Keycloak, iframe, Safari and cookies
by Kristoffer Skaret
Our organization is implementing an OIDC platform based on Keycloak, and so
far we are overall happy with the result. But we are left with one major
issue regarding cookies and iframes.
Background:
- Our OIDC platform will be exposed through public domain on the
Internet, and will be used as an authentication service in a long range of
different web sites
- As a result, the clients to our service will run on different domains
- Many of the client applications will prefer to present the OIDC user
interface in an iFrame
The problem came up when we tried running with this setup using the Safari
browser. As it seems, Safari treats cookies presented in an iframe as 3rd
party cookies. So the browser will refuse to save these, unless a similar
cookie has already been presented.
- Has anybody else experience with this issue?
- Any suggested solutions?
As we have learned, Keycloak is very dependent upon cookies regarding many
different aspects of the functionality. However, we are considering the
option to try and make a fork of Keycloak without the need for cookies.
Many aspects, such as cookie-based SSO, are not relevant in our solution.
Thanks,
Kristoffer
8 years, 3 months
Change root of activation URL
by Sebastian Wilhelm
I have two services, one is my rest-service the other one is the keycloak
service.
When I am using the keycloak-admin-client for triggering features in
keycloak like sending a verification email, I get an Email with the
activation URL like: localhost:xyz
auth/realms/wienenergie/login-actions/action-token?
I am calling the REST API of Keycloak internally via localhost:xyz. What I
wish to do is change this internal local URL to my external URL in the
admin console.
Is this possible?
8 years, 3 months
Accessing redirect url
by Hylton Peimer
Inside a custom Authenticator I am trying to access the original URL
entered at the user's browser.
How can I access this URL in the method:
authenticate(AuthenticationFlowContext) of interface Authenticator?
8 years, 3 months
GET users endpoint is making lots of requests to the database (it's really slow!)
by Cesar Salazar
Hi,
First of all, thanks for the great work on keycloak!
We are using keycloak for an application, and it was working great (until
we launched to production)
We have 150 users which are connected to an Active Directory using the
Federation functionality.
It works, but the endpoint GET /{realm}/users takes about 23 seconds to
respond (Keycloak running on a container in GKE backed by a mysql server on
Google Cloud SQL).
I enabled mysql logging and the problem seems to be that, just to respond to
this endpoint, the server makes 901 queries to the database!
These are the queries:
First query, to get the users:
select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as
CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_,
userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED
as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_,
userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as
FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_,
userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as
REALM_I11_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_71_,
userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where
userentity0_.REALM_ID='my-realm' and
(userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by
userentity0_.USERNAME
Then, for each user, a query like this (getting user attributes, I guess):
select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as
ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_,
attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_
from USER_ATTRIBUTE attributes0_ where
attributes0_.USER_ID='b920df7c-a419-4150-86bd-9f81c7ea0b70'
Then, for each user, 4 queries similar to this (getting credentials, I
guess):
select credential0_.ID as ID1_18_, credential0_.ALGORITHM as ALGORITH2_18_,
credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as
CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as
DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_,
credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_,
credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_,
credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where
credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and
credential0_.TYPE='totp'
The query with type totp is run 2 times; the other 2 are run with type hotp
and password.
And finally one more query for each user (getting required actions, I
guess):
select requiredac0_.USER_ID as USER_ID2_77_0_, requiredac0_.REQUIRED_ACTION
as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_,
requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION
requiredac0_ where
requiredac0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa'
So, in total, for 150 users, Keycloak is making 901 requests to the
database! If I increase the number to 500 users, will it be 30001
requests???
How can this be improved? Is there something wrong I'm doing in the
configuration? Does this happen only with federated users?
Thanks!
--
Cesar Salazar
8 years, 3 months
implicitly pick the IdP for brokering
by Sud Ramasamy
As I understand it, Keycloak currently expects a kc_idp_hint URL attribute if we want to redirect to a brokering IdP from a set of configured IdPs in the realm. Is it possible to accomplish the same behavior without having to specify the kc_idp_hint attribute?
We don’t want the user to have to specify the kc_idp_hint URL attribute when accessing our SaaS application. But we also don’t want to add any URL rewrites in front of the application or in front of Keycloak where the kc_idp_hint param gets set if we can avoid it. We could add a Servlet Filter in the application that sets the kc_idp_hint parameter before passing the request to the Keycloak Java Adapter filter that we use in the application.
Outside of the custom filter option, we were wondering whether doing this entirely in Keycloak is even possible and what that would look like.
Thanks
-sud
8 years, 3 months
REGISTER event: firstName & lastName always NULL
by Thilo Frotscher
Hi all,
In our project there is a requirement to execute some actions after successful
user registrations. I implemented an EventListenerProvider that listens to events
of type REGISTER. The details of this event type only contain the "username" of
the user that just registered, but first name and last name are missing.
So I thought I could retrieve this information from the user storage. But no
matter how I try to read the user information from the user storage, firstName
and lastName are always null.
Is this a bug or a feature? When manually logging on to the Admin Console,
I can see that firstName and lastName have been correctly saved. But how
can I programmatically retrieve the first name and last name of the user
that just registered in my event listener?
Sample code:
    public void onEvent(Event event) {
        if (!EventType.REGISTER.equals(event.getType())) {
            LOGGER.info("Ignoring event of type " + event.getType());
            return;
        }
        String realmId = event.getRealmId();
        RealmModel realm = session.realms().getRealm(realmId);
        String userId = event.getUserId();
        Map<String, String> details = event.getDetails();
        String username = details.get("username");
        printUser(session.users().getUserByUsername(username, realm));
        printUser(session.userLocalStorage().getUserByUsername(username, realm));
        printUser(session.userCache().getUserByUsername(username, realm));
        printUser(session.userStorageManager().getUserByUsername(username, realm));
    }

    private void printUser(UserModel user) {
        if (user == null) {
            LOGGER.info("User is null");
        } else {
            LOGGER.info(user.getFirstName()); // always null
            LOGGER.info(user.getLastName()); // always null
            LOGGER.info(user.getId());
            LOGGER.info(user.getEmail());
            LOGGER.info(user.getUsername());
        }
    }
Actually, I believe firstName and lastName should be part of the event details
in the first place...
Thanks for your help!
Cheers,
Thilo
8 years, 3 months
overriding built-in verify-email RequiredAction
by The Fredo
Hello all,
I need to extend the built-in VerifyEmail RequiredAction a bit (i.e. adding a specific attribute in the LoginFormsProvider, so that the login-verify-email.ftl template displays accordingly). What would be the right way to do this?
I tried to build a new RequiredAction based on the existing VerifyEmail RequiredAction, but it happened to be far too complex for me.
(The only way I made it work was modifying the existing code (of VerifyEmail.java); it allowed me to test that my data is available for the FreeMarker template.)
Thanks in advance !
regards
Keycloak 3.2.1
8 years, 3 months
How to pass custom parameter to Keycloak SAML authentication endpoint
by Pankaj Mahajan
Hi Team,
I have multiple clients (both OIDC and SAML) in a single realm, with multiple identity providers in the same realm. I need to pass a custom parameter in the authentication request, based on which Keycloak can determine to which IDP this request needs to be forwarded, instead of displaying the Keycloak login page.
For OIDC applications the kc_idp_hint query parameter can be used, but I would like to achieve this behavior for SAML applications.
Please let me know, if there is already a provision in Keycloak to achieve the above behavior. If not then please share your thoughts/pointers if any. Thank you in advance.
Thanks & regards,
Pankaj Mahajan
8 years, 3 months
Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy
by Matt McShea
Hello,
I am running into the exact issue described in a previous thread, and was wondering if there have been any updates made in the recent releases that fix this issue.
http://lists.jboss.org/pipermail/keycloak-user/2017-September/011905.html
Like Thomas in that thread, everything works with the nginx reverse proxy, but when I go through the proxy I'm unable to login.
If I use the following line in my proxy configuration, "proxy_set_header X-SSL-CERT $ssl_client_raw_cert", I just get a blank page with no HTML code or anything.
If I use $ssl_client_cert instead, I get redirected to the username/password login as if there wasn't a client certificate.
I am currently using 3.1.0, but upgraded to Wildfly 11.
Thanks,
Matt McShea
8 years, 3 months
Re: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter?
by Ariel Carrera
Ok, it's solved now. After submitting the file multiple times to Microsoft
Windows Defender (from the UI and the web page), it is solved.
The file appears to be clean now for MS.
I updated the virus definitions to the latest version and could check that the
file is OK now.
Thanks.
2018-01-09 16:20 GMT-03:00 Stian Thorgersen <sthorger(a)redhat.com>:
> I'm going to reject the issue. Unless someone else reports it there's
> nothing we can do. Thanks for reporting.
>
> On 9 January 2018 at 20:10, Bruno Oliveira <bruno(a)abstractj.org> wrote:
>
>> Yes, everything is up to date. Like mentioned in my previous e-mail, I'm
>> running Windows 10 VM from https://developer.microso
>> ft.com/en-us/microsoft-edge/tools/vms/.
>>
>> I strongly recommend you to do the same. It's always better to test
>> things in a clean environment.
>>
>>
>> On Tue, Jan 9, 2018 at 1:47 PM Ariel Carrera <carreraariel(a)gmail.com>
>> wrote:
>>
>>> I don't know why we have different Windows Defender results... but it's
>>> Microsoft...
>>>
>>> Bruno, is your Windows (inside the VM) updated? What version is it? Did you
>>> update the virus definitions too?
>>>
>>> I updated the definitions but the problem persists... Here is another screenshot:
>>> [image: image.png]
>>>
>>>
>>> [image: image.png]
>>>
>>>
>>> You can check my windows version in second screenshot. It is version
>>> 10.0.16299.192 (and it was tested in another machine with version (
>>> 10.0.16299.125)).
>>>
>>> Recently, it was tested again with a third machine (at home) in another
>>> network / location / installation. Same problem, virus detected.
>>>
>>> Maybe Microsoft has different versions by location... I don't know...
>>> after updating to the latest version, Windows Defender asked me to send the file to
>>> improve detection (I had not been asked for this before).
>>>
>>>
>>>
>>> 2018-01-09 11:50 GMT-03:00 Bruno Oliveira <bruno(a)abstractj.org>:
>>>
>>>> So I don't have Windows 10, but I managed to run a VM from
>>>> https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/.
>>>>
>>>> After that I cloned the whole Keycloak repository https://github.com/
>>>> keycloak/keycloak-js-bower. Nothing was found, please see the
>>>> screenshot: https://i.imgur.com/1NbFGrn.png.
>>>>
>>>> On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen <sthorger(a)redhat.com>
>>>> wrote:
>>>>
>>>>> Please create an issue with the details. We'll need to figure out how
>>>>> to
>>>>> reproduce the issue though. Seemed like Ramunas had tried, but that
>>>>> Defender wasn't reporting anything for him.
>>>>>
>>>>> On 8 January 2018 at 21:18, Ariel Carrera <carreraariel(a)gmail.com>
>>>>> wrote:
>>>>>
>>>>> > "when your somebody get's a keycloak's distribution to be
>>>>> installed" read
>>>>> > like: "when someone gets Keycloak to be installed" xD
>>>>> >
>>>>> > 2018-01-08 16:56 GMT-03:00 Ariel Carrera <carreraariel(a)gmail.com>:
>>>>> >
>>>>> >> Hi Stian, I checked differences in keycloak.min.js comparing version
>>>>> >> 3.4.1 to 3.4.2.
>>>>> >> I can't see a problem at first sight... but It's still a problem to
>>>>> see
>>>>> >> your antivirus alerting for a threat when your browser access to a
>>>>> page
>>>>> >> that uses "keycloak.min.js" or when your somebody get's a keycloak's
>>>>> >> distribution to be installed.
>>>>> >>
>>>>> >> Maybe this issue must to be in Jira.
>>>>> >>
>>>>> >> Last changes in javascript file can be the problem.
>>>>> >>
>>>>> >> Maybe function "processInit()" needs some changes.
>>>>> >>
>>>>> >> Regards,
>>>>> >>
>>>>> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera <carreraariel(a)gmail.com>:
>>>>> >>
>>>>> >>> Checked with other computer (windows 10 + windows defender).
>>>>> >>>
>>>>> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3
>>>>> >>>
>>>>> >>>
>>>>> >>> 2018-01-03 17:44 GMT-03:00 Ramunas <ramunask(a)gmail.com>:
>>>>> >>>
>>>>> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file
>>>>> >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final"
>>>>> folder
>>>>> >>>> with Windows Defender on Windows 10 - no issues found
>>>>> >>>> * checked for Windows updates. New update "Definition Update for
>>>>> >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)"
>>>>> was found
>>>>> >>>> and installed.
>>>>> >>>> * scanned again. No issues found.
>>>>> >>>>
>>>>> >>>> Ramūnas
>>>>> >>>>
>>>>> >>>
>>>>> >>>
>>>>> >>>
>>>>> >>> --
>>>>> >>> Ariel Carrera
>>>>> >>>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> --
>>>>> >> Ariel Carrera
>>>>> >>
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Ariel Carrera
>>>>> >
>>>>
>>>>
>>>
>>>
>>> --
>>> Ariel Carrera
>>>
>>
>
--
Ariel Carrera
8 years, 3 months
Re: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter?
by Ariel Carrera
Checked with another computer (Windows 10 + Windows Defender).
keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3
2018-01-03 17:44 GMT-03:00 Ramunas <ramunask(a)gmail.com>:
> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file
> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder
> with Windows Defender on Windows 10 - no issues found
> * checked for Windows updates. New update "Definition Update for Windows
> Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and
> installed.
> * scanned again. No issues found.
>
> Ramūnas
>
--
Ariel Carrera
8 years, 3 months
Inter realm authentication
by Pankaj Mahajan
Hi Team,
Is it possible to authenticate a client from one realm with the IDP of another realm?
Like, we have a case where, we have Client-A in Realm-A and we have to authenticate it with IDP-I which is configured in Realm-B.
Is it possible in Keycloak or we need to change our approach to achieve this?
Thanks & regards,
Pankaj Mahajan
8 years, 3 months
Issue in Chrome and FF
by Tony Harris
After logging in to the admin Console in either Chrome or FF we are presented with a blank white screen and the following error in the browser console
app.js:31 XHR failed loading: GET "https://xxxxxxxx.com/auth/admin/master/console/whoami". whoAmI @ app.js:31
app.js:31 GET https://xxxxxxxx.com/auth/admin/master/console/whoami net::ERR_CONNECTION_CLOSED
app.js:76 Uncaught TypeError: error is not a function
at app.js:76
at XMLHttpRequest.req.onreadystatechange (app.js:26)
It ends up in the error handler section because the attempt to connect to the keycloak whoami end point fails with a 500 response, there is nothing in the JBoss logs. It looks very similar to the following Jira issue, but we do not end up in a redirect loop and we are not seeing the 401 Unauthorised.
https://issues.jboss.org/browse/KEYCLOAK-4735
Interestingly, IE 11 gets a 200 response from the whoami end point.
If we delete a recently created realm then Chrome goes back to working. However, the same realm created on another instance of Keycloak (it's created by a script, so we know it's the same in both) has no issues. Other realms in this same Keycloak instance created via the script do not cause any issues. Has anyone seen this before?
Server Info
  Server Version: 3.1.0.Final
  Server Profile: Community
  Server Time: Tue Jan 09 09:56:53 UTC 2018
  Server Uptime: 11 days, 1 hour, 22 minutes, 39 seconds
Memory
  Total Memory: 455 MB
  Free Memory: 251 MB (55%)
  Used Memory: 204 MB
System
  Current Working Directory: /opt/jboss
  Java Version: 1.8.0_121
  Java Vendor: Oracle Corporation
  Java Runtime: OpenJDK Runtime Environment
  Java VM: OpenJDK 64-Bit Server VM
  Java VM Version: 25.121-b13
  Java Home: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre
  User Name: jboss
  User Timezone: UTC
  User Locale: us_EN
  System Encoding: ANSI_X3.4-1968
  Operating System: Linux 4.9.62-21.56.amzn1.x86_64
  OS Architecture: amd64
Tony Harris
Java Developer
8 years, 3 months
Does Keycloak support a "Minimum password age"?
by Peter K. Boucher
We have a customer requirement that users not be able to change their
passwords more frequently than once per day.
We are currently using Keycloak 3.1. Does any later version of Keycloak
support (or plan to support) a "Minimum password age"?
Thanks!
8 years, 3 months
CORS support
by Kevin Price
Hi everyone,
I’m on the support team with the 3scale product and I’m currently writing a JS client for our Developer Portal to be used with RH SSO & our interactive documentation tool. So I have a question around supporting CORS on the keycloak server.
I’m currently just running my Keycloak instance as a native Java app server. Is there any way to configure CORS either on the server level or realm level? Typically users would log into the portal to test their own application (client) credentials via the Swagger specification; however, this means every individual application stored in the Keycloak server needs to have the Web Origins field configured to allow requests from the developer portal domain. I would prefer to avoid this additional configuration.
Apologies in advance if this is already covered in your documentation but I did take a look and I couldn’t find anything relevant.
Appreciate any help on this.
Regards,
Kevin Price
8 years, 3 months
security question
by Benjamin garcia
Hello,
I would like to use Keycloak in my architecture, but I have (maybe) an issue in my design:
I have 3 applications:
- AngularJS apps for the frontend
- a Scalatra API to respond to the frontend through HTTP, which asks the Spring Boot app for some data,
- a Spring Boot app for CRUD requests on databases.
I would like to transfer the bearer authentication from the front to the Spring Boot app through the Scalatra API, to ensure that the request sent to the DB is from the right user. I'm not really sure that's the right use case, because, in my mind, if I use Keycloak, it's so that I do not have to modify parts of my code base with security knowledge. But in this use case, I'm forced to pass the JWT token through my whole stack (which is not really cool).
Does somebody know if I can do that, or if a better way exists?
Regards
Benjamin Garcia
8 years, 3 months
Forward Keycloak Events to Kafka
by Thomas Darimont
Hello,
just wanted to know if someone on this mailing list has already built a
Keycloak extension that forwards Keycloak user / admin events to Kafka?
Cheers,
Thomas
8 years, 3 months
login-status-iframe.html returning 403 with init parameters
by Oleg Gusakov (ogusakov)
I am trying to use the keycloak js adapter to manage the OIDC session. I am able to load the login-status-iframe.html page by itself when not using any init parameters.
However, when the init parameters are added: login-status-iframe.html/init?client_id=someclient&origin=https%3A%2F%2Flocalhost%3A8443, the iframe receives a 403 response.
8 years, 3 months
CORS in Keycloak 3.4
by Jonas Schönenberger
Hey there
I’ve been trying to figure out how to enable CORS in the later versions of
KeyCloak. I can’t seem to find a valid way to achieve this besides
hardcoding response headers in the standalone.xml. I’m using a standalone
deployment.
I know the functionality to handle preflight and other CORS scenarios is
there, so there must surely be a way to activate it?
Could somebody enlighten me please?
Thanks a lot
Jonas
8 years, 3 months
changing password not working with api
by Juan Diego
Hi,
I did some tests months ago, and I was pretty sure the following code
worked. Now when I am trying to implement a password change it doesn't
work. I am using basically the same way to change the last name of the
users, and it works. I can see the last name change in the Keycloak
server. But when I try to log in as the user whose password I just changed,
I have to use the old password.
Anyway this is my code:
    UserResource ur = kc.realm(realm).users().get(id);
    UserRepresentation user = ur.toRepresentation();
    CredentialRepresentation credential = new CredentialRepresentation();
    credential.setType(CredentialRepresentation.PASSWORD);
    credential.setValue(password);
    credential.setTemporary(false);
    user.setCredentials(asList(credential));
    ur.update(user);
8 years, 3 months
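As an added example (my code, not the poster's and not Keycloak's), the same password change done through the admin client's UserResource.resetPassword, which calls the Admin REST API's reset-password endpoint, the documented way to set a user's password, followed by a direct-grant login that confirms the new password is actually in effect. It assumes the Keycloak 3.x admin client API, a realm client with Direct Access Grants enabled, and placeholder server URL, realm, client and user names.

```java
import javax.ws.rs.NotAuthorizedException;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.CredentialRepresentation;

public class AdminPasswordReset {

    /** Sets a new password for the user and ends the user's existing sessions. */
    static void resetPassword(Keycloak kc, String realm, String userId,
                              String newPassword, boolean temporary) {
        UserResource ur = kc.realm(realm).users().get(userId);

        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue(newPassword);
        credential.setTemporary(temporary); // true forces UPDATE_PASSWORD at the next login

        // PUT /admin/realms/{realm}/users/{id}/reset-password: the credential goes to the
        // dedicated endpoint instead of riding along in the UserRepresentation on update().
        ur.resetPassword(credential);

        // Sessions opened with the old password should not outlive it.
        ur.logout();
    }

    /** Confirms the change by obtaining a token with the new password (direct grant). */
    static boolean passwordWorks(String serverUrl, String realm, String clientId,
                                 String username, String password) {
        Keycloak asUser = KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .clientId(clientId) // this client needs "Direct Access Grants Enabled"
                .username(username)
                .password(password)
                .build();
        try {
            return asUser.tokenManager().getAccessToken() != null;
        } catch (NotAuthorizedException e) { // HTTP 401 invalid_grant: wrong password
            return false;
        } finally {
            asUser.close();
        }
    }

    public static void main(String[] args) {
        String serverUrl = "https://sso.example.test/auth"; // placeholder
        String realm = "my-realm";                           // placeholder
        Keycloak admin = KeycloakBuilder.builder()
                .serverUrl(serverUrl).realm("master").clientId("admin-cli")
                .username("admin").password(args[0]).build();

        String userId = admin.realm(realm).users().search("jdoe").get(0).getId();
        resetPassword(admin, realm, userId, "new-secret", false);
        System.out.println("new password works: "
                + passwordWorks(serverUrl, realm, "my-client", "jdoe", "new-secret"));
        admin.close();
    }
}
```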
OpenID Connect IdP and nonce parameter
by Raphaël HOAREAU
Hi,
I'm facing an issue where I use an external oidc IdP (FranceConnect) for
my users to log in.
When trying to log in with this provider, I have this error:
{"status":"fail","message":"The following fields are missing or empty : nonce"}
If I put, manually, &nonce=someRandomInt in the URL, the process continues.
Am I missing something in my Identity Provider configuration? Is there
a way to add a parameter when requesting the external provider?
Regards,
Raphaël HOAREAU.
8 years, 3 months
Re: [keycloak-user] Unable to register provider implementation: not a subtype exception
by Alessandro Tundo
Hi folks!
Someone could help me out with this?
Best regards,
Alessandro
2017-12-20 16:52 GMT+01:00 Alessandro Tundo <aletundo(a)wikitolearn.org>:
> Hi folks!
>
> I followed the documentation for implementing and registering a SPI but
> I'm not able to deploy it correctly.
>
> The raised exception is:
>
> java.util.ServiceConfigurationError:
> org.keycloak.credential.hash.PasswordHashProviderFactory: Provider
> org.wikitolearn.keycloak.provider.MediaWikiBTypePasswordHashProviderFactory
> not a subtype
>
> I tried both registration ways but the outcome is the same. The .jar I'm
> trying to deploy has the following structure:
>
>
> - META-INF/services/org.keycloak.credential.hash.PasswordHashProviderFactory
> - org/wikitolearn/keycloak/provider/MediaWikiBTypePasswordHashProviderFactory.class
> - org/wikitolearn/keycloak/provider/MediaWikiBTypePasswordHashProvider.class
>
> The factory and the provider implement PasswordHashProviderFactory
> and PasswordHashProvider respectively.
>
> I would like also to point out that the SPI works correctly in my Keycloak
> fork. But as you can imagine, a fork is not a good option, especially when
> more elegant ways are available to extend the software programmatically
> without a fork.
>
> I'm looking forward to receiving your reply asap.
>
> Thank you!
>
> Alessandro
>
8 years, 3 months
cockroachdb
by Simon Payne
Hi,
has anyone successfully managed to use cockroachdb with keycloak?
if so, what steps were taken?
thanks
Simon.
8 years, 3 months
[Feature request] Adding scheduled tasks / change order of required actions / searchable user attributes
by Tomás García
Hi,
I'm trying to fulfill the needs of the GDPR of my company in Keycloak
and I noticed these things:
- I cannot add a scheduled task. I don't know where to put code like you
have in KeycloakApplication, like:
    TimerProvider timer = session.getProvider(TimerProvider.class);
    timer.schedule(new ClusterAwareScheduledTaskRunner(sessionFactory, new ClearExpiredEvents(), interval),
                   interval, "ClearExpiredEvents");
so that I can add a recurrent task starting from the startup of Keycloak. My
use case is that I want to remove users that didn't verify their email or
accept terms & conditions within a week of first registration. So I was
thinking of adding a task to be run daily to do that.
- The order of required actions execution is alphabetical, so if I
wanted a custom required action to be run after the "Verify email" action I
need to be sure that the name of my custom required action starts with "W"
at least. A UI like what we already have in the Authenticators
part would be nice.
- There are no facilities inside Keycloak to search users with a specific
attribute key or value. It would be nice too to have long integers as
attribute values, in case we want to search for users with greater / less
than a specific timestamp attribute like the one you use in the terms &
conditions required action. For example, for the removal task, I'd like to
search for users without a custom attribute, then I'll remove those. I
guess I'll just extend the data model if needed to workaround this issue.
- If someone declines the terms & conditions, the user is redirected to a
blank page with an "error" in the screen. I don't care about this since I'm
going to make my custom required action if I can find an alternative for
the things I'm saying above.
If I'm wrong about something, please let me know.
Thanks,
Tomás
8 years, 3 months
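As an added example (my code, not Keycloak's and not the poster's) of where a deployable extension can do the scheduling asked about above: Keycloak calls postInit on every provider factory once at startup, so a no-op EventListenerProviderFactory (hypothetical class and package names) can schedule a daily ClusterAwareScheduledTaskRunner there that removes users who registered more than a week ago and still have not verified their e-mail or accepted the terms. Method and class names are from the Keycloak 3.x API as I know it, and the runner class requires the keycloak-services module on the deployment's classpath.

```java
package example.gdpr; // hypothetical package; register the factory in
                      // META-INF/services/org.keycloak.events.EventListenerProviderFactory

import java.util.ArrayList;
import java.util.concurrent.TimeUnit;

import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner;
import org.keycloak.timer.ScheduledTask;
import org.keycloak.timer.TimerProvider;

public class UnverifiedUserCleanupFactory implements EventListenerProviderFactory {

    private static final Logger LOG = Logger.getLogger(UnverifiedUserCleanupFactory.class);
    private static final long INTERVAL_MS = TimeUnit.DAYS.toMillis(1); // run once a day
    private static final long GRACE_MS = TimeUnit.DAYS.toMillis(7);    // a week after registration
    // alias of the built-in Terms and Conditions action; it stores the acceptance time
    // in a user attribute of the same name
    private static final String TERMS = "terms_and_conditions";

    /** The recurring job; ClusterAwareScheduledTaskRunner runs it on one cluster node per interval. */
    static class CleanupTask implements ScheduledTask {
        @Override
        public void run(KeycloakSession session) {
            long cutoff = System.currentTimeMillis() - GRACE_MS;
            for (RealmModel realm : session.realms().getRealms()) {
                boolean verifyEmail = realm.isVerifyEmail();
                RequiredActionProviderModel terms = realm.getRequiredActionProviderByAlias(TERMS);
                boolean requireTerms = terms != null && terms.isEnabled();
                if (!verifyEmail && !requireTerms) continue; // nothing to enforce (e.g. master realm)
                // defensive copy: do not remove while iterating the list the provider handed out
                for (UserModel user : new ArrayList<>(session.users().getUsers(realm, false))) {
                    if (!shouldRemove(user, cutoff, verifyEmail, requireTerms)) continue;
                    LOG.infof("removing user %s from realm %s: registration not completed in a week",
                            user.getUsername(), realm.getName());
                    session.users().removeUser(realm, user);
                }
            }
        }
    }

    /** Local user, registered at least a week ago, still missing e-mail verification or terms acceptance. */
    static boolean shouldRemove(UserModel user, long cutoff, boolean verifyEmail, boolean requireTerms) {
        if (user.getFederationLink() != null) return false; // directory-managed users are not ours to delete
        Long created = user.getCreatedTimestamp();
        if (created == null || created > cutoff) return false; // unknown age, or still in the grace period
        boolean emailPending = verifyEmail && !user.isEmailVerified();
        boolean termsPending = requireTerms && user.getFirstAttribute(TERMS) == null;
        return emailPending || termsPending;
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        // Invoked once at server start after all providers are initialised: the same moment at which
        // KeycloakApplication schedules ClearExpiredEvents, but reachable from an extension.
        KeycloakModelUtils.runJobInTransaction(factory, session -> {
            TimerProvider timer = session.getProvider(TimerProvider.class);
            timer.schedule(new ClusterAwareScheduledTaskRunner(factory, new CleanupTask(), INTERVAL_MS),
                    INTERVAL_MS, "UnverifiedUserCleanup");
        });
    }

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        // The factory exists only to obtain the postInit hook; the provider itself does nothing.
        return new EventListenerProvider() {
            @Override public void onEvent(Event event) { }
            @Override public void onEvent(AdminEvent event, boolean includeRepresentation) { }
            @Override public void close() { }
        };
    }

    @Override public void init(Config.Scope config) { }
    @Override public void close() { }
    @Override public String getId() { return "unverified-user-cleanup"; }
}
```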
Add required action "Update Password" to all users after Password Policy change
by Steve Hoffman
Currently updating the Password Policy for a realm, and I was looking for an easier (safer) way of forcing users to update password on login once we've set our new preferences.
I'm aware that I can iterate through the users in the admin console (time/cost prohibitive) or POST/Update to the Admin REST API for each individual user after a GET for the user list.
Is there another simpler built-in mechanism that I'm overlooking?
Thanks,
Stephen Hoffman
8 years, 3 months
Keycloak JS + Cordova Adapter + iOS
by Jens Schliesser
Hello,
we have an Angular4 web application running with keycloak.js that works
great.
We are now trying to put this application into a cordova container running
on iOS, but in the login function of the keycloak cordova adapter
    var loginUrl = kc.createLoginUrl(options);
    var ref = window.open(loginUrl, '_blank', o);
ref is always null, so adding the event listener fails ?!?
We are bootstrapping (main.ts) our angular application like this:
    function bootstrapKeyCloak() {
        KeycloakService.init({
            'url': environment.keycloakConfig.url,
            'realm': environment.keycloakConfig.realm,
            'clientId': environment.keycloakConfig.clientId,
        }, {
            onLoad: 'login-required',
            flow: 'standard'
        }).then(() => {
            platformBrowserDynamic().bootstrapModule(AppModule);
        }).catch((e: any) => {
            alert(e);
        });
    }

    if (typeof window['cordova'] !== 'undefined') {
        if (document) {
            document.addEventListener('deviceready', () => {
                bootstrapKeyCloak();
            }, false);
        }
    } else {
        bootstrapKeyCloak();
    }
Any ideas why window.open fails and how to fix this?
--
Kind Regards,
Jens Schliesser
8 years, 3 months
custom ldap attribute mapper
by Kevin Hirschmann
Hello,
I would like to add my own custom user-attribute-ldap-mapper. It is needed because the usernames, groups and roles of a test environment are prefixed to distinguish them from production usernames etc.
First I took the example "user-storage-simple" which worked right away.
Now I transferred this to LDAP mappers. I created a maven project, added
a) A class org.keycloak.examples.ldap.mappers.XxMapperFactory
b) a file org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory and added to it the entry org.keycloak.examples.ldap.mappers.XxMapperFactory
c) I added a jboss-deployment-structure.xml file
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="org.keycloak.keycloak-server-spi-private" />
</dependencies>
</deployment>
</jboss-deployment-structure>
I added the jboss-deployment-structure.xml because I found this https://issues.jboss.org/browse/KEYCLOAK-4428 which
matches my problem
INFO [org.jboss.as.server.deployment] (MSC service thread 1-8) WFLYSRV0027: Starting deployment of "ldap-mapper-example.jar" (runtime-name: "ldap-mapper-example.jar")
WARN [org.jboss.as.dependency.private] (MSC service thread 1-6) WFLYSRV0018: Deployment "deployment.ldap-mapper-example.jar" is using a private module ("org.keycloak.keycloak-server-spi-private:main") which may be changed or removed in future versions without notice.
WARN [org.jboss.modules] (MSC service thread 1-6) Failed to define class org.keycloak.examples.ldap.mappers.XxMapperFactory in Module "deployment.ldap-mapper-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/ldap/mappers/XxMapperFactory (Module "deployment.ldap-mapper-example.jar:main" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPConfigDecorator
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78)
at org.jboss.modules.Module.loadModuleClass(Module.java:605)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Unknown Source)
at java.util.ServiceLoader$LazyIterator.nextService(Unknown Source)
at java.util.ServiceLoader$LazyIterator.next(Unknown Source)
at java.util.ServiceLoader$1.next(Unknown Source)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206)
at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112)
at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
But it didn't help (why would I write this mail if it did).
What have I missed?
Thx
Kevin
8 years, 3 months
Fwd: Trojan in Keycloak Javascript Adapter?
by Ariel Carrera
Hi, I have downloaded Keycloak Javascript Adapter from
http://www.keycloak.org/downloads.html
and when it is done, a Windows Defender popup alerts about a Trojan inside.
Windows Defender info:
adapter file: keycloak-js-adapter-dist-3.4.2.Final.zip
trojan name: Trojan:JS/Jorv.A!cl
file: keycloak-js-adapter-dist-3.4.2.Final/keycloak.min.js
Am I the only one with this problem?
Thanks,
--
Ariel Carrera
8 years, 3 months
Password Policy API end points
by Tony Harris
Wondering if anyone can point me in the right direction.
I want to be able to add and amend password policy settings on a realm via the REST API. I can see how to retrieve the available PasswordPolicyTypeRepresentation from the ServerInfoRepresentation object, and the basic human-readable string representation of the password policy against the realm from the RealmRepresentation, but I cannot find a way of adding or amending the realm-specific password policy settings. Is this even currently possible with the API?
Tony
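One way to do what the post asks, as an added example (not code from the post or from Keycloak): the realm's passwordPolicy string is both read and written through the RealmRepresentation, so amending it is a GET of /admin/realms/{realm}, a string merge, and a PUT of the representation. The helper names, the host in the docstring and the bearer token are assumptions; the policy ids used are Keycloak's built-in policy providers.

```python
"""Set a realm's password policy through the Keycloak Admin REST API.
Added example, not code from the list post or from Keycloak.  Assumes the
bearer token already carries manage-realm on the target realm."""
import json
import re
import urllib.request
from typing import Dict, List, Tuple

# Keycloak stores the policy as one string, "id(value) and id(value) ...",
# which is the RealmRepresentation.passwordPolicy field the post can already
# read back.  A policy without a value is written bare or, by the admin
# console, as "id(undefined)"; both forms parse here.
_ELEMENT = re.compile(r"^(\w+)(?:\((.*)\))?$")


def parse_policy(policy: str) -> List[Tuple[str, str]]:
    """Split a policy string into ordered (policyId, value) pairs."""
    if not policy or not policy.strip():
        return []
    pairs = []
    for element in policy.split(" and "):
        match = _ELEMENT.match(element.strip())
        if not match:
            raise ValueError(f"malformed policy element: {element!r}")
        pairs.append((match.group(1), match.group(2) or ""))
    return pairs


def build_policy(pairs: List[Tuple[str, str]]) -> str:
    """Inverse of parse_policy; value-less policies are written bare."""
    return " and ".join(f"{pid}({val})" if val else pid for pid, val in pairs)


def merge_policy(existing: str, required: Dict[str, str]) -> str:
    """Amend an existing policy: replace values for ids already present and
    append the rest, keeping the realm's original ordering intact."""
    pairs = parse_policy(existing)
    present = {pid for pid, _ in pairs}
    merged = [(pid, required.get(pid, val)) for pid, val in pairs]
    merged += [(pid, val) for pid, val in required.items() if pid not in present]
    return build_policy(merged)


def update_password_policy(base_url: str, realm: str, token: str,
                           required: Dict[str, str]) -> int:
    """GET /admin/realms/{realm}, merge the policy, PUT the representation
    back.  base_url is the server root including /auth, e.g.
    https://sso.example.test/auth (hypothetical host).  Returns the HTTP
    status; Keycloak answers 204 No Content on success."""
    url = f"{base_url}/admin/realms/{realm}"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        rep = json.load(resp)
    rep["passwordPolicy"] = merge_policy(rep.get("passwordPolicy") or "", required)
    put = urllib.request.Request(url, data=json.dumps(rep).encode("utf-8"),
                                 headers=headers, method="PUT")
    with urllib.request.urlopen(put) as resp:
        return resp.status


if __name__ == "__main__":
    # Example values only; the ids are Keycloak's built-in policy providers.
    wanted = {"length": "12", "digits": "1", "upperCase": "1",
              "specialChars": "1", "notUsername": "undefined",
              "passwordHistory": "5"}
    print(merge_policy("length(8) and hashIterations(27500)", wanted))
```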
8 years, 3 months
Problem with Keys
by Karol Buler
Hi Keycloak community!
At the beginning I would wish you a Happy New Year! :)
About the problem... If we run Keycloak as a docker container, every time Keycloak
is rebooted the Keys (Realm Settings -> Keys) are generated again. The result
is that each application which uses Keycloak's adapter throws a "Didn't
find publicKey for specified kid" error. This error occurs because the
Keys are not rotated in the right way, and the application does not know about
the rotation.
Have you met this problem? What is your workaround? Is it an issue?
Best regards,
Karol
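The adapter-side half of the error in this post, as an added example that is not code from the post or from Keycloak's adapters: an adapter caches the realm's JWKS, re-fetches it when a token carries an unknown kid, and rate-limits that re-fetch. The FakeRealm, its kid values and the header-only tokens are constructed; the example contrasts a proper rotation (old key kept as a passive, still-published key) with a restart that regenerates the keystore.

```python
"""Resolve a token's kid against a realm's published keys the way an OIDC
adapter must: cache the JWKS, re-fetch on an unknown kid, rate-limit that
re-fetch.  Added example, not code from the post or from Keycloak.  FakeRealm
is a constructed stand-in for /auth/realms/<realm>/protocol/openid-connect/certs."""
import base64
import json
from typing import Callable, Dict, List


class UnknownKidError(Exception):
    """The condition behind "Didn't find publicKey for specified kid"."""


class JwksCache:
    def __init__(self, fetch_jwks: Callable[[], dict], clock: Callable[[], float],
                 min_refresh_interval: float = 10.0) -> None:
        self._fetch, self._clock = fetch_jwks, clock
        self._min_interval = min_refresh_interval
        self._keys: Dict[str, dict] = {}
        self._last_refresh = float("-inf")
        self.refreshes = 0  # counted so the rate limit is observable

    def _refresh(self) -> None:
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._last_refresh = self._clock()
        self.refreshes += 1

    def key_for(self, kid: str) -> dict:
        """Cached key for kid; an unknown kid triggers at most one re-fetch per interval."""
        stale = self._clock() - self._last_refresh >= self._min_interval
        if kid not in self._keys and stale:
            self._refresh()
        if kid not in self._keys:
            raise UnknownKidError(kid)
        return self._keys[kid]


def jwt_kid(token: str) -> str:
    """kid from the unverified JWT header: a lookup hint only, never trusted."""
    header = token.split(".")[0]
    header += "=" * (-len(header) % 4)
    return json.loads(base64.urlsafe_b64decode(header))["kid"]


def fake_token(kid: str) -> str:
    """Constructed header-only JWT; payload and signature are placeholders."""
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"


class FakeRealm:
    """Constructed realm: what its certs endpoint publishes over time."""
    def __init__(self) -> None:
        self.keys: List[dict] = [{"kid": "kid-2017", "kty": "RSA", "use": "sig"}]

    def jwks(self) -> dict:
        return {"keys": list(self.keys)}

    def restart_with_regenerated_keys(self) -> None:
        # What the post describes: a fresh container generates a new key pair
        # and nothing remembers the old one, so its kid is no longer published.
        self.keys = [{"kid": "kid-2018", "kty": "RSA", "use": "sig"}]

    def rotate_properly(self) -> None:
        # A new active key is added; the old one stays published as a passive
        # (verify-only) key, so tokens issued before the rotation still validate.
        self.keys = [{"kid": "kid-2018", "kty": "RSA", "use": "sig"}] + self.keys


def old_token_still_resolves(proper_rotation: bool) -> bool:
    """Adapter caches the keys, a token is issued under the old kid, the
    realm's keys change, then that token is presented again."""
    realm, now = FakeRealm(), [0.0]
    cache = JwksCache(realm.jwks, lambda: now[0])
    old_token = fake_token("kid-2017")
    cache.key_for(jwt_kid(old_token))  # first lookup fills the cache
    (realm.rotate_properly if proper_rotation else realm.restart_with_regenerated_keys)()
    now[0] += 60.0
    cache.key_for(jwt_kid(fake_token("kid-2018")))  # new kid: exactly one re-fetch
    try:
        cache.key_for(jwt_kid(old_token))
        return True
    except UnknownKidError:
        return False
```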
8 years, 3 months
admin user in clustered domain
by Olivier Rivat
Hi,
I am trying to set up a clustered domain.
I have been able to boot the master and the slave as described in Keycloak.
But when trying to log in, I cannot with user admin.
Troubleshooting I have done so far:
1) With standalone mode (or standalone cluster mode), the first login screen
is the welcome screen to define the admin user and password.
With clustered domain, I never obtain this, but a usual login screen,
asking for username/password.
Of course, I cannot answer this, as the admin has not yet been defined.
2) I have also tried the script add-user-keycloak.sh
bin/add-user-keycloak.sh -r master -u admin6 -p admin6 --domain
Added 'admin6' to
'/home/orivat/rh_test/rh-sso-7.1/domain/configuration/keycloak-add-user.json',
restart server to load user
It creates a file domain/configuration/keycloak-add-user.json, but this
file is never loaded upon restart of the RH-SSO domain cluster instance (master or
slave).
(I have seen the equivalent file being loaded when doing standalone
cluster tests).
So my question is very simple:
How is it possible to get hold of an admin user allowing me to connect to
the Keycloak admin master login screen?
Regards,
Olivier Rivat
8 years, 3 months
Deadlock Encountered while Trying Keycloak with Azure SQL
by Buddhi Iroshana
Hi Team,
I am running the community version of Keycloak (version 2.3.0.Final). I
am using Azure SQL (https://azure.microsoft.com/en-us/services/sql-database)
as the database server for this Keycloak instance.
The Keycloak instance is deployed in an Azure VM in this scenario.
Keycloak started successfully without any issues with Azure SQL database.
I have a JMeter script which invokes the following two Keycloak RESTful
endpoints with 10 parallel threads (which can be considered as 10 different
clients).
1. POST auth/admin/realms/iotpdev/users - User creation
2. PUT auth/admin/realms/iotpdev/users/<USERID>/groups/ - Adding users
to a group
Behaviour:
During the first few invocations, the above two endpoints executed
successfully without any issue.
But after some time, Keycloak was logging database deadlock exceptions
in the log file. The stack trace for this exception is as follows:
---------------------------------
07:13:34,079 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-15) SQL Error: 1205, SQLState: 40001
07:13:34,080 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-15) Transaction (Process ID 123) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
07:13:34,097 ERROR [io.undertow.request] (default task-15) UT005023: Exception handling request to /auth/admin/realms/iotpdev/users: org.jboss.resteasy.spi.UnhandledException: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1700)
    at org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate(AbstractQueryImpl.java:70)
    at org.keycloak.models.jpa.UserAdapter.removeAttribute(UserAdapter.java:161)
    at org.keycloak.models.jpa.UserAdapter.setAttribute(UserAdapter.java:137)
    at org.keycloak.services.resources.admin.UsersResource.updateUserFromRep(UsersResource.java:267)
    at org.keycloak.services.resources.admin.UsersResource.createUser(UsersResource.java:216)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Caused by: org.hibernate.exception.LockAcquisitionException: could not execute statement
    at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:123)
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:95)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:207)
    at org.hibernate.hql.internal.ast.exec.BasicExecutor.doExecute(BasicExecutor.java:91)
    at org.hibernate.hql.internal.ast.exec.BasicExecutor.execute(BasicExecutor.java:60)
    at org.hibernate.hql.internal.ast.exec.DeleteExecutor.execute(DeleteExecutor.java:111)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.executeUpdate(QueryTranslatorImpl.java:429)
    at org.hibernate.engine.query.spi.HQLQueryPlan.performExecuteUpdate(HQLQueryPlan.java:374)
    at org.hibernate.internal.SessionImpl.executeUpdate(SessionImpl.java:1348)
    at org.hibernate.internal.QueryImpl.executeUpdate(QueryImpl.java:102)
    at org.hibernate.jpa.internal.QueryImpl.internalExecuteUpdate(QueryImpl.java:405)
    at org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate(AbstractQueryImpl.java:61)
    ... 55 more
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: Transaction (Process ID 123) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.
    at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:216)
    at com.microsoft.sqlserver.jdbc.SQLServerStatement.getNextResult(SQLServerStatement.java:1515)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.doExecutePreparedStatement(SQLServerPreparedStatement.java:404)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement$PrepStmtExecCmd.doExecute(SQLServerPreparedStatement.java:350)
    at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:1715)
    at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeCommand(SQLServerStatement.java:180)
    at com.microsoft.sqlserver.jdbc.SQLServerStatement.executeStatement(SQLServerStatement.java:155)
    at com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.executeUpdate(SQLServerPreparedStatement.java:314)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
    ... 64 more
-------------------------
This JMeter script will create 1000 users in 10 threads, so the above user
creation and add-to-group endpoints will each be invoked 1000 times with a
typical TPS of 1 - 2 requests per second.
When we run the JMeter script several times, we can create all 1000 users:
in the first round it creates approximately 300 users and the other 700
requests fail due to the above deadlock issue; on the second run it creates
another 200 users, and so on (at some point we get all 1000 users).
The dialect which I am using for this instance is
org.hibernate.dialect.SQLServer2012Dialect.
Are there any specific configurations to be done if we are using Azure SQL
as the database?
I am attaching the complete log file herewith.
Appreciate your help on this.
Regards,
Buddhi Iroshana De Silva
8 years, 3 months
Correct Maven dependencies in 3.4.2 Keycloak and admin client
by Tero Ahonen
Hi,
What are the correct Maven settings to get keycloak-admin-client working on Wildfly 10?
From the command line client it works with the dependencies below. When using the same code in Wildfly with the most recent Keycloak module, execution fails with the following:
Caused by: javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"])
at [Source: org.apache.http.conn.EofSensorInputStream@9d6aba2; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"])
I got that fixed in the command line example by changing the Jackson provider to resteasy-jackson2-provider:
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-core</artifactId>
  <version>3.4.2.Final</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-adapter-core</artifactId>
  <version>3.4.2.Final</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-common</artifactId>
  <version>3.4.2.Final</version>
</dependency>
<dependency>
  <groupId>org.keycloak</groupId>
  <artifactId>keycloak-admin-client</artifactId>
  <version>3.4.2.Final</version>
</dependency>
<dependency>
  <groupId>org.jboss.resteasy</groupId>
  <artifactId>resteasy-client</artifactId>
  <version>3.0.24.Final</version>
  <scope>provided</scope>
</dependency>
<dependency>
  <groupId>org.jboss.resteasy</groupId>
  <artifactId>resteasy-jackson2-provider</artifactId>
  <version>3.0.24.Final</version>
  <scope>provided</scope>
</dependency>
8 years, 3 months