Keycloak standalone-ha cluster jgroups without multicast
by Christian Schneider
Hi,
I'm trying to setup a keycloak cluster.
We copy binaries and configuration through our build pipeline to the
servers, so we decided to for the "standalone clustered mode".
Since our operations don't enable ip multicast, we wan't to work with ip
static ip addresses.
The only source for this I found is:
https://kb.novaordis.com/index.php/WildFly_Clustering_without_Multicast
<https://deref-gmx.net/mail/client/Wiot_0qYjM4/dereferrer/?redirectUrl=htt...>
I configured both servers like this:
<subsystem xmlns="urn:jboss:domain:jgroups:4.0">
<channels default="ee">
<channel name="ee" stack="tcp"/>
</channels>
<stacks default="tcp">
<stack name="tcp">
<transfer type="TCP" socket-binding="jgroups-tcp"/>
<protocol type="TCPPING">
<property
name="initial_hosts">10.62.168.51[7600],10.62.168.52[7600]</property>
<property name="num_initial_members">2</property>
<property name="port_range">0</property>
<property name="timeout">2000</property>
</protocol>
<protocol type="MERGE3"/>
<protocol type="FD_SOCK"
socket-binding="jgroups-tcp-fd"/>
<protocol type="FD"/>
<protocol type="VERIFY_SUSPECT"/>
<protocol type="pbcast.NAKACK2"/>
<protocol type="UNICAST3"/>
<protocol type="pbcast.STABLE"/>
<protocol type="pbcast.GMS"/>
<protocol type="MFC"/>
<protocol type="FRAG2"/>
</stack>
</stacks>
</subsystem>
I can't figure out whether the two nodes paired each other. In the logfile
I only find this:
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000078:
Starting JGroups channel hibernate
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000078:
Starting JGroups channel web
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000078:
Starting JGroups channel keycloak
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000078:
Starting JGroups channel ejb
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000078:
Starting JGroups channel server
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000094:
Received new cluster view for channel keycloak: [app02.2.xxx.net|0] (1) [
app02.2.xxx.net]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000094:
Received new cluster view for channel hibernate: [app02.2.xxx.net|0] (1) [
app02.2.xxx.net]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000094:
Received new cluster view for channel ejb: [app02.2.xxx.net|0] (1) [
app02.2.xxx.net]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000094:
Received new cluster view for channel server: [app02.2.xxx.net|0] (1) [
app02.2.xxx.net]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000094:
Received new cluster view for channel web: [app02.2.xxx.net|0] (1) [
app02.2.xxx.net]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000079:
Channel server local address is app02.2.xxx.net, physical addresses are [
127.0.0.1:7600]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000079:
Channel ejb local address is app02.2.xxx.net, physical addresses are [
127.0.0.1:7600]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000079:
Channel web local address is app02.2.xxx.net, physical addresses are [
127.0.0.1:7600]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000079:
Channel keycloak local address is app02.2.xxx.net, physical addresses are [
127.0.0.1:7600]
INFO 2017-07-21 20:35:43 []
org.infinispan.remoting.transport.jgroups.JGroupsTransport ISPN000079:
Channel hibernate local address is app02.2.xxx.net, physical addresses are [
127.0.0.1:7600
I checked that the ports 7060 are open.
When I access just a single node, the setup works fine. With two nodes I
get {"error":"invalid_grant","error_description":"Session not active"} on
one of them.
The goal is that all userSessions are synced between the cluster nodes, so
that the loadbalancer can roundrobbin between all nodes.
Since we have around 20k users only, it would be fine to store the users in
our database. But keycloak doesn't provide this, right?
Do you have any idea how to figure out whats wrong?
Best Regards,
Christian.
P.S.: You can find the whole configuration here:
https://pastebin.com/WC46pXGp
<https://deref-gmx.net/mail/client/UIuwfhWwMZ0/dereferrer/?redirectUrl=htt...>
6 years, 9 months
Make "hardcoded-ldap-attribute-mapper" both way.
by Dmitry Repchevsky
Hello,
According the tooltip "hardcoded-ldap-attribute-mapper" is for putting
the hardcoded attribute to the LDAP.
How can I hardcode a user attribute when reading from LDAP? (I want to
know whether the user comes from LDAP).
Kind regards,
Dmitry
6 years, 9 months
Multiple LDAP Providers
by Dmitry Repchevsky
Hello,
Is there any way to define different user profiles to be stored in LDAP?
I would like to distinguish between local users and users that come from
Google.
The user groups should be different (with different attributes). For
instance local users have "homeDirectory" and "google" ones are treated
as "guests".
If I define two LDAP "WRITABLE" providers the attempt to write the new
user to LDAP is done by priority order, right?
I mean if I define a mandatory "homeDirectory" attribute and "google"
user has no this attribute, the user is stored in the second provider?
Thank you in advance,
Dmitry
6 years, 9 months
tutorial service-jee-jaxrs: Deployable container must be specified
by Viggo Navarsete
Hi,
I'm new to Keycloak, and have just started to familiarize with the
tutorials. I've cloned the quickstarters and started with the
service-jee-jarxrs.
I *think* I've followed all the instructions there, but still it fails
while trying to both run the tests and deploy it.
I've attached the output and hope someone are kind enough to take a look at
it:) I think Keycloak looks great, but please help me over the first bump
here :)
Best regards,
Viggo
6 years, 9 months
Be able to define an email template per action when using resource execute-actions-email endpoint
by Jesus Bernal
Is there a way to define a mail per action invoked by execute-actions endpoint over a user?
I can find a generic executeAction mail, however, the actions you are able to trigger can be quite different (from update password to verify mail or terms and conditions) and hence, the need to provide a different mail content for each of them.
Also, I have been looking for how to grab the action in the mail template so I can render a different message based on it. However, as per the documentation only realm, user, clientId, link and expiration are available.
Thanks a lot in advance,
Best Regards,
Jesus Bernal
Senior Software Engineer
jesus.bernal(a)checkit.net<mailto:jesus.bernal@checkit.net>
Elektron Technology
Broers Building, JJ Thomson Avenue, Cambridge, CB3 0FA, UK
www.elektron-technology.com<http://www.elektron-technology.com/>
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
6 years, 9 months
Re: [keycloak-user] Keycloak OpenIDConnect bearer token problem
by NAPPERT Olivier
I searched more and found the RFC that specifies the OAuth2 specifications for Token_type, it should be case insensitive as specified here https://tools.ietf.org/html/rfc6749#section-4.2.2 :
"token_type
REQUIRED. The type of the token issued as described in
Section 7.1<https://tools.ietf.org/html/rfc6749#section-7.1>. Value is case insensitive."
But in LemonLDAP::NG, the file that verifies if the token is valid isn't compliant with this because of the following line in /usr/share/perl5/Lemonldap/NG/Portal/_OpenIDConnect.pm:465 :
"unless ( $json->{token_type} eq "Bearer" ) {"
So in fact it wasn't a problem on Keycloak's side, but LL::NG.
Best regards,
Olivier Nappert
De : NAPPERT Olivier
Envoyé : vendredi 21 juillet 2017 16:38
À : 'keycloak-user(a)lists.jboss.org'
Objet : Keycloak OpenIDConnect bearer token problem
Hello,
I am trying to use Keycloak v3.2 standalone (Final) as an OpenID Connect Identity Provider, with an instance of LemonLDAP::NG working as my OIDC Relying Party. The latter is already configured and works well with multiple OIDC Identity Providers, like Google or other LL::NG instances.
When accessing the Keycloak token endpoint, the authentication fails with the following message :
Token type is bearer but must be Bearer
[perl:debug] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/AuthOpenIDConnect.pm 133:
[perl:error] Token response is not valid
Do you know how to change the token type sent in the Keycloak configuration please ? From my understanding the OpenID Connect standard states that the Token type MUST be Bearer, so I suspect that I'm not the first who's had this problem.
Best regards,
Olivier NAPPERT
6 years, 9 months
Keycloak OpenIDConnect bearer token problem
by NAPPERT Olivier
Hello,
I am trying to use Keycloak v3.2 standalone (Final) as an OpenID Connect Identity Provider, with an instance of LemonLDAP::NG working as my OIDC Relying Party. The latter is already configured and works well with multiple OIDC Identity Providers, like Google or other LL::NG instances.
When accessing the Keycloak token endpoint, the authentication fails with the following message :
Token type is bearer but must be Bearer
[perl:debug] CGI.pm(114): /usr/share/perl5/Lemonldap/NG/Portal/AuthOpenIDConnect.pm 133:
[perl:error] Token response is not valid
Do you know how to change the token type sent in the Keycloak configuration please ? From my understanding the OpenID Connect standard states that the Token type MUST be Bearer, so I suspect that I'm not the first who's had this problem.
Best regards,
Olivier NAPPERT
6 years, 9 months
Server 2016 ADFS won't accept descriptor
by John Craft
I've installed Windows Server 2016 with ADFS. When I try to create the trust as per the Keycloak help docs, ADFS reports the descriptor as malformed. Anybody had experience with this?
John Craft
Senior Software Engineer, GISP
Geocent, LLC
Cell : 601-299-1830
Stennis Space Center MS
www.geocent.com | John.Craft(a)Geocent.com
Confidentiality Notice:
This email communication may contain confidential information, may be legally privileged, and is intended only for the use of the intended recipients(s) identified. Any unauthorized review, use, distribution, downloading, or copying of this communication is strictly prohibited. If you are not the intended recipient and have received this message in error, immediately notify the sender by reply email, delete the communication, and destroy all copies. Thank you.
6 years, 9 months
Kerberos auth type displays basic auth prompt under Windows
by Steven Mirabito
Hey,
I have Keycloak configured to check passwords against an MIT Kerberos
server in my user federation source, and that works fine. I then set the
Kerberos authentication type to "alternative" - most of our users will be
coming in from personal devices where they'll just log in via the form, but
we do have a shared machine where this would be nice to have. However, I
started receiving complaints that when this option is enabled, any browser
under Windows will show a basic auth dialog which the user has to cancel
out of to reach the login page (other platforms show a blank "Kerberos
Unsupported" page and then redirect to the normal login page without a
dialog). To make matters worse, I can't seem to turn the option off now -
switching the Kerberos auth type to "disabled" will work for a little bit,
but after a short period of time it will turn itself back on and users will
start to see the basic auth dialog again.
Are these known issues? Ideally, I'd like to be able to have the Kerberos
auth type enabled, but a solution to keep it disabled in the meantime would
be greatly appreciated as well.
Thank you!
-Steven
6 years, 9 months
