DB deadlock for concurrent logins
by Vikrant Singh
Hi,
I am Running Keycloak 3.2.1.Final on openshift platform with MariaDB 10.2.7
for DB, recently upgraded from 3.1.0.Final.
Deployment is consist of 3 keycloak servers along with 3 DB instances. As
part of kubernetes rediness check, a token is requested for a local user in
master realm every 10 sec. The concurrent token request for same user is
causing the deadlock exception in DB. Following is the exception being
logged in keycloak.
Caused by: java.sql.SQLException: Deadlock found when trying to get
lock; try restarting transaction
Query is: select userentity0_.ID as ID1_71_,
userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as
EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_,
userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as
ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_,
userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as
LAST_NAM9_71_, userentity0_.REALM_ID as REALM_I10_71_,
userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE11_71_,
userentity0_.USERNAME as USERNAM12_71_ from USER_ENTITY userentity0_
where userentity0_.ID=? and userentity0_.REALM_ID=?, parameters
['ddafa525-baae-4c40-98f8-08c25a23f2c6','master']
at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
... 76 more
Caused by: java.sql.SQLException: Lock wait timeout exceeded; try
restarting transaction
Query is: update CREDENTIAL set ALGORITHM=?, COUNTER=?,
CREATED_DATE=?, DEVICE=?, DIGITS=?, HASH_ITERATIONS=?, PERIOD=?,
SALT=?, TYPE=?, USER_ID=?, VALUE=? where ID=?, parameters
['pbkdf2-sha256',0,1501750736628,<null>,0,27500,0,<bytearray:???7'3^
.??LT???>,'password','ddafa525-baae-4c40-98f8-08c25a23f2c6','Hdpx8Zg5Ec8M9qVUp+Ylwlje+nhcGAzVPStF6/cvrqZghTeby048b8d3uqExfzS0of/9Quwx9CROGKTC685Tpw==','5929a82b-542c-4597-b3eb-524d74e58919']
at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:146)
at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:221)
at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:218)
... 78 more
Why keycloak is trying to update the user credential for every login.
and why is deadlock occurring? Any help truly appreciated.
Thanks,
Vikrant
6 years, 9 months
Security Patches
by Veit Guna
Hi.
As the keycloak support page explicitly states, that the keycloak
community edition will _never_ get patches, I'm wondering how this is
usually handled.
Let's assume there's a security critical bug in keycloak that can be
exploited from the outside. Usually how quickly gets this fixed in the
community edition?
I know, that this is will be quickly patched in the Red Hat SSO version
of keycloak, but what does that mean regarding keycloak CE?
When will such fixes usually reach keycloak? Are patches for Red Hat SSO
public available so one could theoretically use them to patch keycloak
by oneself?
Cheers
Veit
6 years, 9 months
NullPointerException when attempting to remove group
by Tiemen Ruiten
Hello,
I'm getting the following error when I attempt to delete a group that has
been imported from a FreeIPA LDAP User Federation through a
group-ldap-mapper:
2017-08-04 16:46:21,636 ERROR [io.undertow.request] (default task-16)
UT005023: Exception handling request to
/auth/admin/realms/authentid/groups/e2a3cd4a-c4f4-4b9e-bb51-d9782d40aae0:
org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
at
org.keycloak.services.resources.admin.permissions.GroupPermissions.deletePermissions(GroupPermissions.java:188)
at
org.keycloak.services.resources.admin.permissions.GroupPermissions.setPermissionsEnabled(GroupPermissions.java:167)
at
org.keycloak.services.resources.admin.permissions.AdminPermissions$1.onEvent(AdminPermissions.java:77)
at
org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68)
at
org.keycloak.models.jpa.JpaRealmProvider.removeGroup(JpaRealmProvider.java:379)
at
org.keycloak.models.cache.infinispan.RealmCacheSession.removeGroup(RealmCacheSession.java:926)
at
org.keycloak.models.cache.infinispan.RealmAdapter.removeGroup(RealmAdapter.java:1242)
at
org.keycloak.services.resources.admin.GroupResource.deleteGroup(GroupResource.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
In fact, I can not delete any groups anymore. There are two LDAP User
Federations setup, one to an Active Directory, one to the aforementioned
FreeIPA instance. Both have group mappers setup and some of the group
names clash unfortunately, that's why I wanted to delete some groups and
redo the import. What can I do?
--
Tiemen Ruiten
Systems Engineer
R&D Media
6 years, 9 months
Re: [keycloak-user] Brute Force Detection issue: wrong password attempt counter not reset with successful login
by Zhao, Edwin (NSB - CN/Beijing)
Is there any suggestion?
Should I create a bug fix Jira ticket?
From: Zhao, Edwin (NSB - CN/Beijing)
Sent: Friday, August 04, 2017 10:45 PM
To: 'keycloak-dev-bounces(a)lists.jboss.org'; keycloak-user(a)lists.jboss.org
Subject: Brute Force Detection issue: wrong password attempt counter not reset with successful login
Hi Keycloak team,
Many of our products would like to use keycloak for SSO, and with brute force detection function enabled.
But they all want password failure counter can be reset after a correct password is entered.
I saw 2 related tickets had once been created before, but product teams here in Nokia A&A organization still want the counter be reset after successful login.
https://issues.jboss.org/browse/KEYCLOAK-2692
https://issues.jboss.org/browse/KEYCLOAK-3046
We once again raise this request, please help to provide the enhancement.
Thanks,
Edwin
----------------------------------------------
Reproduce:
Enable Brute Force Detection on the realm
Set Max Login Failures to 3 (or any other number) on a user
Attempt to log in to Keycloak with the user try invalid password 2 times
Attempt to log in to Keycloak with the user with correct password (should succeed)
Log out
Attempt to log in to Keycloak with the user try invalid password 1 times
Attempt to log in to Keycloak with the user with correct password (should succeed, but fails)
Verify by loggin in with Administrator to Keycloak and check the user status (will be locked out).
6 years, 9 months
Federation/Provider update 2.2.1 to 3.2
by Markus Piatkowski
Hi everyone,
I am trying to update our federation from Keycloak 2.2.1 to 3.2.
My problem is that the federation in our setup is responsible for blocking inactive user accounts. In the old version the validateAndProxy-method was called on every user-request (e.g. during the login-process). This method deactivated the user when the lastLogin timestamp (user attribute) was too old.
In the current version the federation has changed. My first try was to implement the UserStorageProvider with the ImportedUserValidation interface. But the validate method is calling only once for each user. According to my understanding the method is only calling on the local storage access and not when the user is in the cache.
My second try was to implement an EventListenerProvider and check the timestamp on the LOGIN event. This worked but I did not get any error message on the Login-Screen. If I disable a user during the login process keycloak fires a CODE_TO _TOKEN_ERROR event. The result is a reload of the login screen without user notification or any error message for the user.
Does someone have an idea how to solve the problem?
Thanks and regards,
Markus
6 years, 9 months
REST api for user self-registration
by Sajid Chauhan
Hi All,
I have found that there are REST apis for Admin. Are there REST Apis for a
new user to register himself? Can you please share the link?
Secondly, is there a way to customize the user registration screen and add
more text box fields? Or would we need to make code changes for that?
Thanks and regards,
Sajid
6 years, 9 months
keycloak.json configuration - link between resource attribute and Keycloak client
by Marc Destefanis
Hi,
I don't understand how the < resource > attribute from the keycloak.json is bound to a client. I explain the case I face :
In my WAR I have a keycloak.json which contains the value < WS > on the < resource > attribute.
I've previously created a < GUI > client that allows me to generate a token and a < WS > client with a bearer-only access type that I use to secure my WARs.
Everything works fine, my WARs are secured and I'm able to request the web services with the token generated with the GUI client.
BUT,
If I change the < resource > attribute value with a client name which doesn't exist it still works.
I can set the < resource > attribute to < anyThing > or < oneTwoThree > etc and it still works even if I didn't create these clients.
I was expecting an error like < the client oneTwoThree doesn't exist > or something else when I request a web service secured in a WAR with a non existing resource value in the keycloak.json file.
Is it a normal behavior ?
Do I misunderstood something or do I have an issue ?
Regards,
Marc Destefanis.
6 years, 9 months
Credential Reset question | secondary email address
by mj
Hi,
We configured a writeable federated ldap (AD) provider. Needs to be
writeable, because we use the keycloak password change function.
Now, in case a user doesn't remember his password, we can use the
"Credential Reset" function, which sends a password reset email to the
LDAP email address.
However, since the user doesn't remember his password, he will not be
able to access the reset email... Chicken and egg situtation...
So we can change the email address in keycloak temporarily, but that
will also change the email in AD LDAP (since it's writeable) which
causes many problems in other ldap-connected applications.
So: Is there a way to send the password reset email to a 'secondary'
email address? Perhaps an address we can manually enter at the moment a
user requests the password reset (using a popup?), or is there a
secondary password field for a user in keycloak? (perhaps importable
from ldap, as we keep secondary emails there as well)
Best regards,
MJ
6 years, 9 months
