Keycloak user data encoding
by Igor Zuk
Hi
I have an encoding problem. By default users' data fields (e.g. first name and last name) are encoded using ISO-8859-1. People from many countries can't properly create accounts as their personal data is silently messed up. How can I fix it?
* The MySQL DB receives already damaged names. By default all columns are ISO-8859-1-encoded, but manually converting them to UTF-8 doesn't help.
* Manual account modification from the admin console has the same effect.
* Change of default server (Wildfly) encoding to UTF-8 doesn't do anything.
Best regards
Igor Żuk
8 years, 4 months
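The symptom described in this post (names arriving in the database already damaged, and a later column charset conversion not helping) is the classic UTF-8 bytes decoded as ISO-8859-1 mistake. The following is an added example, not code from the thread or from Keycloak, that reproduces the damage on a name like "Żuk", shows what a column conversion to UTF-8 would then store, and provides a reversible repair plus a heuristic for scanning existing rows. The sample rows are constructed for the example.

```python
from typing import List, Optional, Tuple

# Constructed sample rows (user id, stored first name): two rows damaged the
# way the post describes, one ASCII row, and one correctly stored row.
SAMPLE_ROWS: List[Tuple[int, str]] = [
    (1, "Å»uk"),     # "Żuk" submitted as UTF-8, decoded by the server as ISO-8859-1
    (2, "MÃ¼ller"),  # "Müller", same damage
    (3, "Smith"),    # pure ASCII is unaffected by the mix-up
    (4, "Müller"),   # correctly stored non-ASCII name; must not be flagged
]


def mangle(name: str) -> str:
    """Simulate a form submission whose UTF-8 bytes are decoded as ISO-8859-1."""
    return name.encode("utf-8").decode("iso-8859-1")


def bytes_after_column_conversion(stored: str) -> bytes:
    """What MySQL keeps once a column holding the mangled text is converted to UTF-8.

    The mangled characters are simply re-encoded, so the damage is preserved
    (and the row grows); this is why converting the column afterwards does not help.
    """
    return stored.encode("utf-8")


def repair(stored: str) -> Optional[str]:
    """Undo the mangling if, and only if, it is reversible.

    Returns None when the text cannot have come from the UTF-8-as-Latin-1 path,
    e.g. because it contains characters outside ISO-8859-1 or the recovered bytes
    are not valid UTF-8.
    """
    try:
        return stored.encode("iso-8859-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None


def looks_mangled(stored: str) -> bool:
    """Heuristic: reinterpreting the text as UTF-8 succeeds and changes it.

    A genuinely Latin-1 string that happens to be valid UTF-8 would be a false
    positive, so review flagged rows before rewriting them.
    """
    fixed = repair(stored)
    return fixed is not None and fixed != stored


def find_suspect_rows(rows: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Return (id, stored value, proposed repair) for every row that looks mangled."""
    return [(uid, name, repair(name)) for uid, name in rows if looks_mangled(name)]


if __name__ == "__main__":
    print(mangle("Żuk"))                           # Å»uk
    print(bytes_after_column_conversion("Å»uk"))   # b'\xc3\x85\xc2\xbbuk'
    for uid, stored, fixed in find_suspect_rows(SAMPLE_ROWS):
        print(uid, repr(stored), "->", repr(fixed))
```

The real fix is to make the servlet container decode request bodies as UTF-8 before the data reaches Keycloak and the database; `repair()` is only for cleaning up rows that were already stored damaged, and the scan should be reviewed rather than applied blindly.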
Why is the Base URL repeated in client configuration?
by Martin Min
Hello, I am configuring a client in the KeyCloak admin console, but am
having trouble creating a client to secure. Specifically, the Base URL
field is wrong (repeated) after I saved the configuration page.
Please see the two attachments for an illustration of the issue. This
looks very weird.
As you can see clearly from keycloak2.png, the base URL I typed is
repeated, thus invalid.
Thanks for any information that might be helpful.
Martin
8 years, 4 months
Keycloak Reference Token Support
by Jitendra Chouhan
I want to know whether Keycloak has support for Reference/Opaque tokens. I
have found one feature request, which is still open, submitted for
implementing the reference token feature, i.e. KEYCLOAK-1719. Today I came
across "KEYCLOAK-2738", which talks about a problem related to aud missing
from the reference token. Can someone confirm whether the Reference/Opaque token
feature is provided by Keycloak? If yes, then please provide a reference point
for the configuration to generate "Reference/Opaque" tokens.
Thanks,
Jitendra Chouhan
8 years, 4 months
Customize Themes by Client
by Josh Cain
Hi All,
I've got some SPs that want the ability to customize the look/feel of the
login page. Couldn't find anything on the docs/jira site, but was curious
as to whether:
- Keycloak currently supports login themes by client
- If not, would the team be open to such a feature?
Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735
8 years, 4 months
Authenticate externally (broker identity) or locally
by Haim Vana
Hi,
In Identity provider settings using the 'Authenticate by Default' option the user can choose between authentication with the external IDP or locally (for example).
Is there an option to achieve the same with different URLs, one for local and one for external, so that it works without user intervention?
The motivation is that sometimes we want the external user to authenticate locally, for example due to some customization we have in our login page (a plugin that injects the user/psw into the local login page).
Thanks,
Haim.
8 years, 4 months
Client roles for 'security-admin-console' application are not fine grained enough
by Valerij Timofeev
Hi,
after reading the ticket KEYCLOAK-528 I've encountered two other issues in
the "security-admin-console" application (tested on RH SSO 7.0.0):
1) As soon as a realm user gets the 'manage-users' role, he can manage
"User federation" settings and even delete it. This can result in
unintentional removal of all users linked with the user federation provider
and thus affect potentially millions of users.
2) Users having 'view-users' role can view "User Federation". "Delete"
button is visible as well although it does not work finally.
IMO "User federation" should be covered by the realm management roles
instead.
Additionally the provided roles for the 'realm-management' client are not
fine grained enough IMO. One role per REST method would be ideal and, I
suppose, simpler to consider in the Keycloak Admin API.
The "security-admin-console" application without fine grained roles exposes
too much risk in real life scenarios and so makes it unusable. One use case
in mind: prevent deletion of any kind for Helpdesk employees e.g. managing
users. Having dedicated roles for DELETE operation would make such task
possible.
Kind regards
Valerij Timofeev
8 years, 4 months
Handling SuspectExceptions in Keycloak
by Sarp Kaya
Hello,
There is already an existing bug report for Infinispan here:
https://issues.jboss.org/browse/ISPN-6721
Currently for Keycloak, if this exception is thrown then it sends an Internal Server Error page to the browser. Essentially what would be really good is that it sends the user back to the login page instead of displaying Internal Server Error.
This happens when I am consistently sending login and logout (around 40 req/s) requests to two Keycloak instances (let’s call them kc1 and kc2), then one new keycloak instance is started kc3. Kc3 connects to kc1 and 2 in clustering mode.
Now kc1 receives a new request (such as login) and while it is processing that, kc3 is gracefully shut down, including the cache, with this log:
2016-07-28 09:15:53,656 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions cache from keycloak container
Just shortly after that (6 ms) kc1 throws an exception like this:
2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default task-48) UT005023: Exception handling request to /auth/realms/{realm}/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 175, got 176
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415)
then shortly after (150 ms) kc1 wants to talk to kc3 and fails to do so with this exception:
2016-07-28 09:15:53,804 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-54) ISPN000136: Error executing command RemoveCommand, writing keys [f9bde276-dd03-41c9-995b-b1aaf64c1489]: org.infinispan.remoting.transport.jgroups.SuspectException: Cache not running on node kc3
at org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:763)
at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$73(JGroupsTransport.java:612)
at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
at org.infinispan.remoting.transport.jgroups.RspListFuture.futureDone(RspListFuture.java:31)
at org.jgroups.blocks.Request.checkCompletion(Request.java:169)
at org.jgroups.blocks.GroupRequest.viewChange(GroupRequest.java:261)
at org.jgroups.blocks.RequestCorrelator.receiveView(RequestCorrelator.java:331)
at org.jgroups.blocks.RequestCorrelator.receive(RequestCorrelator.java:242)
at org.jgroups.blocks.MessageDispatcher$ProtocolAdapter.up(MessageDispatcher.java:684)
at org.jgroups.JChannel.up(JChannel.java:738)
at org.jgroups.fork.ForkProtocolStack.up(ForkProtocolStack.java:123)
at org.jgroups.stack.Protocol.up(Protocol.java:374)
at org.jgroups.protocols.FORK.up(FORK.java:118)
at org.jgroups.protocols.FRAG2.up(FRAG2.java:165)
at org.jgroups.protocols.FlowControl.up(FlowControl.java:394)
at org.jgroups.protocols.ENCRYPT.up(ENCRYPT.java:454)
at org.jgroups.protocols.pbcast.GMS.installView(GMS.java:735)
at org.jgroups.protocols.pbcast.ParticipantGmsImpl.handleViewChange(ParticipantGmsImpl.java:140)
at org.jgroups.protocols.pbcast.GMS.up(GMS.java:922)
at org.jgroups.stack.Protocol.up(Protocol.java:412)
at org.jgroups.protocols.pbcast.STABLE.up(STABLE.java:294)
at org.jgroups.protocols.UNICAST3.up(UNICAST3.java:474)
at org.jgroups.protocols.pbcast.NAKACK2.deliverBatch(NAKACK2.java:982)
at org.jgroups.protocols.pbcast.NAKACK2.removeAndPassUp(NAKACK2.java:912)
at org.jgroups.protocols.pbcast.NAKACK2.handleMessage(NAKACK2.java:846)
at org.jgroups.protocols.pbcast.NAKACK2.up(NAKACK2.java:618)
at org.jgroups.protocols.VERIFY_SUSPECT.up(VERIFY_SUSPECT.java:155)
at org.jgroups.protocols.FD.up(FD.java:260)
at org.jgroups.protocols.FD_SOCK.up(FD_SOCK.java:310)
at org.jgroups.protocols.MERGE3.up(MERGE3.java:285)
at org.jgroups.protocols.Discovery.up(Discovery.java:295)
at org.jgroups.protocols.TP.passMessageUp(TP.java:1577)
at org.jgroups.protocols.TP$MyHandler.run(TP.java:1796)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
The key that it tries to write is the user-id. After this, the browser receives an Internal Server Error page, which looks like this in html:
<html>
<head>
<title>
Error
</title>
</head>
<body>
Internal Server Error
</body>
</html>
I have configured my Infinispan cache settings as follows (the rest are default):
<distributed-cache name="sessions" mode="SYNC" owners="5"/>
<distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
<distributed-cache name="loginFailures" mode="SYNC" owners="1"/>
I have tried many things (such as playing with owner amounts or instance amounts, etc.). It does not seem to fix this exception. I am well aware that this seems more an Infinispan issue than a Keycloak one, but I believe that Keycloak at least should respond to the end user with a better error message (perhaps a login-again page) rather than an Internal Server Error page. Could you please handle this exception?
Kind Regards,
Sarp Kaya
8 years, 4 months
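The sequence in this post (a cache stop on one node, then an OutdatedTopologyException and a SuspectException on another node within milliseconds, each surfacing to a user as a 500) is exactly what an operator wants to spot in centralized logs before users start reporting Internal Server Error pages. The following is an added example, not code from the thread or from Keycloak, that parses the WildFly server.log line format quoted above and correlates cluster errors with a preceding cache stop. The merged sample log is constructed from the lines quoted in the post, with the stack traces cut to one frame; the one-second correlation window and the finding field names are assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# WildFly/Keycloak server.log line: "<date> <time>,<ms> <LEVEL> [<logger>] (<thread>) <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) +"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"Exception handling request to ([^\s:]+)")
KEYS_RE = re.compile(r"writing keys \[([^\]]+)\]")
CLUSTER_ERRORS = ("OutdatedTopologyException", "SuspectException")

# Constructed sample: the three events quoted in the thread merged into one stream,
# as a central log collector would see them (kc3's shutdown line, then kc1's errors).
SAMPLE_LOG = """\
2016-07-28 09:15:53,656 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0003: Stopped sessions cache from keycloak container
2016-07-28 09:15:53,662 ERROR [io.undertow.request] (default task-48) UT005023: Exception handling request to /auth/realms/{realm}/login-actions/authenticate: org.jboss.resteasy.spi.UnhandledException: org.infinispan.statetransfer.OutdatedTopologyException: Cache topology changed while the command was executing: expected 175, got 176
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)
2016-07-28 09:15:53,804 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-54) ISPN000136: Error executing command RemoveCommand, writing keys [f9bde276-dd03-41c9-995b-b1aaf64c1489]: org.infinispan.remoting.transport.jgroups.SuspectException: Cache not running on node kc3
    at org.infinispan.remoting.transport.AbstractTransport.checkResponse(AbstractTransport.java:46)
"""


def parse_log(text: str) -> List[Dict]:
    """Turn log lines into event dicts; stack frames ("at ...") have no header and are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f")
        events.append(ev)
    return events


def ms_between(later: datetime, earlier: datetime) -> int:
    """Whole milliseconds between two timestamps, computed without float rounding."""
    d: timedelta = later - earlier
    return d.days * 86_400_000 + d.seconds * 1000 + d.microseconds // 1000


def correlate(events: List[Dict], window_ms: int = 1000) -> List[Dict]:
    """Flag cluster errors and attach the nearest cache stop that preceded them within the window."""
    cache_stops = [e for e in events if "Stopped" in e["msg"] and "cache" in e["msg"]]
    findings = []
    for e in events:
        if e["level"] != "ERROR":
            continue
        kind = next((k for k in CLUSTER_ERRORS if k in e["msg"]), None)
        if kind is None:
            continue
        delta: Optional[int] = None
        for s in cache_stops:
            if s["ts"] <= e["ts"]:
                d = ms_between(e["ts"], s["ts"])
                if d <= window_ms and (delta is None or d < delta):
                    delta = d
        req = REQUEST_RE.search(e["msg"])
        keys = KEYS_RE.search(e["msg"])
        findings.append({
            "ts": e["ts"],
            "kind": kind,
            "thread": e["thread"],
            "ms_after_cache_stop": delta,          # None when no stop precedes it in the window
            "request": req.group(1) if req else None,
            "keys": keys.group(1).split(", ") if keys else [],  # the post says these are user ids
        })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per exception type, e.g. for an alert threshold."""
    out: Dict[str, int] = {}
    for f in findings:
        out[f["kind"]] = out.get(f["kind"], 0) + 1
    return out


if __name__ == "__main__":
    found = correlate(parse_log(SAMPLE_LOG))
    for f in found:
        print(f["ts"].time(), f["kind"], f["ms_after_cache_stop"], "ms after cache stop", f["request"] or f["keys"])
    print(summarize(found))
```

A finding with a non-empty `ms_after_cache_stop` ties a user-facing 500 to a topology change rather than to a bug in the request itself, which is the distinction the post is asking Keycloak to make before it picks an error page.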
Token generation: possibilities to improve performance
by Matuszak, Eduard
Hello
Motivated by considerations on how to improve the performance of the token generation process I have two questions:
- I noticed that Keycloak's token generation via endpoint "auth/realms/ccp/protocol/openid-connect/token" generates a triple of tokens (access-, refresh- and id-token). Is there any possibility to dispense with the id-token generation?
- Is there a possibility to cause Keycloak to generate more "simple" bearer tokens than complex JWT tokens?
Best regards, Eduard Matuszak
8 years, 4 months
Failed to run the Customer-portal Demo on two machines
by Martin Min
Hi, I can run the preconfigured Customer-portal demo successfully on the
single keycloak-demo-2.0.0.Final distribution by importing the
testrealm.json file to create the realm. Everything works fine.
And also I can run this simple login/logout demo by following this
instruction to install and setup KeyCloak and Wildfly servers separately:
https://keycloak.gitbooks.io/getting-started-tutorials/content/v/2.0/topi...
However, I failed to run the Customer-Portal demo when trying to set up the
Keycloak server and Wildfly server separately. It always gives me this
message as I clicked the "Customer Listing
<http://localhost:8080/customer-portal/customers/view.jsp>" link:
http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?respo...
I did exactly the same thing as I tested in the KeyCloak-demo distribution
by importing the testrealm.json.
I didn't configure the subsystem section in the Wildfly 10's
standalone.xml, since I believe the "keycloak.json" and "web.xml" in the
application's WEB-INF directory will do the same thing. I only had this
configured in Wildfly standalone.xml:
<security-domain name="keycloak">
<authentication>
<login-module
code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
</authentication>
</security-domain>
What am I missing? Thank you for your help in getting this working. By the way, it
would be really great to have a full tutorial on how to set up the
customer-portal demo on two separate Keycloak and Wildfly servers by
configuring both the JSON and subsystem files.
Thank you for your help.
8 years, 4 months