Re: [keycloak-user] logging saml requests/responses
by Phillip Fleischer
Turns out I was adding the logging level to the console but was viewing the log through docker, which shows the file.
So I just needed to add the log level to the file handler.
I didn’t want to add it to the root logger cause it was too noisy… with it set this way everything looks perfect.
<console-handler name="CONSOLE">
    <level name="DEBUG"/>
    <formatter>
        <named-formatter name="COLOR-PATTERN"/>
    </formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
    <level name="DEBUG"/>
    <formatter>
        <named-formatter name="PATTERN"/>
    </formatter>
    <file relative-to="jboss.server.log.dir" path="server.log"/>
    <suffix value=".yyyy-MM-dd"/>
    <append value="true"/>
</periodic-rotating-file-handler>
On Nov 14, 2017, at 12:06 PM, Phillip Fleischer <pcfleischer(a)outlook.com> wrote:
Hi,
I’m trying to debug using the SAML clients and identity brokering; the docs and several messages say that this can be done by turning on debug or trace.
I added the following to my standalone.xml but I’m not seeing anything. I also tried on a remote host by using the jboss-cli.sh command to add the logger, to no avail.
Is there something I’m missing?
<logger category="org.keycloak.saml">
    <level name="TRACE"/>
</logger>
Re: [keycloak-user] upgrade to 3.4 issue
by mj
Hi Martin,
And that fixed it! :-)
BTW we don't need the nocanon I guess. We don't see obvious style
issues... :-)
Thanks!
MJ
On 11/17/2017 03:33 PM, mph(a)tecbakery.com wrote:
> Hi
>
> sounds familiar to me :-)
> guess you forgot to add
>
> <socket-binding name="proxy-https" port="443"/>
> in
> <socket-binding-group name="standard-sockets" [...]
>
> in my standalone.xml at the very bottom.
>
> in your apache conf you need these lines:
>
> RequestHeader set X-Forwarded-Proto "https"
> RequestHeader set X-Forwarded-Port "443"
>
> [...]
>
> ProxyPass / http://localhost:[port]/ nocanon
>
> (nocanon solved a style loading issue for me)
>
>
> Hope it helps
>
> Martin
>
>
>
> On 17.11.2017 14:38, mj wrote:
>> Hi Stian, list,
>>
>> So, manually editing standalone.xml got me further, but not yet 100%
>> success. :-)
>>
>> I edited standalone.xml by hand, and have things working on port 8080.
>> But we have been using keycloak 2.x / 3.x through apache2 reverse https
>> proxy, requiring the following config in standalone.xml:
>>
>>> <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true" enable-http2="true"/>
>> However, keycloak 3.4 complains with this config:
>>
>>> 14:34:18,158 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=default' are not available:
>>> org.wildfly.network.socket-binding.proxy-https; Possible registration points for this capability:
>>> /socket-binding-group=*/socket-binding=*
>>> 14:34:18,161 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
>>> 14:34:18,189 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) stopped in 6ms
>> Some advice would be appreciated, as we are not that experienced in
>> wildfly / java, etc.
>>
>> Or is there perhaps another (new?) way to have keycloak running on https
>> with a Let's Encrypt SSL certificate?
>>
>> Using the apache2 reverse proxy way has served us very well over the last years.
>>
>> Thanks!
>> MJ
>>
>> On 11/15/2017 09:26 AM, Stian Thorgersen wrote:
>>> That seems like it could be an issue caused by the fact that KC 3.3 was
>>> based on WildFly 11 Beta. You'll probably have to manually update the
>>> standalone file (or grab the one from 3.2 release if you still have that).
>>>
>>> On 14 November 2017 at 11:17, lists <lists(a)merit.unu.edu> wrote:
>>>
>>> Hi,
>>>
>>> Today we tried to upgrade our standalone 3.3 install to 3.4, following
>>> the docs:
>>>
>>> - copied 3.3 /standalone/ over the 3.4 install, replacing all
>>> - copied mysql connector in modules/system/layers/keycloak/org
>>>
>>> But then, the standalone upgrade script doesn't work:
>>>
>>> > root@server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh
>>> --file=bin/migrate-standalone.cli
>>> > Cannot start embedded server: WFLYEMB0021: Cannot start embedded
>>> process: Operation failed: WFLYSRV0056: Server boot has failed in an
>>> unrecoverable manner; exiting. See previous messages for details.
>>> > root@server:/opt/keycloak-3.4.0.Final#
>>>
>>> When starting the 3.4 server without having run the upgrade script, we
>>> see what the actual problem appears to be:
>>>
>>> > OPVDX001: Validation error in standalone.xml
>>> -----------------------------------
>>> > |
>>> > | 470: </spi>
>>> > | 471: </subsystem>
>>> > | 472: <subsystem xmlns="urn:wildfly:elytron:1.2"
>>> final-providers="combined-providers"
>>> disallowed-providers="OracleUcrypto">
>>> > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>>> > |
>>> > | 473: <providers>
>>> > | 474: <aggregate-providers name="combined-providers">
>>> > | 475: <providers name="elytron"/>
>>> > |
>>> > | The primary underlying error message was:
>>> > | > ParseError at [row,col]:[472,9]
>>> > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
>>> > |
>>> >
>>> |-------------------------------------------------------------------------------
>>>
>>> The same standalone.xml still works in the keycloak 3.3, so it basically
>>> seems to be ok, or not corrupt at least. This install has been upgraded
>>> from:
>>> 3.0 -> 3.1 -> 3.3 (we skipped 3.2)
>>>
>>> It seems that our config has to be migrated using the script, but the
>>> upgrade-standalone.cli script will not run...
>>>
>>> What to do?
>>>
>>> MJ
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>
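A quick pre-flight scan for the two boot failures this thread runs into, added here as an example that is not from the thread or from Keycloak itself: it flags a subsystem namespace version the target release does not know (the elytron 1.2 vs 1.0 mismatch) and an http-listener redirect-socket with no matching socket-binding. It scans attributes with regexes rather than parsing XML, and the expected-namespace table is an assumption to fill from the target release's own default standalone.xml.

```javascript
// Added example, not from the thread: a quick pre-upgrade scan of a Keycloak
// standalone.xml for the two boot failures seen above. It uses attribute
// regexes, not an XML parser, so treat it as a sanity check, not validation.
// EXPECTED_NAMESPACES is an assumption: fill it from the target release's own
// default standalone.xml (the thread reports elytron 1.0 for 3.4).
const EXPECTED_NAMESPACES = {
  'urn:wildfly:elytron': '1.0',
};

function scanStandaloneXml(xml, expected = EXPECTED_NAMESPACES) {
  const problems = [];

  // 1. A subsystem namespace version the target server does not understand
  //    (the OPVDX001 "Unexpected element" boot error in the thread).
  for (const m of xml.matchAll(/<subsystem\s+xmlns="([^"]+):(\d+\.\d+)"/g)) {
    const [, base, version] = m;
    if (base in expected && expected[base] !== version) {
      problems.push(`subsystem ${base}:${version} unsupported, target expects ${expected[base]}`);
    }
  }

  // 2. An http-listener whose redirect-socket names no socket-binding
  //    (the WFLYCTL0362 missing-capability boot error in the thread).
  const bindings = new Set(
    [...xml.matchAll(/<socket-binding\s+name="([^"]+)"/g)].map((m) => m[1]),
  );
  for (const m of xml.matchAll(/<http-listener\b[^>]*\sredirect-socket="([^"]+)"/g)) {
    if (!bindings.has(m[1])) {
      problems.push(`redirect-socket="${m[1]}" has no <socket-binding name="${m[1]}"/>`);
    }
  }
  return problems;
}

// Constructed fragment reproducing both failures from the thread.
const SAMPLE_XML = `
<subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers">
</subsystem>
<server name="default-server">
  <http-listener name="default" socket-binding="http" redirect-socket="proxy-https"/>
</server>
<socket-binding-group name="standard-sockets">
  <socket-binding name="http" port="8080"/>
</socket-binding-group>
`;

console.log(scanStandaloneXml(SAMPLE_XML)); // two findings for the sample
```

Applying the thread's fixes (the namespace version the target ships, plus `<socket-binding name="proxy-https" port="443"/>` in the group) makes the scan return no findings.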
keycloak upgrade 3.3 to 3.4
by mph@tecbakery.com
Hi
I tried to upgrade our installation from 3.3 to 3.4, following the guide
at http://www.keycloak.org/docs/latest/upgrading/index.html, and am
receiving the following error on startup.
Comparing both default standalone.xml files, I found that in 3.3 the
urn:wildfly:elytron: version was 1.2; in 3.4 it is 1.0...
Any help is highly appreciated.
Martin
/opt/keycloak/keycloak-3.4.0# bin/standalone.sh
-Djboss.socket.binding.port-offset=9100 -b 0.0.0.0
=========================================================================
JBoss Bootstrap Environment
JBOSS_HOME: /opt/keycloak/keycloak-3.4.0
JAVA: /usr/lib/jvm/java-8-oracle/bin/java
JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
=========================================================================
13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version
1.6.0.Final
13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1
13:55:40,462 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049:
Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting
13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread)
OPVDX001: Validation error in standalone.xml
-----------------------------------
|
| 322: </deployment-permissions>
| 323: </subsystem>
| 324: <subsystem xmlns="urn:wildfly:elytron:1.2"
final-providers="combined-providers" disallowed-providers="OracleUcrypto">
| ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
|
| 325: <providers>
| 326: <aggregate-providers name="combined-providers">
| 327: <providers name="elytron"/>
|
| The primary underlying error message was:
| > ParseError at [row,col]:[324,9]
| > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
|
|-------------------------------------------------------------------------------
13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0055: Caught exception during boot:
org.jboss.as.controller.persistence.ConfigurationPersistenceException:
WFLYCTL0085: Failed to parse configuration
at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
at org.jboss.as.server.ServerService.boot(ServerService.java:387)
at
org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370)
at java.lang.Thread.run(Thread.java:748)
13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting.
See previous messages for details.
how to customize IDP initiated SSO login
by Snehalata Nagaje
Hi Team,
I have a requirement to customize the IDP-initiated SSO login.
Is it possible to do this using a custom authenticator?
Thanks,
Snehalata
upgrade to 3.4 issue
by lists
Hi,
Today we tried to upgrade our standalone 3.3 install to 3.4, following
the docs:
- copied 3.3 /standalone/ over the 3.4 install, replacing all
- copied mysql connector in modules/system/layers/keycloak/org
But then, the standalone upgrade script doesn't work:
> root@server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh --file=bin/migrate-standalone.cli
> Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
> root@server:/opt/keycloak-3.4.0.Final#
When starting the 3.4 server without having run the upgrade script, we
see what the actual problem appears to be:
> OPVDX001: Validation error in standalone.xml -----------------------------------
> |
> | 470: </spi>
> | 471: </subsystem>
> | 472: <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
> | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
> |
> | 473: <providers>
> | 474: <aggregate-providers name="combined-providers">
> | 475: <providers name="elytron"/>
> |
> | The primary underlying error message was:
> | > ParseError at [row,col]:[472,9]
> | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem'
> |
> |-------------------------------------------------------------------------------
The same standalone.xml still works in the keycloak 3.3, so it basically
seems to be ok, or not corrupt at least. This install has been upgraded
from:
3.0 -> 3.1 -> 3.3 (we skipped 3.2)
It seems that our config has to be migrated using the script, but the
upgrade-standalone.cli script will not run...
What to do?
MJ
UserRepresentation error in calling userResource.search(...) apis using keycloak-admin-client 3.4.0
by Subhrajyoti Moitra
Hello Friends,
I am getting the below exception when I call the userResource.search(..) API in
keycloak-admin-client.
I am using wildfly-swarm to secure my REST services. One of the stateless
beans requires user details, so I am using keycloak-admin-client to get
user info from the Keycloak Server (standalone 3.2.1.Final). I have tried
with admin-client 3.2.1.Final. I get the same error. What am I doing wrong?
I think some deps are messed up. But which ones?
UserRepresentation is part of keycloak-core jar. I see the 3.4.0.Final jar
as expected.
Wildfly-swarm- 2017.11.0
keycloak-admin-client-3.4.0.Final
keycloak server- 3.2.1.Final
Please help. I am stuck and not able to proceed. Some pointers on the same
would be very helpful.
2017-11-17 12:43:10,542 [default task-1 ] ERROR stderr
- javax.ws.rs.client.ResponseProcessingException:
javax.ws.rs.ProcessingException:
com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException:
Unrecognized field "access" (class
org.keycloak.representations.idm.UserRepresentation), not marked as
ignorable (24 known properties: "disableableCredentialTypes", "enabled",
"emailVerified", "origin", "self", "applicationRoles", "createdTimestamp",
"clientRoles", "groups", "username", "totp", "id", "email",
"federationLink", "serviceAccountClientId", "lastName", "clientConsents",
"socialLinks", "realmRoles", "attributes", "firstName", "credentials",
"requiredActions", "federatedIdentities"])
2017-11-17 12:43:10,542 [default task-1 ] ERROR stderr
- at [Source: org.apache.http.conn.EofSensorInputStream@519efa33; line:
1, column: 300] (through reference chain:
java.util.ArrayList[0]->org.keycloak.representations.idm.UserRepresentation["access"])
Thanks a lot,
Subhro.
Users -- Live lookup to AD
by Y Levine
I have Keycloak which imported users from AD (with periodic sync).
Is it possible to leverage OIDC without importing users into Keycloak ---
hence when user authenticates, Keycloak will perform a live lookup on
credentials/attributes against AD?
SP initiate SAML Logout
by Min Han Lee
Hello,
Does anybody know the SAML logout URL for Keycloak please? The SSO SAML
IDPSSO descriptor on the installation tab is not really helpful.
I have an issue where my logout SAML is redirecting back to login SAML.
Please, can anyone shed some light on this?
Kind Regards
API Authorization: on request or response?
by Corentin Dupont
Hi guys,
another small question :)
Suppose you have an API looking like this:
http://www.example.com/api/v1/cars
Cars have an owner:
{
    "name": "my car",
    "owner": "smith"
}
How to make sure that you can only get cars that are yours (you can have
several cars)?
If you make a simple GET on this endpoint, should I:
1. just reply with an "Access denied" because the request is too large: it
could yield cars that are not yours,
2. reply with "Access denied" if the response list contains some cars that
are not yours,
3. filter the response car list with only yours?
It seems that 1. is the simplest because it uses only the request to make
decisions.
2. uses the response to make decision, while 3. requires the collaboration
of the response handler in my API server, in order to implement the
filtering.
What is the most standard way?
I have also some trouble understanding how to implement that with Keycloak
protect in NodeJS.
Cheers!!
Corentin
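The three options from the question as working code, added here as an example that is not from the thread: each takes the caller's identity from the verified token subject (keycloak-connect exposes it as req.kauth.grant.access_token.content.sub, assumed here) rather than from anything the client sends, and option 3 is the one that fits a "list my cars" endpoint.

```javascript
// Added example, not from the thread: the three options from the question,
// modelled for GET /api/v1/cars. The caller's identity (`principal`) is the
// subject of the token keycloak-connect already verified; the client never
// gets to name which owner it wants, which is the whole point of the check.
const CARS = [ // constructed sample data
  { name: 'my car', owner: 'smith' },
  { name: 'second car', owner: 'smith' },
  { name: 'other car', owner: 'jones' },
];

class AccessDenied extends Error {}

// Option 1: decide on the request alone. A bare GET could yield cars the
// caller does not own, so deny unless the request is scoped to the caller.
function strategyRequest(principal, query, cars = CARS) {
  if (query.owner !== principal) throw new AccessDenied('listing not scoped to caller');
  return cars.filter((c) => c.owner === principal);
}

// Option 2: decide on the response. The full list is built first, then
// rejected if it contains anything foreign. It costs the full query and, on
// a shared collection, denies almost every call.
function strategyResponse(principal, cars = CARS) {
  if (cars.some((c) => c.owner !== principal)) throw new AccessDenied('response contains foreign cars');
  return cars;
}

// Option 3: scope the listing server-side. This is the usual shape for a
// "my resources" endpoint: nothing foreign is fetched or revealed.
function strategyFilter(principal, cars = CARS) {
  return cars.filter((c) => c.owner === principal);
}

// Handler sketch for option 3 behind keycloak-connect's protect(). The grant
// shape is the assumption here: protect() proves who the caller is, and the
// ownership rule stays in the API.
function listCarsHandler(req, res) {
  const principal = req.kauth.grant.access_token.content.sub;
  res.json(strategyFilter(principal));
}
```

Whichever option you pick, protect() only establishes the caller (and optionally a role); the per-record ownership rule has to live in the API itself.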