Re: [keycloak-user] Logout at security proxy fails
by Marko Strukelj
Ah, I was looking directly at the cause at the bottom, and missed the
UndertowPreAuthActionsHandler at the beginning of stack trace.
No idea then. If it's an out-of-the-box proxy install, and it's supposed to
just work, then maybe it's a bug.
On Mon, Jul 25, 2016 at 4:41 PM, Manfred Duchrow <manfred.duchrow(a)caprica.biz> wrote:
> Hi,
>
> thanks for your response.
>
> The UndertowPreAuthActionsHandler actually is in the stacktrace. So I
> don't quite understand what you mean.
>
> The installation is out-of-the-box from the keycloak-proxy-2.0.0.Final.zip.
>
> I was assuming that in UndertowPreAuthActionsHandler#handleRequest()
> something like the following must happen,
> in order to execute the logout action handling in a worker thread:
>
> public void handleRequest(HttpServerExchange exchange) throws Exception {
>     UndertowHttpFacade facade = createFacade(exchange);
>     SessionManagementBridge bridge = new SessionManagementBridge(userSessionManagement, sessionManager);
>     final PreAuthActionsHandler handler = new PreAuthActionsHandler(bridge, deploymentContext, facade);
>     if (exchange.getRequestURI().endsWith(AdapterConstants.K_LOGOUT)) {
>         // Handling k_logout does blocking I/O on the request, which Undertow forbids
>         // on the I/O thread (UT000126). Dispatch to a worker thread and let that
>         // thread decide whether to continue the chain; the I/O thread must return
>         // right after dispatch and not touch the exchange again.
>         exchange.dispatch(new HttpHandler() {
>             @Override
>             public void handleRequest(HttpServerExchange exchange) throws Exception {
>                 if (!handler.handleRequest()) {
>                     next.handleRequest(exchange);
>                 }
>             }
>         });
>         return;
>     }
>     if (handler.handleRequest()) return;
>     next.handleRequest(exchange);
> }
>
> Any feedback welcome.
>
> Cheers,
> Manfred
>
> On 25.07.2016 15:35, Marko Strukelj wrote:
>
> Giving a cursory look at KEYCLOAK-3311, and not really knowing this part
> of the code so I hope I'm not giving you a wrong lead here, but it looks
> like UndertowPreAuthActionsHandler should already be present in your
> stacktrace, while currently it is not.
>
> It sounds like Wildfly adapter was not installed correctly.
>
> On Mon, Jul 25, 2016 at 9:26 AM, Manfred Duchrow <manfred.duchrow(a)caprica.biz> wrote:
>
>> Hi,
>>
>> a few days ago I created the Jira issue KEYCLOAK-3311.
>>
>> It's about the following exception when a "k_logout" request from the
>> keycloak server comes in:
>>
>> IllegalStateException: UT000126: Attempted to do blocking IO from the IO
>> thread. This is prohibited as it may result in deadlocks
>>
>> Has anybody experienced the same? Is there a workaround?
>>
>> Currently this error prevents the logout from the secure proxy and therefore the protected
>> application can still be reached (for a while) even if the user's session on the keycloak server
>> has been terminated.
>>
>> Cheers,
>> Manfred
>>
8 years, 5 months
Reverse Proxy - SSL Termination - Invalid parameter: redirect uri
by Derek Visch
Trying to set up a reverse SSL proxy for Keycloak. Having issues finding
documentation about this; it's mentioned in
https://keycloak.gitbooks.io/server-installation-and-configuration/conten...
but the extra detail that's supposed to be in
https://keycloak.gitbooks.io/server-adminstration-guide/content/ I could
not find in regards to reverse SSL proxies.
Regardless, I ended up following
http://lists.jboss.org/pipermail/keycloak-user/2014-June/000453.html
From that previous mailing list post:
Follow the documentation for your web server to enable SSL and
configure reverse proxy for Keycloak. It is important that you make
sure the web server sets the X-Forwarded-For and X-Forwarded-Proto
headers on the requests made to Keycloak. Next you need to enable
proxy-address-forwarding on the Keycloak http connector. Assuming that
your reverse proxy doesn't use port 8443 for SSL you also need to
configure what port http traffic is redirected to. This is done by
editing standalone/configuration/standalone.xml.
First add proxy-address-forwarding and redirect-socket to the
http-listener element:
<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    ...
    <http-listener name="default" socket-binding="http"
                   proxy-address-forwarding="true" redirect-socket="proxy-https"/>
    ...
</subsystem>
Then add a new socket-binding element to the socket-binding-group element:
<socket-binding-group name="standard-sockets"
                      default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
    ...
    <socket-binding name="proxy-https" port="443"/>
    ...
</socket-binding-group>
but now when I go to log on to the admin console I get "We're sorry ...
Invalid parameter: redirect uri".
Tried stack overflow / google / IRC. No luck so far.
Any help would be appreciated :D
Thanks
8 years, 5 months
Obtaining full profile from "userinfo" endpoint
by Brian Watson
Hi all,
Keycloak version: 1.9.8
Here is my use case: I want to keep the access token JWS as lean as
possible, only containing user roles and a few custom claims I have added.
I want no PII in the access token. However, I would like my internal
services to obtain the full user profile (name, email, etc...) from the
OIDC "/userinfo" endpoint. Unfortunately, I can only seem to obtain the
"sub" claim and the few custom claims that already exist in the access
token. I don't see any support for adding scope values to the request.
Is there any way to accomplish what I would like, or any other ways of
obtaining this info that I may be missing?
Thanks in advance
8 years, 5 months
jetty-maven-plugin + Keycloak Jetty Adapter
by Lauer Markus
Hi,
Is there a way to use the keycloak adapter with jetty-maven-plugin?
I tried with no success:
<plugin>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-maven-plugin</artifactId>
    <version>9.2.3.v20140905</version>
    <configuration>
        <webApp>
            <extraClasspath>${keycloak-jetty-adapter}/lib/keycloak/bcpkix-jdk15on-1.52.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/commons-logging-1.2.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/jackson-annotations-2.5.4.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/jboss-logging-3.3.0.Final.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/keycloak-common-2.0.0.Final.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/keycloak-jetty-adapter-spi-2.0.0.Final.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/bcprov-jdk15on-1.52.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/httpclient-4.5.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/jackson-core-2.5.4.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/keycloak-adapter-core-2.0.0.Final.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/keycloak-core-2.0.0.Final.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/keycloak-jetty-core-2.0.0.Final.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/commons-codec-1.9.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/httpcore-4.4.1.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/jackson-databind-2.5.4.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/keycloak-adapter-spi-2.0.0.Final.jar;
                ${keycloak-jetty-adapter}/lib/keycloak/keycloak-jetty92-adapter-2.0.0.Final.jar
            </extraClasspath>
        </webApp>
        <scanIntervalSeconds>2</scanIntervalSeconds>
    </configuration>
</plugin>
Where ${keycloak-jetty-adapter} is a path with the contents of
keycloak-jetty92-adapter-dist-2.0.0.Final.tar.gz
Running mvn jetty:run throws a ClassNotFoundException:
[WARNING] FAILED org.eclipse.jetty.security.ConstraintSecurityHandler@834e986: java.lang.NoClassDefFoundError: org/eclipse/jetty/server/handler/ContextHandler
java.lang.NoClassDefFoundError: org/eclipse/jetty/server/handler/ContextHandler
    at org.keycloak.adapters.jetty.core.AbstractKeycloakJettyAuthenticator.initializeKeycloak(AbstractKeycloakJettyAuthenticator.java:221)
    at org.keycloak.adapters.jetty.core.AbstractKeycloakJettyAuthenticator.setConfiguration(AbstractKeycloakJettyAuthenticator.java:175)
    at org.eclipse.jetty.security.SecurityHandler.doStart(SecurityHandler.java:384)
...
Thanks,
Markus.
8 years, 5 months
Keycloak datasource problem
by Martin Min
Hi, All:
I received this database connection failure issue. Any idea of how to fix
it? Thank you.
Caused by: java.lang.RuntimeException: Failed to connect to database
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:209)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:130)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:42)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:30)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:34)
    at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRealmProviderFactory.java:16)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getDelegate(DefaultCacheRealmProvider.java:59)
    at org.keycloak.models.cache.infinispan.DefaultCacheRealmProvider.getRealm(DefaultCacheRealmProvider.java:161)
    at org.keycloak.services.managers.ApplianceBootstrap.setupDefaultRealm(ApplianceBootstrap.java:32)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:81)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:148)
    ... 19 more
Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS -- service jboss.naming.context.java.jboss.datasources.KeycloakDS
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:106)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184)
    at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:237)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at javax.naming.InitialContext.lookup(InitialContext.java:417)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:202)
    ... 35 more
8 years, 5 months
Logout at security proxy fails
by Manfred Duchrow
Hi,
a few days ago I created the Jira issue KEYCLOAK-3311.
It's about the following exception when a "k_logout" request from the
keycloak server comes in:
IllegalStateException: UT000126: Attempted to do blocking IO from the IO
thread. This is prohibited as it may result in deadlocks
Has anybody experienced the same? Is there a workaround?
Currently this error prevents the logout from the secure proxy and therefore the protected
application can still be reached (for a while) even if the user's session on the keycloak server
has been terminated.
Cheers,
Manfred
8 years, 5 months
How to migrate users and roles from in-house storage
by Paulo Pires
Hi all,
I'm in the process of migrating from an in-house user-role storage to
Keycloak and I'm looking for programmatic (Java) ways to migrate all
current users to the new storage. And I need your help to figure out the
best approach.
At first, when reading KC documentation, I believed I could easily achieve
this by implementing a User Federation provider, but after diving a little
more into it and looking for examples, I can't see a way to migrate all
users on demand, only one user at a time, possibly during log-in.
Next, I tried to look into ways such as admin-cli, REST, etc., but nothing
strikes me as the solution to use.
Here's what I was hoping to deliver:
* Get all roles and users from my soon-to-be deprecated storage, e.g. MySQL
tables
* Add roles to KC
* Iterate users and add user to KC + map roles + update password hashes
(here I know I need to implement a HashProvider)
Any hints will be appreciated!
Pires
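The three steps above as one program, added here as an illustration and not code from the post or from the Keycloak project. It drives the admin REST API through the keycloak-admin-client library instead of a User Federation provider; the server URL, realm name, admin credentials, the sample rows and the "legacy-sha256" hash provider id are all assumed.

```java
import java.util.Collections;
import javax.ws.rs.core.Response;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class LegacyUserMigration {

    // Constructed sample rows from the legacy store: username, email, base64 hash, base64 salt, role.
    static final String[][] LEGACY_USERS = {
            {"alice", "alice@example.test", "BASE64-HASH-PLACEHOLDER", "BASE64-SALT-PLACEHOLDER", "customer"},
            {"bob", "bob@example.test", "BASE64-HASH-PLACEHOLDER", "BASE64-SALT-PLACEHOLDER", "operator"},
    };

    public static void main(String[] args) {
        // Assumed: server URL, target realm name and the master-realm admin credentials.
        Keycloak kc = Keycloak.getInstance("http://localhost:8080/auth", "master",
                "admin", "admin-password", "admin-cli");
        RealmResource realm = kc.realm("migrated");
        // Step 1: realm roles first, so the role mappings below can reference them.
        for (String name : new String[]{"customer", "operator"}) {
            RoleRepresentation role = new RoleRepresentation();
            role.setName(name);
            realm.roles().create(role);
        }
        // Step 2: create each user with its legacy hash as the password credential, then map its role.
        for (String[] row : LEGACY_USERS) {
            UserRepresentation user = new UserRepresentation();
            user.setUsername(row[0]);
            user.setEmail(row[1]);
            user.setEnabled(true);
            // Keycloak can only verify this credential if a PasswordHashProvider with the same id
            // is deployed; "legacy-sha256" is an assumed id for the custom provider the post mentions.
            CredentialRepresentation cred = new CredentialRepresentation();
            cred.setType(CredentialRepresentation.PASSWORD);
            cred.setAlgorithm("legacy-sha256");
            cred.setHashedSaltedValue(row[2]);
            cred.setSalt(row[3]);
            cred.setHashIterations(1);
            user.setCredentials(Collections.singletonList(cred));
            Response created = realm.users().create(user);
            if (created.getStatus() != 201) {
                throw new IllegalStateException("creating " + row[0] + " failed: HTTP " + created.getStatus());
            }
            // The new user's id is the last path segment of the Location header.
            String path = created.getLocation().getPath();
            String userId = path.substring(path.lastIndexOf('/') + 1);
            RoleRepresentation role = realm.roles().get(row[4]).toRepresentation();
            realm.users().get(userId).roles().realmLevel().add(Collections.singletonList(role));
        }
    }
}
```

Run it once against an empty target realm; creating a role or user that already exists makes the admin API answer 409, which the status check above turns into an exception rather than a silent skip.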
8 years, 5 months
Re: [keycloak-user] Keycloak unable to open JDBC connection
by Edgar Vonk - Info.nl
We also recently had an issue where Keycloak stopped working because it could no longer get any (Oracle) DB connections from the connection pool. This was not after a restart but just during normal operation.
We had configured the DB connection pool to use background-validation and this has worked fine until recently.
As mentioned in http://stackoverflow.com/questions/28707650/wildfly-and-auto-reconnect-to... (linked from: https://issues.jboss.org/browse/KEYCLOAK-3204) the issue seems to be that starting from Wildfly 10 (?) this background validation no longer works due to a bug in Wildfly. As suggested there we have now configured the connection pool with validate-on-match set to true and we hope this will resolve the issue.
We only started to see this issue after upgrading to Keycloak 2.0.0 and I think that is where Wildfly was upgraded to version 10? Or maybe it was just bad luck...
The stack trace we had:
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122)
at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:386)
at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:87)
... 71 more
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:656)
at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:429)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:747)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
... 75 more
Caused by: javax.resource.ResourceException: IJ000655: No managed connections available within configured blocking timeout (30000 [ms])
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:564)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:626)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:598)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:590)
... 78 more
8 years, 5 months
Picketlink -> Keycloak
by Keith Dev
I'm moving a web application with REST services from Picketlink to
Keycloak. This is a multi-tenant application (1k+ tenants) where single
user accounts can belong to multiple tenants. In Picketlink, this was
accomplished using Tiers. So there is a single realm, but one Tier per
tenant. It's not clear what the analog is in Keycloak.
We considered multiple realms, but both the number of tenants and the hard
requirement to allow a single user across tenants seem to make this a
nonstarter.
The best idea we have so far is to have a single realm, but create
namespaced security artifacts: e.g. Tenant1.Admins. This is not ideal as we
were hoping for more separation between tenants. I did see this
<http://lists.jboss.org/pipermail/keycloak-dev/2013-July/000116.html> which
suggests that Picketlink Tiers equate to Resources, but it's not clear how.
Certainly there does not seem to be any separation of security artifacts
within a Resource per se.
Advice?
8 years, 5 months
Some Keycloak Questions
by Tobias Schmidt
Hi,
is there a solution for this issue? https://issues.jboss.org/browse/KEYCLOAK-3067
We got trapped in exactly this problem by using Keycloak with too many realms; maybe we haven't understood how to use it in the right way.
We need to have many users with different grants per realm, we are trying to have as many realms as possible, and 20 realms per server instance will not work for us.
Is there a list or a statement of why we should not use the Wildfly overlay for our needs?
Found the statement on the website: http://www.keycloak.org/downloads.html
"Overlay - Server add-on for WildFly. Not recommended in production."
Thank you for your patience.
8 years, 5 months