Need info on Keycloak benchmarks & success stories
by Dmitry Telegin
Hi,
MGTS, Moscow's leading telephony and internet provider with ~4M
subscribers, holds a tender for a web SSO solution to replace their
current OpenAM. Our company participates with Keycloak/RHSSO based
solution. We've successfully passed an RFI phase and advanced to RFP,
where we will be asked to produce the following performance
measurements:
- single node capacity (logins/sec) for a known server configuration;
- capacity increase per each node added to the cluster.
Thus, I wanted to ask if anyone has performed this sort of benchmarking
for Keycloak, and if the results are available. If not, what's the best
approach to perform the benchmarking ourselves? Did anyone have success
with keycloak-benchmark?
Additionally, it would help us a lot if we could refer to some success
stories of real-world Keycloak deployments, preferably in the telecom
area.
Thanks!
Dmitry
7 years, 7 months
Best way to verify an AccessToken with RSATokenVerifer and keycloak-admin-client
by Thomas Darimont
Hello Group,
what is currently the best way to verify an access token with the
keycloak-admin-client in an application without a configured keycloak
deployment/adapter?
In the adapter scenario the PublicKey needed by the RSATokenVerifier is
retrieved with a PublicKeyLocator which is provided by the
KeycloakDeployment.
With no deployment at hand one needs to retrieve the public key dynamically
to deal with key rotation. I found two variants to do this - which one do
you think is the best?
Variant 1)
Iterate over keycloak.realm(realmId).keys().getKeyMetadata().getKeys()
and find the public key currently referenced by the kid in the JWKSHeader
of the AccessToken.
However this requires that the current user / client role has at least one
role of the realm-management client, e.g. view-realm.
Variant 2)
Send a GET Request without any authentication to
http://192.168.99.1:8080/auth
This will return the representation of the PublicRealmResource as JSON,
which contains the currently active RSA public key for the realm.
This variant doesn't require any role on the client / user since it doesn't
require authentication.
Unfortunately the current keycloak-admin-client doesn't seem to provide a
way to access the PublicRealmResource information which requires additional
code to fetch the resource.
Is there a reason for this or is this "just" an API gap that can be fixed?
You can find a gist with a quick demo for the two variants here:
https://gist.github.com/thomasdarimont/52152ed68486c65b50a04fcf7bd9bbde
Cheers,
Thomas
7 years, 7 months
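The rotation-aware lookup Thomas describes (pick the realm key whose kid matches the token header, and go back to the realm for fresh keys when the kid is unknown), as an added example that is not from the original post, the linked gist or Keycloak itself. It is written in Go rather than Java so that it runs with the standard library alone: Sign stands in for Keycloak as the token issuer, and the Verifier's Fetch function stands in for either key source in the post (the admin-client key metadata or the unauthenticated realm resource) as an in-memory map, so nothing is fetched over the network. The kids "key-1"/"key-2" and the subjects are constructed. It goes slightly beyond the post in showing what the verifier has to do once a rotation has happened: tokens under the retired key are rejected, and the alg header is pinned so a token cannot choose its own algorithm.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Verifier resolves signing keys by kid; Fetch stands in for "GET the realm's active public keys".
type Verifier struct {
	Fetch   func() (map[string]*rsa.PublicKey, error) // kid -> public key (in-memory in this example)
	cache   map[string]*rsa.PublicKey
	Fetches int // how often the key source was consulted
}

// keyFor serves from the cache and refetches at most once per token when the kid is unknown (rotation).
func (v *Verifier) keyFor(kid string) (*rsa.PublicKey, error) {
	if pub, ok := v.cache[kid]; ok {
		return pub, nil
	}
	fresh, err := v.Fetch() // rate-limit this in production: the kid is attacker-controlled input
	if err != nil {
		return nil, err
	}
	v.Fetches++
	v.cache = fresh // retired kids drop out of the cache
	if pub, ok := v.cache[kid]; ok {
		return pub, nil
	}
	return nil, fmt.Errorf("no realm key with kid %q", kid)
}

func decodeSegment(seg string, out interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// Verify pins alg to RS256, resolves the key by kid, checks the signature and returns the claims.
func (v *Verifier) Verify(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := v.keyFor(hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	var claims map[string]interface{} // exp, iss and aud checks are the caller's job, not shown here
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Sign issues an RS256 token carrying the given kid; it stands in for Keycloak as the issuer.
func Sign(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc(sig)
}

// RotationDemo returns the subject verified under the rotated key, the fetch count, and the
// error for a token signed with the retired key (which must be non-nil). Keys are constructed.
func RotationDemo() (string, int, error) {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	published := map[string]*rsa.PublicKey{"key-1": &oldKey.PublicKey}
	v := &Verifier{Fetch: func() (map[string]*rsa.PublicKey, error) { return published, nil }}
	_, warmErr := v.Verify(Sign(oldKey, "key-1", map[string]interface{}{"sub": "alice"})) // caches key-1
	published = map[string]*rsa.PublicKey{"key-2": &newKey.PublicKey}                  // the realm rotated
	claims, err := v.Verify(Sign(newKey, "key-2", map[string]interface{}{"sub": "bob"}))
	if warmErr != nil || err != nil {
		return "", v.Fetches, fmt.Errorf("unexpected failure: %v / %v", warmErr, err)
	}
	_, staleErr := v.Verify(Sign(oldKey, "key-1", map[string]interface{}{"sub": "eve"}))
	return claims["sub"].(string), v.Fetches, staleErr
}

func main() { fmt.Println(RotationDemo()) }
```

RotationDemo is the entry point; with the sequence above the key source is consulted three times (initial fill, the rotated kid, and the retired kid that is no longer published). That refetch-on-unknown-kid step is where a verifier can be made to hammer the realm's key endpoint, so a production verifier should cap how often it refetches per time window rather than per token, and must still check exp, iss and aud, which this example leaves out.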
Support for transactional email providers like SendGrid, Mailgun or Mandrill
by Vineet Reynolds
Hi everybody,
Has anyone managed to configure Keycloak 2.0.0.Final to use a
transactional email API instead of configuring an SMTP server? I would
prefer to have Keycloak send emails using a rest API like Sendgrid,
Mandrill, Mailgun or Amazon SES (the cloud-native way) instead of running
an SMTP server.
I'd also appreciate it if this is possible through the SPI providers.
* Should I implement both the EmailSenderProvider and EmailTemplateProvider
SPIs?
* I cannot get my custom EmailSenderProvider SPI implementation to work,
as the FreemarkerEmailTemplateProvider implementation fails to obtain the
implementation of the EmailSenderProvider. Stack trace is below:
13:17:53,991 ERROR [org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider] (default task-39) Failed to send verification email: org.keycloak.email.EmailException: Failed to template email
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendVerifyEmail(FreeMarkerEmailTemplateProvider.java:146)
    at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:156)
    at org.keycloak.authentication.requiredactions.VerifyEmail.requiredActionChallenge(VerifyEmail.java:73)
    at org.keycloak.services.managers.AuthenticationManager.executionActions(AuthenticationManager.java:559)
    at org.keycloak.services.managers.AuthenticationManager.actionRequired(AuthenticationManager.java:490)
    at org.keycloak.services.managers.AuthenticationManager.nextActionAfterAuthentication(AuthenticationManager.java:412)
    at org.keycloak.services.resources.LoginActionsService$Checks.verifyRequiredAction(LoginActionsService.java:299)
    at org.keycloak.services.resources.LoginActionsService.processRequireAction(LoginActionsService.java:853)
    at org.keycloak.services.resources.LoginActionsService.requiredActionGET(LoginActionsService.java:846)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
    ... 57 more
Thanks,
Vineet
7 years, 7 months
Group Level Roles Not Honored by Policy Evaluation Tool
by Jeremy Majors
I have setup my users to have the 'read' role by associating that role to a group which my users have been associated with. While testing the policies for a resource using the Policy Evaluation tool I determined that the roles associated with the groups weren't being picked up and the user was being denied access to the resource (please note that when I looked at the user's roles I did notice that 'read' was listed as an effective role). When I removed one of the users from the group and directly assigned the 'role' to the user then I was able to successfully access the resource using the Policy Evaluation tool.
Can anyone else reproduce this issue? It's unclear whether it could be related to KEYCLOAK-2964, which has been closed.
Thanks in advance,
Jeremy
7 years, 7 months
update password failed - invalid code
by Michael Mok
Hi All
Need help trying to allow the user to update their password. The use case:
1) Login to admin
2) Select a user, go to Credentials and select Update Password as reset
action, then send the email
3) User receives the email and clicks on the link (within the minute)
4) Keycloak complains with the error "We are sorry - an error occurred,
please login again."
Setup
Keycloak 2.5.1 Final
Apache 2.4 - SSL enabled
Mod proxy ajp
OS ubuntu 14.04
Keycloak standalone.xml ajp config
    <server name="default-server">
        <ajp-listener name="mmemoeListener" socket-binding="ajp" redirect-socket="proxy-https" scheme="https"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="proxy-peer"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <filter name="proxy-peer" class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core"/>
        <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
Apache 2 http conf
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    <Proxy *>
        RequestHeader set X-Forwarded-Proto "https"
        Require all granted
    </Proxy>
    #Keycloak requirements
    LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
    ProxyPass /auth ajp://localhost:8009/auth
Link received in the Update Your Account email
https://demo.mmemoe.com/auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc
Apache log
[11/Feb/2017:01:37:06 +0000] "GET /auth/realms/mmemoeDemo/login-actions/execute-actions?key=M5QehaYrsNyxEFC66hDSudzxWXoeimIMH5Sp9Lvbqhs.5b219018-98ad-4f39-a021-bda421809bcc HTTP/1.1" 500 2441
Keycloak log
01:37:06,091 WARN [org.keycloak.events] (default task-1) type=EXECUTE_ACTIONS_ERROR, realmId=2e6cf05c-62bc-4b12-8db2-4a85053225f7, clientId=null, userId=null, ipAddress=110.143.116.121, error=invalid_code
Thanks.
7 years, 8 months
Help with SSO
by Jorge M.
Hi,
In the past some systems inside my company were using a custom-made SSO
implementation that had the ability to do silent login among them.
One of those systems was completely refactored and is using Keycloak for
authentication and authorization. Since then, we have lost that silent login
feature with the other systems.
We assumed that it was ok to lose this feature for a while, but now we are
trying to implement the silent login again.
So, summing up:
- System "A" is using Keycloak with a realm "RealmA" with multiple clients
(modules) with SSO between them.
- Other systems "B", "C" with their custom authentication and authorization.
- We are using a custom federation on Keycloak over the same users database
that is shared among all the systems.
What's the best practice to achieve SSO between all the systems?
We are thinking about a proxy that detects if the user has a session on
some of the other systems and, if that is true, we programmatically create a
session on Keycloak for a given (Is this possible with the API?).
Thank you,
JM
7 years, 8 months
Performance with a large number of resources
by Scott Elliott
Using the photoz application as an example, what is the expected
performance if there are a very large (say, 5M) number of albums? What
about if there are multiple resources per album? You quickly get a very
large number of resources. The OIDC adapters cache some number of these, so
what effect will that have on the resource server?
Ideally there would be a way to authorize any resource associated with an
album, so if /album/vacation were authorized by /album/{id},
/album/vacation/photo/1 was also authorized, i.e., the URI that selects the
resource to be authorized would always be /album/vacation.
7 years, 8 months
Two OIDC working, but not SSO
by Tech
Dear experts,
we are working with Moodle, a PHP-based platform, where we have been
able to configure Keycloak correctly to implement OIDC.
To test Keycloak we cloned this application with different URLs and
did the first test:
* Connect to portal1
* User not recognized and redirected to Keycloak through OIDC
* Enter credentials stored into Keycloak
* User accepted and redirected to portal1
* Logout from portal1
After this we tested the second application:
* Connect to portal2
* User not recognized and redirected to Keycloak through OIDC
* Enter credentials stored into Keycloak
* User accepted and redirected to portal2
* Logout from portal2
In this case I know that OIDC is working for the two applications and we
can expect that SSO is also working, but after the login to portal1
we have to log in again to portal2, and vice versa.
We attach some logs below; could you please help?
Thanks
*Login to portal1*
2017-04-25 09:54:40,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
2017-04-25 09:54:45,055 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) new JtaTransactionWrapper
2017-04-25 09:54:45,056 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) was existing? false
2017-04-25 09:54:45,056 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-30) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-30) AUTHENTICATE ONLY
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-cookie
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,059 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-30) Could not find cookie: KEYCLOAK_IDENTITY
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: auth-cookie
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-spnego requirement: DISABLED
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is processed
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: identity-provider-redirector
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator ATTEMPTED: identity-provider-redirector
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: null requirement: ALTERNATIVE
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) execution is flow
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) processFlow
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) check execution: auth-username-password-form requirement: REQUIRED
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator: auth-username-password-form
2017-04-25 09:54:45,059 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) invoke authenticator.authenticate
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
2017-04-25 09:54:45,060 DEBUG [freemarker.cache] (default task-30) TemplateLoader.findTemplateSource("template.ftl"): Found
2017-04-25 09:54:45,061 DEBUG [freemarker.cache] (default task-30) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
2017-04-25 09:54:45,064 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-30) authenticator CHALLENGE: auth-username-password-form
2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper commit
2017-04-25 09:54:45,064 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-30) JtaTransactionWrapper end
2017-04-25 09:54:50,503 DEBUG [org.jboss.ejb.client.txn] (Periodic Recovery) Send recover request for transaction origin node identifier 1 to EJB receiver with node name 79051ccf69ac
*After authentication to portal1*
2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) new JtaTransactionWrapper
2017-04-25 09:54:56,041 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) was existing? false
2017-04-25 09:54:56,042 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002315: PathInfo: /realms/Demo/login-actions/authenticate
2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-31) authenticationAction
2017-04-25 09:54:56,042 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-spnego requirement: DISABLED
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) execution is processed
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: null requirement: ALTERNATIVE
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check: auth-username-password-form requirement: REQUIRED
2017-04-25 09:54:56,043 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) action: auth-username-password-form
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator SUCCESS: auth-username-password-form
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) check execution: auth-otp-form requirement: OPTIONAL
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) authenticator: auth-otp-form
2017-04-25 09:54:56,141 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-31) processFlow
2017-04-25 09:54:56,141 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-31) Hibernate RegisteredSynchronization successfully registered with JTA platform
2017-04-25 09:54:56,142 DEBUG [org.hibernate.SQL] (default task-31)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:54:56,142 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: getConnection(null, WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
2017-04-25 09:54:56,143 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,143 DEBUG [org.hibernate.SQL] (default task-31)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,144 DEBUG [org.hibernate.SQL] (default task-31)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:54:56,144 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterStatement
2017-04-25 09:54:56,145 DEBUG [org.keycloak.events] (default task-31) type=LOGIN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27, auth_method=openid-connect, auth_type=code, redirect_uri=https://localhost/moodleiam/auth/oidc/, consent=no_consent_required, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, username=testuser
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Removing old user session: session: 9a5218f8-aa9c-496c-aa00-780430f19c1b
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo, max-age: -1
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring remember me cookie
2017-04-25 09:54:56,145 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-31) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
2017-04-25 09:54:56,146 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-31) redirectAccessCode: state: bIJNAcPb8Rxz8Wb
2017-04-25 09:54:56,146 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper commit
2017-04-25 09:54:56,149 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-31) MySqlDS: returnConnection(4edba62b, false) [0/20]
2017-04-25 09:54:56,149 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-31) Initiating JDBC connection release from afterTransaction
2017-04-25 09:54:56,149 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper end
2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) new JtaTransactionWrapper
2017-04-25 09:54:56,642 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) was existing? false
2017-04-25 09:54:56,642 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-24) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/token
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-24) AUTHENTICATE CLIENT
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator: client-secret
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) client authenticator SUCCESS: client-secret
2017-04-25 09:54:56,643 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-24) Client moodle authenticated by client-secret
2017-04-25 09:54:56,663 DEBUG [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle, userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213, token_id=75173922-dd56-44ca-9255-9a5368e557f4, grant_type=authorization_code, refresh_token_type=Refresh, refresh_token_id=d7daabe5-8e73-4b8e-b108-92188e1118df, code_id=08539f13-cb1c-423e-86a3-365c29b055f1, client_auth_method=client-secret
2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper commit
2017-04-25 09:54:56,663 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-24) JtaTransactionWrapper end
*Login to portal2*
2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) new JtaTransactionWrapper
2017-04-25 09:56:17,566 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) was existing? false
2017-04-25 09:56:17,567 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-6) RESTEASY002315: PathInfo: /realms/demo/protocol/openid-connect/auth
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-6) AUTHENTICATE ONLY
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-cookie
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
2017-04-25 09:56:17,569 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-6) Could not find cookie: KEYCLOAK_IDENTITY
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: auth-cookie
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-spnego requirement: DISABLED
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is processed
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: identity-provider-redirector
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator ATTEMPTED: identity-provider-redirector
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: null requirement: ALTERNATIVE
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) execution is flow
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) processFlow
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) check execution: auth-username-password-form requirement: REQUIRED
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator: auth-username-password-form
2017-04-25 09:56:17,569 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) invoke authenticator.authenticate
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en_US.ftl"): Not found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template_en.ftl"): Not found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) TemplateLoader.findTemplateSource("template.ftl"): Found
2017-04-25 09:56:17,572 DEBUG [freemarker.cache] (default task-6) "template.ftl"("en_US", UTF-8, parsed): using cached since file:/opt/jboss/keycloak/themes/base/login/template.ftl hasn't changed.
2017-04-25 09:56:17,573 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-6) authenticator CHALLENGE: auth-username-password-form
2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper commit
2017-04-25 09:56:17,573 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-6) JtaTransactionWrapper end
After authentication to portal2
2017-04-25 09:56:29,001 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new
JtaTransactionWrapper
2017-04-25 09:56:29,001 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was
existing? false
2017-04-25 09:56:29,001 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-4) RESTEASY002315: PathInfo:
/realms/Demo/login-actions/authenticate
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-4)
authenticationAction
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: auth-cookie requirement: ALTERNATIVE
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
execution is processed
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: auth-spnego requirement: DISABLED
2017-04-25 09:56:29,002 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
execution is processed
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: identity-provider-redirector requirement: ALTERNATIVE
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
execution is processed
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: null requirement: ALTERNATIVE
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processAction: dfde24fe-5e06-4dc9-8dc2-f82eedd89846
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check: auth-username-password-form requirement: REQUIRED
2017-04-25 09:56:29,004 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
action: auth-username-password-form
2017-04-25 09:56:29,099 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
authenticator SUCCESS: auth-username-password-form
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processFlow
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
check execution: auth-otp-form requirement: OPTIONAL
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
authenticator: auth-otp-form
2017-04-25 09:56:29,100 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-4)
processFlow
2017-04-25 09:56:29,100 DEBUG
[org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl]
(default task-4) Hibernate RegisteredSynchronization successfully
registered with JTA platform
2017-04-25 09:56:29,100 DEBUG [org.hibernate.SQL] (default task-4)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:56:29,101 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default
task-4) MySqlDS: getConnection(null,
WrappedConnectionRequestInfo@4570d800[userName=KeycloakUSR]) [0/20]
2017-04-25 09:56:29,102 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterStatement
2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:56:29,103 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterStatement
2017-04-25 09:56:29,103 DEBUG [org.hibernate.SQL] (default task-4)
select
roleentity0_.ID as col_0_0_
from
KEYCLOAK_ROLE roleentity0_
where
roleentity0_.CLIENT_ROLE=0
and roleentity0_.NAME=?
and roleentity0_.REALM=?
2017-04-25 09:56:29,104 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterStatement
2017-04-25 09:56:29,104 DEBUG [org.keycloak.events] (default task-4)
type=LOGIN, realmId=Demo, clientId=moodle2,
userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=192.168.0.27,
auth_method=openid-connect, auth_type=code,
redirect_uri=https://localhost/moodle2iam/auth/oidc/,
consent=no_consent_required,
code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef, username=testuser
2017-04-25 09:56:29,104 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Removing old user session: session: 431cecf6-5a6b-4bbc-9467-3f52eff8090f
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/Demo,
max-age: -1
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Expiring remember me cookie
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-4)
Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/Demo
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4)
redirectAccessCode: state: WUCTMXokISFDbFN
2017-04-25 09:56:29,105 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4)
JtaTransactionWrapper commit
2017-04-25 09:56:29,106 DEBUG
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default
task-4) MySqlDS: returnConnection(4edba62b, false) [0/20]
2017-04-25 09:56:29,106 DEBUG
[org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl]
(default task-4) Initiating JDBC connection release from afterTransaction
2017-04-25 09:56:29,106 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-4)
JtaTransactionWrapper end
2017-04-25 09:56:29,626 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13) new
JtaTransactionWrapper
2017-04-25 09:56:29,626 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13) was
existing? false
2017-04-25 09:56:29,627 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n]
(default task-13) RESTEASY002315: PathInfo:
/realms/demo/protocol/openid-connect/token
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-13)
AUTHENTICATE CLIENT
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-13)
client authenticator: client-secret
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-13)
client authenticator SUCCESS: client-secret
2017-04-25 09:56:29,627 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-13)
Client moodle2 authenticated by client-secret
2017-04-25 09:56:29,656 DEBUG [org.keycloak.events] (default task-13)
type=CODE_TO_TOKEN, realmId=Demo, clientId=moodle2,
userId=ed5ba52a-531d-4e6e-b12e-9bc0957a8c1f, ipAddress=153.109.152.213,
token_id=ff9b3385-1362-4559-ad53-05317755b280,
grant_type=authorization_code, refresh_token_type=Refresh,
refresh_token_id=356011d7-e9fa-4c90-9368-a7627a445bc7,
code_id=cffeac69-54fc-4d19-be81-36f0f19ce1ef,
client_auth_method=client-secret
2017-04-25 09:56:29,656 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13)
JtaTransactionWrapper commit
2017-04-25 09:56:29,656 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-13)
JtaTransactionWrapper end
2017-04-25 09:56:29,660 DEBUG [io.undertow.request.io] (default I/O-1)
Error reading request: java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcherImpl.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
at sun.nio.ch.IOUtil.read(IOUtil.java:192)
at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:282)
at
io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:658)
at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:530)
at
org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
at
io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:152)
at
io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:130)
at
io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:56)
at
org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at
org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at
io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1059)
at
org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:559)
7 years, 8 months
SAML attribute mapper with processing
by Anders KK
Hi there,
Do you have a guide on how to implement a custom SAML attribute mapper?
Does that involve building KC on our own?
What we need:
Our SAML IdP (a widely used public Danish service) provides a custom
attribute on the SAML assertion. To support a detailed user privileges
profile, a chunk of XML data is base64-encoded and added as the value of a
single attribute as follows:
<Attribute Name="dk:gov:saml:attribute:Privileges_intermediate"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>PD94bWwg ....based 64 encoded XML data.....
dmVyc2l==</AttributeValue>
</Attribute>
We want to implement a mapper that will: extract the attribute value, decode
the data, parse the XML and finally map each privilege to a role on the
Keycloak user.
Alternatively, if post-processing of the user is an option, we could map the
attribute onto the user and do the privilege/role processing later? Any
suggestions are appreciated :)
Kind regards,
Ulrik and Anders
7 years, 8 months
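One way to build such a mapper, given here as an added example rather than code from Keycloak or from the original poster: a broker mapper written against Keycloak's IdentityProviderMapper SPI, which is packaged as a separate provider JAR, so it does not require rebuilding Keycloak itself. The package, class and provider id are hypothetical, and because the post does not show the real schema, the decoded XML is assumed to contain one <Privilege> element per privilege whose text content is the name of an existing realm role.

```java
package com.example.keycloak.saml; // hypothetical package, not part of Keycloak

import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.keycloak.broker.provider.AbstractIdentityProviderMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.saml.SAMLEndpoint;
import org.keycloak.broker.saml.SAMLIdentityProviderFactory;
import org.keycloak.dom.saml.v2.assertion.AssertionType;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.assertion.AttributeType;
import org.keycloak.models.IdentityProviderMapperModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.provider.ProviderConfigProperty;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Decodes the base64 privilege XML carried in one SAML attribute and grants matching realm roles. */
public class PrivilegeXmlToRoleMapper extends AbstractIdentityProviderMapper {

    public static final String PROVIDER_ID = "saml-privilege-xml-role-mapper"; // hypothetical id
    // Attribute name taken from the assertion quoted in the post.
    static final String ATTRIBUTE_NAME = "dk:gov:saml:attribute:Privileges_intermediate";
    static final String[] COMPATIBLE = { SAMLIdentityProviderFactory.PROVIDER_ID };

    @Override public String[] getCompatibleProviders() { return COMPATIBLE; }
    @Override public String getDisplayCategory() { return "Role Importer"; }
    @Override public String getDisplayType() { return "Privilege XML to Role"; }
    @Override public String getHelpText() { return "Decodes the base64 privilege XML attribute and grants matching realm roles."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return new ArrayList<>(); }
    @Override public String getId() { return PROVIDER_ID; }

    @Override
    public void importNewUser(KeycloakSession session, RealmModel realm, UserModel user,
                              IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        grantRoles(realm, user, context);
    }

    @Override
    public void updateBrokeredUser(KeycloakSession session, RealmModel realm, UserModel user,
                                   IdentityProviderMapperModel mapperModel, BrokeredIdentityContext context) {
        grantRoles(realm, user, context);
    }

    private void grantRoles(RealmModel realm, UserModel user, BrokeredIdentityContext context) {
        // The broker stores the parsed, already signature-verified assertion in the context data.
        AssertionType assertion = (AssertionType) context.getContextData().get(SAMLEndpoint.SAML_ASSERTION);
        if (assertion == null) return;
        for (AttributeStatementType statement : assertion.getAttributeStatements()) {
            for (AttributeStatementType.ASTChoiceType choice : statement.getAttributes()) {
                AttributeType attr = choice.getAttribute();
                if (attr == null || !ATTRIBUTE_NAME.equals(attr.getName())) continue;
                for (Object value : attr.getAttributeValue()) {
                    for (String privilege : parsePrivileges(String.valueOf(value))) {
                        // Only grant roles that already exist in the realm; never create roles from IdP data.
                        RoleModel role = KeycloakModelUtils.getRoleFromString(realm, privilege);
                        if (role != null) user.grantRole(role);
                    }
                }
            }
        }
    }

    /** Base64-decodes the value and returns the text of every <Privilege> element (assumed layout). */
    static List<String> parsePrivileges(String base64Xml) {
        List<String> result = new ArrayList<>();
        try {
            byte[] xml = Base64.getMimeDecoder().decode(base64Xml.trim()); // tolerates line breaks in the value
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // The payload comes from an external party: forbid DTDs and external entities (XXE hardening).
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
            Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
            NodeList nodes = doc.getElementsByTagName("Privilege"); // hypothetical element name
            for (int i = 0; i < nodes.getLength(); i++) {
                String text = nodes.item(i).getTextContent();
                if (text != null && !text.trim().isEmpty()) result.add(text.trim());
            }
        } catch (Exception e) {
            // A malformed or undecodable value must not break the login; it simply yields no roles.
        }
        return result;
    }
}
```

To deploy it, list the class in META-INF/services/org.keycloak.broker.provider.IdentityProviderMapper inside the JAR, install the JAR as a Keycloak provider, and then add the mapper to the SAML identity provider in the admin console. Two design choices matter from a security standpoint: roles are looked up and never created, so a compromised or misconfigured IdP cannot introduce new privileges, and the parser is hardened against XXE because the decoded XML is attacker-influenceable input. Note that updateBrokeredUser only grants roles; if a privilege is removed at the IdP, revoking the corresponding role on later logins needs separate handling.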
Kerberos/SPNEGO Problem with Keycloak 3.0.0
by Hendrik Dev
Hi,
I am trying to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
The purpose is to provide single sign-on for users logging in via IE from
a Windows domain.
Keycloak itself is running on CentOS; the Kerberos server is Active
Directory. The setup is working so far, because I can log in via 'curl
--negotiate'. There are also several other Java applications running
in this environment which are capable of doing SPNEGO over Kerberos
authentication successfully.
If the user accesses a Keycloak-protected application, the SPNEGO login
does not work and the Keycloak login page is displayed instead.
In the logs I see "Defective token detected (Mechanism level:
GSSHeader did not find the right tag)", and that's totally right, because
the browser sends
'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
To me it looks like the browser never gets either a
'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
In other words: the browser never seems to get challenged to do
SPNEGO over Kerberos.
I already tried to fix it
(https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce...)
but this oddly just ends up in a Basic Auth popup from the browser.
For the client app, the standard flow as well as direct access grants
are enabled.
Keycloak is deployed as HA with 3 nodes and runs behind a HW
load balancer, and Kerberos is set up within the LDAP federation ()
Any ideas?
Thanks
Hendrik
--
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC
7 years, 8 months
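When diagnosing a "Defective token" message like the one above, the first check is what kind of token the browser actually sent in its Negotiate header. The following inspector is an added example, not code from Keycloak or from the poster: it base64-decodes a Negotiate token and reports whether it is a raw NTLMSSP message, a SPNEGO InitialContextToken, or a raw Kerberos 5 GSS-API token, by looking at the NTLMSSP signature or the leading mechanism OID. The class name is hypothetical; the sample token is the one quoted in the post.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Classifies the value of an "Authorization: Negotiate <token>" header for troubleshooting. */
public class NegotiateTokenInspector {

    // Token quoted in the post above (what the browser sent instead of a Kerberos token).
    static final String TOKEN_FROM_POST =
        "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==";

    static final byte[] NTLMSSP_SIGNATURE = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded mechanism OIDs that follow the 0x60 GSS-API header.
    static final byte[] OID_SPNEGO  = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};                                    // 1.3.6.1.5.5.2
    static final byte[] OID_KRB5    = {0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02}; // 1.2.840.113554.1.2.2
    static final byte[] OID_MS_KRB5 = {0x2a, (byte) 0x86, 0x48, (byte) 0x82, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02}; // 1.2.840.48018.1.2.2

    static String classify(String base64Token) {
        byte[] t = Base64.getDecoder().decode(base64Token.trim());

        // Raw NTLMSSP: the browser skipped SPNEGO entirely and fell back to NTLM.
        if (startsWith(t, NTLMSSP_SIGNATURE) && t.length >= 12) {
            int type = ByteBuffer.wrap(t, 8, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();
            return "NTLM (raw NTLMSSP message, type " + type + ")";
        }

        // GSS-API InitialContextToken: 0x60 <DER length> 0x06 <oid length> <oid> <inner token>
        if (t.length > 2 && t[0] == 0x60) {
            int i = 1;
            int lenByte = t[i++] & 0xff;
            if (lenByte >= 0x80) i += lenByte & 0x7f;       // long-form length: skip the length octets
            if (i + 1 < t.length && t[i] == 0x06) {
                int oidLen = t[i + 1] & 0xff;
                int end = Math.min(t.length, i + 2 + oidLen);
                byte[] oid = Arrays.copyOfRange(t, i + 2, end);
                if (Arrays.equals(oid, OID_SPNEGO)) return "SPNEGO (GSS-API token, mechanism 1.3.6.1.5.5.2)";
                if (Arrays.equals(oid, OID_KRB5) || Arrays.equals(oid, OID_MS_KRB5)) return "Kerberos 5 (raw GSS-API Kerberos token)";
                return "GSS-API token with unrecognised mechanism OID";
            }
        }
        return "unrecognised token";
    }

    static boolean startsWith(byte[] data, byte[] prefix) {
        return data.length >= prefix.length
            && Arrays.equals(Arrays.copyOfRange(data, 0, prefix.length), prefix);
    }

    public static void main(String[] args) {
        String token = args.length > 0 ? args[0] : TOKEN_FROM_POST;
        System.out.println(classify(token)); // the post's token reports: NTLM (raw NTLMSSP message, type 1)
    }
}
```

Run it with the token copied from the browser's request header (java NegotiateTokenInspector.java <token> on Java 11 or later). A raw NTLMSSP type 1 message confirms the browser never attempted Kerberos for that request; since Keycloak's Kerberos authenticator only understands GSS-API Kerberos tokens, that is exactly the input that produces the "GSSHeader did not find the right tag" message. Whether the cause is a missing 401 challenge, a browser zone setting, or no ticket being obtained for the Keycloak service principal then has to be checked separately, but the inspector settles which side of the exchange to look at first.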