
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
....
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
/>
</samlp:AuthnRequest>
But according to the documentation of the SP I must send
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
....
<samlp:RequestedAuthnContext Comparison="minimum">
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Is this possible with Keycloak? And if so, how can this be done?
Kind regards,
Sjef Hoeks
Sjef Hoeks
Technisch Architect
Gouw Informatie Technologie bv
Hogeweg 5, 5301 LB Zaltbommel
Postbus 98, 5300 AB Zaltbommel
T 0418 511 522
E s.hoeks(a)gouwit.nl
I www.gouwit.nl
8 years, 4 months
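To see whether a given AuthnRequest carries the elements the SP documentation in the post above demands, it helps to have the check in code. This is an added example, not Keycloak's or the SP's code: a small parser for the two relevant elements of a SAML 2.0 AuthnRequest, with two constructed sample requests (one shaped like the request the post says Keycloak sends, one shaped like the request the SP wants; the ID and Issuer values are placeholders).

```python
"""Parse a SAML 2.0 AuthnRequest and inspect NameIDPolicy and RequestedAuthnContext.

Added example, not Keycloak code: the SP-side check a relying party could run
to confirm a request carries the authentication context it requires.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample carrying the RequestedAuthnContext the SP documentation asks for.
SAMPLE_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2016-06-08T10:00:00Z">
  <saml:Issuer>https://idp.example/placeholder-issuer</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>
      urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed sample with NameIDPolicy only, shaped like the request described in the post.
SAMPLE_WITHOUT_CONTEXT = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id-2" Version="2.0" IssueInstant="2016-06-08T10:00:00Z">
  <saml:Issuer>https://idp.example/placeholder-issuer</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
</samlp:AuthnRequest>"""


def parse_authn_request(data: bytes) -> dict:
    """Return the fields of interest; raises ValueError if the root is not an AuthnRequest."""
    # ET.fromstring uses expat and does not resolve external entities; for untrusted
    # input a hardened parser such as defusedxml is still the safer choice.
    root = ET.fromstring(data)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    policy = root.find("samlp:NameIDPolicy", NS)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "allow_create": policy is not None and policy.get("AllowCreate") == "true",
        # SAML core: Comparison defaults to "exact" when the attribute is absent.
        "comparison": rac.get("Comparison", "exact") if rac is not None else None,
        # Whitespace around the class URI (as in the post's snippet) is stripped.
        "context_classes": [
            (e.text or "").strip() for e in rac.findall("saml:AuthnContextClassRef", NS)
        ] if rac is not None else [],
    }


def requests_context(req: dict, required_class: str = PPT) -> bool:
    """True when the request names required_class with exact or minimum comparison."""
    return (req["comparison"] in ("exact", "minimum")
            and required_class in req["context_classes"])
```

Running `requests_context` over the two samples shows the difference the post is about: the first request asks for PasswordProtectedTransport (or stronger), the second says nothing about authentication context at all, which is what the SP presumably rejects. Whether Keycloak's identity-provider configuration can be made to emit the element is the open question of the post; this code only makes the difference between the two requests concrete.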
ClassCastException on UsersResource search API
by Haim Vana
Hi,
We are using Keycloak 1.9.3; when trying to search a user with the API (usersResource.search) we are getting a ClassCastException.
The problem is that the Keycloak RESTEasy (version 3.0.16) ClientWebTarget is explicitly using ResteasyUriBuilder, and at runtime we are getting our Jersey JerseyUriBuilder.
Any idea how to overcome it, assuming we can't remove the Jersey dependency?
Exception stack trace:
java.lang.ClassCastException: org.glassfish.jersey.uri.internal.JerseyUriBuilder cannot be cast to org.jboss.resteasy.specimpl.ResteasyUriBuilder
at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.queryParamNoTemplate(ClientWebTarget.java:289)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:23)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.QueryParamProcessor.apply(QueryParamProcessor.java:12)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.AbstractCollectionProcessor.buildIt(AbstractCollectionProcessor.java:76)
at org.jboss.resteasy.client.jaxrs.internal.proxy.processors.webtarget.AbstractWebTargetCollectionProcessor.build(AbstractWebTargetCollectionProcessor.java:22)
Thanks,
Haim.
8 years, 4 months
SAML request signature
by lrxw
Hi all,
I'm new to Keycloak, but managed to set up Keycloak (1.9.2) and a realm
with a SAML identity provider. Everything seems fine, but the SAML
Request sent to my IDP is signed with an RSAKeyValue instead of X509Data.
Can anyone help me configure Keycloak to use an X.509 certificate?
Greetings
8 years, 4 months
Basic auth and Authentication popup
by Dragan Jotanovic
Hi there,
I have a war application deployed to Tomcat that is currently secured with
BASIC authentication through Tomcat's realm. When I try to access a secured
page, the authentication popup appears.
I would like to switch to Keycloak security but I'm not sure if it is
possible to configure Keycloak to force this authentication popup.
I tried setting it up but when I try to access the secured page, instead of
the authentication popup I am redirected to the Keycloak page "Client is not
allowed to initiate browser login with given response_type. Standard flow
is disabled for the client."
I've followed the instructions from
https://github.com/keycloak/keycloak/tree/master/examples/basic-auth and
http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#t...
.
Is it possible to set up Tomcat and Keycloak so that the authentication
popup would be forced to appear?
Thanks
8 years, 4 months
Re: [keycloak-user] Performance issues with Federation provider enabled
by Thomas Connolly
Hi Marek
I'm working with Fabricio on the federation performance issues with Keycloak.
In answer to your question, we are using the latest KC 1.9.7 version (we upgraded this week from 1.9.2).
To give you some indication, we ran a Gatling direct access login test (results below).
As you can see below in (1), using KC out of the box gives great performance - we saw 110 tx per sec on a 4 core system.
In scenario (2), using a stubbed federator (simply an echo plugin not connecting to any back end services), performance is unacceptable.
1) Not using the federator - Stub federator (disabled) - while this run shows 29 tx per second, we could easily get to a stable 110 tx per second.
300 Users (hitting single server)
---- Global Information --------------------------------------------------------
> request count 9185 (OK=9185 KO=0 )
> min response time 18 (OK=18 KO=- )
> max response time 723 (OK=723 KO=- )
> mean response time 27 (OK=27 KO=- )
> std deviation 44 (OK=44 KO=- )
> response time 50th percentile 20 (OK=20 KO=- )
> response time 75th percentile 21 (OK=21 KO=- )
> mean requests/sec 29.626 (OK=29.626 KO=- )
---- Response Time Distribution ------------------------------------------------
> t < 800 ms 9185 (100%)
> 800 ms < t < 1200 ms 0 ( 0%)
> t > 1200 ms 0 ( 0%)
> failed 0 ( 0%)
2) Stub federator (enabled) - if we brought the test down to 12 tx per second (about 90 users) the response times dropped to < 1200 ms, however not even close to meeting our acceptance criteria.
300 Users (hitting single server)
---- Global Information --------------------------------------------------------
> request count 8496 (OK=8496 KO=0 )
> min response time 511 (OK=511 KO=- )
> max response time 11191 (OK=11191 KO=- )
> mean response time 6832 (OK=6832 KO=- )
> std deviation 2329 (OK=2329 KO=- )
> response time 50th percentile 7194 (OK=7194 KO=- )
> response time 75th percentile 8690 (OK=8690 KO=- )
> mean requests/sec 27.404 (OK=27.404 KO=- )
---- Response Time Distribution ------------------------------------------------
> t < 800 ms 154 ( 2%)
> 800 ms < t < 1200 ms 85 ( 1%)
> t > 1200 ms 8257 ( 97%)
> failed 0 ( 0%)
This is currently a show stopper for us and is blocking our path to production.
Do you run similar tests and how can we help you optimise the performance?
Regards
Tom.
Date: Wed, 8 Jun 2016 12:28:19 +0200
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] Performance issues with Federation
provider enabled
To: Fabricio Milone <fabricio.milone(a)shinetech.com>, keycloak-user
<keycloak-user(a)lists.jboss.org>
Message-ID: <5757F343.1040803(a)redhat.com>
Content-Type: text/plain; charset="windows-1252"
Hi,
what's the keycloak version used? Could you try latest keycloak and
check if performance is still the issue?
Marek
On 08/06/16 01:30, Fabricio Milone wrote:
> Hi all,
>
> I sent this email yesterday with 5 or more attachments, so I think it
> was blocked or something... here I go again :)
>
> I've been running load tests on our application during the last few
> weeks, and having some performance issues when my custom federator is
> enabled.
>
> The performance issue does not exist when the federator is disabled.
> *Configuration*:
>
> I have a cluster of 2 instances of Keycloak, with a standalone DB,
> we've verified the DB isn't an issue when the federator is disabled.
> Both instances have a quad core CPU and they are in the same network.
> We've left the memory at 512MB. The test script, database and API that
> connects to the federator are in separate machines.
> *Federator*:
>
> We have a simple custom federator that makes calls to a very
> performant api, which has been tested and is ok. Additionally, we've
> tested stubbing the API so the performance is not a problem there.
> This federator is using a jaxb marshaller to create a request, again
> tested in isolation and is performing well.
>
> As the federator is doing a lot of calls to the API (3 per login
> request), I've implemented a httpclient that uses a
> PoolingHttpClientConnectionManager with 1000 connections available to
> use, instead of using the standard apache httpclient from http
> components. That hasn't improved a bit the performance of the system.
> *Tests*:
> It is a gatling scala script that could generate around ~300 (or more)
> requests/second to the direct grants login endpoint using random
> usernames from a list (all of them already registered using KC). The
> script is doing a round robin across both instances of Keycloak with
> an even distribution to each KC instance.
> The idea is simulate a load of 300 to 1500 concurrent users trying to
> login into our systems.
> *Problem*:
>
> If I run the tests without using a federation I can see a very good
> performance, but when I try to run the tests with the custom
> federation code, the performance drops from ~150 requests/second to 22
> req/sec using both instances.
> Memory wise, it seems to be ok. I've never seen an error related to
> memory with this configuration, also if you take a look at the
> attached visualVM screenshot you'll see that memory is not a problem
> or it seems not to be.
> CPU utilisation is very low to my mind, I'd expect more than 80% of
> usage or something like that.
> There is a method that is leading the CPU samples on VisualVM called
> Semaphore.tryAcquire(). Not quite sure what's that for, still
> investigating.
>
> I can see that a lot of new threads are being created when the test
> starts, as it creates around 60 requests/second to the direct grants
> login call, but it seems to be a bottleneck at some point.
>
> So I'm wondering if there is some configuration I'm missing on
> Keycloak side that could be affecting the cluster performance when a
> federator is enabled. Maybe something related to jpa connections,
> infinispan configuration or even wildfly.
>
> I'd really appreciate your help on this one as I'm out of ideas.
>
> I've attached some screenshots of visualVM and tests results from my
> last run today.
>
>
> Sorry for the long email and please let me know if you need further
> information.
>
> Thank you in advance,
>
> Regards,
> Fab
>
> --
> *Fabricio Milone*
> Developer
8 years, 4 months