admin user in clustered domain
by Olivier Rivat
Hi,
I am trying to set up a clustered domain.
I have been able to boot the master and the slave as described in the Keycloak documentation.
But when trying to log in, I cannot with user admin.
Troubleshooting I have done so far:
1) With standalone mode (or standalone cluster mode), the first login screen
is the welcome screen to define the admin user and password.
With clustered domain, I never obtain this, but a usual login screen,
asking for username/password.
Of course, I cannot answer this, as the admin has not yet been defined.
2) I have also tried the script add-user-keycloak.sh
bin/add-user-keycloak.sh -r master -u admin6 -p admin6 --domain
Added 'admin6' to
'/home/orivat/rh_test/rh-sso-7.1/domain/configuration/keycloak-add-user.json',
restart server to load user
It creates a file domain/configuration/keycloak-add-user.json, but this
file is never loaded upon restart of the RH-SSO domain cluster instance (master or
slave).
(I have seen the equivalent file being loaded when doing standalone
cluster tests.)
So my question is very simple:
How is it possible to get hold of an admin user allowing me to connect to
the Keycloak admin master login screen?
Regards,
Olivier Rivat
--
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
Deadlock Encountered while Trying Keycloak with Azure SQL
by Buddhi Iroshana
Hi Team,
I am running the community version of Keycloak (version 2.3.0.Final). I
am using Azure SQL (https://azure.microsoft.com/en-us/services/sql-database)
as the database server for this Keycloak instance.
The Keycloak instance is deployed in an Azure VM in this scenario.
Keycloak started successfully without any issues with the Azure SQL database.
I have a JMeter script which invokes the following two Keycloak RESTful
endpoints with 10 parallel threads (can be considered as 10 different
clients).
1. POST auth/admin/realms/iotpdev/users - User creation
2. PUT auth/admin/realms/iotpdev/users/<USERID>/groups/ - Adding users
to a group
Behaviour:
During the first few invocations, the above two endpoints got executed
successfully without any issue.
But after some time, Keycloak was logging some database deadlock exceptions
in the log file. The stack trace for this exception is as follows:
---------------------------------
07:13:34,079 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-15) SQL Error: 1205, SQLState: 40001
07:13:34,080 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-15) Transaction (Process ID 123) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
07:13:34,097 ERROR [io.undertow.request] (default task-15) UT005023: Exception handling request to /auth/admin/realms/iotpdev/users: org.jboss.resteasy.spi.UnhandledException: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1700)
    at org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate(AbstractQueryImpl.java:70)
    at org.keycloak.models.jpa.UserAdapter.removeAttribute(UserAdapter.java:161)
    at org.keycloak.models.jpa.UserAdapter.setAttribute(UserAdapter.java:137)
    at org.keycloak.services.resources.admin.UsersResource.updateUserFromRep(UsersResource.java:267)
    at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:216)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:123)
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207)
    at org.hibernate.hql.internal.ast.exec.BasicExecutor.doExecute(BasicExecutor.java:91)
    at org.hibernate.hql.internal.ast.exec.BasicExecutor.execute(BasicExecutor.java:60)
    at org.hibernate.hql.internal.ast.exec.DeleteExecutor.execute(DeleteExecutor.java:111)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.executeUpdate(QueryTranslatorImpl.java:429)
    at org.hibernate.engine.query.spi.HQLQueryPlan.performExecuteUpdate(HQLQueryPlan.java:374)
    at org.hibernate.internal.SessionImpl.executeUpdate(SessionImpl.java:1348)
    at org.hibernate.internal.QueryImpl.executeUpdate(QueryImpl.java:102)
    at org.hibernate.jpa.internal.QueryImpl.internalExecuteUpdate(QueryImpl.java:405)
    at org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate(AbstractQueryImpl.java:61)
    ... 55 more
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: Transaction (Process ID 123) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
    at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:216)
    at com.microsoft.sqlserver.jdbc.SQLServerStatement.getNextResult(SQLServerStatement.java:1515)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.doExecutePreparedStatement(SQLServerPreparedStatement.java:404)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement$PrepStmtExecCmd.doExecute(SQLServerPreparedStatement.java:350)
    at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1715)
    at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeCommand(SQLServerStatement.java:180)
    at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeStatement(SQLServerStatement.java:155)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.executeUpdate(SQLServerPreparedStatement.java:314)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
    ... 64 more
-------------------------
This JMeter script will create 1000 users in 10 threads. So the above user
creation and add-to-group endpoints will each be invoked 1000 times, with a
typical TPS of 1-2 requests per second.
When we run the JMeter script several times, we can create the 1000 users: when
we run JMeter the first time, it will create approximately 300 users and the
other 700 requests will fail due to the above deadlock issue; when we run it
for the second time it will create another 200 users, and so on (at some
point, we will get all 1000 users).
The dialect I am using for this instance is
org.hibernate.dialect.SQLServer2012Dialect.
Are there any specific configurations to be done if we are using Azure SQL
as the database?
I am attaching the complete log file herewith.
Appreciate your help on this.
Regards,
Buddhi Iroshana De Silva
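An added example, not code from the original post or from Keycloak, for the client side of the failure described above. SQL Server rolls back the deadlock victim and says to rerun the transaction, but the JMeter threads never see SQLState 40001, only the HTTP 500 that the rolled-back request turns into, so the rerun has to happen at the HTTP level and has to be idempotent: 201 or 204 means the call took effect, 409 means an earlier attempt already created the user (Keycloak answers 409 for a duplicate username), and any other 4xx will not heal on retry. The scripted status sequences are constructed to mimic the observed behaviour; runWithRetry and scripted are this example's own names, not Keycloak API.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.ThreadLocalRandom;
import java.util.function.IntSupplier;

public final class DeadlockRetry {

    enum Outcome { DONE, ALREADY_DONE, GAVE_UP }

    /**
     * Runs one admin REST call that yields an HTTP status and reruns it when the server
     * answered 5xx, which is what the deadlock victim above turns into at the HTTP layer.
     * 201/204: the call took effect. 409: an earlier attempt already did (idempotent).
     * Other 4xx: a client-side problem that a retry will not heal, so fail fast.
     */
    static Outcome runWithRetry(IntSupplier call, int maxAttempts, long baseDelayMs)
            throws InterruptedException {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            int status = call.getAsInt();
            if (status == 201 || status == 204) {
                return Outcome.DONE;
            }
            if (status == 409) {
                return Outcome.ALREADY_DONE;
            }
            if (status < 500) {
                throw new IllegalStateException("non-retryable HTTP " + status);
            }
            if (attempt < maxAttempts) {
                // Exponential backoff with full jitter, so 10 parallel threads do not
                // all rerun their transactions in the same instant and deadlock again.
                long ceiling = baseDelayMs << (attempt - 1);
                Thread.sleep(ThreadLocalRandom.current().nextLong(ceiling + 1));
            }
        }
        return Outcome.GAVE_UP;
    }

    /** Constructed stand-in for the admin endpoint: replays a scripted list of statuses. */
    static IntSupplier scripted(int... statuses) {
        Deque<Integer> queue = new ArrayDeque<>();
        for (int s : statuses) {
            queue.add(s);
        }
        return () -> queue.isEmpty() ? 500 : queue.poll();
    }

    public static void main(String[] args) throws InterruptedException {
        // POST /admin/realms/{realm}/users: deadlock victim twice, then created.
        Outcome created = runWithRetry(scripted(500, 500, 201), 5, 50);
        // Same POST replayed after the first response was lost: user already exists.
        Outcome replayed = runWithRetry(scripted(409), 5, 50);
        // PUT /admin/realms/{realm}/users/{id}/groups/{groupId}: one deadlock, then joined.
        Outcome joined = runWithRetry(scripted(500, 204), 5, 50);
        // Server never recovers within the attempt budget.
        Outcome exhausted = runWithRetry(scripted(500, 500, 500, 500, 500), 5, 50);

        System.out.println("create:    " + created);
        System.out.println("replay:    " + replayed);
        System.out.println("join:      " + joined);
        System.out.println("exhausted: " + exhausted);
    }
}
```

The 409 branch is what makes the rerun safe: a client that retries a user creation without treating "already exists" as success would keep failing on the second attempt even though the first one went through. Retrying does not remove the contention on the server; it only stops the load test from reporting the 700 rolled-back requests as lost users.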
Problems using keycloak admin client
by Tero Ahonen
Hi,
I have some problems using the Keycloak admin client against a Keycloak instance
that is running on OpenShift Online Pro.
Basic functions work ok, I can get a token and log in, but I cannot do any
admin stuff with the Java client (keycloak-admin-client 3.4.2.Final).
My Keycloak (v 3.4.2) is running ok on OpenShift Online Pro and I'm using a
custom SSL certificate. I have tried different approaches on the routing layer:
using edge termination with my own cert and also passthrough SSL with the
proper cert configured on Keycloak's WildFly. I even tried to use the default
hostname xxxx-namespace.e4ff.pro-eu-west-1.openshiftapps.com.
When using the default router hostname (e4ff ...) I get
javax.ws.rs.ServiceUnavailableException: HTTP 503 Service Unavailable
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:211)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:174)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy27.list(Unknown Source)
    at KeycloakTestStage.main(KeycloakTestStage.java:43)
There is nothing in the Keycloak logs that describes that 503. When using a
browser or curl, that URL works fine.
When using my own certs and my own hostname I get
javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy27.list(Unknown Source)
    at KeycloakTestStage.main(KeycloakTestStage.java:43)
Caused by: javax.net.ssl.SSLException: Certificate for <keycloak-XXX.mycustomhostname.com> doesn't match any of the subject alternative names: [*.e4ff.pro-eu-west-1.openshiftapps.com, e4ff.pro-eu-west-1.openshiftapps.com]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:164)
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
    at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:569)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:544)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
    ... 13 more
The custom route hostname is configured as a CNAME at my domain name provider, as
instructed. The CNAME points to e4ff.pro-eu-west-1.openshiftapps.com.
I'm creating the Keycloak object like this:

Keycloak kc = Keycloak.getInstance(KC_AUTH_SERVER_URL, KC_ADMIN_REALM,
        KC_ADMIN_USER, KC_ADMIN_PWD, KC_ADMIN_CLIENT_ID);

Even with constructor code like this:

// Builds an SSLContext whose TrustStrategy accepts every certificate chain,
// i.e. chain validation is switched off; hostname verification is a separate step
// performed by the HTTP client's verifier and is not affected by this.
SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        return true;
    }
}).build();
Keycloak.getInstance(KC_AUTH_SERVER_URL, KC_ADMIN_REALM, KC_ADMIN_USER,
        KC_ADMIN_PWD, KC_ADMIN_CLIENT_ID, null, sslContext);

I get the same result.
When checking the code (if this is the correct code)
https://github.com/keycloak/keycloak/blob/master/integration/admin-client...

public static Keycloak getInstance(String serverUrl, String realm, String username, String password,
                                   String clientId, String clientSecret, SSLContext sslContext,
                                   ResteasyJackson2Provider customJacksonProvider) {
    ResteasyClientBuilder clientBuilder = new ResteasyClientBuilder()
            .sslContext(sslContext)
            .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.WILDCARD)
            .connectionPoolSize(10);
    if (customJacksonProvider != null) {
        clientBuilder.register(customJacksonProvider);
    }
    return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD,
            clientBuilder.build(), null);
}

Based on the code hostname verification cannot be overridden.
Br,
Tero
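An added example, not code from the original post or from the Keycloak project, showing the same admin client built through KeycloakBuilder with a ResteasyClient the caller constructs, so the SSL context and the hostname policy are chosen explicitly instead of trusting every chain as the TrustStrategy above does. The truststore path and password, the route hostname, the realm and the environment variable holding the admin password are assumptions. One caveat the trace already makes clear: the SSLException says the route presented a certificate whose SANs cover only *.e4ff.pro-eu-west-1.openshiftapps.com, so a strict verifier will keep rejecting the custom hostname until the route serves a certificate issued for it; a trust-all strategy does not change that, because hostname verification is separate from chain validation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.UserRepresentation;

public final class PinnedAdminClient {

    /**
     * SSLContext that trusts only the CA certificates in the given truststore (JKS or PKCS12).
     * This replaces the trust-all TrustStrategy: the CA that signed the route's certificate
     * goes into the truststore and nothing else is accepted.
     */
    static SSLContext trustStoreContext(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Admin client whose HTTP layer the caller controls, built via KeycloakBuilder. */
    static Keycloak adminClient(String serverUrl, String realm, String user, String password,
                                SSLContext ctx) {
        ResteasyClient http = new ResteasyClientBuilder()
                .sslContext(ctx)
                // STRICT: the presented certificate must carry the requested hostname in its SANs.
                // Loosening this to ANY would accept the platform wildcard cert for any name,
                // which is the man-in-the-middle case hostname verification exists to stop.
                .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.STRICT)
                .connectionPoolSize(10)
                .build();

        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.PASSWORD)
                .username(user)
                .password(password)
                .clientId("admin-cli")
                .resteasyClient(http)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: truststore location and password, route hostname, and the admin
        // password read from the environment rather than kept as a literal in source.
        SSLContext ctx = trustStoreContext("/etc/keycloak-client/truststore.jks",
                "changeit".toCharArray());
        Keycloak kc = adminClient("https://keycloak-XXX.mycustomhostname.com/auth", "master",
                "admin", System.getenv("KC_ADMIN_PWD"), ctx);
        try {
            List<UserRepresentation> users = kc.realm("master").users().list();
            for (UserRepresentation u : users) {
                System.out.println(u.getUsername());
            }
        } finally {
            kc.close();
        }
    }
}
```

Which certificate the route actually serves can be checked from outside the JVM with openssl s_client -connect keycloak-XXX.mycustomhostname.com:443 -servername keycloak-XXX.mycustomhostname.com; if the SAN list printed there is still the *.e4ff wildcard, the route or its TLS termination is not using the custom certificate, and no client-side setting short of disabling verification will make the connection succeed.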
Re: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)
by Darrell Wu
Hi Nicolas,
The secure-deployment name attribute should match the module-name in the
web.xml of your WAR, with .war appended.
In your case it should be something like
customer-management-rest.war, assuming you have the following in your
web.xml:
<module-name>customer-management-rest</module-name>
Darrell
On 20 December 2017 at 07:34, <keycloak-user-request(a)lists.jboss.org> wrote:
>
> Today's Topics:
>
> 1. Re: Prevent federated users from setting a password (Rens Verhage)
> 2. Re: Failed to initialize in KC 3.4 (Bob McWhirter)
> 3. Keycloak 3.4.0.Final - Can't secure an EAR (Nicolas DUMINIL)
> 4. How to check permissions on lot of resources (Teddy CHAMBARD)
> 5. AdapterRsaTokenVerifier throws NullPointerException on
> getPublicKey after processing expired token (Dmitry Korchemkin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 19 Dec 2017 07:56:32 +0000
> From: Rens Verhage <Rens.Verhage(a)topicus.nl>
> Subject: Re: [keycloak-user] Prevent federated users from setting a
> password
> To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Message-ID: <94BBDF41-9A45-4F30-B5C0-2AE3387BF63A(a)topicus.nl>
> Content-Type: text/plain; charset="utf-8"
>
> Sat down with a colleague and did some out of the box thinking. Came up
> with a solution that works best for us: set up 2 realms, A and B. A
> contains all users that log in with username and password and is an
> identity provider to realm B. This way we have levelled the playing field,
> in B all users log in through an IdP and we can treat them all the same.
>
>
>
> Rens
>
>
>
> On 18 Dec 2017, at 12:19, Rens Verhage <Rens.Verhage(a)topicus.nl> wrote:
>
> Hi all,
>
> We're implementing Keycloak in an existing multi-tenant application and
> have to make a choice: 1 realm for all our tenants or each tenant its own
> realm?
>
> From an administrator's point of view, one single realm for all user
> accounts seems a good choice. However, there is one important requirement
> that until now, we haven't been able to fulfil this way:
>
> A tenant might choose to let their users log in through an external
> identity provider, ADFS will be fairly common. Users that will log in this
> way will be required to always do so and therefore are not allowed to set a
> password in Keycloak. Deleting a user will be as easy as removing the user
> from the Active Directory.
>
> However, not all tenants will have their own identity provider. For these
> tenants, users must be able to log in with a username and password. They
> also get a forgot password link, so they can reset their password once
> forgotten. Now that raises a problem. Users that log in through their
> identity provider can use this link to set a password and thus bypass their
> identity provider. Should such a user be removed from the AD, he or she can
> still log in using this password.
>
> Can we somehow prevent federated identities from ever setting a password?
> Or is this not possible and are we forced to setup multiple realms?
>
>
>
> Rens
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 19 Dec 2017 09:28:50 -0500
> From: Bob McWhirter <bmcwhirt(a)redhat.com>
> Subject: Re: [keycloak-user] Failed to initialize in KC 3.4
> To: Abhishek Koserwal <akoserwa(a)redhat.com>
> Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID:
> <CA+45JvEmMJ_=3LBWHNrWqoC5Huy1Dv+9mK42a38TJHxTPmxk_Q@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> And you may wish to use a fully-qualified rooted path to keycloak.json, if
> you're doing a single-page-app with browser-based routing, as it seems to
> look for the argument relative to the current window location, which may
> not be / when doing SPAs. Using an absolute path works in that case, such
> as '/keycloak.json'.
>
> -Bob
>
> On Mon, Dec 18, 2017 at 1:55 AM, Abhishek Koserwal <akoserwa(a)redhat.com>
> wrote:
>
> > You need to instantiate like this, it will work.
> >
> > var keycloak = Keycloak('keycloak.json');
> >
> > I tested with KC 3.4.1.
> >
> > Thanks
> >
> >
> > On Thu, Dec 14, 2017 at 6:08 PM, Marek Posolda <mposolda(a)redhat.com>
> > wrote:
> >
> > > The best is likely to look at Keycloak quickstart/examples for JS
> > > adapter and compare what is different.
> > >
> > > Marek
> > >
> > > On 12/12/17 10:45, Corentin Dupont wrote:
> > > > Hi guys,
> > > >
> > > > I use this code in my javascript application:
> > > >
> > > > var keycloak = Keycloak();
> > > > keycloak.init().success(function(authenticated) {
> > > > alert(authenticated ? 'authenticated' : 'not
> > > authenticated');
> > > > }).error(function() {
> > > > alert('failed to initialize');
> > > > });
> > > >
> > > > Since I updated Keycloak I get the message 'failed to initialize'.
> > > > It was working well with the previous version of KC 3.2.
> > > >
> > > > What could it be? How can I get a better error message?
> > > >
> > > >
> > > > Thanks!
> > >
> > >
> > >
> >
> >
> >
> > --
> > Regards,
> > Abhishek Koserwal
> > Software Application Engineer, ADS
> > Red Hat (Pune, India)
> > IRC: akoserwa
> >
> > The capacity to learn is a gift; The ability to learn is a skill; The
> > willingness to learn is a choice -- Brian Herbert
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 19 Dec 2017 17:26:22 +0100
> From: "Nicolas DUMINIL" <nicolas.duminil(a)simplex-software.fr>
> Subject: [keycloak-user] Keycloak 3.4.0.Final - Can't secure an EAR
> To: <keycloak-user(a)lists.jboss.org>
> Message-ID: <00c001d378e6$1c40db20$54c29160$(a)simplex-software.fr>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> I'm using Keycloak 3.4.0.Final.
>
> I have an EAR containing a WAR. The WAR contains REST services that I need
> to secure. The Wildfly config is as follows:
>
> <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>     <secure-deployment name="customer-management.ear.customer-management-rest.war">
>         <realm>demo</realm>
>         <auth-server-url>http://localhost:18080/auth</auth-server-url>
>         <public-client>true</public-client>
>         <ssl-required>EXTERNAL</ssl-required>
>         <resource>customer-client</resource>
>     </secure-deployment>
> </subsystem>
> The notation I used for the <secure-deployment> element is
> ear-name.ear.war-name.war. But it doesn't seem to work. It raises the
> following exception:
>
> Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException:
> WarMetaData not found for customer-management.ear. Make sure you have
> specified a WAR as your secure-deployment in the Keycloak subsystem."},
>
> I found this syntax by googling for solutions but it's probably wrong.
> Please note that I cannot use the JSON syntax.
>
> Kind regards,
>
> Nicolas DUMINIL
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 19 Dec 2017 17:50:33 +0000
> From: Teddy CHAMBARD <t.chambard(a)bee-buzziness.com>
> Subject: [keycloak-user] How to check permissions on lot of resources
> To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> Cc: TeamScalabilite <TeamScalabilite(a)bee-buzziness.com>
> Message-ID: <1a4a5599db2c4bf69934aa23bf53e77c(a)BBUZ-EXCH01.bbuzg.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
>
> I'm trying to protect resources with Keycloak, but I wonder how to protect
> millions...
>
> I created resources successfully with the Protection API (UMA 2.0), and
> also created the necessary permissions and policies with the Admin REST API.
>
>
> What I would like to do is simply get the list of resources I should be
> able to access.
>
>
> To simplify my needs, here is a simple example:
>
>
> Bob asks for resource1 and resource2 through the entitlement API.
>
> Regarding my policies and permissions, Bob only has rights on resource1
> but not on resource2.
>
>
> I was thinking that making a POST request with the following payload:
>
>
> {
>     "permissions" : [
>         {
>             "resource_set_name" : "resource1"
>         }, {
>             "resource_set_name" : "resource2"
>         }
>     ]
> }
>
>
> would return an RPT with the list of permitted resources (resource1), but I
> got 403 Forbidden without the list of granted resources.
>
>
>
> So, I know I could run two separated requests to get my authorizations,
> but when I have thousands of resources to check, I can't run thousands http
> requests on entitlement API.
>
>
> The question is how can I filter the data I retrieved from my database
> with keycloak in order to get only granted data ?
>
>
>
> Keycloak is wonderful, and I would really continue to use it despite this
> trouble that I encounter.
>
>
> Thank you very much by advance for your help.
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 19 Dec 2017 21:34:15 +0300
> From: Dmitry Korchemkin <moon3854(a)gmail.com>
> Subject: [keycloak-user] AdapterRsaTokenVerifier throws
> NullPointerException on getPublicKey after processing expired token
> To: keycloak-user <keycloak-user(a)lists.jboss.org>
> Message-ID: <CAHpfDHM4=8fZu0niEhg2f4+MNjTDc2HEwixF-fNMnid3C-iF5A@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hello,
>
> Just upgraded to 3.4.1.Final to check if my issues with
> NullPointerException (and resulting 500 status) when using keycloak
> spring-security-adapter and expired tokens would be gone. There's no longer
> an unexpected NullPointer from an empty kid value (fixed in KEYCLOAK-5636
> <https://issues.jboss.org/browse/KEYCLOAK-5636>), but a problem still
> remains.
> This time it's publicKeyLocator being null in
> AdapterRSATokenVerifier::getPublicKey. Somehow, after the token was already
> deemed inactive and TokenNotActiveException was already printed, there's a
> second call to this method, this time with an empty deployment, and I'm
> pretty sure it's not my code calling it. Since there's no null check on the
> locator field, it produces a NullPointer upon trying to call
> pkLocator.getPublicKey, even if kid is being checked for null.
>
> Here's the first exception, the one I'm expecting:
>
> 2017-12-19 14:55:54,341 DEBUG XNIO-2 task-24 no_request_id c.n.c.m.s.i.d.IdpConfigResolver - Error to validate token with public key
> org.keycloak.exceptions.TokenNotActiveException: Token is not active
>     at org.keycloak.TokenVerifier$2.test(TokenVerifier.java:84)
>     at org.keycloak.TokenVerifier.verify(TokenVerifier.java:370)
>     at org.keycloak.RSATokenVerifier.verify(RSATokenVerifier.java:89)
>     at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:56)
>     at security.idp.deployment.IdpConfigResolver.checkPublicKey(IdpConfigResolver.java:149)
>     at security.idp.deployment.IdpConfigResolver.generateKeycloakDeploymentFromAuthorizationHeader(IdpConfigResolver.java:80)
>     at security.idp.deployment.IdpConfigResolver.resolve(IdpConfigResolver.java:57)
>     at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88)
>     at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:138)
>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
>     at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
>     at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
>     at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
>     at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
>
> However, it is immediately followed by this:
>
> 2017-12-19 14:55:54,343 ERROR XNIO-2 task-24 no_request_id i.u.request - UT005022: Exception generating error page /error
> org.springframework.web.util.NestedServletException: Request processing failed; nested exception is java.lang.RuntimeException: java.lang.NullPointerException
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:982)
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:81)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:479)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.error(RequestDispatcherImpl.java:412)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:319)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:332)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:245)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImplSetup(RequestDispatcherImpl.java:147)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:111)
>     at org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:168)
>     at org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:303)
>     at org.springframework.web.servlet.DispatcherServlet.render(DispatcherServlet.java:1286)
>     at org.springframework.web.servlet.DispatcherServlet.processDispatchResult(DispatcherServlet.java:1041)
>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:984)
>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>     ... 29 common frames omitted
> Caused by: java.lang.NullPointerException: null
>     at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
>     at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
>     at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
>     at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>     at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
>     at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:147)
>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:84)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:101)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:274)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchToPath(ServletInitialHandler.java:209)
>     at io.undertow.servlet.spec.RequestDispatcherImpl.forwardImpl(RequestDispatcherImpl.java:221)
>     ... 38 common frames omitted
>
> Needless to say, I'm not expecting any error pages to be shown and I have
> no idea where keycloak would get such a deployment that does not even have a
> keyLocator.
> One place where I call AdapterRSATokenVerifier.verifyToken has a deployment
> with an explicitly set HardcodedPublicKeyLocator, which works in every other
> instance of token validation I've encountered so far.
>
> I'd report this as a bug right away and make a request with a null check on
> pkLocator, but somehow it seems the issue is not that simple; the empty
> deployment shouldn't be there in the first place. In the meantime, any
> idea how I can get around this second verify() call or maybe disable the
> /error page behaviour?
>
> Best regards,
> Dmitry
>
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 48, Issue 29
> *********************************************
>
6 years, 12 months
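Teddy's question above (Message 4 in the quoted digest) asks how to filter database records down to the ones the user is actually granted. As an added example that is not part of the thread or of Keycloak, the Python below builds the batched request payload from his post and then filters rows using the `authorization.permissions` claim (`rsid`, `rsname`, `scopes`) that Keycloak places in an RPT; the RPT, its placeholder signature and the rows are constructed inline, and the code assumes the adapter has already verified the token's signature.

```python
"""Filter database rows by the permissions carried in a Keycloak RPT.

Added example, not code from the thread or from Keycloak. It assumes the RPT's
signature has already been verified (the adapter does that against the realm
key); here only the payload claims are read.
"""
import base64
import json
import time


def permission_request(resource_names):
    """Build the batched payload from the post: one entry per resource."""
    return {"permissions": [{"resource_set_name": n} for n in resource_names]}


def decode_jwt_payload(token):
    """Return the claims of a compact JWS (header.payload.signature).

    No signature check is done here; only pass tokens the adapter has
    already verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(claims, now=None):
    """Map resource name -> set of granted scopes.

    Reads the 'authorization.permissions' claim Keycloak puts in an RPT
    (entries carry rsid, rsname and optionally scopes). An empty scope set
    means the permission was granted for the resource as a whole.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise PermissionError("RPT has expired")
    granted = {}
    for perm in claims.get("authorization", {}).get("permissions", []):
        if "rsname" in perm:
            granted[perm["rsname"]] = set(perm.get("scopes") or [])
    return granted


def filter_rows(rows, granted, scope):
    """Keep the rows whose resource is granted with `scope` (or as a whole)."""
    kept = []
    for row in rows:
        scopes = granted.get(row["resource"])
        if scopes is not None and (not scopes or scope in scopes):
            kept.append(row)
    return kept


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: Bob was granted 'read' on resource1 only, as in the post.
SAMPLE_CLAIMS = {
    "exp": 1513700000 + 300,
    "authorization": {"permissions": [
        {"rsid": "11111111-1111-1111-1111-111111111111",
         "rsname": "resource1", "scopes": ["read"]},
    ]},
}
# Header and payload are real base64url; the third part stands in for the
# RS256 signature, which this example neither produces nor checks.
SAMPLE_RPT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                       _b64url(SAMPLE_CLAIMS), "signature-placeholder"])
SAMPLE_ROWS = [{"id": 1, "resource": "resource1"},
               {"id": 2, "resource": "resource2"}]


def demo(now=1513700000):
    """Rows Bob may 'read' according to the sample RPT: only resource1."""
    claims = decode_jwt_payload(SAMPLE_RPT)
    return filter_rows(SAMPLE_ROWS, granted_permissions(claims, now=now), "read")


if __name__ == "__main__":
    print(permission_request(["resource1", "resource2"]))
    print(demo())  # only the resource1 row survives
```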
Keycloak 3.4.0.Final - Basic and bearer-only authentication fails
by Nicolas DUMINIL
Hi,
I'm using Keycloak 3.4.0.Final and WildFly 10.1.0 with the right adapter. I
have the following realm:
{
  "id": "fd12b07c-8fdf-4e94-9688-cf80387a06c2",
  "realm": "demo-realm",
  "enabled": true,
  "sslRequired": "external",
  ...
  "roles": {
    "realm": [
      ...
      {
        "id": "c67ee573-05fa-4253-a1e0-5c09b3e9e162",
        "name": "customer-manager-role",
        "scopeParamRequired": false,
        "composite": false,
        "clientRole": false,
        "containerId": "fd12b07c-8fdf-4e94-9688-cf80387a06c2"
      },
      ......
    ],
    "client": {
      "curl": [],
      ...
    }
  },
  "groups": [],
  "defaultRoles": [
    "offline_access",
    "uma_authorization"
  ],
  "requiredCredentials": [
    "password"
  ],
  ...
  "clients": [
    {
      "id": "9d43b813-3232-49c3-ba5d-f097e6a56618",
      "clientId": "curl",
      "surrogateAuthRequired": false,
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "http://localhost"
      ],
      "webOrigins": [
        "http://localhost"
      ],
      "notBefore": 0,
      "bearerOnly": false,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": true,
      "serviceAccountsEnabled": false,
      "publicClient": true,
      "frontchannelLogout": false,
      "attributes": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        ...
      ],
      ...
    },
    {
      "id": "fa8edc2a-51c1-4b04-8939-8a0838d21130",
      "clientId": "customer-manager-client",
      "surrogateAuthRequired": false,
      "enabled": true,
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
        "http://localhost:8080/customer-management/*"
      ],
      "webOrigins": [
        "http://localhost:8080"
      ],
      "notBefore": 0,
      "bearerOnly": true,
      "consentRequired": false,
      "standardFlowEnabled": true,
      "implicitFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "frontchannelLogout": false,
      "attributes": {},
      "fullScopeAllowed": true,
      "nodeReRegistrationTimeout": -1,
      "protocolMappers": [
        ...
      ]
      ......
    },
    ...
  ]
}
This file has been obtained by the export function in the console. Strangely
enough, the users aren't exported and there is no "Export users" button as
there is for "Export groups and roles" and "Export clients".
On the WildFly side, I have a war containing a couple of JAX-RS services,
whose web.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
  <module-name>customer-management-rest</module-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer-manager-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo-realm</realm-name>
  </login-config>
  <security-role>
    <role-name>customer-manager-role</role-name>
  </security-role>
</web-app>
The idea is that the services be accessed via the customer-manager-role
which is assigned to the user customer-manager-user. After deployment,
using the following curl request:
curl http://customer-manager-user:toto@localhost:8080/customer-management/services/customers
replies:
<html><head><title>Error</title></head><body>Forbidden</body></html>
In the previous curl request, customer-manager-user is the user name created
on the demo-realm realm. In its Role Mappings list I have
"customer-manager-role", which is a role created on the same realm. And
"toto" here is the password assigned to the user customer-manager-user. So I
would expect that the basic authentication works, but obviously it doesn't.
The same happens if I'm trying bearerOnly by including the token obtained
via the curl client. What could be wrong here? Could that have anything
to do with the fact that there is no trace of my customer-manager-user
in the realm?
Many thanks in advance.
Kind regards,
Nicolas
7 years
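The post above pairs a web.xml with a realm export and asks whether the Forbidden reply is tied to what is (or is not) in the realm. As an added example, not code from the thread, WildFly or Keycloak, the Python below cross-checks the two artifacts: it reads the `<realm-name>` and `<role-name>` entries from web.xml and reports whether the realm name matches the export, whether every required role exists as a realm role, whether the export carries any users at all, and which clients are bearer-only. The web.xml and the trimmed realm export are constructed here to mirror the post.

```python
"""Cross-check a WildFly web.xml against a Keycloak realm export.

Added example (not from the thread, WildFly or Keycloak). The sample inputs
below are constructed to mirror the post: the realm export is trimmed to the
keys the check needs.
"""
import json
import xml.etree.ElementTree as ET

JAVAEE_NS = "{http://xmlns.jcp.org/xml/ns/javaee}"

# Constructed sample web.xml, same constraints as the post's.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <module-name>customer-management-rest</module-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customers</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer-manager-role</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>demo-realm</realm-name>
  </login-config>
  <security-role>
    <role-name>customer-manager-role</role-name>
  </security-role>
</web-app>
"""

# Constructed, trimmed realm export: no "users" key, as in the console export.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo-realm",
    "roles": {
        "realm": [{"name": "customer-manager-role", "clientRole": False}],
        "client": {"curl": []},
    },
    "clients": [
        {"clientId": "curl", "publicClient": True, "bearerOnly": False,
         "directAccessGrantsEnabled": True},
        {"clientId": "customer-manager-client", "publicClient": False,
         "bearerOnly": True, "directAccessGrantsEnabled": False},
    ],
})


def web_xml_requirements(xml_text):
    """Return (realm name, set of role names) declared in web.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    realm = root.findtext(f"./{JAVAEE_NS}login-config/{JAVAEE_NS}realm-name")
    roles = {el.text.strip() for el in root.iter(f"{JAVAEE_NS}role-name") if el.text}
    return realm, roles


def check_against_export(xml_text, export_text):
    """Return a list of findings; an empty list means everything lines up."""
    realm_name, required_roles = web_xml_requirements(xml_text)
    export = json.loads(export_text)
    findings = []
    if export.get("realm") != realm_name:
        findings.append(f"realm mismatch: web.xml says {realm_name!r}, "
                        f"export is {export.get('realm')!r}")
    realm_roles = {r["name"] for r in export.get("roles", {}).get("realm", [])}
    for role in sorted(required_roles - realm_roles):
        findings.append(f"role {role!r} required by web.xml is not a realm role")
    if not export.get("users"):
        # Without users in the export, role mappings cannot be verified from it.
        findings.append("export contains no users; role mappings must be checked "
                        "in the admin console or via kcadm.sh")
    for client in export.get("clients", []):
        if client.get("bearerOnly"):
            findings.append(f"client {client['clientId']!r} is bearer-only: its "
                            "adapter validates bearer tokens and does not start a login")
    return findings


if __name__ == "__main__":
    for finding in check_against_export(SAMPLE_WEB_XML, SAMPLE_REALM_EXPORT):
        print("-", finding)
```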
Can't invoke Keycloaks OpenID Connect token endpoint with grant type set to password
by Nicolas DUMINIL
Hello,
I'm following this blog (http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html)
to secure some JAX-RS services. I have the following client:
./keycloak/bin/kcadm.sh get clients/f3c2109d-9eb0-4fb3-b6be-32a52a691d42 -r demo-realm
{
  "id" : "f3c2109d-9eb0-4fb3-b6be-32a52a691d42",
  "clientId" : "curl",
  "surrogateAuthRequired" : false,
  "enabled" : true,
  "clientAuthenticatorType" : "client-secret",
  "redirectUris" : [ "http://localhost" ],
  "webOrigins" : [ ],
  "notBefore" : 0,
  "bearerOnly" : false,
  "consentRequired" : false,
  "standardFlowEnabled" : true,
  "implicitFlowEnabled" : false,
  "directAccessGrantsEnabled" : true,
  "serviceAccountsEnabled" : true,
  "authorizationServicesEnabled" : false,
  "publicClient" : true,
  "frontchannelLogout" : false,
  "protocol" : "openid-connect",
  "attributes" : {
    "saml.assertion.signature" : "false",
    "saml.force.post.binding" : "false",
    "saml.multivalued.roles" : "false",
    "saml.encrypt" : "false",
    "saml_force_name_id_format" : "false",
    "saml.client.signature" : "false",
    "saml.authnstatement" : "false",
    "saml.server.signature" : "false",
    "saml.server.signature.keyinfo.ext" : "false",
    "saml.onetimeuse.condition" : "false"
  },
  "fullScopeAllowed" : true,
  "nodeReRegistrationTimeout" : -1,
  "protocolMappers" : [ {
    "id" : "5916961f-e222-4a6d-968e-ca2031961168",
    "name" : "family name",
    "protocol" : "openid-connect",
    "protocolMapper" : "oidc-usermodel-property-mapper",
    "consentRequired" : true,
    "consentText" : "${familyName}",
    "config" : {
      "userinfo.token.claim" : "true",
      "user.attribute" : "lastName",
      "id.token.claim" : "true",
      "access.token.claim" : "true",
      "claim.name" : "family_name",
      "jsonType.label" : "String"
    }
  }
I'm doing the following curl request:
curl --data "grant_type=password&client_id=curl&username=customer-manager-user&password=toto" http://localhost:18080/auth/realms/master/protocol/openid-connect/token
and I get the following error:
{"error":"unauthorized_client","error_description":"UNKNOWN_CLIENT: Client was not identified by any client authenticator"}
The user "customer-manager-user" is as follows:
[jboss@ca385990f977 ~]$ ./keycloak/bin/kcadm.sh get users -r demo-realm -q username=customer-manager-user
[ {
  "id" : "52f6b73c-0982-415d-9157-a4735bf619b1",
  "createdTimestamp" : 1513861722307,
  "username" : "customer-manager-user",
  "enabled" : true,
  "totp" : false,
  "emailVerified" : false,
  "disableableCredentialTypes" : [ "password" ],
  "requiredActions" : [ ],
  "notBefore" : 0,
  "access" : {
    "manageGroupMembership" : true,
    "view" : true,
    "mapRoles" : true,
    "impersonate" : true,
    "manage" : true
  }
} ]
I have googled in order to find a solution and I found several persons
reporting the issue, but I didn't find any solution. Many thanks in advance
for any help.
Kind regards,
Nicolas
7 years
Creating users in a group
by Mark Hammond
Hi,
We have a requirement that our clients need to be able to manage users
within a group. What we want to achieve is to have a group admin user
create users, but only within that group. Is there a way to achieve this?
Kind regards,
Mark
7 years