JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources
by Andreas Lau
Hello,
we deployed a jsf primfaces application on a JBoss EAP 7.0 System. We have to support multiple clients using multi tenancy. We followed the instructions of the documentation [1] to build up a CustomKeycloakConfigResolver.
We configured the web.xml like this:
[web.xml]
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>portal</web-resource-name>
<url-pattern>/portal/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>public</web-resource-name>
<url-pattern>/portal/pages/willkommen.jsf</url-pattern>
<url-pattern>/portal/pages/logout.jsf</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>KEYCLOAK</auth-method>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
...
<context-param>
<param-name>keycloak.config.resolver</param-name>
<param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value>
</context-param>
...
</web-app>
As you can see everything under portal is restricted with two exceptions. The code of MandantBasedKeycloakConfigResolver is straight forward and adapted to the example code [2]. In our example we consider that the url has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1".
After deployment I realized, that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out the KeycloakConfigResolver.resolve() methode is called for every resource that is loaded through get requests to display the site. I did not expect that many invocation, since the resources are not protected.
Can you please tell me if this behaviour is correct? What is my error in adopting the mulity tenancy sample? How can we prevent/workaround that many calls?
While researching I found a jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use keycloak to secure a spring boot application and have troubles when a sso redirection occurs.
Regards,
Andreas
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
[2] public KeycloakDeployment resolve(HttpFacade.Request request) {
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++);
final String mandantId = request.getFirstParam("kId");
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId);
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI());
if (mandantId == null || mandantId.isEmpty()) {
// throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!");
return null;
}
KeycloakDeployment deployment = cache.get(mandantId);
if (deployment == null) {
String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId);
InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename);
if (is == null) {
// throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename);
return null;
}
LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null));
deployment = KeycloakDeploymentBuilder.build(is);
cache.put(mandantId, deployment);
}
return deployment;
}
[3]
17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0
17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3
17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3
17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen
17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<<
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1
17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
.......
17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null
17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout
17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found!
at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:]
at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final]
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112]
5 years, 6 months
Instalation and configuration dilemmas
by Bojan Milosavljević
Hello,
With respect, I'll get straight to the point - I installed Keycloak on
remote machine, there I have PostgreSQL database which I want to secure
with Keycloak.
However, I have 2 doubts.
1) Does Keycloak (4.5.0) require to be used with WildFly server in order to
be able to properly secure applications (I will connect to db using Android
and iOS apps)? Because AeroGear has tutorials but with 1.1.0 version of
Keycloak where WildFly is necessary to secure application.
2) As far as I've understood I need to have some sort of back-end service
which will be used to unpack and test permissions written on tokens (cause
I don't see how can I use only Keycloak to access to db through it?) and
that back-end will take care of db access and Keycloak is only used as
token provider as far as I can tell? Am I wrong? If so, how can I use
Keycloak to properly secure this db and access it through say Android app?
Thank you in advance,
Bojan Milosavljevic.
5 years, 6 months
LDAP user group membership not syncing
by Luiz Carlos
Hi everyone
I'm trying to sync the LDAP groups into Keycloak but it doesn't update the
membership if I add or remove it from a group in LDAP.
I was able to sync the groups and its users into Keycloak correctly if
those wasn't provisioned before. For example, if the user already exists in
Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also
provisioned from LDAP), the user in Keycloak continues to being a member of
the group in the Groups tab of user's details screen and in client's group
mappers. However, if I open the Members tab of group's details screen the
user was removed from the group.
Is there any way to solve this problem? Because of my company policy I
can't use Keycloak to manage the groups.
I'm using Keycloak 2.5.1.
Thanks for the help
--
Luiz Carlos
5 years, 6 months
Refresh Token Becoming Stale because of User Not Before Date
by Huw McNamara
Hello,
I am having an issue with a refresh token I have requested using scope=offline_access becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on OpenShift Online.
After turning on some trace logging I get the following stack trace:
[0m09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token
at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185)
at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
Which, in the source code, seems to correspond with these lines:
if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
}
https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc40...
My Offline Session Idle for the realm is set to 30 days which was definitely not breached.
Can anyone tell me what the not before of the user is and how do I set its value?
5 years, 6 months
Keycloak as OIDC provider to AWS ALB, any hints!
by Max Allan
Hi,
The AWS ALB will allow you to authenticate to cognito or OIDC nowadays.
I thought "Great, I can connect it up to my KeyCloak".
Sadly not. Well, I can connect it to KeyCloak and see sensible looking
headers and JWTs flowing back and forth.
And then the ALB says "500 Internal Server Error" :-(
I can see a request to keycloak (from the client) :
https://auth.care.surevine.com/auth/realms/care/protocol/openid-connect/a...
And it 302 redirects back to the ALB :
https://dev.care.surevine.com/oauth2/idpresponse?state=8sp1j3N3baPa1r%2BE...
On the KeyCloak server I can see the POST requests from the browser coming
in and hitting the authenticate URL, KC hands back a 302 (the URL above)
Then the ALB does a POST to the token endpoint and gets a 200 response with
a nice chunk of access token. I can decode it and see my details quite
happily. I even validated the signature. (Using jwt.io 's debugger.)
Although the ALB doesn't ask for the certificate at any stage, so I don't
think it even bothers validating it.
But it doesn't seem to like it. And gives me a 500 error.
(I can authenticate with Google OIDC without any trouble...)
(NB Any secrets in any of those strings won't get you very far, there is no
content yet :-) )
5 years, 6 months
Need to log in to all realms with unique admin users
by Mattia Bello
We have this situation:
master realm -> used to manage other realms
realm1, realm2, realm3, .. -> are retailers and contain companies
for each realm we have group1, group2, group3, .. -> are companies and contain a group of users
we have to see all the retailers (realms), the companies (groups) and the users
How can I do it?
Can i create a master realm user and use it to access all the other realms?
Or i have to replicate the admin user in master realm into all other realm to use it to log in in that realm?
Thank to all
Mattia Bello
Developer
[Descrizione: cid:image001.jpg@01CEB308.188717E0]
Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 340 36 07 937
www.horsa.it<http://www.horsa.it/>
5 years, 6 months
Temporarily Locked response from openid-connect
by Hylton Peimer
We have a user that is Temporarily Locked due to incorrect password entry.
When attempting to get the access/refresh token from the openid-connect
endpoint: /protocol/openid-connect/token
with grant_type=password, we receive the following error message:
Http Status: 401
{
"error": "invalid_grant",
"error_description": "Invalid user credentials"
}
In a previous version we received a message that indicated the user was
Locked.
Is there another way to get this information in response to token request?
5 years, 6 months
Keycloak OutOfMemoryError
by Jason Spittel
Hello,
We are currently experiencing an OutOfMemoryError / Memory Leak on our Keycloak servers. This occurs intermittently within a span of a few weeks to months between incidents. When it does happen, the entire server is brought down.
It's a very small load, less than 3000 users, with default settings across the board. One of the keycloak servers is an identity broker, and the other is an IdP that points to the broker (behind the broker is our actual application).
Looking at JVM logs, the memory is GC'ed regularly with no long term increase, then suddenly, over a period of 5 minutes, spikes to beyond what is allocated to the server (2GB).
We ran the Eclipse Memory Analyser against the .hprof file and found this as the memory leak suspect:
default I/O-4
at java.lang.OutOfMemoryError.<init>()V (OutOfMemoryError.java:48)
at java.util.ArrayDeque.doubleCapacity()V (ArrayDeque.java:162)
at java.util.ArrayDeque.addLast(Ljava/lang/Object;)V (ArrayDeque.java:252)
at java.util.ArrayDeque.add(Ljava/lang/Object;)Z (ArrayDeque.java:423)
at org.xnio.nio.WorkerThread.execute(Ljava/lang/Runnable;)V (WorkerThread.java:591)
at io.undertow.protocols.ssl.SslConduit.runReadListener(Z)V (SslConduit.java:223)
at io.undertow.protocols.ssl.SslConduit.access$1300(Lio/undertow/protocols/ssl/SslConduit;Z)V (SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady()V (SslConduit.java:1081)
at io.undertow.protocols.ssl.SslConduit$1.run()V (SslConduit.java:229)
at org.xnio.nio.WorkerThread.safeRun(Ljava/lang/Runnable;)V (WorkerThread.java:580)
at org.xnio.nio.WorkerThread.run()V (WorkerThread.java:464)
Which seems related to this bug:
https://stackoverflow.com/questions/43661909/keycloak-1-9-4-using-custom-...
The dev in that situation put Apache in front of keycloak to handle the SSL and seemed to resolve the issue. We'd prefer not to do this. Following this SO post to the mailing list thread:
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006771.html
There was some interest in the bug but it was then was abandoned.
Now, we are running an older version of Keycloak , 3.1.0.Final. But I looked through all the change logs from 3.1.0.Final to 4.5.0.Final as well as all the Jira Issues between those two versions that have to do with SSL, and found no fixes for this issue.
Is this a problem that is on the radar of the Keycloak devs? Is this the sort of bugfix that would only be in RH SSO?
Thanks,
Jason
[cid:8dad4d85-d402-4612-81a1-ded4d2092813]
[cid:ba354506-fb8c-46a0-b587-1430e9afe9a2]
5 years, 6 months
how to handle upgrade for Keycloak docker deployment
by Eugen Stan
Hello,
What are the steps to upgrade a Keycloak Docker deployment? The steps in
[upgrade-guide] are valid for normal deployments.
Docker upgrades can simply be done by changing the version number.
I know some steps are necesary. I also know that databse migration can
be handled by Keycloak automatically.
What about the other steps?
TLDR:
We are using keycloak to secure some of our services. We have deployed
it via Docker, following the instructions on [keycloak-docker].
However, there is something that bugs me: How to to upgrades.
I've read the [upgrade-guide] and the steps are:
- stoping the server
- run some script
- start the server (to do databasse migrations).
Our setup is simple, we have a single keycloak instance with PostgtreSQL
and no changes other than a custom theme.
[keycloak-docker] https://hub.docker.com/r/jboss/keycloak/
[upgrade-guide] https://www.keycloak.org/docs/4.5/upgrading/
Thanks,
Eugen
5 years, 6 months
Login via Magic URL
by Thomas Richner
Hi All,
I'm trying to lower the barrier for users by sending them a 'magic'
link to login without a password into a mobile app.
The general flow would be as following:
1. backend requests 'single use token' from Keycloak via API
2. backend sends email with this token to user via e.g. email as part
of a magic link
3. user opens the link on a mobile device
4. the uri scheme/domain is registered in the mobile OS for a specific
app, app gets opened
5. mobile app exchanges 'single use token' for a refresh token
6. user is logged in :)
As I understand there is no such flow available in Keycloak. Looking
at the SPI interfaces one might be able to implement something like
this by adding custom API endpoints and ActionTokenHandler.
Since I doubt I'm the first one to explore magic deep links with
Keycloak, did anybody already implement that? Did I miss a feature
that already exists? Is there an easier way to achieve this with
Keycloak?
Cheers,
Thomas
5 years, 6 months
