Clustered Keycloak in Kubernetes
by Staffan
Hi,
I got a direct question based on the mailing list thread
http://lists.jboss.org/pipermail/keycloak-user/2016-November/008470.html.
The author tried different <inet-address value="${jboss.bind.address}"/>
values in standalone-ha.xml but failed to get docker containers to
"discover" each other.
Here is my reply, which I think should be on the mailing list as well:
I never got the default JGroups config - UDP broadcast - to work in
Kubernetes (except in single-node testing). May work in some k8s clusters,
but I ended up switching to TCP. Instead of broadcast I chose JDBC for
jgroups "ping". I summarized my conclusions in
https://github.com/jboss-dockerfiles/keycloak/pull/62.
Regarding port binding I ended up using the interface "eth0" instead of an
IP. It allowed external connections in all docker contexts I tested,
without being specific to a network setup.
You can see the config changes produced by the PR as a diff in the build
output, for example:
https://hub.docker.com/r/solsson/keycloak-ha-mysql/builds/btueapadj2mhwhuggjbne4j/
regards
/Staffan
Different TOC's for different clients
by Adam Keily
Is it possible using Keycloak to present different TOC's, or a custom form, depending on the client the user is trying to access? Somehow we need to detect and intercept the login event on a per client basis.
Authenticate a rest api using keycloak access token (received from Authorization header in the HTTP GET request from the front end) in node js
by Saransh Kumar
<http://stackoverflow.com/questions/42394475/authenticate-a-rest-api-using...>
var loadData = function () {
    var url = 'http://localhost:3000/users';
    var req = new XMLHttpRequest();
    req.open('GET', url, true);
    req.setRequestHeader('Accept', 'application/json');
    // Pass the Keycloak access token as a bearer token to the API
    req.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
    req.onreadystatechange = function () {
        if (req.readyState == 4) {
            if (req.status == 200) {
                console.log('Success');
            } else if (req.status == 403) {
                console.log('Forbidden');
            }
        }
    };
    req.send();
};
Above is my front end code requesting the REST API and passing the keycloak
token in the authorization header which will be needed for authentication
at the node js server side.
Now I wanted to know how to secure my Rest Api using Keycloak and
authenticate it on the basis of token received from the front end and tell
whether the authentic user is requesting the rest api resource or not?
I have created a rest api in node js and used the keycloak-connect npm package.
I have mapped the nodejs middleware with the keycloak middleware.
var express = require('express');
var router = express.Router();
var app = express();
var Keycloak = require('keycloak-connect');
// keycloak-connect requires a config object (it may be empty); the adapter
// settings themselves are read from keycloak.json in the project root
var keycloak = new Keycloak({});

app.use(keycloak.middleware({
    logout: '/logout',
    admin: '/'
}));

router.get('/users', function (req, res, next) {
    var token = req.headers['authorization']; // Access token received from front end
    // Now how to authenticate this token with keycloak???
});

// Mount the router so that GET /users is reachable (missing in the original paste)
app.use(router);
app.listen(3000);
I have also included the keycloak.json file in the root folder of my
project.
Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
by Colin Coleman
The -x trick gave me enough info to find this…
https://issues.jboss.org/browse/KEYCLOAK-1268
And even if the workarounds work it looks like keycloak was not designed and is not tested for the sort of multi-tenant setup I was trying to do.
The jdbc driver version was a red herring – everything is the latest version
Using the CLI with -x I got the following
HTTP error - 400 Bad Request
org.keycloak.client.admin.cli.util.HttpResponseException: HTTP error - 400 Bad Request
at org.keycloak.client.admin.cli.util.HeadersBodyStatus.checkSuccess(HeadersBodyStatus.java:61)
at org.keycloak.client.admin.cli.util.HttpUtil.checkSuccess(HttpUtil.java:329)
at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.process(AbstractRequestCmd.java:363)
at org.keycloak.client.admin.cli.commands.AbstractRequestCmd.execute(AbstractRequestCmd.java:126)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:63)
at org.jboss.aesh.console.command.container.DefaultCommandContainer.executeCommand(DefaultCommandContainer.java:48)
at org.keycloak.client.admin.cli.aesh.AeshConsoleCallbackImpl.execute(AeshConsoleCallbackImpl.java:54)
at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: <html>
<head><title>400 Request Header Or Cookie Too Large</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>Request Header Or Cookie Too Large</center>
<hr><center>awselb/2.0</center>
</body>
</html>
Colin
From: Colin Coleman <cco(a)capraconsulting.no>
Date: Wednesday, 15 February 2017 at 10:05
To: Marko Strukelj <mstrukel(a)redhat.com>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
There is no stacktrace on the logs – I turned the <root-logger> level up to debug and could find nothing then either.
The only difference between a success when there were less than 20 realms and a failure when there were more than 20 realms was a lack of debug lines from org.hibernate which seems to show that the database never gets queried when a 400 is produced.
My Stack is:
Ubuntu 16.04
openjdk version "1.8.0_121"
PostgreSQL 9.6.1 (running on different machine)
keycloak-2.5.1.Final – running using standalone-ha.xml
DB driver: postgresql-9.4.1212.jre6.jar
Writing this I notice that the db driver and db are not on the same level – I will update this and test again.
------------------------------------------------
Colin
From: Marko Strukelj <mstrukel(a)redhat.com>
Date: Tuesday, 14 February 2017 at 18:16
To: Colin Coleman <cco(a)capraconsulting.no>
Cc: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] HTTP error - 400 Bad Request - create realm CLI
There is no such restriction, and I can't reproduce your issue.
Is there any stacktrace on the server?
Do you get any more information on the client if you add -x option?
On Tue, Feb 14, 2017 at 1:01 PM, Colin Coleman <cco(a)capraconsulting.no> wrote:
Hello,
Is there a setting limiting the number of realms that can be created with the CLI?
When creating realms via the CLI I start getting HTTP error - 400 Bad Request after about 20 realms
kcadm.sh create realms -s realm=test3 -s enabled=true
kcadm.sh create realms -s realm=test4 -s enabled=true
kcadm.sh create realms -s realm=test5 -s enabled=true
.
.
.
I get
.
.
Created new realm with id 'test13'
Created new realm with id 'test14'
HTTP error - 400 Bad Request
HTTP error - 400 Bad Request
.
.
.
Colin
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
Unknown authentication mechanism KEYCLOAK
by Kevin Marsden
Good Day.
I am unable to deploy a JAX-RS war to Wildfly 10.1, even after following the
instructions in the documentation to the letter.
I executed the patch script as follows:
jboss-cli.bat --connect --file="adapter-install.cli"
{"outcome" => "success"}
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
{
"outcome" => "success",
"result" => [("keycloak" => "1.1.0")],
"response-headers" => {"process-state" => "reload-required"}
}
{
"outcome" => "success",
"response-headers" => {
"operation-requires-reload" => true,
"process-state" => "reload-required"
}
}
My standalone.xml has been updated as follows:
<extension module="org.keycloak.keycloak-adapter-subsystem"/>
<security-domain name="keycloak">
    <authentication>
        <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
    </authentication>
</security-domain>
<subsystem xmlns="urn:jboss:domain:keycloak:1.1"/>
My web.xml is as follows:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>webresources</web-resource-name>
        <url-pattern>/webresources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
I would gladly appreciate any help at this stage.
Kind Regards.
Kevin.
Does keycloak OIDC support decryption of JWT tokens encrypted with JWE?
by Haseb Ansari
Hello all,
I have set up a custom OpenID Connect provider for my external IDP, and
the token request on my external IDP sends me an encrypted JWT with JWE
(JSON Web Encryption). I have the enc key with me but cannot understand how
to use it with the Identity Provider settings.
Please help me out with this issue.
Thanks in advance !!!!!!
Regards,
Haseb
Delete Roles on Active Directory when deleted from Keycloak
by Sumit Das
Hi
I have done an integration of Keycloak Realm with an Active Directory
instance. The realm roles that have been created are mapped with the help
of a role-mapper. When I delete any roles from the Realm, the role still
persists in the AD instance, even after using the synchronization of
"Keycloak Roles to LDAP". How do I ensure that when I delete any role in
Keycloak, it also gets deleted from the AD?
I have kept the following configuration:
1. In LDAP settings: Edit Mode: WRITABLE
2. In Role-mapper: Mode: LDAP_ONLY
Still it is not working.
Please do respond.
Regards
Sumit Das
Mobile No.- +91-9986872466