Keycloak & SSL - incorrect urls
by John D. Ament
Hi,
I have keycloak deployed behind an ELB and nginx, so it's going ELB -> NGINX
-> KEYCLOAK. We do SSL termination at the ELB, so that the requests to
nginx and keycloak are actually HTTP calls. We've noticed that the
endpoint descriptors page (which provides an importable XML for a SAML
descriptor) is using HTTP urls, even though the public URL is an HTTPS url
(e.g. https://keycloak.mycompany.com)
Is there a configuration setting that would force keycloak to render HTTPS
urls?
John
7 years, 7 months
Executing kcadmin - missing jansi64 library
by Kevin Hirschmann
Hello,
When running a Windows batch file:

REM create the realm, then enable direct access grants on security-admin-console
call kcadm.bat create realms -s realm=%realmName% -s enabled=true -s loginTheme=xxx
ECHO Realm created
REM update security-admin-client
set endpointSecurityClient=clients/465f668f-cefc-4d42-9bc0-0b62b6784b18
call kcadm.bat update %endpointSecurityClient% -r %realmName% -s directAccessGrantsEnabled=true
The last line produces the following stacktrace:
New clientId is 465f668f-cefc-4d42-9bc0-0b62b6784b18
Exception in thread "main" java.lang.UnsatisfiedLinkError: Could not load library. Reasons: [no jansi64-2.5.4.Final in java.library.path, no jansi-2.5.4.Final in java.library.path, no jansi in java.library.path, Die Syntax für den Dateinamen, Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch (Windows error text: The filename, directory name, or volume label syntax is incorrect)]
    at org.fusesource.hawtjni.runtime.Library.doLoad(Library.java:182)
    at org.fusesource.hawtjni.runtime.Library.load(Library.java:140)
    at org.fusesource.jansi.internal.Kernel32.<clinit>(Kernel32.java:37)
    at org.fusesource.jansi.WindowsAnsiOutputStream.<clinit>(WindowsAnsiOutputStream.java:52)
    at org.jboss.aesh.terminal.WindowsTerminal.init(WindowsTerminal.java:63)
    at org.jboss.aesh.console.Console.init(Console.java:190)
    at org.jboss.aesh.console.Console.<init>(Console.java:118)
    at org.jboss.aesh.console.AeshConsoleImpl.<init>(AeshConsoleImpl.java:98)
    at org.jboss.aesh.console.AeshConsoleBuilder.create(AeshConsoleBuilder.java:160)
    at org.keycloak.client.admin.cli.KcAdmMain.main(KcAdmMain.java:64)
This happens on Windows 8 and Windows 2012 Server
Keycloak 2.5.4
Wildfly 10.0.0
Does anyone have an idea what configuration is missing?
Kind regards and thanks for your help
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
E-Mail: kevin.hirschmann(a)huebinet.de
Internet: www.huebinet.de
HUEBINET Informationsmanagement GmbH & Co. KG
An der Königsbach 8
56075 Koblenz
Registered office and court of registration: Koblenz HRA 5329
General partner of the KG:
HUEBINET GmbH;
Registered office and court of registration: Koblenz HRB 6857
Management:
Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz
Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is
only intended to provide information of a general kind, and shall not be
used for any statement with binding contents in respect to legal relations.
It is not totally possible to prevent a third party from manipulating emails
and email contents.
7 years, 7 months
Problems enable policy enforcer for spring security in spring boot.
by rafterjiang
I have set up a URL resource policy (for example, /greeting for the USER role) for my
bearer-only client on the Keycloak server. In this client, implemented with Spring
Security in Spring Boot, I have added keycloak.json:
{
  "realm": "auth",
  "realm-public-key": "key",
  "bearer-only": true,
  "auth-server-url": "http://10.3.42.29:8080/auth",
  "ssl-required": "external",
  "resource": "auth-service",
  "credentials": {
    "secret": "secret"
  },
  "policy-enforcer": {
    "user-managed-access": {},
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "resource-greeting"
      }
    ]
  }
}
"resource-greeting" is the resource name set up in the authorization settings of
client "auth-service" on the Keycloak server, and it is only accessible to USER
role accounts (a role-based policy is also configured with a permission).
Now I am very confused about what needs to be done on the Spring Security side. From
the examples I have read so far, I have not seen any example using Spring
Security together with the policy enforcer. Most examples enable
authentication/authorization in SecurityConfig (which extends
KeycloakWebSecurityConfigurerAdapter) by overriding the "configure" method, where
antMatchers restrict a URL (/greeting in my case) to certain ROLES.
See the following two examples:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .sessionAuthenticationStrategy(sessionAuthenticationStrategy())
        .and()
        .addFilterBefore(keycloakPreAuthActionsFilter(), LogoutFilter.class)
        .addFilterBefore(keycloakAuthenticationProcessingFilter(), X509AuthenticationFilter.class)
        .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .authorizeRequests()
        .antMatchers("/**").authenticated()
        .anyRequest().permitAll();
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
        .authorizeRequests()
        .antMatchers("/customers*").hasRole("USER")
        .antMatchers("/admin*").hasRole("ADMIN")
        .anyRequest().permitAll();
}
But as I understand it so far, with the policy enforcer all
authentication/authorization should be pushed outside of the code and be
done by the client adapter, automatically, based on the "paths" in keycloak.json.
My question is: what needs to be done in the configure method? If we can do authz
through the policy enforcer, why do we still need to authorize in the above configure
method?
I have also seen someone mention adding keycloakAuthenticatedActionsFilter
to make the policy enforcer work; how do I do that?
thanks,
Rong
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/Problems-enable-policy-enforcer-...
Sent from the keycloak-user mailing list archive at Nabble.com.
7 years, 7 months
SQL error while migrating from mongo to mysql on 3.1.0.Final
by abhishek raghav
Hi
Since Keycloak no longer supports Mongo, we are trying to import the data
from Keycloak 2.2.1 (Mongo) into Keycloak 3.1.0.Final (MySQL).
I did a realm export in KC 2.2.1 using the different-files strategy and got a
<realm>-realm.json file; then on KC 3.1.0.Final I did a realm import
through the UI.
As soon as I click the create button, I get an error pop-up saying "realm
already exists", and on the console I see the stack trace below.
2017-05-22 19:28:59,980 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] KEYCLOAK 3.1.0-0.1 SQL Error: 1062, SQLState: 23000
2017-05-22 19:28:59,982 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] KEYCLOAK 3.1.0-0.1 Duplicate entry 'ABC-aPPName' for key 'UK_B71CJLBENV945RB6GCON438AT'
2017-05-22 19:28:59,983 INFO  [org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl] KEYCLOAK 3.1.0-0.1 HHH000010: On release of batch it still contained JDBC statements
Any suggestions on what possibly went wrong?
Note: the migration is from KC 2.2.1 to KC 3.1.0.Final and across RDBMS
(Mongo to MySQL).
Also, if I use just H2 (no MySQL) on KC 3.1.0, I can port all the data
from KC 2.2.1 without any issues.
Thanks in advance.
-Abhishek
7 years, 7 months
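The duplicate-key error above comes from a unique constraint that MySQL enforced and H2 did not. One hypothesis worth checking before the import, stated here as an assumption and not as a diagnosis the thread gives: MySQL's default collations are case-insensitive, so two values that differ only in case (the logged value 'ABC-aPPName' is mixed case) collide under a unique key, while H2 compares them as distinct. The script below is an added example, not Keycloak tooling; it scans a realm export for such pairs. The sample export is constructed, and the sections it checks (clientId, realm role names, client role names) are taken from the export's JSON layout, not from Keycloak's database schema.

```python
"""Flag values in a realm export that collide under a case-insensitive unique key.

Added example, not Keycloak code. Assumption: the target database compares strings
case-insensitively (MySQL's default *_ci collations do), so 'ABC-aPPName' and
'abc-appname' would violate the same unique key that H2 treats as two distinct rows.
"""
import json
from collections import defaultdict

# Constructed sample export (not a real realm): clientIds and role names that differ only in case.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "ABC-aPPName", "name": "App"},
        {"clientId": "abc-appname", "name": "App (old)"},
        {"clientId": "account", "name": "Account"},
    ],
    "roles": {
        "realm": [{"name": "Admin"}, {"name": "admin"}, {"name": "user"}],
        "client": {"auth-service": [{"name": "User"}, {"name": "user"}]},
    },
})


def _collisions(values):
    """Group strings by their case-folded form; keep only groups with more than one spelling."""
    groups = defaultdict(set)
    for value in values:
        if isinstance(value, str):
            groups[value.casefold()].add(value)
    return {folded: sorted(spellings) for folded, spellings in groups.items() if len(spellings) > 1}


def find_case_collisions(realm_json_text):
    """Return {section: {folded_value: [original spellings]}} for every collision in the export."""
    realm = json.loads(realm_json_text)
    roles = realm.get("roles", {})
    sections = {
        "clients": [c.get("clientId") for c in realm.get("clients", [])],
        "realm roles": [r.get("name") for r in roles.get("realm", [])],
    }
    # Client roles are unique per client, so check each client's list separately.
    for client_id, client_roles in roles.get("client", {}).items():
        sections[f"client roles ({client_id})"] = [r.get("name") for r in client_roles]
    report = {}
    for section, values in sections.items():
        hits = _collisions(values)
        if hits:
            report[section] = hits
    return report


if __name__ == "__main__":
    import sys
    # Pass the path of an exported <realm>-realm.json, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REALM_JSON
    for section, hits in find_case_collisions(text).items():
        for spellings in hits.values():
            print(f"{section}: {spellings} would collide under a case-insensitive unique key")
```

If the checker reports pairs, rename one entry in the export (or pick a case-sensitive collation for the Keycloak schema) before importing; if it reports nothing, the collision has another cause and the case-collation hypothesis can be dropped.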
Jaxrs Client Example?
by Peter Donald
Hi,
This is a really dumb question and I have tried to google+RTFM but
still can't seem to find the answer.
I am looking for a simple example where I can use a jaxrs client to
access a service protected by keycloak. I have only really found
references to admin-client which seems to be more about admin of
keycloak and the JaxrsBearerTokenFilterImpl which seems like it may
work but can't find an example where it is used or how I would go
about it.
Preferably I would like to do a .register( X ) when creating the jaxrs
client and have it handled automagically by a filter. I don't have
resteasy available atm if that makes a difference.
Any hints on where to figure this out?
--
Cheers,
Peter Donald
7 years, 7 months
Debug Keycloak SAML adapter for an issue
by Pulkit Gupta
Hi All,
I am getting an error for one of my SAML-enabled applications in one of our
environments:
"Request URI does not match SAML request destination"
It seems to be an issue with the reverse proxy, but I want to debug it to
find some more information about it. I checked the class
AbstractSamlAuthenticationHandler and can see that there is no good
debug logging coded. Can you please guide me on how I can gather some more
information about the issue at hand?
--
PULKIT GUPTA
SENIOR SOFTWARE APPLICATIONS ENGINEER
Red Hat IN IT GBD <https://www.redhat.com/>
Pune - India
pulgupta(a)redhat.com T: +91-2066817536
IM: pulgupta
7 years, 7 months
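The error quoted above is the SAML Destination check: a receiver must verify that the Destination attribute stamped on the message equals the endpoint at which the message actually arrived, which is what stops a message captured at one endpoint from being replayed to another. Behind a reverse proxy that terminates TLS the application sees an internal http URL while the IdP stamped the public https one, and an exact comparison fails. The script below is an added example and not code from Keycloak's AbstractSamlAuthenticationHandler; its function names (destination_of, check_destination, debug_report) and the sample response are this example's own, and treating a missing Destination as a failure is a conservative choice made here, not a statement about the adapter. It parses the Destination out of a message and compares it against both the URI the application sees and the URI the client used, which is the information worth logging when the message appears.

```python
"""Compare a SAML message's Destination with the URI the request actually arrived at.

Added example, not Keycloak adapter code. Function names are this example's own.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a minimal, unsigned samlp:Response carrying only what the check needs.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_c0ffee" Version="2.0" IssueInstant="2017-05-22T19:28:59Z" '
    'Destination="https://app.example.com/saml">'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)


def destination_of(saml_xml):
    """Return the Destination attribute of the root protocol element, or None if absent."""
    root = ET.fromstring(saml_xml)
    return root.get("Destination")


def _endpoint(url):
    """Reduce a URL to (scheme, host[:port], path); query and fragment are not part of the endpoint."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower(), parts.path


def check_destination(saml_xml, request_uri):
    """Return (ok, detail). Exact scheme/host/path match, so a proxy-rewritten scheme or host fails."""
    dest = destination_of(saml_xml)
    if dest is None:
        # Conservative choice for this example: no Destination means the message is not accepted.
        return False, "message has no Destination attribute"
    if _endpoint(request_uri) != _endpoint(dest):
        return False, (f"Request URI {request_uri!r} does not match "
                       f"SAML request destination {dest!r}")
    return True, "destination matches request URI"


def debug_report(saml_xml, local_uri, forwarded_uri):
    """What to log when the error appears: the stamped Destination next to both candidate URIs."""
    return {
        "destination": destination_of(saml_xml),
        "uri_seen_by_application": local_uri,
        "uri_seen_by_client": forwarded_uri,
        "local_matches": check_destination(saml_xml, local_uri)[0],
        "forwarded_matches": check_destination(saml_xml, forwarded_uri)[0],
    }


if __name__ == "__main__":
    # Internal hop after TLS termination versus the public URL the IdP was configured with.
    print(debug_report(SAMPLE_RESPONSE,
                       "http://app-internal:8080/saml",
                       "https://app.example.com/saml?SAMLResponse=..."))
```

When local_matches is False and forwarded_matches is True, the proxy is rewriting the scheme or host and the application is not reconstructing the public URL from the forwarded headers; when both are False, the IdP's configured endpoint and the application's endpoint genuinely differ. A real receiver verifies the XML signature before trusting anything parsed from the message, including Destination.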
Is there any way to bind Admin console web UI to different port?
by Pavel Bezdienezhnykh
Hi all.
I'm new to Keycloak and am trying to deploy it in a Docker container.
Everything works fine, but I want to hide the admin console from access via
the internet (allow access only from the internal company network).
So the question is: can I bind the admin console web UI to a different port,
not the same as the regular port for auth requests, or maybe there is another
solution to make it unavailable from the internet?
Best regards,
Pavel
7 years, 7 months
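Two threads on this page share one underlying mechanism: the ELB question at the top (Keycloak renders http URLs because TLS was terminated upstream) and this one (keeping the admin console off the internet) both depend on the application learning the public scheme, host and real client address from the proxy in front of it. For the WildFly-based Keycloak distribution, the documented way is to have the proxy send X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host and to set proxy-address-forwarding="true" on the http-listener; in nginx the admin path is then restricted with allow/deny in a location block for /auth/admin/. The script below is an added example and not Keycloak or nginx code: it shows the logic those settings implement, in particular why the forwarded headers may only be honoured when the immediate peer is one of your own proxies, since otherwise anyone can claim "https" or an internal source address by sending the headers. The proxy subnet, internal networks, hostnames and addresses are assumptions; the header names are the conventional ones that ELB and nginx emit.

```python
"""Honour X-Forwarded-* only from trusted proxies, rebuild the public URL, and keep the admin
console reachable only from internal networks.

Added example, not Keycloak or nginx code. Addresses and hostnames are made up.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumption: nginx and the ELB live in this subnet; only peers from here may set forwarded headers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]
# Assumption: the company network from which the admin console should stay reachable.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Keycloak serves the admin console and the admin REST API under this prefix.
ADMIN_PREFIX = "/auth/admin"


@dataclass
class Request:
    peer_ip: str            # TCP peer as the application sees it (nginx when proxied)
    scheme: str             # scheme of the last hop ("http" once the ELB terminated TLS)
    host: str               # Host header as received on that hop
    path: str
    headers: dict = field(default_factory=dict)


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def _first(header_value, default):
    """Comma-joined header values: take the first element."""
    return (header_value or default).split(",")[0].strip()


def resolve(req):
    """Return (public_scheme, public_host, client_ip).

    Forwarded headers are trusted only when the immediate peer is one of our proxies; a direct
    client that sends them is ignored, so it cannot claim https or an internal source address."""
    peer = ipaddress.ip_address(req.peer_ip)
    if not _in_any(peer, TRUSTED_PROXIES):
        return req.scheme, req.host, peer
    scheme = _first(req.headers.get("X-Forwarded-Proto"), req.scheme).lower()
    host = _first(req.headers.get("X-Forwarded-Host"), req.host)
    # X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the peer it saw, so the
    # right-most entries are ours and the left-most is whatever the client sent. Walk from the
    # right past our own proxies; the first address that is not ours is the real client.
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    client = peer
    for hop in reversed(hops):
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and keep the last good address
        client = candidate
        if not _in_any(candidate, TRUSTED_PROXIES):
            break
    return scheme, host, client


def public_url(req):
    """The URL the client used, i.e. what should appear in rendered endpoint descriptors."""
    scheme, host, _ = resolve(req)
    return f"{scheme}://{host}{req.path}"


def admin_allowed(req):
    """Allow admin paths only from INTERNAL_NETWORKS; other paths are left to normal auth."""
    if req.path != ADMIN_PREFIX and not req.path.startswith(ADMIN_PREFIX + "/"):
        return True
    _, _, client = resolve(req)
    return _in_any(client, INTERNAL_NETWORKS)


if __name__ == "__main__":
    fwd = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "keycloak.mycompany.com",
           "X-Forwarded-For": "203.0.113.7"}
    descriptor = Request("10.0.1.2", "http", "keycloak-internal:8080",
                         "/auth/realms/demo/protocol/saml/descriptor", fwd)
    console = Request("10.0.1.2", "http", "keycloak-internal:8080", "/auth/admin/master/console/", fwd)
    print(public_url(descriptor), admin_allowed(console))
```

Binding the console to a second port is not something this logic needs: the restriction keys on the path prefix and the resolved client address, which is also what an nginx allow/deny block on /auth/admin/ does. The one thing to verify in either implementation is that the address being tested is the one your own proxy recorded, not the left-most X-Forwarded-For entry the client supplied.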
Passing login_hint up to Identity Provider
by Boutin Damien
Hello,
We are using Keycloak to authenticate our users, using both the user federation and identity provider features.
Concerning the identity provider, we encountered an issue regarding the redirection to the authorization endpoint of our partner.
The "login_hint" parameter is not forwarded to the targeted provider.
A thread was opened several months ago regarding this subject, but we haven't seen any feature request related to it:
http://lists.jboss.org/pipermail/keycloak-dev/2016-December/008595.html
Is it OK if we create a Jira ticket for this feature request and provide you with a pull request?
Thanks in advance
Regards,
Damien BOUTIN
7 years, 7 months
Rebalancing problem while adding a new node to a domain
by Elnaz razmi
Hello,
please help me with this problem:
We chose to install Keycloak in domain mode in our company. We have a load balancer and three slave nodes. It works properly with two active nodes, but when we want to run the third node to connect to the load balancer, the load balancer doesn't rebalance with the new node. It just says that the node is registered but doesn't show these lines, which we can see in the other nodes' connect process:

[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000310: Starting cluster-wide rebalance for cache work, topology CacheTopology{id=3, rebalanceId=2, currentCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one-master: 30, srvca61-site232:server-threeslave: 30]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (3)[master:server-one-master: 20, srvca61-site232:server-threeslave: 20, srvca61-site231:server-twoslave: 20]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t44) ISPN000310: Starting cluster-wide rebalance for cache loginFailures, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000310: Starting cluster-wide rebalance for cache authorization, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t39) ISPN000310: Starting cluster-wide rebalance for cache sessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t43) ISPN000310: Starting cluster-wide rebalance for cache offlineSessions, topology CacheTopology{id=3, rebalanceId=2, currentCH=DefaultConsistentHash{ns=80, owners = (2)[master:server-one-master: 40+0, srvca61-site232:server-threeslave: 40+0]}, pendingCH=DefaultConsistentHash{ns=80, owners = (3)[master:server-one-master: 27+0, srvca61-site232:server-threeslave: 27+0, srvca61-site231:server-twoslave: 26+0]}, unionCH=null, actualMembers=[master:server-one-master, srvca61-site232:server-threeslave, srvca61-site231:server-twoslave]}
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache offlineSessions, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache authorization, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t42) ISPN000336: Finished cluster-wide rebalance for cache loginFailures, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache work, topology id = 3
[org.infinispan.CLUSTER] (remote-thread--p8-t45) ISPN000336: Finished cluster-wide rebalance for cache sessions, topology id = 3
7 years, 7 months