November 2018 - keycloak-user - Jboss List Archives

by Karipineni, Neelima,M.D.

We have a use case where we’re trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used. The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token. Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference. Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It’s like an additional consent step after user and client authentication rather than an additional authentication step. My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/..., and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested. I’m not sure it’s possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it’s missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this? As an additional wrench, we’re still on v3.3.0 and upgrade is not on the schedule as of now. The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.

6 years, 8 months

3
4
0 / 0

UserRepresentation enabled Boolean

by Matthew Broadhead

org.keycloak.representations.idm.UserRepresentation (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...) has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF (https://stackoverflow.com/questions/14400222/boolean-properties-starting-...) This also applies to totp and emailVerified in the same class.

6 years, 10 months

2
3
0 / 0

LDAP user federation with AD range retrieval

by Sidney Beekhoven

Hello, We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this: Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com] at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110) at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112) at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380) at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316) at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236) … Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057<tel:16%20-%2000000057>: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name ‘CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s.... When i look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role. For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-... for more info about this. The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so i will create a jira ticket for that. Did anyone else maybe run into this issue, and if so had another solution for it? Kind regards, Sidney Beekhoven

6 years, 10 months

2
4
0 / 0

KC installation DB problems

by Henning Waack

Dear all. I try to setup KC 4.2.1 (also tried with 4.0.0) on Ubuntu 18.04 with Mysq 5.7l/MariaDB 10.x. It works totally fine on my Vagrant box (I use Ansible), but on the "real" server the Liquibase init scripts time out. Please note that the DB is installed physically on the same machine as Keycloak, connection is done trough localhost. The error is some kind of transaction timeout exception, please see below the log. It is interesting to note that a) the script runs for more than 5 minutes before it fails, and b) most tables have been created in the DB, but after this error the state is unrecoverable. Do you have any pointers/hints on why I run into these timeout issues? I am totally at loss, having tried so many combinations (KC version x DB type x DB version), which all run fine on Vagrant but fail on the server. Thanks in advance & greetings Henning ------ 2018-09-20 19:00:53,220 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 49) Node name: sso, Site name: null 2018-09-20 19:00:55,982 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml 2018-09-20 19:05:53,240 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e in state RUN 2018-09-20 19:05:53,252 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e 2018-09-20 19:05:53,938 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 in state RUN 2018-09-20 19:05:53,940 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 2018-09-20 19:06:13,864 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 49) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...] 2018-09-20 19:06:13,913 INFO [org.hibernate.Version] (ServerService Thread Pool -- 49) HHH000412: Hibernate Core {5.1.10.Final} 2018-09-20 19:06:13,914 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000206: hibernate.properties not found 2018-09-20 19:06:13,916 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000021: Bytecode provider name : javassist 2018-09-20 19:06:13,943 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 49) HCANN000001: Hibernate Commons Annotations {5.0.1.Final} 2018-09-20 19:06:14,076 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 49) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect 2018-09-20 19:06:14,107 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 49) Envers integration enabled? : true 2018-09-20 19:06:14,534 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 49) HV000001: Hibernate Validator 5.3.5.Final 2018-09-20 19:06:15,154 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 49) HHH000397: Using ASTQueryTranslatorFactory 2018-09-20 19:06:15,842 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 0, SQLState: null 2018-09-20 19:06:15,842 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) javax.resource.ResourceException: IJ000460: Error checking for a transaction 2018-09-20 19:06:15,843 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (ServerService Thread Pool -- 49) HHH000327: Error performing load command : org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection 2018-09-20 19:06:15,844 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 2018-09-20 19:06:15,850 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e 2018-09-20 19:06:15,853 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal 2018-09-20 19:06:15,857 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 49) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) ... 6 more Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) at com.sun.proxy.$Proxy68.find(Unknown Source) at org.keycloak.models.jpa.MigrationModelAdapter.getStoredVersion(MigrationModelAdapter.java:38) at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:84) at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245) at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 28 more Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1619) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1106) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1033) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) ... 41 more Caused by: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:87) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getPhysicalConnection(LogicalConnectionManagedImpl.java:109) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.connection(StatementPreparerImpl.java:47) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.prepareQueryStatement(AbstractLoadPlanBasedLoader.java:241) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:185) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86) at org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:167) at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4069) at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:508) at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:478) at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:219) at org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:278) at org.hibernate.event.internal.DefaultLoadEventListener.doOnLoad(DefaultLoadEventListener.java:121) at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:89) at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1142) at org.hibernate.internal.SessionImpl.access$2600(SessionImpl.java:167) at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.doLoad(SessionImpl.java:2762) at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2741) at org.hibernate.internal.SessionImpl.get(SessionImpl.java:978) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1075) ... 47 more Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000460: Error checking for a transaction at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122) at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:386) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:84) ... 70 more Caused by: javax.resource.ResourceException: IJ000460: Error checking for a transaction at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:425) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 74 more Caused by: javax.resource.ResourceException: IJ000459: Transaction is not active: tx=Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 status: ActionStatus.ABORTED >, owner=Local transaction context for provider JBoss JTA transaction provider) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:409) ... 76 more 2018-09-20 19:06:15,872 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTPS listener https suspending 2018-09-20 19:06:15,872 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS] 2018-09-20 19:06:15,877 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] 2018-09-20 19:06:15,878 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0019: Stopped Driver service with driver-name = h2 2018-09-20 19:06:15,881 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = mariadb 2018-09-20 19:06:15,881 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443 2018-09-20 19:06:15,885 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTP listener default suspendi --

7 years, 1 month

2
1
0 / 0

Deploying Keycloak on Openshift with MariaDB persistence produces errors in logs

by Cristi Cioriia

Hello, While deploying Keycloak 4.5.0.Final in an Openshift environment, using Mariadb (Galera) as a database produces several exceptions in the logs, all of them being related to the communication between the Keycloak server and the database. The access to the Galera server (3 instances) is performed via a Maxscale proxy. The Galera server, Maxscale (deployment of 3 pods) and Keycloak (deployment of 2 replicas) are all deployed inside Openshift, on AWS (1master + 3 workers). I am hoping you guys can help with fixing these issues. The errors look like below: 08:40:46,603 WARN [org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory] (ConnectionValidator) IJ030027: Destroying connection that is not valid, due to the following exception: org.mariadb.jdbc.MariaDbConnection@76883993: java.sql.SQLNonTransientConnectionException: (conn=24) unexpected end of stream, read 0 bytes from 4 (socket was closed by server) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.MariaDbStatement.executeExceptionEpilogue(MariaDbStatement.java:228) at org.mariadb.jdbc.MariaDbStatement.executeInternal(MariaDbStatement.java:334) at org.mariadb.jdbc.MariaDbStatement.execute(MariaDbStatement.java:386) at org.jboss.jca.adapters.jdbc.CheckValidConnectionSQL.isValidConnection(CheckValidConnectionSQL.java:74) at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.isValidConnection(BaseWrapperManagedConnectionFactory.java:1273) at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getInvalidConnections(BaseWrapperManagedConnectionFactory.java:1086) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.validateConnections(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1442) at org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator$ConnectionValidatorRunner.run(ConnectionValidator.java:277) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.sql.SQLException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server) Query is: SELECT 1 at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:119) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:199) at org.mariadb.jdbc.MariaDbStatement.executeInternal(MariaDbStatement.java:328) ... 9 more Caused by: java.io.EOFException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server) at org.mariadb.jdbc.internal.io.input.StandardPacketInputStream.getPacketArray(StandardPacketInputStream.java:239) at org.mariadb.jdbc.internal.io.input.StandardPacketInputStream.getPacket(StandardPacketInputStream.java:207) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.readPacket(AbstractQueryProtocol.java:1347) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.getResult(AbstractQueryProtocol.java:1328) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:196) ... 10 more I suspect that the errors come from the way the jdbc data source is configured. The mariadb configurations related to connections and wait timeouts are like below: max_connections=1000 wait_timeout=180 The second issue I noticed was the following: one of the pods in the deployments (we deploy 2 replicas of Keycloak) sometimes does not start correctly because of the following exception, which is still related to the database connection: 08:13:03,409 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 52) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) ... 8 more Caused by: java.lang.RuntimeException: Failed to connect to database at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 31 more Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:367) ... 43 more Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 45 more Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624) ... 48 more Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1093) at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:494) at org.mariadb.jdbc.MariaDbConnection.newConnection(MariaDbConnection.java:150) at org.mariadb.jdbc.Driver.connect(Driver.java:86) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321) ... 55 more Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.connException(ExceptionMapper.java:83) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readPipelineAdditionalData(AbstractConnectProtocol.java:606) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:477) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1089) ... 59 more Caused by: java.sql.SQLException: Error reading SessionVariables results. Socket is connected ? true at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readRequestSessionVariables(AbstractConnectProtocol.java:572) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readPipelineAdditionalData(AbstractConnectProtocol.java:603) ... 61 more The pod is in state running, but it is not ready, as it can be seen below: oc describe pod keycloak-787795bbcb-qng6j Name: keycloak-787795bbcb-qng6j Namespace: frame-2900 Start Time: Thu, 25 Oct 2018 10:03:30 +0200 Labels: application=keycloak pod-template-hash=3433516676 Annotations: openshift.io/scc=restricted Status: *Running* IP: 10.131.0.12 Controlled By: ReplicaSet/keycloak-787795bbcb Containers: keycloak: Container ID: docker://b703c13a70ffa24f696e08996590b972ec65e6b6041f8d08f50a44372b9e4760 Image: jboss/keycloak Image ID: docker-pullable:// docker.io/jboss/keycloak@sha256:cb5c24d06f22c51ca193e6d1e930d206ef0b841a745f8e475a08e33f10b38ad4 Ports: 8080/TCP, 8443/TCP *State: Waiting* * Reason: CrashLoopBackOff* Last State: Terminated Reason: Error Exit Code: 1 Started: Thu, 25 Oct 2018 10:12:43 +0200 Finished: Thu, 25 Oct 2018 10:13:03 +0200 Ready: False * Restart Count: 6* Liveness: http-get http://:8080/auth/realms/master delay=60s timeout=1s period=10s #success=1 #failure=3 Readiness: http-get http://:8080/auth/realms/master delay=30s timeout=1s period=10s #success=1 #failure=10 Environment: KEYCLOAK_USER: BokIm2Kl KEYCLOAK_PASSWORD: o8QobI0D PROXY_ADDRESS_FORWARDING: true DB_VENDOR: MARIADB JGROUPS_DISCOVERY_PROTOCOL: dns.DNS_PING JGROUPS_DISCOVERY_PROPERTIES: dns_query=keycloak.default.svc.cluster.local DB_ADDR: max-scale DB_DATABASE: keycloak DB_PORT: 4408 DB_USER: <set to the key 'keycloakDatabaseUserName' in secret 'qa-complex-secret'> Optional: false DB_PASSWORD: <set to the key 'keycloakDatabaseUserPassword' in secret 'qa-complex-secret'> Optional: false Mounts: /var/run/secrets/kubernetes.io/serviceaccount from frame-2900-token-k8cwj (ro) Conditions: Type Status Initialized True Ready False PodScheduled True Volumes: frame-2900-token-k8cwj: Type: Secret (a volume populated by a Secret) SecretName: frame-2900-token-k8cwj Optional: false QoS Class: BestEffort Node-Selectors: node-role.kubernetes.io/compute=true Tolerations: <none> Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 11m default-scheduler Successfully assigned keycloak-787795bbcb-qng6j to ip-10-0-141-24.eu-west-1.compute.internal Normal SuccessfulMountVolume 11m kubelet, ip-10-0-141-24.eu-west-1.compute.internal MountVolume.SetUp succeeded for volume "frame-2900-token-k8cwj" Normal Pulled 7m (x4 over 9m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Successfully pulled image "jboss/keycloak" Normal Created 7m (x4 over 9m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Created container Normal Started 7m (x4 over 9m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Started container Normal Pulling 6m (x5 over 10m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal pulling image "jboss/keycloak" Warning BackOff 53s (x31 over 8m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Back-off restarting failed container The pod is restarted several times it seems, but it does not start correctly. I deleted the pod and it was recreated automatically by Openshift and the new pod started correctly. Then, there is a third issue that I've encountered while trying to login into the deployed application. While entering some wrong credentials I got an error page and noticed in the logs that there is still a database connection error: 08:18:12,405 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492) at org.keycloak.models.jpa.JpaUserProvider.getUserByUsername(JpaUserProvider.java:526) at org.keycloak.storage.UserStorageManager.getUserByUsername(UserStorageManager.java:390) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:253) at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:213) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:153) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:48) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:79) at org.hibernate.loader.Loader.getResultSet(Loader.java:2122) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1905) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1881) at org.hibernate.loader.Loader.doQuery(Loader.java:925) at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:342) at org.hibernate.loader.Loader.doList(Loader.java:2622) at org.hibernate.loader.Loader.doList(Loader.java:2605) at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2434) at org.hibernate.loader.Loader.list(Loader.java:2429) at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501) at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:370) at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216) at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1339) at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) ... 83 more Caused by: java.sql.SQLNonTransientConnectionException: (conn=476) Connection is closed at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.MariaDbStatement.executeExceptionEpilogue(MariaDbStatement.java:228) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:216) at org.mariadb.jdbc.MariaDbPreparedStatementClient.execute(MariaDbPreparedStatementClient.java:150) at org.mariadb.jdb c.MariaDbPreparedStatementClient.executeQuery(MariaDbPreparedStatementClient.java:164) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70) ... 99 more Caused by: java.sql.SQLException: Connection is closed at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.cmdPrologue(AbstractQueryProtocol.java:1711) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:237) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:209) ... 103 more After a couple of seconds, the issue dissapeared, probably because Keycloak was able to get a valid connection from the connection pool. Thanks in advance for your help. Greetings, Cristi

7 years, 2 months

2
1
0 / 0

Re: [keycloak-user] Shared datastore?

by Sebastian Laskawiec

Yes, I think that could be case, I see a plenty of places where we use SKIP_CACHE_STORE. Let me ask Marek for help here since it has been implemented long before I joined the team and I don't know the history behind it... On Thu, Nov 8, 2018 at 8:48 PM William Burns <wburns(a)redhat.com> wrote: > > > ----- Original Message ----- > > From: "Sebastian Laskawiec" <slaskawi(a)redhat.com> > > To: "Nicolas Ocquidant" <nocquidant(a)gmail.com> > > Cc: keycloak-user(a)lists.jboss.org, "Will Burns Rosenquist Burns" < > wburns(a)redhat.com> > > Sent: Thursday, November 8, 2018 12:33:47 PM > > Subject: Re: [keycloak-user] Shared datastore? > > > > So I think there are at least two ways to address this problem. This > first > > one is to use Offline Tokens [1]. I'm not sure if that fits into your > > application since it requires your client applications to store the > token. > > In other words you can simply delegate this problem one layer below in > your > > system. > > > > If that doesn't work for you, yes passivation is a way to go. Frankly, I > > haven't used passivation but from the manual I see it works hand in hand > > with eviction [2][3]. Will (on CC) can probably correct me here, but my > > understanding is that whenever an entry gets evicted, the passivation > > mechanism picks it up and stores somewhere. > > It does and it works, the problem is that passivation doesn't play well > with shared stores in Infinispan. We prevent this configuration in 9.4 or > newer even. > > I recommended that Nicolas just use eviction and a shared store without > passivation. However it seems that entries are not written to the store in > this configuration. My guess is that KeyCloak performs write operations > with the SKIP_CACHE_STORE flag and assumes entries will only be written to > the store due to passivation. Is there a reason for that? > > > > > [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html > > [2] > > > http://infinispan.org/docs/stable/user_guide/user_guide.html#cache_passiv... > > [3] > > > https://github.com/infinispan/infinispan/blob/master/core/src/test/java/o... > > > > On Thu, Nov 8, 2018 at 5:40 PM Nicolas Ocquidant <nocquidant(a)gmail.com> > > wrote: > > > > > My requirements are the following: store tokens emitted by KC during > one > > > year. > > > > > > I don't know how many users there are, but here are the number I get: > > > * the number of connections a week is about 700k. > > > * the number of session refresh a week is about 200k. > > > > > > I approximated around 1M of sessions a week, thus 52M a year. > > > In memory, a user session has been estimated around 4KB (about 1KB in > > > file/DB). > > > > > > But I guess a refresh does not create another session isn't it? And > maybe > > > it's possible to ask KC to delete previous emitted tokens when a new > one is > > > created for a same user? > > > > > > If yes, my estimation is probably a little bit too high here, but I > > > certainly have several millions of tokens to keep (and maybe dozens of > > > millions). > > > > > > Thanks > > > --nick > > > > > > Le mer. 7 nov. 2018 à 18:17, Nicolas Ocquidant <nocquidant(a)gmail.com> > a > > > écrit : > > > > > > > Hi, > > > > > > > > According to Infinispan, when passivation is disabled, every update > to > > > the > > > > cache should always write to the store. > > > > > > > > But I can't manage to get it work with Keycloak. If I disable > > > passivation, > > > > my SQL store (Postgres) stays empty, even if the cache is full. > > > > > > > > So, if passivation is needed for Keycloak to write to the DB, it > means > > > > that the use of a shared DB is not possible... > > > > > > > > But this leads to another issue for me. Enable passivation without a > > > > shared DB seems to imply that either 'fetch-state' or 'purge' should > be > > > > enabled on startup, in order for the cache to not contain stale > entries. > > > > > > > > 15:27:44,626 WARN > > > > > [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] > > > (MSC > > > > service thread 1-6) ISPN000149: Fetch persistent state and purge on > > > startup > > > > are both disabled, cache may contain stale entries on startup > > > > > > > > As I need to keep millions of sessions, this will considerably slow > down > > > > the startup of my node (when started again after a crash for > instance). > > > > > > > > So, is shared datastore allowed in Keycloak? If yes, how to enable > it? > > > > Otherwise what other options do I have to improve my startup time, if > > > > millions of sessions are in the store? > > > > > > > > Thanks > > > > --nick > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >

7 years, 2 months

4
3
0 / 0

Re : Setting authentication execution requirement via kcadm.sh?

by triton oidc

Hi Craig, i'm not an expert, but here is what i did to set my execution value to REQUIRED : create a json with {"id":[ID_OF_YOUR_EXECUTION],"requirement":"REQUIRED"} put it in a file my_file.json you can have the id of you execution using this command ./kcadm.sh get authentication/flows/[your_flow]/executions --format csv -r $keycloak_new_realm --fields id | tr -d '\n' and you can import the file using this command : ./kcadm.sh update authentication/flows/[your_flow]/executions -r $keycloak_new_realm -f my_file.json There is probably a better way but i didn't found it hope it helps Amaury On Mon, Oct 15, 2018 at 1:07 PM <keycloak-user-request(a)lists.jboss.org> wrote: > Send keycloak-user mailing list submissions to > keycloak-user(a)lists.jboss.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.jboss.org/mailman/listinfo/keycloak-user > or, via email, send a message with subject or body 'help' to > keycloak-user-request(a)lists.jboss.org > > You can reach the person managing the list at > keycloak-user-owner(a)lists.jboss.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of keycloak-user digest..." > > > Today's Topics: > > 1. Setting authentication execution requirement via kcadm.sh? > (Craig Setera) > 2. org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not > update user roles (Philippe Gauthier) > 3. Re: Unrecognized field "authenticationFlowBindingOverrides" > (Fabio Ebner) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 15 Oct 2018 07:21:30 -0500 > From: Craig Setera <craig(a)baseventure.com> > Subject: [keycloak-user] Setting authentication execution requirement > via kcadm.sh? > To: keycloak-user(a)lists.jboss.org > Message-ID: > < > CAPVdwjq1oyjCom4_A0TBJ8m3KBCgit5nOqMCGqKP4t2RU6zb5Q(a)mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > I'm trying to figure out if it is possible to set the "requirement" level > of an execution that is created for an authentication flow via the kcadm > tool. I have a shell script that I'm using to set up the Keycloak > configuration that looks like the following: > > > *echo "Creating new authentication flow..."AUTO_LINK_FLOW_ID=`${KCADM} > create authentication/flows --id -r ${REALM_NAME} -s > alias="FirstBrokerLoginAutoLink" -s providerId="basic-flow" -s > topLevel=true`* > > > > *echo "Adding unique authenticator..."${KCADM} create > authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r > ${REALM_NAME} \ -s provider=idp-create-user-if-unique -s > requirement=ALTERNATIVE -s priority=10* > > > > > *echo "Adding auto link authenticator..."${KCADM} create > authentication/flows/FirstBrokerLoginAutoLink/executions/execution -r > ${REALM_NAME} \ -s provider=idp-auto-link -s requirement=ALTERNATIVE -s > priority=20* > With this script, I'm seeing the flow and executions created, but the > requirement seems to be ignored. In this case, the executions are always > set to DISABLED. I've tried to follow that up with an update call that > looks like this: > > > > > > > *echo "Adding unique authenticator..."EXECUTION_ID=`${KCADM} create > authentication/flows/FirstBrokerLoginAutoLink/executions/execution --id -r > ${REALM_NAME} \ -s provider=idp-create-user-if-unique -s > requirement=ALTERNATIVE -s priority=10`${KCADM} update > authentication/flows/FirstBrokerLoginAutoLink/executions -r ${REALM_NAME} > \ -s id=${EXECUTION_ID} -s requirement=ALTERNATIVE* > > However, that is failing with the following error: > > > > *HTTP request error: Can not deserialize instance of > com.fasterxml.jackson.databind.node.ObjectNode out of START_ARRAY tokenat > [Source: [B@527ee8a7; line: 1, column: 1]* > Can anyone offer any suggestions on how to get this authentication flow > properly configured so that the executions are set to ALTERNATIVE? > > Thanks! > Craig > > ================================= > *Craig Setera* > > *Chief Technology Officer* > > > ------------------------------ > > Message: 2 > Date: Mon, 15 Oct 2018 12:45:04 +0000 > From: Philippe Gauthier <philippe.gauthier(a)inspq.qc.ca> > Subject: [keycloak-user] > org.keycloak.broker.oidc.mappers.ClaimToRoleMapper does not update > user roles > To: "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org> > Cc: ?tienne Sadio <etienne.sadio(a)inspq.qc.ca> > Message-ID: > < > YTOPR0101MB141798E50DFEF73BB8C32857B1FD0(a)YTOPR0101MB1417.CANPRD01.PROD.OUTLOOK.COM > > > > Content-Type: text/plain; charset="iso-8859-1" > > Hi > > > I saw a 2017 post from Simon Payne about ClaimToRoleMapper and I cannot > find any answers for his question. > > http://lists.jboss.org/pipermail/keycloak-user/2017-October/012129.html > > > This post was about ClaimToRoleMapper class of the OIDC broker component. > This class search for a claim, check for its value and grant a role if the > value is equals to the value specified in the configuration. > > > If the user from the IdP is not known by Keycloak, it will be created by > the First Broker Login Flow and the role will be granted. > > > If the user is already known by Keycloak, he have the role specified by > the mapper and he don't have the claim anymore, the role will be revocated. > > > But. If the user is known by Keycloak, he don't have the role specified by > the mapper and he have the claim, Keycloak does not grant him the role. > > > It is clear why it does this in the code but it is not clear why this have > been done that way: > > > Here is the code. > > @Override > public void importNewUser(KeycloakSession session, RealmModel realm, > UserModel user, IdentityProviderMapperModel mapperModel, > BrokeredIdentityContext context) { > String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE); > if (hasClaimValue(mapperModel, context)) { > RoleModel role = KeycloakModelUtils.getRoleFromString(realm, > roleName); > if (role == null) throw new IdentityBrokerException("Unable to > find role: " + roleName); > user.grantRole(role); > } > } > > @Override > public void updateBrokeredUser(KeycloakSession session, RealmModel > realm, UserModel user, IdentityProviderMapperModel mapperModel, > BrokeredIdentityContext context) { > String roleName = mapperModel.getConfig().get(ConfigConstants.ROLE); > if (!hasClaimValue(mapperModel, context)) { > RoleModel role = KeycloakModelUtils.getRoleFromString(realm, > roleName); > if (role == null) throw new IdentityBrokerException("Unable to > find role: " + roleName); > user.deleteRoleMapping(role); > } > /* Maybe we should add an else here that does what the importNewUser > does. > } > Thankyou > > Philippe Gauthier. > > > > ------------------------------ > > Message: 3 > Date: Mon, 15 Oct 2018 09:53:48 -0300 > From: Fabio Ebner <fabio.ebner(a)lumera.com.br> > Subject: Re: [keycloak-user] Unrecognized field > "authenticationFlowBindingOverrides" > To: Marek Posolda <mposolda(a)redhat.com> > Cc: keycloak-user(a)lists.jboss.org > Message-ID: > < > CAFxMZba+qwDnfkrggWXn6U+iY_hZYpMJ0CzMYvrtYgMmL3rQ9g(a)mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > Marek tks I was using a old version in my pom. but after I put the correct > 4.5.0.Final when I try to start my project throw an exception: > > Caused by: java.lang.NoClassDefFoundError: > org/springframework/boot/web/server/WebServerFactoryCustomizer > > Look in the google say that class are only in springboot > 2 so I update my > project to Springboot 2.0.5.Final, now my project start but when I try to > access any url I got the error: > > in a loop: > > > > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > > 2018-10-15 09:50:12.363 ERROR 20936 --- [nio-8081-exec-2] > o.a.c.c.C.[Tomcat].[localhost] : Exception Processing > /favicon.ico > > java.lang.StackOverflowError: null > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at or > > ..... > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > > 2018-10-15 09:50:12.387 ERROR 20936 --- [nio-8081-exec-2] > o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet > [dispatcherServlet] threw exception > > java.lang.StackOverflowError: null > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > ...... > > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > > 2018-10-15 09:50:12.399 ERROR 20936 --- [nio-8081-exec-2] > o.a.c.c.C.[Tomcat].[localhost] : Exception Processing > ErrorPage[errorCode=0, location=/error] > > javax.servlet.ServletException: Filter execution threw an exception > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:472) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:395) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:316) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:395) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:254) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:349) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.tomcat.util.net > .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.tomcat.util.net > .SocketProcessorBase.run(SocketProcessorBase.java:49) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > [na:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > [na:1.8.0_162] > at > > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_162] > Caused by: java.lang.StackOverflowError: null > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > .... > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > > 2018-10-15 09:50:12.425 ERROR 20936 --- [nio-8081-exec-2] > o.a.c.c.C.[.[.[/].[dispatcherServlet] : Servlet.service() for servlet > [dispatcherServlet] threw exception > > java.lang.StackOverflowError: null > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at org.keycloak.ada > .... > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > > 2018-10-15 09:50:12.437 ERROR 20936 --- [nio-8081-exec-2] > o.a.c.c.C.[Tomcat].[localhost] : Exception Processing > ErrorPage[errorCode=0, location=/error] > > javax.servlet.ServletException: Filter execution threw an exception > at > > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:472) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:395) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:316) > ~[tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:395) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:254) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:349) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:175) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.tomcat.util.net > .NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > org.apache.tomcat.util.net > .SocketProcessorBase.run(SocketProcessorBase.java:49) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > [na:1.8.0_162] > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > [na:1.8.0_162] > at > > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > [tomcat-embed-core-8.5.34.jar:8.5.34] > at java.lang.Thread.run(Thread.java:748) [na:1.8.0_162] > Caused by: java.lang.StackOverflowError: null > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at > > org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:45) > ~[keycloak-spring-boot-adapter-core-4.5.0.Final.jar:4.5.0.Final] > at org.key > > > > Em seg, 15 de out de 2018 ?s 04:19, Marek Posolda <mposolda(a)redhat.com> > escreveu: > > > I think the field "authenticationFlowBindingOverrides" was added in some > > Keycloak 4.X version. I suggest to update Keycloak dependencies versions > > in your pom from 3.4.3.Final to same version, which your Keycloak server > > is. > > > > Marek > > > > On 13/10/18 04:18, Fabio Ebner wrote: > > > When I try to get my client wit this code: > > > > > > ClientRepresentation app1Client = > > > realmResource.clients().findByClientId("central-api").get(0); > > > > > > > > > that error return: > > > > > > javax.ws.rs.client.ResponseProcessingException: > > > javax.ws.rs.ProcessingException: > > > com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: > > > Unrecognized field "authenticationFlowBindingOverrides" (class > > > org.keycloak.representations.idm.ClientRepresentation), not marked as > > > ignorable (38 known properties: "enabled", "clientAuthenticatorType", > > > "redirectUris", "clientId", "authorizationServicesEnabled", "name", > > > "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout", > > > "publicClient", "attributes", "protocol", "webOrigins", > > "protocolMappers", > > > "id", "baseUrl", "surrogateAuthRequired", "adminUrl", > "fullScopeAllowed", > > > "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl", > > > "secret", "useTemplateMappers", "notBefore", "useTemplateScope", > > > "standardFlowEnabled", "description", "directAccessGrantsEnabled", > > > "useTemplateConfig", "serviceAccountsEnabled", "consentRequired", > > "access", > > > "bearerOnly", "registrationAccessToken", "defaultRoles", > > > "authorizationSettings"]) > > > > > > > > > > > > this is my pom. > > > > > >  > > > <dependency> > > > <groupId>org.keycloak</groupId> > > > <artifactId>keycloak-spring-security-adapter</artifactId> > > > <version>3.4.3.Final</version> > > > </dependency> > > > <dependency> > > > <groupId>org.keycloak</groupId> > > > <artifactId>keycloak-spring-boot-starter</artifactId> > > > <version>3.4.3.Final</version> > > > </dependency> > > > <dependency> > > > <groupId>org.keycloak</groupId> > > > <artifactId>keycloak-admin-client</artifactId> > > > <version>3.4.3.Final</version> > > > </dependency> > > > <dependency> > > > <groupId>javax.ws.rs</groupId> > > > <artifactId>javax.ws.rs-api</artifactId> > > > <version>2.1</version> > > > </dependency> > > >  > > > <dependency> > > > <groupId>org.jboss.resteasy</groupId> > > > <artifactId>resteasy-client</artifactId> > > > <version>3.1.3.Final</version> > > > </dependency> > > > <dependency> > > > <groupId>org.jboss.resteasy</groupId> > > > <artifactId>resteasy-jackson2-provider</artifactId> > > > <version>3.1.3.Final</version> > > > </dependency> > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user(a)lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 58, Issue 37 > ********************************************* >

7 years, 3 months

2
1
0 / 0

Magic Link feature removed?

by Stefan Hesse

Hello, according to this issue: https://issues.jboss.org/browse/KEYCLOAK-1942 Magic Link was introduced in version 4.0.0.Beta1. I am running 4.0.0.Beta.2, and I tried to follow the following tutorial in order to implement it: https://www.youtube.com/watch?v=oyUsI3QgEq8 Strangely the option does not appear in the Beta2 anymore. Was the feature removed again? Regards Stefan

7 years, 3 months

3
3
0 / 0

4.6.0 Upgrade disables client scopes

by Lamina, Marco

Hi, I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the “scope” parameter is ignored and none of my default client scopes are applied. The “scope” claim in the token endpoint response is always empty. Is that a feature that needs to be enabled similar to the token exchange? [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-ex... Thanks, Marco

7 years, 3 months

3
3
0 / 0

start up of keycloak nodes roughly increases two folds for every 100 tenants.

by Madhu

Hi I am using keycloak 4.5. i created about 600+ tenants with 50 users each for a performance testing. Upon creating tenants the start up time of keycloak increases drastically. This seems to be due to pretty much all entities at start up.. I tried disabling realm cache, user cache and did not help.. can you suggest how to bring down the start up time? Is it absolutely necessary for keycloak to load every thing at start up?? This is an extract from hibernate stat i got on a c4 xlarge ec2 instance ( 4 core 8 gig), keycloak configured with xms=xmx=5g. 018-11-24 10:33:19,998 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool – 61) Envers integration enabled? : true 2018-11-24 10:33:20,499 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool – 61) HV000001: Hibernate Validator 5.3.6.Final 2018-11-24 10:33:21,296 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool – 61) HHH000397: Using ASTQueryTranslatorFactory ^C [centos@ip-172-31-45-199 log]$ 11:10:45,750 INFO [org.hibernate.engi ne.internal.StatisticalLoggingSessionEventListener] (ServerService Th read Pool – 61) Session Metrics { 669457663 nanoseconds spent acquiring 92974 JDBC connections; 148185664 nanoseconds spent releasing 92974 JDBC connections; 1852958902 nanoseconds spent preparing 92974 JDBC statements; 35866600579 nanoseconds spent executing 92974 JDBC statements; 0 nanoseconds spent executing 0 JDBC batches; 0 nanoseconds spent performing 0 L2C puts; 0 nanoseconds spent performing 0 L2C hits; 0 nanoseconds spent performing 0 L2C misses; 543461113 nanoseconds spent executing 2 flushes (flushing a total of 227216 entities and 158902 collections); 2197548626817 nanoseconds spent executing 14139 partial-flushes ( flushing a total of* 1042012050 entities and 1042012050 collections*) } 11:10:45,780 INFO [org.hibernate.engine.internal.StatisticalLoggingS essionEventListener] (ServerService Thread Pool – 61) Session Metric s { 7689387 nanoseconds spent acquiring 1 JDBC connections; 34263 nanoseconds spent releasing 1 JDBC connections; 8025969 nanoseconds spent preparing 1 JDBC statements; 909784 nanoseconds spent executing 1 JDBC statements; 0 nanoseconds spent executing 0 JDBC batches; 0 nanoseconds spent performing 0 L2C puts; 0 nanoseconds spent performing 0 L2C hits; 0 nanoseconds spent performing 0 L2C misses; 3525215 nanoseconds spent executing 3 flushes (flushing a total o f 3 entities and 0 collections); 0 nanoseconds spent executing 0 partial-flushes (flushing a total of 0 entities and 0 collections)} 11:10:45,795 INFO [org.hibernate.engine.internal.StatisticalLoggingS essionEventListener] (ServerService Thread Pool – 61) Session Metric s { 437680 nanoseconds spent acquiring 1 JDBC connections; 10539 nanoseconds spent releasing 1 JDBC connections; 465001 nanoseconds spent preparing 1 JDBC statements; 719260 nanoseconds spent executing 1 JDBC statements; 0 nanoseconds spent executing 0 JDBC batches; 0 nanoseconds spent performing 0 L2C puts; 0 nanoseconds spent performing 0 L2C hits; 0 nanoseconds spent performing 0 L2C misses; 0 nanoseconds spent executing 0 flushes (flushing a total of 0 en tities and 0 collections); 17455 nanoseconds spent executing 1 partial-flushes (flushing a total of 0 entities and 0 collections) All My 600 +realms are pretty much same i.e. each realm has a client scope, a java script mapper (to get all the realm roles into resouce role),couple of attribute mappers, 2 users groups ( 1 for admins) and 1 for other users. i have about 50 users in each realm and all the user belongs to one of the 2 user groups ( no custom roles though).. Also, I bench marked the start up time after creating 50 or 100 realms and the start up time increases as the number of realms increases . I am able to manage as i have disabled the admin console and use rest endpoints.. but still the start up time and loading pretty much every thing seems little wiered. Please correct my understanding if i am wrong here.. | No of Realms | Start up time in mins | | 0 realms | 0.22 mins | | 100 realms | 2.34 mins | | 200 realms | 2.53 mins | | 300 realms | 5.34 mins | | 400 realms | 9.42 mins | | 500 realms | 14.6 mins | | 650 realms | 37 mins | Like wise the time taken to create tenants too gradually increases ( i use import to create realms) from about 3 seconds for first few realms to about 30 sec for 600th realm.. Any advise /help will be appreciated.

7 years, 3 months

2
5
0 / 0

Keycloak Modules developed for the Cloudtrust project

by Doswald Alistair

Hello, I just wanted to let this mailing list know that for the Cloudtrust project (https://github.com/cloudtrust), we have developed a certain number modules for Keycloak. These are currently compatible with the version 3.4.3.Final of Keycloak, but we will make them compatible with Keycloak 4.X (where X will be the latest sub-version of Keycloak when we start working on this) as soon as we can. These modules are: * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an implementation of the WS-Federation protocol for keycloak. This allows to select the WS-Federation protocol for Keycloak clients and for identity brokers. * keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization): this module allows the use of the client authorization system to prevent a user which is authenticated in a Keycloak realm to access a given client. It works no matter which protocol is used, and without the client having to support any extra protocol. Note: this solution is a bit hacky, but necessary for one of our use-cases. * keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers): a module for adding any mappers that we might need that are not yet part of Keycloak. Currently only contains a JavaScript mapper for SAML, analogous to the OIDC script mapper. I've noticed that there's an open issue for this feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could submit this code not as a module but a solution to the issue. * keycloak-export (https://github.com/cloudtrust/keycloak-export): a module adding an endpoint to fully export a realm while Keycloak is still running (no need for restarts!). Cheers, Alistair PS: I'm mailing this both dev and user mailing lists as I believe it may interest members of both mailing lists

7 years, 3 months

4
7
0 / 0

How to get access access token with SPNEGOAuthenticator?

by ola rob

Hi, For some legacy reasons, we are using keycloak API/services for authentication but not redirecting our application to keycloak. We are able to get access token and refresh token (AccessTokenResponse.class) when we authenticate using login API by sending username and password. But we are unable to get them when authenticating using spnego token. The SPNEGOAuthenticator class doesn't return any access token after successful authentication. We need these tokens to manage our application session internally. So, how can we get access and refresh token or response similar to username password authentication? SPNEGOAuthenticator spnegoAuthenticator = new SPNEGOAuthenticator(kerberosConfig, kerberosAuth, spnegoToken); spnegoAuthenticator.authenticate(); if (spnegoAuthenticator.isAuthenticated()) { String username = spnegoAuthenticator.getAuthenticatedUsername(); // returning the username correctly. } Thanks in advance!

7 years, 4 months

2
3
0 / 0

StackOverflowError when listing federated identities

by Wyllys Ingersoll

Using Keycloak 4.6.0.Final, when I query for all users in a realm which is federated to an AD domain (only about 25 users in the domain), it pretty consistently throws exceptions (see below). Oddly enough, if I add the parameter "briefRepresentation=true", the list is returned successfully. I can query for individual users just fine (brief or full). This was not an issue in 4.5.0, Im only seeing now that I upgraded to 4.6.0. Possibly a memory issue, but its hard to tell. Any ideas? thanks, Wyllys Ingersoll 21:32:11,324 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-112) Uncaught server error: java.lang.StackOverflowError at sun.reflect.GeneratedMethodAccessor378.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) at com.sun.proxy.$Proxy92.find(Unknown Source) at org.keycloak.models.jpa.JpaUserProvider.getUserById(JpaUserProvider.java:520) at org.keycloak.storage.UserStorageManager.getUserById(UserStorageManager.java:369) at org.keycloak.models.cache.infinispan.UserAdapter.getUserModel(UserAdapter.java:399) at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:42) at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111) at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305) at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43) at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111) at org.keycloak.models.cache.infinispan.UserAdapter.getRequiredActions(UserAdapter.java:173) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.models.utils.UserModelDelegate.getRequiredActions(UserModelDelegate.java:99) at org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapper$MSADUserModelDelegate.getRequiredActions(MSADUserAccountControlStorageMapper.java:305) at org.keycloak.models.cache.infinispan.DefaultLazyLoader.get(DefaultLazyLoader.java:43) at org.keycloak.models.cache.infinispan.entities.CachedUser.getRequiredActions(CachedUser.java:111) ...

7 years, 4 months

2
2
0 / 0

group federation?

by Wyllys Ingersoll

We have a realm configured to get federated users from our Active Directory domain server. Is there a way to also get the list of federated group information for each user (i.e. include the AD groups that the AD user is a member of in the federated user information) ? thanks...

7 years, 4 months

2
2
0 / 0

NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount

by Andrew Murphy

I've installed the keycloak-wildfly-adapter-dist-4.6.0.Final.zip adapter in a clean version of WildFly Full 14.0.1.Final, running on Windows 8.1. The keycloak server is running on a separate port. When I configure the adapter subsystem (server not running) with the newer Elytron adapter using > cd bin > jboss-cli.bat --file=adapter-elytron-install-offline.cli -Dserver.config=standalone-full.xml and thereafter attempt to sign into a basic war application I get the keycloak login page, followed by an error page once credentials are posted. The server.log reports the following (abbreviated) error stacktrace 2018-11-21 20:17:37,654 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /curo-crm/: java.lang.IllegalArgumentException: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount at org.wildfly.clustering.web.infinispan.session.coarse.CoarseSessionAttributes.setAttribute(CoarseSessionAttributes.java:71) [snip] Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.adapters.elytron.ElytronAccount Now, if I configure the adapter subsystem with the legacy non-Elytron adapter on WildFly using > cd bin > jboss-cli.bat --file=adapter-install-offline.cli -Dserver.config=standalone-full.xml everything works without errors i.e. I can access the protected web app on login success. Question 1: Have I missed something in the server configuration that is causing the NotSerializableException? Question 2: The keycloak config documentation recommends the use of the newer Elytron adapter over the legacy non-Elytron adapter, but gives no reasoning. Are there drawbacks to using the legacy version? Thanks

7 years, 4 months

3
3
0 / 0

Login after registration fails when other user was logged in before

by Rainer-Harbach Marian

Hi, we encountered a problem in a special use case (Keycloak 4.5.0.Final): We'd like to display a registration button in our application even when a user (user1) is logged in. Directly calling the registration form seems to be supported according to http://lists.jboss.org/pipermail/keycloak-user/2016-August/007473.html However, the login after the registration (of user2) fails when user1 was logged in before. The problem can be reproduced by following these steps: 1. Log user1 into the account app 2. Open the registration form at https://<host>/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=account&response_type=code&scope=openid+email&redirect_uri=<url_to_account_app> 3. Register user2 4. After registration, this message is shown: "We're sorry... You are already authenticated as different user <user1> in this session. Please logout first." The message contains a link "Back to Application". However, user1 is not logged in anymore and the link "Back to Application" leads to the login form. This situation is not straightforward for a user to resolve: user1 has to log in again, then log out, and only then is user2 able to log in. The reason appears to be that opening the registration form in step 2 deletes the cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION. However, the cookie AUTH_SESSION_ID remains unchanged. To me it seems that opening the registration form should cause a new AUTH_SESSION_ID to be generated (beside KEYCLOAK_IDENTITY and KEYCLOAK_SESSION being cleared). I'd appreciate any thoughts on that! Best regards, Marian

7 years, 4 months

2
2
0 / 0

How to retrieve user ID from Keycloak to my web app

by Kunal Kumar

Before, my web app is has its own login form to authenticate users. But since I have connected my web app to Keycloak to authenticate the users now, my web app does not need to have the login form anymore, hence I need to remove it. This was roughly how I retrieved the users information before Keycloak:- if (chkLogin(getUserID(), getUserPwd())) { MaintainUser mu = new MaintainUser(); this.usrInfo = null; String[] usr = mu.validatePassword(getUserID(), getUserPwd()); } This is not the full coding, but basically I use the getUserID method to retrieve the users info and check it for authentication before. How do I perform this if I want to retrieve the user ID from the Keycloak admin console? Regards, Kunal Kumar

7 years, 4 months

2
1
0 / 0

Motivation behind the removal of client_id from "aud" in the JWT

by Cristian Schuszter

Hi! We just updated from release 4.5.0 to 4.6.0 and discovered that the "aud" field has been changed to "aud": "account", rather than the client-id of the application. After a bit of digging, we found the commit and associated pull request for the change: https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342f... Unfortunately, *KEYCLOAK-8482* issue seems to be hidden, as I couldn't find it on the Jira board. We were counting on the "client_id" being present in the audiences, as the Microsoft.NET core validators target specifically the audiences in the JWT token, with no option of targeting the "azp" field. Could anybody shed some light as to why the *client_id* was removed from the audiences? Best regards, Cristian Schuszter

7 years, 4 months

4
3
0 / 0

Temporary support for current sign-in flow

by Craig Setera

As everyone is probably painfully aware from all of my questions, we are in the midst of replacing our proprietary login flow with a Keycloak OpenID-based flow. The eventual goal is to use the standard Keycloak login pages to allow for extra factors of authentication such as Google Authenticator. One option that we've allowed until now is for customers to host custom login HTML forms (just username and password) on their sites. This is something that we are (most likely) going to remove support for in the long run, but in the short term, I think we are going to need to support this if only to allow for a transition period. The login flow is: Customer Site (HTML form) -> Login Handler (JEE Session) -> Redirect browser to SPA along with JSESSIONID All API calls use JEE sessions for "authentication". What I'm hoping to do somehow in the short term is: Customer Site (HTML form) -> Login Handler -> Keycloak -> Redirect browser to SPA with OAuth codes/tokens What is the best/correct way to do something like this? Should I be using the authorization code grant in this case? Thanks for any insights. Craig ================================= *Craig Setera* *Chief Technology Officer*

7 years, 4 months

2
1
0 / 0

LDAP role mapper loses client on client renaming

by Peemöller, Björn

Hi all, in our Keycloak installation we have connected Keycloak to an internal AD using user federation and configured a role-ldap-mapper as described in https://www.keycloak.org/docs/latest/server_admin/index.html#_ldap_mappers . We now discovered that if we rename a client, than the associated LDAP mapper loses the connection to the client, as it stores only the client name but not its internal id in the mapper configuration. Currently, we therefore need to reconfigure all associated mappers once we rename a client. Is it possible to avoid this problem (or wouldn't it be even better to store the internal UUID)? Kind regards, Björn Björn Peemöller IT & IT Operations BERENBERG Joh. Berenberg, Gossler & Co. KG Neuer Jungfernstieg 20 20354 Hamburg Telefon +49 40 350 60-8548 Telefax +49 40 350 60-900 E-Mail bjoern.peemoeller(a)berenberg.de<mailto:bjoern.peemoeller@berenberg.de> www.berenberg.de<http://www.berenberg.de/> Sitz: Hamburg - Amtsgericht Hamburg HRA 42659 Bei Berenberg hat der Schutz Ihrer Daten seit jeher höchste Priorität. Informationen zum Umgang mit personenbezogenen Daten finden Sie hier: https://www.berenberg.de/files/Rechtliche%20Hinweise/DSGVO/DSGVO-Kundenin... Diese Nachricht einschliesslich etwa beigefuegter Anhaenge ist vertraulich und kann dem Bank- und Datengeheimnis unterliegen oder sonst rechtlich geschuetzte Daten und Informationen enthalten. Wenn Sie nicht der richtige Adressat sind oder diese Nachricht irrtuemlich erhalten haben, informieren Sie bitte sofort den Absender über die Antwortfunktion. Anschliessend moechten Sie bitte diese Nachricht einschliesslich etwa beigefuegter Anhaenge unverzueglich vollstaendig loeschen. Das unerlaubte Kopieren oder Speichern dieser Nachricht und/oder der ihr etwa beigefuegten Anhaenge sowie die unbefugte Weitergabe der darin enthaltenen Daten und Informationen sind nicht gestattet. Wir weisen darauf hin, dass rechtsverbindliche Erklaerungen namens unseres Hauses grundsaetzlich der Unterschriften zweier ausreichend bevollmaechtigter Vertreter unseres Hauses beduerfen. Wir verschicken daher keine rechtsverbindlichen Erklaerungen per E-Mail an Dritte. Demgemaess nehmen wir per E-Mail auch keine rechtsverbindlichen Erklaerungen oder Auftraege von Dritten entgegen. Sollten Sie Schwierigkeiten beim Oeffnen dieser E-Mail haben, wenden Sie sich bitte an den Absender oder an info(a)berenberg.de. Please refer to https://www.berenberg.de/files/Rechtliche%20Hinweise/DSGVO/DSGVO-Kundenin... for our confidentiality notice.

7 years, 4 months

2
2
0 / 0

Data filtering in SQL

by Byrd, Rob M

I am comparing OPA authorization to Keycloak - how could I enforce Keycloak policy in the SQL closest to the data for good performance, including returning subsets of lists? OPA discusses this at https://blog.openpolicyagent.org/write-policy-in-opa-enforce-policy-in-sq.... Thanks! Rob Byrd DST Solutions Lead SS&C Technologies Inc. | 1055 Broadway, Kansas City, MO 64105 t: (816) 435-7286 | m (816) 509-0119 rmbyrd(a)dstsystems.com<mailto:rmbyrd@dstsystems.com> | www.ssctech.com<http://www.ssctech.com/> Follow us: [cid:image001.png@01D412C1.A14C5770] <https://www.linkedin.com/company/ss-c-technologies/> | [cid:image002.png@01D412C1.A14C5770] <https://twitter.com/ssctechnologies> | [cid:image003.png@01D412C1.A14C5770] <https://www.facebook.com/ssctechnologies/> Please consider the environment before printing this email and any attachments. This e-mail and any attachments are intended only for the individual or company to which it is addressed and may contain information which is privileged, confidential and prohibited from disclosure or unauthorized use under applicable law. If you are not the intended recipient of this e-mail, you are hereby notified that any use, dissemination, or copying of this e-mail or the information contained in this e-mail is strictly prohibited by the sender. If you have received this transmission in error, please return the material received to the sender and delete all copies from your system.

7 years, 4 months

4
11
0 / 0

Customize OpenID/OAuth token

by Francisco Javier Crujeiras

Hi, We're thinking on using Keycloak as our main IDP and SSO solution. At this time, we're using a "custom" IDP server based on Spring and we are investigating if we can migrate our client database to Keycloak without disturbing our users. So, we have seen that, by default, Keycloak answers a token request with a complete JWT token, like this one: { "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEWk4wX1liZUZGNFZMUVdxQ2NWMGFWd0VFbXBlUGlnX1NFaWk3dkozSGRvIn0.eyJqdGkiOiI5YTc4MTY5NC04MGUwLTQ2OTEtOGY3Yi00MzQ5MzA3ZTBkYWIiLCJleHAiOjE1NDM1NzMxMDgsIm5iZiI6MCwiaWF0IjoxNTQzNTcyODA4LCJpc3MiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJhdWQiOlsiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImFjY291bnQiXSwic3ViIjoiYzgxNzYzNjgtMGI5NS00MWFmLTgzZDUtZTk4N2Y0ZWVlYTg3IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjcyZWNiNzk4LWRiNTgtNDE2MS04ZTA5LTRhYWVkYjJlYWI4ZiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiOnsicm9sZXMiOlsidW1hX3Byb3RlY3Rpb24iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE3Mi4xOC4wLjEiLCJjbGllbnRJZCI6Imh0dCtxMklHWUJBRzhwZEwxeGxxeDNMcWtXbXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtciIsImNsaWVudEFkZHJlc3MiOiIxNzIuMTguMC4xIiwiZW1haWwiOiJzZXJ2aWNlLWFjY291bnQtaHR0K3EyaWd5YmFnOHBkbDF4bHF4M2xxa3dtckBwbGFjZWhvbGRlci5vcmcifQ.BgF6v7VQGO4vH4Z0VLFZmiO1CARpaoE1V7MjaNIJB85QORfk3L431VFQr3WJdT5ZBeC0Q5mB5LB7f9gLAd2lso4P9AegYAi8PmjJRvI-oL59Qe0PfDn8fjfZdaC8i3K0ZrZNDS9ivTdqL-8Gvq2C1l8x4tZaSxw1Yu8hxrWEfgOfATdn9XL5cbYXWRkm6AoJkVFVd300fPr0k6f67Jb4WOJP72692g8QRTWkqCrZyz0DrJxgg7fSX6M_0bxOa-JOidmGuJIwScciT1b5IVvvcQi3hx4UMwRQFunq1j2T7iRCT_LB99oP480KtoSXyCUS3dDzj6wCp4BEHb5K792isg" , "expires_in": 300, "refresh_expires_in": 1800, "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhNmQzZTgzZi1iZGUxLTQ3YjgtYmQ4Yy1hMjVhNDdjMmExZTYifQ.eyJqdGkiOiJmZWZhNTRjZS1hMjA0LTQ2NjAtODNkMC1kNDE0OWQwOTU0YWMiLCJleHAiOjE1NDM1NzQ2MDgsIm5iZiI6MCwiaWF0IjoxNTQzNTcyODA4LCJpc3MiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJhdWQiOiJodHRwOi8vMTcyLjE4LjAuMzo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QtcmVhbG0iLCJzdWIiOiJjODE3NjM2OC0wYjk1LTQxYWYtODNkNS1lOTg3ZjRlZWVhODciLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6IjcyZWNiNzk4LWRiNTgtNDE2MS04ZTA5LTRhYWVkYjJlYWI4ZiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiaHR0K3EySUdZQkFHOHBkTDF4bHF4M0xxa1dtciI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIn0.WTW9TwMnx4DSzRlLkDj_uXgabFAAUD4wDB5D084GMdY" , "token_type": "bearer", "not-before-policy": 0, "session_state": "72ecb798-db58-4161-8e09-4aaedb2eab8f", "scope": "profile email" } But, we'd like to send a "non-JWT" token, like this one: { "access_token": "laskddjfnasdf7-fas45nfdsa-56kr-8uy7-fasd87fyasdf", "token_type": "bearer", "expires_in": 3600, "scope": "scope-1 scope-2 scope-n" } We're not very experienced in Keycloak and we do not know if this is even possible, but any help will make us very happy. Thanks in advance! Regards,

7 years, 4 months

3
3
0 / 0

Keycloak user sessions persistence

by marco.scheuermann＠daimler.com

Hello Community, after redeployment of keycloak we mentioned that all existing session are gone. Is there any way to persist the session, so that the also exist after server restart or redeployment? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

7 years, 4 months

2
1
0 / 0

User session creation

by Erlend Hamnaberg

Hello all. This is a bit hard to explain. I have created a IDP which uses CAS ( Central Authentication Service) as its backend. Our KC instance is again used by a clients KC instance. They have chosen to disable their persistent cookie handling, and thereby our by passing "prompt=login" to the login request. We are passing on the prompt=login by passing on renew=true to CAS. We get a token back, and verify that. However; Since the user session is not refreshed by the cookie handling, it seems like we are then timing out intermittently. Is there a problem with creating/refreshing the user session in the authenticationFinished Method in the gist below? https://gist.github.com/hamnis/547c550a532be7e8235aa653725b2ba2 Thanks. /Erlend

7 years, 4 months

1
2
0 / 0

Send welcome mail after successful registration

by Andreas Lau

Hey, i'd like keycloak to send a welcome mail after the user has successfully registered and verified his email. Currently I don't know how to do it. I found jira [1] feature request proposing a extension to support welcome email by configuration (I think). In the comments someone suggested to use SMTP provider and EventListener. The next comment has a Link [3] to a EventListener sample but I can not figure out what I have to do. I think they suggested the follwing workflow: 1. registration finished 2. listener invokes - how to tell Listener to listen on the registration event (how is the event named) 3. SMTP provider sends a email Hope someone is able to help me out. Andreas [1] https://issues.jboss.org/browse/KEYCLOAK-1835 [2] https://github.com/keycloak/keycloak/tree/master/examples/providers/event...

7 years, 4 months

2
2
0 / 0

Issue with CORS on Keycloak

by Joao Paulo Ramos

Hi guys, Sorry if it's not the correct place to make this question (please guide me to the correct place). I'm facing some problems with CORS when using rh-sso 7.1. I'm using the following environment: - JBoss EAP 7.1 with Resteasy in the backend -> localhost:8080/accountmovement/api - ReactJS in the frontend -> localhost:3000 - RH-SSO -> localhost:8180 The JBoss EAP is using the Wildfly/EAP Adapter from Red Hat, with the configurations made on the standalone.xml file as a subsystem: <subsystem xmlns="urn:jboss:domain:keycloak:1.1"> <secure-deployment name="accountmovement.war"> <realm>demo</realm> <resource>accountmovement-backend</resource> <use-resource-role-mappings>true</use-resource-role-mappings> <public-client>true</public-client> <auth-server-url>http://localhost:8180/auth </auth-server-url> <ssl-required>EXTERNAL</ssl-required> <enable-cors>true</enable-cors> </secure-deployment> </subsystem> I Already enabled the Web Origins to " * " in the RH-SSO Admin console for both of the clients I'm using. The error I receive is the following: "" Failed to load http://localhost:8080/accountmovement/api/accounts?_=1543522008489: Redirect from ' http://localhost:8080/accountmovement/api/accounts?_=1543522008489' to ' http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth?respo...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. "" Do you have any idea for what can I do? If you need more information just let me know! Thank you, JOÃO PAULO RAMOS BUSINESS FINANCE - DATA SCIENCE INTERN Red Hat Brasil jramos(a)redhat.com M: +55-11-96505-6159 <https://red.ht/sig>

7 years, 4 months

1
0
0 / 0

Access to security-admin-console via SSL is prohibited?

by dominic.michel01＠realdigital.de

Hi. I've just deployed a keycloak which is only reachable via a haproxy that enforces SSL. Now i'm trying to log into the security-admin-console via https://myserver.com/auth/admin/ which is redirecting me to https://mysever.com/auth/realms/master/protocol/openid-connect/auth?clien... But this request ends in status 400 with the response "Invalid parameter: redirect_uri" On a test environment without SSL it's actually working fine with an absolute uri using http. But here i cannot use http. The haproxy prevents it completely. I tried changing the redirect_uri param to a relative one (redirect_uri=%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F) but then keycloak responds with a non-SSL redirect to the base URL (http://myserver.com/auth/admin/master/console/) which leaves my with an error in the browser because haproxy changes the call to https, but some content seems to be still embeded using http --- Content Security Policy: The page’s settings blocked the loading of a resource at http://myserver.com/auth/realms/master/protocol/openid-connect/login-stat... (“frame-src”). --- So it looks like i'm effectively locked out. Based on my current situation i have three questions. 1. Why does keycloak respond with http redirects even though the issuing call (https://myserver.com/auth/realms/master/protocol/openid-connect/auth...) was using https and how can this be changed? 2. Given that the default redirect uri pattern for the security-admin-console is "/auth/admin/master/console/*", why is https://myserver.com/auth/admin/master/console not considered a valid redirect_uri but http://myserver.com/auth/admin/master/console is? 3. Does anybody know what to change now (via admin cli i guess) to get access to the UI? Thanks for your help. Kind regards, Dominic real,- Digital Services GmbH, Sitz: Duesseldorf Amtsgericht Duesseldorf, HRB 75643 Geschaeftsfuehrer: Dr. Gerald Schoenbucher, Mehmet Toezge Die in dieser E-Mail enthaltenen Nachrichten und Anhaenge sind ausschliesslich fuer den bezeichneten Adressaten bestimmt. Sie koennen rechtlich geschuetzte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfaenger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfaeltigung oder Weitergabe der Nachrichten und Anhaenge untersagt. Falls Sie diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte unverzueglich den Absender und vernichten Sie die E-Mail.

7 years, 4 months

2
3
0 / 0

WG: Using keycloak for SAML integration. confused by documentation. login loop

by Manuel Waltschek

Hello, I am resending this, since I needed to confirm my subscription to this mailing list first and I got the "not allowed" message when I sent it fort he first time. Regards, Manuel Waltschek Von: Manuel Waltschek Gesendet: Donnerstag, 29. November 2018 18:27 An: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org> Betreff: Using keycloak for SAML integration. confused by documentation. login loop Hello there, I'm sorry to bother you since this might have been asked quite a lot, but I am not able to configure my application as a SAML service provider to authenticate against an external IdP like https://samltest.id/saml/idp . I tried to use keycloak server as an identity broker but ran into different issues. I tried to follow instructions of this documentation: https://www.keycloak.org/docs/latest/securing_apps/index.html If you want details on my configuration you can check out https://stackoverflow.com/questions/53487692/keycloak-saml-as-identity-br... but some aspects might have changed, since I tried an alternative. Alternatively I tried to configure the Wildfly 10 system/application to use the external IdP directly, which kind of works. At least I am able to authenticate at the IdPs Website when I try to access a protected resource of my application, but when I get redirected to application-name/saml (which is my defined endpoint since it is described like this in the documentation. I do not understand how this should even work) I do not know how to access the assertion / the SAMLprincipal at this stage and if I register a ServletFilter in web.xml with an URL-pattern of /saml/* or /saml it won't trigger. Also I do not know if this is even how it should work out, since I don't get how the keycloak server even fits into the equation, since it is not called or anything when SP communicates automatically with the external IdP. Also why does the KeycloakLoginModule never get called? What is it for? And how does the assertion actually get processed? I cannot find any reference on these topics. I am getting really frustrated about this since the documentation is unclear (for me) about SAML and the use case I described and there are really no answers on public websites. I will be really happy if anyone could help me solve this issue. Do not hesitate to ask for more information/details. Thank you in advance, [relaunch]<https://www.prisma-solutions.com/> Unsere Website erstrahlt im neuen Glanz und ganz im Corporate und selbstverständlich Responsive Design. Wenn Sie wissen wollen, wie wir Verkehrsmanagement digital unterstützen, wie Städte eine vielfältige Fahrradkultur etablieren können, wo automatisierte Kleinbusse uns in Zukunft hinbringen werden oder wie die Lebenszykluskosten von Straßeninfrastruktur evaluiert und optimiert werden, dann schauen Sie doch auf https://www.prisma-solutions.com vorbei! [Logo] Manuel Waltschek BSc. +43 660 86655 47<tel:+436608665547> manuel.waltschek(a)prisma-solutions.at<mailto:manuel.waltschek@prisma-solutions.at> https://www.prisma-solutions.com PRISMA solutions EDV-Dienstleistungen GmbH Klostergasse 18, 2340 Mödling, Austria Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt

7 years, 4 months

1
0
0 / 0

back channel logout in case of keycloak adapter sitting behind reverse proxy.

by Madhu

Hi, I am exploring on how to implement back channel logouts/ sso logout properly and have a question in this regard. I have a set of applications (say App1, App2, App3) which are integreated with keycloak through servelet adapter (keycloak-servlet-adapters and keycloak-spring-boot2-adapters).. Each of this application for HA/scalablity resons sit behind their own reverse proxies.. So typically there will be multiple instance of each application App1-Node1, App1-Node2.. App1-Node'n' , like wise App2-Node1,App2-Node2,App2-Node'n'.. and so on for each of the Apps. When a user u1,logs on to App1 and App2 an SSO session is establised in keycloak, and in the user sessions i see that user has connected to clients App1 and App2 ( app1 and app2 are clients in keycloak realm).. When user logged on App1-Node1 took the request, and for App2, App2-Node2 took the request.. On the keycloak side, the admin urls are configured with the Reverse proxy url of the each Apps ( same as the valid rediect and base url). When a SSO logout happens, how can i ensure that the keycloak server sends the SSO logout signal (k_logout) to the correct node? Will keycloak preserve the headers which came at the time of orignial login request and use them while sending admin requests as well ? ( so that the reverse proxy could dispatch the request to correct node, assuming that the application is configured to be sticky).. Regards,Madhu

7 years, 4 months

1
0
0 / 0

Re: [keycloak-user] permanent configuration for Keycloak

by Bruno Oliveira

features Reply-To: In-Reply-To: <CADNp1BaSBngh+DecKghGjT5_FUnD3CeaKtZSyxq7CG5ZY9Yqsw(a)mail.gmail.com> Hi Max, if the documentation lacks of more information. Please, do not hesitate to create a Jira mentioned which part is missing. That helps us to improve the docs. Indeed, the profile.properties file is the best place to put the permanent configuration. For that, just create a file inside $KEYCLOAK_SERVER/standalone/configuration called profile.properties, with the following content: feature.scripts=enabled I created the following Jira to track this: https://issues.jboss.org/browse/KEYCLOAK-8979 On 2018-11-29, Max Allan wrote: > As I start my keycloak with systemd, (following the wildfly setup > instructions). Rather than logging in and running standalone.sh all the > time, can you give more details about where to add this config to make it > permanent and upgrade resistant? > > Would you recommend adding JAVA_OPTS to wildfly.conf? > JAVA_OPTS=-Dkeycloak.profile.feature.scripts=enabled > OR the documentation mentions a file called "profile.properties" without > giving any idea where it can be found. That sounds ideal, if only it was > clearer how to use it. Much cleaner than this -D on startup command line > mess that was created. > > Also, I've added to KEYCLOAK-8872 that the other documentation needs fixing > : > https://www.keycloak.org/docs/latest/server_installation/index.html#profiles > States that "scripts" is called "script" and that it is enabled by default. > And the profile.properties file is mentioned without a location. > > > Max -- abstractj

7 years, 4 months

1
0
0 / 0

Default configuration of master realm

by Mike Wakim

Hello, When the Keycloak server is started for the very first time, it automatically creates a master realm with default configurations. Is it possible to customize some of these default configurations during / prior to the initial deployment? For example, I want to change the master realm such that each time a keycloak server gets deployed, the master realm by default has some password policies (e.g. password expiry enabled). I know that I can override the master realm with a JSON that has the configurations that I need using -Dkeycloak.migration.file=master-realm.json and -Dkeycloak.migration.strategy=OVERWRITE_EXISTING, but I'd like to avoid the overwrite and have the custom configurations applied upon the initial creation of the master realm if possible. Does anyone have any thoughts on this? Thanks! Mike

7 years, 4 months

1
0
0 / 0

(no subject)

by Max Allan

Hi, I just installed 4.6.0-Final and started to configure a new site. I cannot see the "Script" authentication execution type in the drop down menu. I compared it with 4.5 and can see where it should be. They're still in the documentation : https://www.keycloak.org/docs/latest/server_admin/index.html#executions Is there some new/different config required to make them work now? I read the upgrade notes, even thought this is a new deployment. I found some references to JavaScipt. Not a language I have heard of before. https://www.keycloak.org/docs/latest/upgrading/index.html#javascipt-adapt... I wonder if it is similar to JavaScript.. But no mention of script authentication executions. Any ideas? Thanks, Max

7 years, 4 months

3
3
0 / 0

krbLastPwdChange - can we use this attribute

by Callum Smith

Dear Keycloakers, I was wondering, if Keycloak can accept the pwdLastSet from MSAD, why can it not use krbLastPwdChange from FreeIPA to allow for better integration of password resets? Surely this is possible and potentially even trivial to implement? Regards, Callum -- Callum Smith Research Computing Core Wellcome Trust Centre for Human Genetics University of Oxford e. callum(a)well.ox.ac.uk<mailto:callum@well.ox.ac.uk>

7 years, 4 months

2
3
0 / 0

Internet facing Keycloak, security best practices ?

by Mathieu Poussin

Hello. Is there any king of best practices on how to deploy and secure an internet facing Keycloak instance ? So far I've been doing some filtering on my reverse proxy : - Limit /auth/admin to trusted IP - Block = /auth (The default auth page) But I suppose there are maby other things that can be done ? I could not find any official documentation. Thanks.

7 years, 4 months

1
0
0 / 0

Issue in client admin- management

by Dhara Basida

Hey, I have created realm admin through which I created client and assigned client admin to one user.Now I logged in the system through that client admin but I am unable to manage that client. I had referred the below link for managing this client admin, https://www.keycloak.org/docs/latest/server_admin/index.html#_admin_permi... As seen in the snap shot, when I click on any horizontal tab,I am getting a page with message Forbidden. Please provide the steps through which I can manage the roles and permission for users through client admin login. Thanks and Regards, Dhara Basida

7 years, 4 months

1
0
0 / 0

Feature request : Support having large number of clients (KEYCLOAK-8275)

by Andrea Pasqualini

Actually keycloak lacks support for large number of clients (over 10K) Keycloak Version 3.4.6 keeps all clients in memory and reloads them all (one by one) each time a client is added or deleted, this behavior causes performance and deadlock issues (https://issues.jboss.org/browse/KEYCLOAK-3210). In the following use cases : .Mobile application instances dynamically registering themselves to get installation-specific credentials .Clients registering with the OAuth server from a developer portal or API management system Support for large number of clients is not an option If you are interested vote for this feature here https://issues.jboss.org/browse/KEYCLOAK-8275 Regards Andrea Pasqualini

7 years, 4 months

1
0
0 / 0

Issues when modifying account.ftl

by So Be

Hi, I added some attributes to registration page by following this link https://www.keycloak.org/docs/latest/server_development/index.html#modify... but I got this error: Caused by: freemarker.core.ParseException: Syntax error in template "account.ftl" in line 54, column 171: 11/28/2018 10:22:28 AMUsing ?html (legacy escaping) is not allowed when auto-escaping is on with a markup output format (HTML), to avoid double-escaping mistakes. 11/28/2018 10:22:28 AM at freemarker.core.FMParser.BuiltIn(FMParser.java:1188) .... Best, Sofiane.

7 years, 4 months

2
1
0 / 0

http connection/session timeout

by Phillip Fleischer

Hi, We use new relic APM to monitor keycloak and seems that on occasion there will be transactions running for ~30min which seems to be exceptionally long. We already lowered our database transaction timeouts, but thinking we should also add/change the wildly servlet timeout timeout from the default of 30 minutes. <servlet-container name="default" default-session-timeout="1"> <jsp-config/> <websockets/> </servlet-container> I can’t see this being related to any of the “keycloak session” timeouts, just wondering if anyone would know if this is a terrible idea?? — Phil

7 years, 4 months

1
1
0 / 0

Auto refresh ADFS federation metadata.xml?

by Rens Verhage

Hi all, Can Keycloak automatically detect changes in metadata of SAML providers by polling the metadata URL? I’m asking because our clients regularly change their certificates and it would be nice not having to update them manually every time :) Rens

7 years, 4 months

1
0
0 / 0

Failed to replace entity

by Nicolas Ocquidant

Hi I am currently testing KC and I get WARN messages in my console when I try to refresh tokens. 11:42:54,245 WARN [org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction] (default task-1) Failed to replace entity '9c206d08-8542-4385-ad97-61ae61ee4e00' in cache 'sessions' Steps to reproduce : - start KC 4.6.0.Final - populate KC using the admin web console : realm=SpringBootKeycloak, client=login-app, role=user, user=user1/user1(role user) - use curl to login user1 : tmp=$(curl -s -d "grant_type=password&client_id=login-app&username=user1&password=user1" -X POST -H "Content-Type: application/x-www-form-urlencoded" http://localhost:8180/auth/realms/SpringBootKeycloak/protocol/openid-conn...) && refresh_token1=$(echo "$tmp" | jq -r '.refresh_token') && echo "$tmp" | jq . - use curl to refresh tokens of user1 : curl -s -d "grant_type=refresh_token&client_id=login-app&refresh_token=$refresh_token1" -X POST -H "Content-Type: application/x-www-form-urlencoded" http://localhost:8180/auth/realms/SpringBootKeycloak/protocol/openid-conn... | jq . My config is as follow : <distributed-cache name="sessions" owners="2" statistics-enabled="true" remote-timeout="600000"> <state-transfer timeout="36000000"/> <binary-memory eviction-type="COUNT" size="30000"/> <expiration lifespan="86400000" interval="120000"/> <jdbc-store data-source="InfinispanDS" dialect="POSTGRES" fetch-state="true" passivation="true" preload="false" purge="false" shared="false" singleton="false"> <table prefix="ISPN_mbd_node1"> <id-column name="ID_COLUMN" type="VARCHAR(255)"/> <data-column name="DATA_COLUMN" type="BYTEA"/> <timestamp-column name="TIMESTAMP_COLUMN" type="BIGINT"/> </table> </jdbc-store> </distributed-cache> Shall I fill a Jira? Thanks, --nick

7 years, 4 months

1
0
0 / 0

(no subject)

by Kunal Kumar

Hi all, I am connecting 5 of my web apps to Keycloak for authentication. I already know that we can change the theme of the Keycloak login page. But what I am curious about is if the themes for the Keycloak login page could be slightly different for each of the web app accessed. Is mapping the theme to the particular redirect_uri of the web app possible? For example, if a user wants to enter website A he will be redirected to Keycloak of course, but with a redirect_uri of website A, but using that redirect_uri value, determining the correct theme to be displayed during the login. Is this plausible or just pure fantasy, would like to know your thoughts on this guys. Regards, Kunal Kumar

7 years, 4 months

1
0
0 / 0

keycloak and nginx

by Dimitris Charlaftis

Hello, I am trying to connect keycloak with an nginx reverse proxy. The nginx server will receive calls from protected sites , each configured per virtual host and send the request to keycloak for authorization. When nginx receives OK from keycloak it proxies back the authenticated call to client. Correct? I assume I have to create a realm for that nginx and a client for each of these sites. Can you provide some configuration for the nginx server? Regards, Dimitris. -- _____________________________ Dimitris Charlaftis Software Engineer National Documentation Center email: dharlaftis(a)ekt.gr _____________________________

7 years, 4 months

1
0
0 / 0

Clustering + SAML = No backchannel logout. Why?

by Chris Brandhorst

Hi, We can all see the following warning in the description of the Java Servlet Filter Adapter: Backchannel logout does not currently work when you have a clustered application that uses the SAML filter. We are unable to find or guess what the reasons behind these are, so my question is: why? Could someone explain the details as to why this is the case? And on which side (KC or the SAML filter) side things go wrong? Thanks, Chris

7 years, 4 months

1
0
0 / 0

Host Fixed provider

by Abdulaziz AlMalki

Hi, The documentation says that: "It is also possible to override the hostname for a specific realm through the configuration of the realm in the admin console." https://www.keycloak.org/docs/latest/server_admin/index.html#fixed-provider However, I cannot find any setting to override host name in the realm configuration. Am I missing anything? Is it really implemented? Thanks..

7 years, 4 months

2
2
0 / 0

Keycloak event-listener-sysout example not working , v4.6.0.Final

by abhilashreddy abhi

Hello, I am using 4.6.0.Final keycloak version and trying out event-sysout example ( https://github.com/keycloak/keycloak/tree/master/examples/providers/event...) ,but i am unable to make it work and getting following errors 1) I have created a spring boot application with following classes --Application.class (Contains Main method) --SysoutEventListenerProvider ---SysoutEventListenerProviderFactory I have placed org.keycloak.events.EventListenerProviderFactory file in src/main/resources/META-INF/services which points to my SysoutEventListenerProviderFactory. Did a maven clean install and took the jar from target folder and tried placing it any one of standalone/deployments folder , Keycloak_Home/providers folder and also created as a module as per instructions in documentation but all of the above methods throws the following error. Caused by: java.util.ServiceConfigurationError: org.keycloak.events.EventListenerProviderFactory: Provider com.example.demo.springboot.SysoutEventListenerProviderFactory not found at java.util.ServiceLoader.fail(Unknown Source) at java.util.ServiceLoader.access$300(Unknown Source) at java.util.ServiceLoader$LazyIterator.nextService(Unknown Source) at java.util.ServiceLoader$LazyIterator.next(Unknown Source) at java.util.ServiceLoader$1.next(Unknown Source) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60) at org.keycloak.provider.ProviderManager.load(ProviderManager.java:92) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:214) at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:80) at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:331) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:118) 2) This time, I have removed Application.class and exported the jar using export->jar in eclipse and tried placing it in deployment folder or providers or as a module and the application starts but throws the following log. ERROR [org.keycloak.events.EventBuilder] (default task-1) Event listener 'sysout' registered, but provider not found Can someone please help me with what I am missing? Thanks Abhilash

7 years, 4 months

2
1
0 / 0

Custom verification mail with image

by Luka Odak

Hy, I'm trying to customize email which is sent on executeActionsEmail("VERIFY_EMAIL") In folder themes I created following structure mytheme email html messages text resources img css theme.properties and populated it with necessary files. When in messages_en.properties I set <img src=" ${url.resourcesPath}/img/ logo.jpg"> delivered mail is not stylized, but just plain text without image. I tried to move resources directory through structure but without success. Also I've tried to hardcode path to the image. That way I receive stylized email but without image. What am I doing wrong? Thanks. With best regards ------------------------------------------------------------- Luka Odak Software Developer

7 years, 4 months

2
1
0 / 0

Simple server OAuth client?

by Craig Setera

I have a need to do a service-level account connection between two servers. I believe that the client credentials grant and Keycloak service accounts are the proper way to handle this. What I'm wondering is if there is a simple to use OAuth authentication client built into the Keycloak code that can be used for this purpose? In particular, something that manages refresh token and such. It appears like a lot of the logic of interest is available in RefreshableKeycloakSecurityContext, however I'm not sure if this is really meant to be consumed as a generic OAuth client library? Thanks, Craig ================================= *Craig Setera* *Chief Technology Officer*

7 years, 4 months

2
2
0 / 0

Issue to keycloak client access

by Dhara Basida

Hey, Greetings! I am currently working on managing client in keycloak. I had set up proper roles and permission and added policy as required.I had created the client admin by following the steps given in the keycloak document , but I am unable to get access to client page. Any help would be appreciable. Thanks and Regards, Dhara Basida

7 years, 4 months

2
1
0 / 0

Issue in keycloak

by Dhara Basida

Hey, I had installed keycloak version 4.6.0. I am unable to find Client Permissions Tab as mentioned in your doc for managing single client.It would be a great appreciation to your help in advance. Thanks and Regards, Dhara Basida

7 years, 4 months

2
1
0 / 0

Re: [keycloak-user] [EXTERNAL] Re: Keycloak Admin Realm is not upgraded on Keycloak upgrade from v3.0 to v4.5

by Deepti Tyagi

Re-Sending email, received another email of rejection. Looks like its bounced back. Thanks, Deepti ________________________________ From: Deepti Tyagi Sent: Monday, November 26, 2018 12:19 AM To: Dmitry Telegin Cc: Sachin Gandhi; Shankar Bhaskaran Subject: RE: [EXTERNAL] Re: [keycloak-user] Keycloak Admin Realm is not upgraded on Keycloak upgrade from v3.0 to v4.5 Great Thanks Dmitri for your kind support. Yes, you are right. On changing back to default keycloak theme, it worked. :) I had left it to do later, didn't realize that it could be the reason. Thank You once Again, Deepti ________________________________ From: Dmitry Telegin [dt(a)acutus.pro] Sent: Friday, November 23, 2018 9:35 AM To: Deepti Tyagi Cc: Sachin Gandhi; Shankar Bhaskaran Subject: Re: [EXTERNAL] Re: [keycloak-user] Keycloak Admin Realm is not upgraded on Keycloak upgrade from v3.0 to v4.5 External Sender: Use caution with links/attachments. Deepti, Didn't you forget to migrate your themes? Your realm references a custom "darktheme", so you should either migrate it too or disable in the database (set REALM.LOGIN_THEME to "keycloak" or NULL). Having done the latter, I was able to login again with Keycloak 4.5.0. Also it seems that we've found a regression. In the case of nonexistent theme, Keycloak 3.0.0 prints and error falls back to the built-in one, while Keycloak 4.5.0 throws an exception. Let me know if it works and if I can reply to the ML, so that others could benefit from the answer too. Good luck, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro<mailto:info@acutus.pro> On Fri, 2018-11-23 at 09:06 +0000, Deepti Tyagi wrote: Thanks Dmitry for the prompt reply. It took some time to prepare an standalone reproducible example as you have asked for. Attached the same. Please follow steps mentioned below. Standalone.xmls, a sample war and non-master realm are attached. I have used postgres DB and its jboss module, though H2 DB should also be fine. Here you go. 1. Download Keycloak v3.0.0 2. Replace attached standalone.xml 3. Start the server in standalone mode. 4. Access Keycloak on localhost:8880. And upload attached non_master_realm.json 5. Download Wildfly v10.1 6. Install Keycloak adapters. (Keycloak v4.5 adapters also worked fine for me.) 7. Use attached standalone.xml and temp-console.war. 8. Start the server. War should be deployed. 9. Access url (http://localhost:8080/temp-console). It<https://urldefense.proofpoint.com/v2/url?u=http-3A__localhost-3A8080_temp...> should load a login page. 10. Stop Keycloak server. 11. Download Keycloak v4.5 12. Copy standalone, domain folders from old keycloak. 13. Execute below migration scripts. jboss-cli.sh<https://urldefense.proofpoint.com/v2/url?u=http-3A__jboss-2Dcli.sh&d=DwQF...> --file=migrate-standalone.cli jboss-cli.sh<https://urldefense.proofpoint.com/v2/url?u=http-3A__jboss-2Dcli.sh&d=DwQF...> --file=migrate-standalone-ha.cli jboss-cli.sh<https://urldefense.proofpoint.com/v2/url?u=http-3A__jboss-2Dcli.sh&d=DwQF...> --file=migrate-domain-clustered.cli jboss-cli.sh<https://urldefense.proofpoint.com/v2/url?u=http-3A__jboss-2Dcli.sh&d=DwQF...> --file=migrate-domain-standalone.cli 14. Start keycloak server and access on localhost:8880 15. Restart Wildfly server. 16. Access Wildfly Server Url (http://localhost:8080/temp-console<https://urldefense.proofpoint.com/v2/url?u=http-3A__localhost-3A8080_temp...>). It should reproduce the issue. 17. Check Keycloak v4.5 server.log Please find below answers to your questions. On terminology: by "custom admin realm", do you mean simply a non-master realm in Keycloak that you've created yourself? [D]: Yes On upgrade process: normally, you don't need to export/import realm data during upgrades, since schema+data migration will be performed by Keycloak itself (it uses Liquibase under the hood). You only migrate your .xml configs, and then simply run the new Keycloak version with the same database connection. Did you try this? [D]: Yes. Exactly, same I have been doing. Thanks, Deepti ________________________________ From: Dmitry Telegin [dt(a)acutus.pro] Sent: Wednesday, November 21, 2018 9:34 AM To: Deepti Tyagi Subject: [EXTERNAL] Re: [keycloak-user] Keycloak Admin Realm is not upgraded on Keycloak upgrade from v3.0 to v4.5 External Sender: Use caution with links/attachments. Hi again Deepti, Just FYI, our company provides a free-of-charge community support on a volunteer basis, but we generally can't afford to spend more than 1-2h per day on that. For this all to be fruitful, I'd expect your active participation like preparing the reproducible example (see my reply to the ML). Good luck :) Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro<mailto:info@acutus.pro> On Wed, 2018-11-21 at 07:28 +0000, Deepti Tyagi wrote: Hi Team, I am working on upgrading our in-house Keycloak Server from v3.0 to v4.5. Facing issue on trying to re-use old custom admin realm. Is there any way we can re-use the old admin realm or preserve at least users? We have another Wildfly 10 application that use Keycloak v3.0 for authentication purpose using a custom admin realm (custom-realm.json) that have multiple clients, roles, users and protocol mappers. While upgrading keycloak, I had run migration scripts to upgrade standalone, domain.xmls. Postgres DB also gets upgraded and able to login to Keycloak using the same admin user in v3.0. Though, our Wildfly 10 application isn't able to authenticate with keycloak using that old custom-realm (with new jboss adapters even). I had to re-create a new custom admin realm, created same clients, roles, users to make it work. And had to trash old realm that deleted all users also. I also tried multiple workarounds like; 1. Created a new custom-realm on v4.5 and compared with v3.0 on keycloak UI, no visible difference. 2. Partially re-imported new custom realm having same clients and roles. No help. 3. Trashed old realm and imported new custom realm, then tried partially importing old custom realm users. Its not allowed. (KC-SERVICES0037: Error creating user: java.lang.RuntimeException: Unable to find client role mappings for client: ds-data) With the 3rd attempt, I can see at least keycloak login page on our wildfly 10 application but can not login till I create admin user manually. With 1st and 2nd attempt, I do not even see keycloak login page on our wildfly 10 application and below exception is thrown in keycloak server.log. 2018-11-20 23:56:30,691 WARN [org.keycloak.events<https://urldefense.proofpoint.com/v2/url?u=http-3A__org.keycloak.events&d...>] (default task-2) type=LOGIN_ERROR, realmId=DecisionSpace_Integration_Server, clientId=dsis-console, userId=null, ipAddress=127.0.0.1<https://urldefense.proofpoint.com/v2/url?u=http-3A__127.0.0.1&d=DwQFaQ&c=...>, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=http://localhost:8080/dsdataserver-console/<https://urldefense.proofpoint.com/v2/url?u=http-3A__localhost-3A8080_dsda...>, code_id=a50ff093-64b8-43d2-a353-2a3ec1346297, response_mode=query 2018-11-20 23:56:30,692 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: java.lang.NullPointerException at org.keycloak.theme.ExtendingThemeManager.loadTheme(ExtendingThemeManager.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ExtendingThemeManager...>:117) at org.keycloak.theme.ExtendingThemeManager.getTheme(ExtendingThemeManager.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ExtendingThemeManager...>:95) at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__DefaultThemeManager.j...>:26) at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__DefaultThemeManager.j...>:21) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.getTheme(FreeMarkerLoginFormsProvider.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__FreeMarkerLoginFormsP...>:267) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__FreeMarkerLoginFormsP...>:160) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createErrorPage(FreeMarkerLoginFormsProvider.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__FreeMarkerLoginFormsP...>:506) at org.keycloak.services.ErrorPage.error(ErrorPage.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ErrorPage.java&d=DwQF...>:31) at org.keycloak.authentication.AuthenticationProcessor.handleBrowserException(AuthenticationProcessor.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AuthenticationProcess...>:728) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AuthorizationEndpoint...>:143) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AuthorizationEndpoint...>:409) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AuthorizationEndpoint...>:152) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AuthorizationEndpoint...>:108) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__NativeMethodAccessorI...>:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__DelegatingMethodAcces...>:43) at java.lang.reflect.Method.invoke(Method.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__Method.java&d=DwQFaQ&...>:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__MethodInjectorImpl.ja...>:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceMethodInvoker...>:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceMethodInvoker...>:401) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceMethodInvoker...>:365) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__PreMatchContainerRequ...>:361) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceMethodInvoker...>:367) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceMethodInvoker...>:339) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceLocatorInvoke...>:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceLocatorInvoke...>:106) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceLocatorInvoke...>:132) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ResourceLocatorInvoke...>:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SynchronousDispatcher...>:441) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SynchronousDispatcher...>:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SynchronousDispatcher...>:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__PreMatchContainerRequ...>:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SynchronousDispatcher...>:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SynchronousDispatcher...>:217) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletContainerDispa...>:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__HttpServletDispatcher...>:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__HttpServletDispatcher...>:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__HttpServlet.java&d=Dw...>:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletHandler.java&d...>:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__FilterHandler.java&d=...>:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__KeycloakSessionServle...>:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ManagedFilter.java&d=...>:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__FilterHandler.java&d=...>:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__FilterHandler.java&d=...>:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletSecurityRoleHa...>:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletChain.java&d=D...>:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletDispatchingHan...>:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SecurityContextAssoci...>:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__PredicateHandler.java...>:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SSLInformationAssocia...>:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletAuthentication...>:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__PredicateHandler.java...>:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AbstractConfidentiali...>:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletConfidentialit...>:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AuthenticationMechani...>:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__CachedAuthenticatedSe...>:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__NotificationReceiverH...>:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__AbstractSecurityConte...>:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__PredicateHandler.java...>:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__JACCContextIdHandler....>:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__PredicateHandler.java...>:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__GlobalRequestControll...>:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__PredicateHandler.java...>:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletInitialHandler...>:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletInitialHandler...>:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletInitialHandler...>:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletInitialHandler...>:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletRequestContext...>:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ContextClassLoaderSet...>:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__SecurityContextThread...>:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__UndertowDeploymentInf...>:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__UndertowDeploymentInf...>:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__UndertowDeploymentInf...>:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__UndertowDeploymentInf...>:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletInitialHandler...>:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletInitialHandler...>:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ServletInitialHandler...>:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__Connectors.java&d=DwQ...>:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__HttpServerExchange.ja...>:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__ContextClassLoaderSav...>:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__EnhancedQueueExecutor...>:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__EnhancedQueueExecutor...>:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__EnhancedQueueExecutor...>:1378) at java.lang.Thread.run(Thread.java<https://urldefense.proofpoint.com/v2/url?u=http-3A__Thread.java&d=DwQFaQ&...>:748) Thanks, Deepti ---------------------------------------------------------------------- This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> https://lists.jboss.org/mailman/listinfo/keycloak-user<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mail...>

7 years, 4 months

1
0
0 / 0

Admin console permissions vs. UMA Policies

by Lamina, Marco

Hi, I am unsure if my understanding of Keycloaks permission evaluation engine is flawed, or if there’s a bug in the system. I have a resource that is protected by multiple permissions. What is the expected behavior if one permission decides to DENY and another decides to PERMIT? I would expect that the overall decision would be PERMIT. However, I can create both scenarios – overall decision PERMIT / DENY – depending on which permissions I set (see screenshots for details). I wasn’t able to find a detailed explanation in the docs, so I would be grateful for some clarity. Thanks, Marco [cid:image001.png@01D485A1.1D536320][cid:image002.png@01D485A1.1D536320]

7 years, 4 months

1
0
0 / 0

Keycloak Gatekeeper on macos

by Meissa M'baye Sakho

Hello everyone, Is it possible to install keycloak Gatekeeper on macos? thanks, Meissa

7 years, 4 months

3
2
0 / 0

custom cache

by Sud Ramasamy

Hi, We’ve developed a custom authenticator that we’ve been able o plugin into Keycloak to handle a custom authentication mechanism. The authenticator has some state that needs to be available across the cluster. We could store the state in the database and thereby make it available to other nodes in the cluster. But this seems a little heavy weight. Instead we were hoping to be able to use the Infinispan capabilities in the Keycloak/Wildfly distribution to cache and distribute the state to nodes in the cluster. Is this possible without forking the Keycloak codebase? We noticed that the Keycloak infinispan model module provides the existing caching mechanism for the User, Realm and Session cache. Was wondering if there is a way to possibly plugin our own infinispan Cache Provider for our custom object and thereby use this cache in our custom authenticator in a similar way that the User, Realm and Session caches are used. Or what our alternatives might we have. Thanks in advance. -sud

7 years, 4 months

2
1
0 / 0

Script Mapper can not create json arrays?

by Lengenfeld, Jan

Hello, we want to add groups and their ids in the following format to the token: { // ... other values omitted for readability ... "userGroups": [ { "id": "b6ebc9af-3355-462b-ab1e-583a24f094aa", "name": "my-group" }, { "id": "92b0c111-510c-4da9-a978-d980c3893eac", "name": "my-other-group" } ] } But all we get is: { // ... other values omitted for readability ... "userGroups": { "0": { "id": "b6ebc9af-3355-462b-ab1e-583a24f094aa", "name": "my-group" }, "1": { "id": "92b0c111-510c-4da9-a978-d980c3893eac", "name": "my-other-group" } } } We are using the Script Mapper with the following code: var groups = user.groups; var simplifiedGroupsForToken = []; for each (var group in groups) { simplifiedGroupsForToken.push({"id": group.id, "name": group.name}); } simplifiedGroupsForToken; Do you have any suggestions how to solve our problem? Thanks in advance. Best regards, Jan Lengenfeld

7 years, 4 months

2
1
0 / 0

Event-listener-sysout example not working , v4.6.0.Final

by abhilashreddy abhi

Hello, I am using 4.6.0.Final keycloak version and trying out event-sysout example ( https://github.com/keycloak/keycloak/tree/master/examples/providers/event...) ,but i am unable to make it work and getting following errors 1) I have created a spring boot application with following classes --Application.class (Contains Main method) --SysoutEventListenerProvider ---SysoutEventListenerProviderFactory I have placed org.keycloak.events.EventListenerProviderFactory file in src/main/resources/META-INF/services which points to my SysoutEventListenerProviderFactory. Did a maven clean install and took the jar from target folder and tried placing it any one of standalone/deployments folder , Keycloak_Home/providers folder and also created as a module as per instructions in documentation but all of the above methods throws the following error. Caused by: java.util.ServiceConfigurationError: org.keycloak.events.EventListenerProviderFactory: Provider com.example.demo.springboot.SysoutEventListenerProviderFactory not found at java.util.ServiceLoader.fail(Unknown Source) at java.util.ServiceLoader.access$300(Unknown Source) at java.util.ServiceLoader$LazyIterator.nextService(Unknown Source) at java.util.ServiceLoader$LazyIterator.next(Unknown Source) at java.util.ServiceLoader$1.next(Unknown Source) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60) at org.keycloak.provider.ProviderManager.load(ProviderManager.java:92) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:214) at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:80) at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:331) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:118) 2) This time, I have removed Application.class and exported the jar using export->jar in eclipse and tried placing it in deployment folder or providers or as a module and the application starts but throws the following log. ERROR [org.keycloak.events.EventBuilder] (default task-1) Event listener 'sysout' registered, but provider not found Can you please help me what I am missing? Thanks Abhilash

7 years, 4 months

1
0
0 / 0

Client Registration performance

by Eivind Larsen

Hello Keycloak Users! We are planning on using the Client Registration flow for setting up clients on login. This is mainly to more clearly identify each individual device a user has logged in with. Are there anyone using this feature in production with a large number of clients? With our current stats, we would probably end up with a few million clients by the end of the year. 1. Will this scale well with the way Keycloak works? 2. If a user loses their device, how should a full revoke & logout be performed? 3. Is there an alternative approach to give each user more control over their device and session? Thanks, Eivind Larsen

7 years, 4 months

2
1
0 / 0

Clients purely for namespacing, makes sense?

by Geoffrey Cleaves

Hi, looking for a little advise. I have a typical SPA front end and REST API. Each customer can have multiple users with different roles like admin or user. It's conceivable for a single user to belong to two different customer accounts. Because a single user could be an admin to account A and only a user in account B, I thought of using Keycloak clients for namespacing the roles. I would create a disabled client for each account purely to namespace the roles. Make sense? I believe I would continue to use a single public client for the SPA and single bearer only client for the API resource server. I've read that keycloak has issues with large numbers of clients, but I only expect to reach a few hundred.

7 years, 4 months

1
0
0 / 0

Securing an ASP.NET Core 2.1 Web API with KeyCloak

by Joe Livu

Hi, Has anyone had any success securing an ASP.NET Core 2.1 Web API with KeyCloak? Am interested to learn more on such implementation. Much appreciated for any assistance. Regards, Joe

7 years, 4 months

1
0
0 / 0

Theoretical max number of clients Kecyloak can handle

by Andrea Pasqualini

Hi Daniel Unfortunately as you can see here https://issues.jboss.org/browse/KEYCLOAK-8275 keycloak does not properly handle large numbers of clients. Vote the issue if you are interested. Regards Andrea >Hi All, > >What's the theoretical max number of clients Keycloak can handle >efficiently? > >I'm doing some tests where I created around 10000 clients (saml & >openid, all under the same realm) and now every operation that has to do >with clients (list them, create new one, get one by ID, etc) became >extremely slow and sometimes they even timeout. The other API endpoints >seem to perform just fine. > >I'm using 4.6.0.Final and MySQL DB as a data store. > >Are there some options I can tweak to improve the performance with a few >thousands clients (ideally around 50K)? Will postgres perform better? > >Thanks a lot, > >Daniel.

7 years, 4 months

1
0
0 / 0

can't use refresh token with keycloak-gatekeeper

by Andrey Kozichev

Hello! has anyone come across use of refresh tokens with keyckloak-gatekeeper? I've got a Web app running behind keycloak-gatekeeper. Currently session expires after 5 minutes of inactivity. In the logs I see "session expired and access token refreshing is disabled". To avoid this, I am trying to enable "refresh tokens" on my gatekeeper proxy by adding "*--enable-refresh-tokens=true"* , the full list of configuration options: - --client-id=my_clientid - --discovery-url=<keycloak_url> - --enable-default-deny=false - --enable-json-logging=true - --enable-logging=true - --enable-request-id=true - --enable-encrypted-token=true - --encryption-key=<secret> * - --enable-refresh-tokens=true* - --enable-security-filter=true - --listen=0.0.0.0:8080 - --preserve-host=true - --redirection-url=http://my-public-url - --resources=uri=/*|roles=user-role - --upstream-url=myservice.svc.cluster.local:8080 However after adding "*enable-refresh-tokens=true*" - I get 502 when trying to login. In the Gatekeeper logs I see below lines. Has anyone came across this? I must be missing something obvious. {"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"myemail(a)gmail.com ","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"} {"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":" 10.44.1.32:60746","method":"GET","path":"/oauth/callback"} *{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}* {"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":" 10.44.1.32:60752","method":"GET","path":"/favicon.ico"} {"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":" 10.44.1.32:60754","method":"GET","path":"/oauth/authorize"} {"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"myemail(a)gmail.com ","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"} {"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":" 10.44.1.32:60758","method":"GET","path":"/oauth/callback"} Regards, Andrey

7 years, 4 months

2
2
0 / 0

Keycloak-js adapter ES6/Promise

by Alexander Philippi

Hi, I start using the javascript adapter this week. The documentation https://www.keycloak.org/docs/4.6/securing_apps/#_javascript_adapter "says" that the init(...) function should returns a Promise. After installing the official(?) javascript adapter with "npm install keycloak-js" I only get the old "success" function as return value. I don't understand what I am doing wrong here. Shouldn't I get a keycloak.js file with a Promise in it? Also I wonder if the keycloak-js adapter should be on ES6 so I am able to do an "import Keycloak from "keycloak-js"". I don't find any information about on https://github.com/keycloak/keycloak-js-bower. Since 4.0.0-beta nothing changed here. Best Regards Alex

7 years, 4 months

3
3
0 / 0

Logging not working properly

by So Be

I see this in keycloak log: LogManager error of type FORMAT_FAILURE: Formatting error java.util.IllegalFormatConversionException: d != java.util.UUID ... Anyone knows the cause of this issue? Sofiane.

7 years, 4 months

2
1
0 / 0

Updating user attributes within an Authenticator

by marco.scheuermann＠daimler.com

Hi community, is there a way to update custom user attributes within an Authenticator? I currently cannot find any API which allows to update an existing user. I only can find this for credentials: UserCredentialModel userCredentialModel = new UserCredentialModel(); userCredentialModel.setType(UserCredentialModel.PASSWORD); userCredentialModel.setValue(“password”); session.userCredentialManager().updateCredential(realmModel, userModel, userCredentialModel); How can I update custom user attributes? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

7 years, 4 months

2
1
0 / 0

How to add Authorization (policies) for public clients in keycloak

by Shubham Akodiya

Hi, I've one public client 'react' which uses the implicit grant for authentication. Now I want to secure this app back-end APIs, thus need to apply the authorization (policy, resource) settings. Is there any way to use the *Authorization* settings for the public client? As per my understanding, Authorization (policy, resource, scope) settings does not apply for *Public (Client Protocol)* client, It only for *Credential (Client Protocol) *client. Now the problem here is that when a user tries to log in using *credential-keycloak-client, *In that case, we need to use the *client_secret key* in front-end which would make the application more vulnerable. Let me know If my understanding is incorrect and feel free to share another approach to resolve this issue. Thanks, Shubham Akodiya

7 years, 4 months

2
1
0 / 0

Admin like user that is only enabled to create/delete/manage other users?

by Rafael Weingärtner

Hello Keycloakers, I have been wondering, is it possible to configure a role (or do some other configurations) that would allow me to create a user type that is able to manage other users, but not changing/seeing other realm settings? -- Rafael Weingärtner

7 years, 4 months

1
1
0 / 0

Theoretical max number of clients Kecyloak can handle

by Daniel Fernandez Rodriguez

Hi All, What's the theoretical max number of clients Keycloak can handle efficiently? I'm doing some tests where I created around 10000 clients (saml & openid, all under the same realm) and now every operation that has to do with clients (list them, create new one, get one by ID, etc) became extremely slow and sometimes they even timeout. The other API endpoints seem to perform just fine. I'm using 4.6.0.Final and MySQL DB as a data store. Are there some options I can tweak to improve the performance with a few thousands clients (ideally around 50K)? Will postgres perform better? Thanks a lot, Daniel.

7 years, 4 months

1
0
0 / 0

SPI with a third party database. Could not find any META-INF/persistence.xml file in the classpath

by Luis Rodríguez Fernández

Hello there, I am using the standalone server distribution [1]. We need to extend the keycloak server [2] and we need to access a third party database to get some data. I developed a sample domain extension based on the keycloak example domain extension [3]. The deployment of this example one works at the first try, thanks!!! My sample domain extension access a third party database (mysql), so in wildfly... - I install the mysql driver - I create a datasource ... and in my sample I create a META-INF/persistence.xml <persistence version> <persistence-unit name="JavaHelps" transaction-type="RESOURCE_LOCAL"> <non-jta-data-source>java:/MySqlDS</non-jta-data-source> <class>my.entity.Class</class> <properties> <property name="hibernate.dialect" value="org.hibernate.dialect.MySQLDialect"/> </properties> </persistence-unit> </persistence> I add my sample $KEYCLOAK_HOME/bin/jboss-cli.sh --command="module add --name=... And it seems that wildfly likes evrything (from standard output), you can see below part of the wildfly output at startup time. However when I run it I get: Uncaught server error: java.lang.ExceptionInInitializerError.... Caused by: javax.persistence.PersistenceException: No Persistence provider for EntityManager named JavaHelps I found a workaround: having a deeper look at the standard output I saw this message... parse checking if "$KEYCLOAK_HOMEl/modules/system/layers/keycloak/org/keycloak/keycloak-server-subsystem/main/server-war/WEB-INF/classes/META-INF/persistence.xml" exists, result = false 10:59:55,279 TRACE [org.jboss.as.jpa] (MSC service thread 1-1) parsed persistence unit definitions for war server-war ... so if I copy my persistence.xml to that location my domain extension sample WORKS! My question is WHY??? Any thoughts on this? Thanks in advance, Luis [1] https://downloads.jboss.org/keycloak/4.6.0.Final/keycloak-4.6.0.Final.zip [2] https://www.keycloak.org/docs/latest/server_development/index.html#_exten... [3] https://github.com/keycloak/keycloak/tree/master/examples/providers/domai... 10:59:54,575 INFO [org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool -- 28) WFLYJCA0005: Deploying non-JDBC-compliant driver class com.mysql.jdbc.Driver (version 5.1) 10:59:55,071 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-8) WFLYJCA0001: Bound data source [java:/MySqlDS] 10:59:55,158 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse checking if "/content/domain-extension-example.jar/META-INF/persistence.xml" exists, result = true 10:59:55,163 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse persistence.xml: attribute value(0) = JavaHelps 10:59:55,163 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse persistence.xml: attribute value(1) = RESOURCE_LOCAL 10:59:55,164 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse persistence.xml: element=non-jta-data-source 10:59:55,164 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse persistence.xml: element=class 10:59:55,164 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse persistence.xml: element=properties 10:59:55,165 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse persistence.xml: reached ending persistence-unit tag 10:59:55,165 INFO [org.jboss.as.jpa] (MSC service thread 1-7) WFLYJPA0002: Read persistence.xml for JavaHelps 10:59:55,166 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) PersistenceUnitMetadataImpl(version=2.1) [ name: JavaHelps jtaDataSource: null nonJtaDataSource: java:/MySqlDS transactionType: RESOURCE_LOCAL provider: org.hibernate.jpa.HibernatePersistenceProvider classes[ com.javahelps.jpa.Student ] packages[ ] mappingFiles[ ] jarFiles[ ] validation-mode: AUTO shared-cache-mode: UNSPECIFIED properties[ hibernate.dialect: org.hibernate.dialect.MySQLDialect ]] 10:59:55,167 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parsed persistence unit definitions for jar domain-extension-example.jar 10:59:55,168 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) incrementing PU count for domain-extension-example.jar by 1 10:59:55,174 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added javax.persistence.api dependency to domain-extension-example.jar 10:59:55,174 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added org.hibernate.bytecodetransformer dependency to domain-extension-example.jar 10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added org.jboss.as.jpa dependency to domain-extension-example.jar 10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added org.jboss.as.jpa.spi dependency to domain-extension-example.jar 10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added (default provider) org.hibernate dependency to domain-extension-example.jar (since 1 PU(s) didn't specify jboss.as.jpa.providerModule) 10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added org.hibernate dependency to domain-extension-example.jar 10:59:55,196 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) install persistence unit definition for jar domain-extension-example.jar 10:59:55,196 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) adding 'vfs:/content/domain-extension-example.jar/' to annotation index map 10:59:55,196 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) returning global (module) Persistence Provider org.hibernate.jpa.HibernatePersistenceProvider 10:59:55,199 DEBUG [org.jboss.as.jpa] (MSC service thread 1-8) loaded persistence provider adapter org.jboss.as.jpa.hibernate5.HibernatePersistenceProviderAdaptor from classloader ModuleClassLoader for Module "org.hibernate" version 5.3.6.Final from local module loader @400cff1a (finder: local module finder @275710fc (roots: /media/hdd/keycloak-4.6.0.Final/modules,/media/hdd/keycloak-4.6.0.Final/modules/system/layers/keycloak,/media/hdd/keycloak-4.6.0.Final/modules/system/layers/base)) 10:59:55,202 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) add second level cache dependencies with properties '{caches=entity, container=hibernate}' 10:59:55,203 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) added PersistenceUnitService (phase 1 of 2) for 'service jboss.persistenceunit."domain-extension-example.jar#JavaHelps".__FIRST_PHASE__'. PU is ready for injector action. 10:59:55,204 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) returning global (module) Persistence Provider org.hibernate.jpa.HibernatePersistenceProvider 10:59:55,206 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-4) Deploying Keycloak provider: domain-extension-example.jar 10:59:55,234 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) install persistence unit definition for jar domain-extension-example.jar 10:59:55,234 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) adding 'vfs:/content/domain-extension-example.jar/' to annotation index map 10:59:55,234 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) returning global (module) Persistence Provider org.hibernate.jpa.HibernatePersistenceProvider 10:59:55,235 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) add second level cache dependencies with properties '{caches=entity, container=hibernate}' 10:59:55,235 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) added PersistenceUnitService (phase 2 of 2) for 'service jboss.persistenceunit."domain-extension-example.jar#JavaHelps"'. PU is ready for injector action. 10:59:55,645 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 57) WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service 'domain-extension-example.jar#JavaHelps' 10:59:55,695 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 57) HHH000204: Processing PersistenceUnitInfo [ name: JavaHelps ...] 10:59:56,038 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 57) WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service 'domain-extension-example.jar#JavaHelps' -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

7 years, 4 months

2
2
0 / 0

keucloak Hash Algorithm

by Dimitris Charlaftis

Hello, I use keykloak 4.5 and i have set up a user federation to an ldap directory that uses SHA-1 password encoding. In order to login to a realm that is connected to that ldap, I use the ldap username and the SHA-1 encoded password in the login form for the time being. This is not good for common users! All i want is this: The user puts his username / password in plain text and keycloak transforms that password in plain text in the login form to the SHA-1 equivalent (that's how our ldap directory works..) , so that the ldap authorization succeeds. In your password policy docs you state "See the Server Developer Guide<https://keycloak.gitbooks.io/server-developer-guide/content/> on how to plug in your own algorithm". Server dev guide does not have that information, where is it? Thanks in advance, Dimitris -- _____________________________ Dimitris Charlaftis Software Engineer National Documentation Center email: dharlaftis(a)ekt.gr _____________________________

7 years, 4 months

2
1
0 / 0

Keycloak javascript client iframe policy

by Lukasz Lech

Hello, I haven't looked in internals how Javascript Keycloak client is speaking with keycloak server until the token refresh has stopped to work in one of our instalations, which was because firewall was adding per default HTTP header X-Frame-Options: sameorigin. Then I've found out Keycloak client is creating and manipulating iframe. Is this solution really safe against CSRF attacks? I'm not an expert in that domain, but I've read recommendations to use Authorization: Bearer headers and call API directly, so I don't understand, why is this Iframe needed. I have a bit problem now explaining WHY do we need to use Iframes and how (un)safe is it... Best regards, Lukasz Lech

7 years, 4 months

1
0
0 / 0

Library for external HTTP calls.

by marco.scheuermann＠daimler.com

Hi community, I wrote a keycloak extension based on Authenticator SPI. What is currently the preferred way to do HTTP calls to an external system within a provider module? Which library should I use for that purpose? Should I use an external one, like e.g. Apache HTTP Client or a lib already packaged with keycloak. Thank you, Marco Marco Scheuermann Dipl.-Informatiker [id:image001.png@01D3CB2E.313F1BF0] Software Engineer RD/UIA – Team Rising Stars Tel.: +49 151 5860 5255 E-Mail: marco.scheuermann(a)daimler.com Daimler AG Sitz und Registergericht/Domicile and Court of Registry: Stuttgart HRB-Nr./Commercial Register No. 19360 Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Manfred Bischoff Vorstand/Board of Management: Dieter Zetsche (Vorsitzender/Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Hubertus Troska, Bodo Uebber, Thomas Weber If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

7 years, 4 months

2
1
0 / 0

NPE in SegmentKeyTracker.track method

by Nicolas Ocquidant

Hi Still trying to start KC with millions of sessions in my JDBC store (remote cache): http://lists.jboss.org/pipermail/keycloak-user/2018-November/016393.html So now, and after the patch made by William Burns, no more OOM, see https://issues.jboss.org/browse/ISPN-9752 But then, I got the following exception during startup, see below. Note, there is a TODO in the code: public boolean track(byte[] key, short status, ClassWhiteList whitelist) { int segment = HotRodConstants.hasCompatibility(status) ? segmentConsistentHash.getSegment(dataFormat.keyToObj(key, status, whitelist)) : segmentConsistentHash.getSegment(key); Set<WrappedByteArray> keys = keysPerSegment.get(segment); // TODO: this assertion may fail due to ISPN assert keys != null : "Segment " + segment + " not initialized, tracking key " + Util.toStr(key); boolean result = keys.add(new WrappedByteArray(key)); if (trace) log.trackingSegmentKey(Util.printArray(key), segment, !result); return result; } Do I have a workaround? Thanks --nick 22:35:55,749 WARN [org.infinispan.client.hotrod.impl.iteration.RemoteCloseableIterator] (pool-16-thread-3) Error reaching the server during iteration: org.infinispan.client.hotrod.exceptions.TransportException:: java.lang.NullPointerException at org.infinispan.client.hotrod.impl.Util.rewrap(Util.java:54) at org.infinispan.client.hotrod.impl.Util.await(Util.java:27) at org.infinispan.client.hotrod.impl.iteration.RemoteCloseableIterator.fetch(RemoteCloseableIterator.java:117) at org.infinispan.client.hotrod.impl.iteration.RemoteCloseableIterator.fetch(RemoteCloseableIterator.java:131) at org.infinispan.client.hotrod.impl.iteration.RemoteCloseableIterator.fetch(RemoteCloseableIterator.java:131) at org.infinispan.client.hotrod.impl.iteration.RemoteCloseableIterator.fetch(RemoteCloseableIterator.java:131) at org.infinispan.client.hotrod.impl.iteration.RemoteCloseableIterator.fetch(RemoteCloseableIterator.java:131) at org.infinispan.client.hotrod.impl.iteration.RemoteCloseableIterator.hasNext(RemoteCloseableIterator.java:99) at org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader.loadSessions(RemoteCacheSessionsLoader.java:108) at org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader.loadSessions(RemoteCacheSessionsLoader.java:45) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:71) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:228) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:67) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34) at org.infinispan.commands.read.DistributedExecuteCommand.invokeAsync(DistributedExecuteCommand.java:99) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart.lambda$execute$1(DefaultExecutorService.java:1060) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.NullPointerException at org.infinispan.client.hotrod.impl.iteration.SegmentKeyTracker.track(SegmentKeyTracker.java:50) at org.infinispan.client.hotrod.impl.operations.IterationNextOperation.acceptResponse(IterationNextOperation.java:111) at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:144) at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98) at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647) at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582) at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461) at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884) ... 3 more

7 years, 4 months

1
0
0 / 0

Prefill Custom Attribute for User

by Louie, Betty

Hi All, I’m trying to pass along a value to be set as a custom attribute on the user when they register for a keycloak account. I was trying to implement something along the lines of this http://lists.jboss.org/pipermail/keycloak-user/2018-May/013874.html where the value gets passed along as a query param and I grab the value from the query string and set it as a user attribute in a script. This isn’t reliable because if the registration form doesn’t pass the necessary validation, the page is refreshed and the query parameters are removed from the url. I was wondering if anyone else has needed to pass along a value to be prefilled on the registration form and how you were able to get around it or if there is another way to keep hold of some value before and after the user registers for an account. Thanks, Betty

7 years, 4 months

2
1
0 / 0

Requires uma_protection scope

by Julien Deruere

Any update on this? I got the exact same message when using POSTMAN : I fist do this (with grant_type=client_credentials): http://localhost:8080/auth/realms/sg2b/protocol/openid-connect/token And then this with the token I received: GET http://localhost:8080/auth/realms/sg2b/authz/protection/resource_set?type... Which answer me this: { "error": "invalid_scope", "error_description": "Requires uma_protection scope." }

7 years, 4 months

3
12
0 / 0

docker images 4.6.0.Final

by Pierre Nowak

Hello, When I login to the admin console and do any operation I get an error, the logs are : 16:35:35,883 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: java.lang.NullPointerException at org.keycloak.services.resources.Cors.build(Cors.java:193) at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:211) at sun.reflect.GeneratedMethodAccessor444.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:69) at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:48) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:99) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) with the 4.3.0.Final tag it works but with 4.6 (& 4.5) it's broken, any idea ? btw I run keycloak with the following comand: docker run -d --name keycloak \ -p 8080:8080 \ --restart always \ --net keycloak \ -e "DB_VENDOR=MYSQL" \ -e "KEYCLOAK_USER=${KEYCLOAK_USER}" \ -e "KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD}" \ -e "KEYCLOAK_LOGLEVEL=DEBUG" \ -e "PROXY_ADDRESS_FORWARDING=true" \ -e "DB_ADDR=mysql" \ -e "DB_DATABASE=keycloak" \ -e "DB_USER=${MYSQL_USER}" \ -e "DB_PASSWORD=${MYSQL_PASSWORD}" \ jboss/keycloak:4.6.0.Final

7 years, 4 months

3
3
0 / 0

running 2 different keycloak clusters sharing the same database ( 1 cluster to create new realms, and another for all other access)

by Madhu

Hi, Have a weird question, I want to run 2 different keycloak clusters, one for creating realms and another for accessing realms/login and all other activity. Is this kind of setup possible, have any body tried it before? The 1st cluster just takes requests for provisioning new realms and any one time setup (like creating the admin user in realm, giving him specific access only etc) After that, all interactions login, token creating, provisioning further user etc will take place through the other cluster.. I see that realm creation in my case ( realm has few user groups, client scopes, mappers (java script mapper), other custom mappers, about 10 clients, client specific roles etc) is a cpu intensive process and realm creation when we have about 80 to 100 relams(tenants) takes any where between 20 to 30 sec with cpu usage spiking to 100%. So, wanted to test if having a separate instance/cluster for realm creation will help and ease the load on other cluster which servers typical login/logout and all other requests. Any insights here will be much appreciated. - Would like to know if this could corrupt the keycloak schema?- I am ok if the new realms are not eagerly loaded in infispan cache (of the other cluster which handles regular request), but this should start loading the new realm the moment a login request comes ( i am ok for the first few logins to be slow). RegardsMadhu

7 years, 4 months

2
1
0 / 0

Keycloak Admin Realm is not upgraded on Keycloak upgrade from v3.0 to v4.5

by Deepti Tyagi

Hi Team, I am working on upgrading our in-house Keycloak Server from v3.0 to v4.5. Facing issue on trying to re-use old custom admin realm. Is there any way we can re-use the old admin realm or preserve at least users? We have another Wildfly 10 application that use Keycloak v3.0 for authentication purpose using a custom admin realm (custom-realm.json) that have multiple clients, roles, users and protocol mappers. While upgrading keycloak, I had run migration scripts to upgrade standalone, domain.xmls. Postgres DB also gets upgraded and able to login to Keycloak using the same admin user in v3.0. Though, our Wildfly 10 application isn't able to authenticate with keycloak using that old custom-realm (with new jboss adapters even). I had to re-create a new custom admin realm, created same clients, roles, users to make it work. And had to trash old realm that deleted all users also. I also tried multiple workarounds like; 1. Created a new custom-realm on v4.5 and compared with v3.0 on keycloak UI, no visible difference. 2. Partially re-imported new custom realm having same clients and roles. No help. 3. Trashed old realm and imported new custom realm, then tried partially importing old custom realm users. Its not allowed. (KC-SERVICES0037: Error creating user: java.lang.RuntimeException: Unable to find client role mappings for client: ds-data) With the 3rd attempt, I can see at least keycloak login page on our wildfly 10 application but can not login till I create admin user manually. With 1st and 2nd attempt, I do not even see keycloak login page on our wildfly 10 application and below exception is thrown in keycloak server.log. 2018-11-20 23:56:30,691 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=DecisionSpace_Integration_Server, clientId=dsis-console, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=http://localhost:8080/dsdataserver-console/, code_id=a50ff093-64b8-43d2-a353-2a3ec1346297, response_mode=query 2018-11-20 23:56:30,692 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: java.lang.NullPointerException at org.keycloak.theme.ExtendingThemeManager.loadTheme(ExtendingThemeManager.java:117) at org.keycloak.theme.ExtendingThemeManager.getTheme(ExtendingThemeManager.java:95) at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java:26) at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java:21) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.getTheme(FreeMarkerLoginFormsProvider.java:267) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createResponse(FreeMarkerLoginFormsProvider.java:160) at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createErrorPage(FreeMarkerLoginFormsProvider.java:506) at org.keycloak.services.ErrorPage.error(ErrorPage.java:31) at org.keycloak.authentication.AuthenticationProcessor.handleBrowserException(AuthenticationProcessor.java:728) at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:143) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:409) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:152) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:108) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Thanks, Deepti ---------------------------------------------------------------------- This e-mail, including any attached files, may contain confidential and privileged information for the sole use of the intended recipient. Any review, use, distribution, or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive information for the intended recipient), please contact the sender by reply e-mail and delete all copies of this message.

7 years, 4 months

2
1
0 / 0

group mapper per client

by Ronald Demneri

Hello everyone, Please forgive me if this was already asked previously. After creating the LDAP connection (read-only) and some LDAP mappers, I am trying to figure out a way how to allow login to clients for users in respective groups in AD, for example for client app1 allow login to users that are members of AD_group_app1; if account is not a member of the app1 group in AD, then he should not be allowed to login. Is it also possible to do it via role mappings? Please note that we'd like to avoid modification of AD at all costs. Thanks in advance, Ronald

7 years, 4 months

2
10
0 / 0

Limit re-send verification emails

by Viktor Chuchurski

Hello all, I have a question regarding re-sending of verification emails. Is it somehow possible to configure how often can the user request a re-send? As far as I looked, currently there is no check when the last re-send was requested, which allows a third party to spam "click" the resend button and cause problems on the mail server. Thanks in advance, Viktor

7 years, 4 months

2
1
0 / 0

Feature request: create UMA permission ticket by resource_type

by Geoffrey Cleaves

It occurs to me that it might be useful to create permission tickets by resource_type and I don't think it's possible today. If I am a resource server and somebody hits the GET endpoint /api/recipes where recipe is a resource_type, then we would request a ticket that has the permissions to all recipes. That way the resource server knows which ones to list while easing the load a little bit on Keycloack by not asking to evaluate all the resources, only recipes. Makes sense to you, Pedro? If so, I can open a feature request in JIRA. Geoff

7 years, 4 months

2
1
0 / 0

Re: [keycloak-user] Client Registration performance

by Andrea Pasqualini

As you can see here, https://issues.jboss.org/browse/KEYCLOAK-8275 It seems that there are currently problems with a large number of clients. This is becoming a big lack for keycloaks Andrea Pasqualini >Hello Keycloak Users! > >We are planning on using the Client Registration flow for setting up >clients on login. >This is mainly to more clearly identify each individual device a user >has logged in with. > >Are there anyone using this feature in production with a large number >of clients? >With our current stats, we would probably end up with a few million >clients by the end of the year. > >1. Will this scale well with the way Keycloak works? >2. If a user loses their device, how should a full revoke & logout be performed? >3. Is there an alternative approach to give each user more control >over their device and session? > >Thanks, >Eivind Larsen

7 years, 4 months

1
0
0 / 0

Keycloak realm detection from email domain

by Scott Hezzell

Hi I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem? My thoughts at the moment is to build a proxy api that the mobile application redirects to that prompts the user for their email address, look up the configured tenant form the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint. Can anyone see any issues with this approach? Or a suggest a better approach? Thanks Scott

7 years, 4 months

3
2
0 / 0

Realm resolution by username

by Ian Duffy

Hi all, I'm using keycloak in a multi-tenant scenario where each tenant is a realm and the clients are duplicated across them. The username for each user is an email address of username(a)tenant.tld Is there any way to use the @tenant.tld part of the email address as a realm resolver and have all users access the system via the same login page? Thanks, Ian.

7 years, 4 months

2
1
0 / 0

Keycloak Session timeout issue

by Ashutosh Kanthi

Hi, We are using Keycloak 2.5.5 and we are facing issues with regard to keycloak session timeout. 1. Even after session timeout for a particular user, keycloak is maintaining session for that particular user for some extended time. 2. And if the same user log in again then keycloak is showing that the same user maintains 2 sessions in active session section. (Previous session [it is no longer exists for him at application level] and current session.) We have done following keycloak settings just for checking above scenario. Could anyone please suggest what are the settings to be done in keycloak so that above mentioned scenario could be avoided? [cid:image002.jpg@01D48002.E6221430] Thanks & regards, Ashutosh Kanthi Le contenu de ce courriel et de toute pièce jointe est destiné à l’usage exclusif de son destinataire. Il contient des renseignements exclusifs, privilégiés, confidentiels ou assujettis au droit d’auteur. Toute divulgation, distribution ou reproduction non autorisée est strictement interdite. Si vous n’êtes pas le destinataire prévu, veuillez-nous en aviser immédiatement et supprimer toutes les copies de ce courriel et des pièces jointes. Les courriels sont susceptibles d’altération. EXFO Inc. et ses sociétés affiliées ne seront pas tenues responsables du message s’il a été contrefait, modifié ou falsifié. The content of this email and any of its attachments is intended for the exclusive use of its recipient. It contains information that is proprietary, privileged, confidential and/or subject to copyright. Any unauthorized disclosure, distribution or reproduction is strictly prohibited. If you are not the intended recipient, please notify us immediately and delete all copies of this email and any attachments. E-mails are susceptible to alteration. EXFO Inc. and its affiliates shall not be liable for the message if altered, changed or falsified.

7 years, 4 months

3
3
0 / 0

Deploy keycloak to Kubernetes Cluster on GCP

by William Nankap

Hi every one, when i deploy docker keycloak4.5.0.Final to kubernetes cluster on GCP i can normaly access to keycloak interface via the extern ip address on port 8080. But i can't access to the WILDFLY Management Interface on port 9990. My questions: 1/ What are the recommandation to use keycloak in production? a/ Install keycloak server side an wildfly server to use it correctly? b/ Install only the keycloak server. How can i manage deployment for an app if i can't access to the wildfly management interface? Is it imperativ to access it? 2/ Need you more details on my deployment to help me? If yes, which? 3/ How can i get the wildfly management interface on my GCP deployment to deploy my app? 4/ Have you suggestions for me, the best way to use keycloak in production? Some support? I will be very thankful for your answer. Kindest regards...

7 years, 4 months

2
4
0 / 0

OOM at startup with 1 million sessions

by Nicolas Ocquidant

Hi My UC is to keep one year of sessions, this is what I have done to simulate it: 1. I use JDBC to store 1 million of session objects, 2.8KB (in memory) each 2. I start one Infinispan node with passivation=false and shared=true, and Xmx=8G 3. I start one Keycloak node configured with a remote-cache and Xmx=4G Note that I use a remote-store in KC as it is the only way to set passivation=false and shared=true (see http://lists.jboss.org/pipermail/keycloak-user/2018-November/016180.html). No problem in step 2, ISPN process is less than 300MB large in memory. But after 3, ISPN process goes up to around 6GB. See below for the traces, but basically I get OOM. Using the debugger, I can see that getting the size of the cache is a really slow operation, and bump memory to 3GB in ISPN process. From org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer: RemoteCacheSessionsLoader.computeLoaderContext(KeycloakSession session) // ... int sessionsTotal = remoteCache.size(); <--- HERE //... } And then (OOM here): InfinispanCacheInitializer.startLoadingImpl(InitializerState state, SessionLoader.LoaderContext ctx) { // ... for (Future<WorkerResult> future : futures) { // Called 4X (ie the number of segments), but 1st one does not terminate: OOM // -> org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart WorkerResult result = future.get(); <--- Very slow and bump mem to 8GB // ... } So, with 1M of sessions in store, I cannot get KC/ISPN to start. And I am far from my goal which is to keep one year of sessions (which has been estimated to ~52M of sessions)... Is it something I can't achieve with KC/ISPN? Any help appreciated. Thanks nick Note, versions I used are: * ISPN 9.4.1 Wildfly * KC 4.6.0 Wildfly -- ISPN process 10:42:22,969 ERROR [stderr] (Periodic Recovery) Exception in thread "Periodic Recovery" java.lang.OutOfMemoryError: Java heap space 10:42:22,977 ERROR [stderr] (Periodic Recovery) at sun.text.resources.fr.FormatData_fr.getContents(FormatData_fr.java:86) 10:42:22,975 ERROR [org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory] (pool-9-thread-1) ISPN008018: Sql failure retrieving connection from datasource: java.sql.SQLException: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null] at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory.getConnection(ManagedConnectionFactory.java:83) at org.infinispan.persistence.jdbc.stringbased.JdbcStringBasedStore.purge(JdbcStringBasedStore.java:461) at org.infinispan.persistence.manager.PersistenceManagerImpl.lambda$purgeExpired$6(PersistenceManagerImpl.java:459) at java.util.ArrayList.forEach(ArrayList.java:1257) at org.infinispan.persistence.manager.PersistenceManagerImpl.purgeExpired(PersistenceManagerImpl.java:462) at org.infinispan.expiration.impl.ClusterExpirationManager.processExpiration(ClusterExpirationManager.java:119) at org.infinispan.expiration.impl.ExpirationManagerImpl$ScheduledTask.run(ExpirationManagerImpl.java:245) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null] at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:811) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 15 more Caused by: java.lang.OutOfMemoryError: Java heap space -- KC process 10:42:23,216 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21] (Thread-0) ISPN004005: Error received from the server: java.lang.RuntimeException: java.sql.SQLException: Error java.sql.SQLException: Error java.lang.OutOfMemoryError: Java heap space 10:42:23,359 WARN [org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader] (pool-16-thread-4) Error loading sessions from remote cache 'sessions' for segment '3': org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=55 returned server error (status=0x85): java.lang.RuntimeException: java.sql.SQLException: Error java.sql.SQLException: Error java.lang.OutOfMemoryError: Java heap space at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:333) at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:179) at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:138) at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98) at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647) at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582) at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461) at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

7 years, 4 months

4
5
0 / 0

Keycloak notify admin via , when a new user is registered using keycloak registration page

by abhilashreddy abhi

Hello, Is there a way to notify keycloak admin users via email whenever a new user is registered using keycloak registration page? I dint see email event listener for Register action.Please guide me to this feature if it is hidden somewhere in admin console or if it is not implemented is it possible to write any custom email event listener for a new user registration? Thanks Abhilash

7 years, 4 months

2
1
0 / 0

Keycloak SAML IdP and URL parameter

by Sud Ramasamy

Hi, We are using Keycloak as a SAML IdP and have plugged in a custom authenticator to handle the browser flow. The authenticator relies on a custom URL parameter that is present in the initial SAML Authn request to Keycloak. We found that when the Keycloak SAML IdP receives a SAML Authn request (which also contains our custom URL parameter) it exchanges that request with a code and redirects the browser to itself at which point the control reaches our custom authenticator. This redirect causes our custom URL parameter from the initial request to not be available to our custom authenticator. Is there anyway to propagate our custom URL parameter to this second request and thereby have it available to our custom authenticator. Thanks in advance for your help. Regards -sud

7 years, 4 months

2
4
0 / 0

Saas muti-tenant architecture with multi-step authentication process

by Olivier Rivat

Hi, *1) introduction* I have a multi-tenant architecture deployed with keycloak. At first, to investigate multi-tenant architecture, I have followed what is available within keycloak: documentation * https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy examples: * https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant The same application is deployed in both tenants with * http://localhost:8080/multitenant/tenant1 and login as user-tenant1, password user-tenant1 * http://localhost:8080/multitenant/tenant2 and login as user-tenant2, password user-tenant2 When you specify http://localhost:8080/multitenant/tenant1, you are redirected to tenant1, and you need to authenticate. *2) description of the problem* The issue I am facing, is that I have a customer client application, which can redirected to several diffrent realms. The realm selction is based on the email address. * user1(a)foo.com ---> should redirect to realm foo * user2(a)bar.com ---> shou0dl redirect to realm bar In fact, the email analsys shoudl redirect to the correct realm (foo or bar , or more). Once I have the login screen of the corresponding realm1, it is the as in /introduction/, where user authenticates normally in his specific tenant. *3) Authentication workflow requirement* In fact the authentication workflow process should be as follows: *step1* * General welcome panel * the user enter his email address * based on the analysis of his welcome address, the users is redirected to a specific authentication realm (foo or bar or more) *step 2* * The user enter is login/password in realm login authentication screen After analysis, it sounds like that the keycloak authentication process needs to be updated/modified with 1. adding an extra additional step (which is a general form asking for email) 2. based on teh email analysis, the corresponding tenant login screen is presented to the tenant 3. the user authenticates to the tenant with his login/password. *4) How to move forward* For information, Azure and atlassian already implements such a redirection mechanism in SAAS multi tenant architecture. Keycloak documentation does not seem to mention about such a possibility to tailor "out of the box" the authentication workflow to our needs. Could the mechanism described above being achieved by customizing the authentication workflow by developing a specific authentication SPI plugin which could handles the both steps mentioned above ? Does this approach sounds correct to you, or is it something to rule out ? Or woudl you advise another approach ? Tkx for your help. Regards, Olivier -- <http://www.janua.fr/images/logo-big-sans.png><http://www.janua.fr/images/LogoSignature.gif> <http://www.janua.fr/images/6g_top.gif> Olivier Rivat CTO orivat(a)janua.fr <mailto:dchikhaoui@janua.fr> Gsm: +33(0)682 801 609 Tél: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr <http://www.janua.fr/> <http://www.janua.fr/images/6g_top.gif>

7 years, 4 months

3
3
0 / 0

NullPointerException in PolicyResourceService.java token-exchange permissions

by Daniel Fernandez Rodriguez

Hi All, I've been using policies and token-exchange permissions extensively for some of my clients for a while now. All worked as expected but since a few weeks ago I'm experiencing some errors when trying to delete old policies, add new ones or create new token-exchange permission. From the WebUI I always get the same generic error saying: *> Error!* An unexpected server error has occurred Checking the server logs it seems there is uncaught NullPointerException in PolicyResourceService.java. (stack trace when attempting to create new policy) Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,328 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-7) *org.keycloak.authorization.jpa.entities.PolicyEntity*{owner=null, resourceServer=org.keycloak.authorization.jpa.entities.ResourceServerEntity#7fd6467c-9f95-4cbd-90b2-3586ba308dda, name=deleteme, description=null, resources=[], id=c6a35294-3031-4674-bcfc-3957ca4af846, logic=0, scopes=[], associatedPolicies=[], type=client, config=[], decisionStrategy=1} Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,328 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-7) org.keycloak.authorization.jpa.entities.ResourceServerEntity{id=7fd6467c-9f95-4cbd-90b2-3586ba308dda, allowRemoteResourceManagement=false, policyEnforcementMode=0} Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,328 DEBUG [org.hibernate.SQL] (default task-7) Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: select Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: cliententi0_.ID as col_0_0_ Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: from Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: CLIENT cliententi0_ Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: where Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: cliententi0_.CLIENT_ID=? Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: and cliententi0_.REALM_ID=? Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,330 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-7) Initiating JDBC connection release from afterStatement Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,333 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) *Uncaught server error: java.lang.NullPointerException* Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at *org.keycloak.authorization.admin.PolicyService.audit(PolicyService.java:334)* Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at org.keycloak.authorization.admin.PolicyService.create(PolicyService.java:124) Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at java.lang.reflect.Method.invoke(Method.java:498) Is there something I can do to fix it? Since these errors appeared the service became pretty unresponsive giving me a lot of errors (exporting clients does not work anymore and many other small things) I'm using keycloak 4.5.0Final with an external mysql database. Thanks a lot for your help, Daniel.

7 years, 4 months

2
2
0 / 0

how to get a token in js webapp for bearer-only backend api client

by chapani

Hi, I got this setup for my app: 1. Keycloak server 2. Keycloak-protected nodejs backend (bearer-only) 3. PHP/Reactjs frontend The frontend is optionally login-protected. For some users it will be required to login which will redirect the user to Keycloak server. After a user is logged in, the frontend will have a bearer token to make api calls to the keycloak-protected backend. My problem is how to get a bearer token for users that don't need to be logged in (anonymous users). I tried this approach: 1. Created "confidential" client to be used by PHP. 2. Frontend PHP gets a bearer token using client_id and client_secret and passes them to javascript (by that I mean, printing out token values inside <script> tag which is a global variable) 3. Initially, the frontend makes successful api calls because the access_token passed by php is fresh/valid. 4. After the access_token is expired, I will need to fetch a new one using refresh_token. 5. But, for that I need client_secret which is not available in the js app (and it's not recommended to save client_secret and password in js app, as you know). I'm stuck here. I researched, read a lot of documentation, but failed to find a way to achieve that. One other idea that crossed my mind was to make the bearer access_token long-lived; 6 hours, for instance. But, some users may use the app for more than that. What options do I have? Sent with [ProtonMail](https://protonmail.com) Secure Email.

7 years, 4 months

1
0
0 / 0

Persistent Redirect Params in Registration

by Gregor Tudan

Hi, I’m trying to find a solution for passing redirect parameters reliably through the registration page. Our users will go through some steps prior to the registration. We generate an anonymous profile for saving the user input of this step. Then we trigger a registration in Keycloak and pass the id of the profile as parameter in the redirect url. This works fine in happy path, but breaks on some occasions: - we use email-verification. If registration works, but the user fails to confirm the mail-address before the link expires, he will be promted to complete the confirmation the next time he logs in. But the mail in the Confirmation-link will now no longer contain the redirect params of the original mail - if an error occurs during the registration (the user fails multiple times to fill out the form) an error message will be shown prompting the user to restart the registration. The original params will be lost. Is there a way to pass the query params in a more reliable manner through Keycloak? Or is it better to implement this kind of logic in the application code? If so, are there any recommendations? Email-Verification makes this quiet hard to do, as the registration can be completed on a completely different device. Thanks, Gregor

7 years, 4 months

2
1
0 / 0

Permission tab missing, token exchange impossible

by Geoffrey Cleaves

Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation for allowing token exchange depends on the Permissions tab, is this a bug? [image: Screen Shot 2018-11-19 at 11.53.56.png] Somebody else is asking the same question: https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-ex... Geoff

7 years, 4 months

2
4
0 / 0

Unable to unmarshall bytes for CLIENT_CACHE_ENTRY_CREATED

by Nicolas Ocquidant

Hi This is my very simple UC to reproduce: 1. Start one Infinispan node with passivation=false and shared=true (I don't think parameters are important here) 2. Start one Keycloak node configured with a remote-cache 3. Populate Keycloak using admin console (one realm, one client, one role and one user) 3. Ask for an access token with curl (no client_secret) Than, in Codec21.readCacheEvent(): case CLIENT_CACHE_ENTRY_CREATED: Object createdKey = dataFormat.keyToObj(ByteBufUtil.readArray(buf), status, whitelist); <-- BOOM My config is: <distributed-cache name="sessions" owners="1" remote-timeout="600000" statistics-enabled="true"> <binary-memory eviction-type="COUNT" size="10000"/> <remote-store cache="sessions" socket-timeout="600000" remote-servers="remote-cache" passivation="false" fetch-state="false" purge="false" preload="false" shared="true"> <property name="rawValues">true</property> <property name="marshaller">org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property> </remote-store> </distributed-cache> The stack trace is (see below). It is a config issue? Thanks for your help --nick 11:09:13,373 WARN [org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder] (Thread-0) ISPN004039: Unable to complete reading event from server / 127.0.0.1:11222: org.infinispan.client.hotrod.exceptions.HotRodClientException:: ISPN004034: Unable to unmarshall bytes 01012926033E2439633136373130642D653432332D343134342D396163652D393461356564353639313462 at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:48) at org.infinispan.client.hotrod.DataFormat.keyToObj(DataFormat.java:93) at org.infinispan.client.hotrod.impl.protocol.Codec21.readCacheEvent(Codec21.java:75) at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:153) at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98) at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647) at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582) at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461) at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.io.IOException: Unsupported protocol version 1 at org.jboss.marshalling.river.RiverUnmarshaller.start(RiverUnmarshaller.java:1349) at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.startObjectInput(AbstractJBossMarshaller.java:129) at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromByteBuffer(AbstractJBossMarshaller.java:110) at org.infinispan.commons.marshall.AbstractMarshaller.objectFromByteBuffer(AbstractMarshaller.java:82) at org.infinispan.client.hotrod.marshall.MarshallerUtil.bytes2obj(MarshallerUtil.java:32) ... 25 more

7 years, 4 months

1
0
0 / 0

null pointer in org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598) while starting keycloak

by Madhu

Hi ,I am starting keycloak where i have about 400 realms and the startup was timing out, after i tweaked the wildfly server setting , i get the following error ,and the application fails to start. Help will be appriciated., why is getUsersCount throwoing null pointer? Caused by: java.lang.NullPointerException at org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598) at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:451) at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:460) at org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:55) :07:24,279 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 62) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect09:07:24,323 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 62) Envers integration enabled? : true09:07:24,893 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 62) HV000001: Hibernate Validator 5.3.6.Final09:07:25,718 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 62) HHH000397: Using ASTQueryTranslatorFactory09:13:12,576 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 62) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485)Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) ... 8 moreCaused by: java.lang.NullPointerException at org.keycloak.models.jpa.JpaUserProvider.getUsersCount(JpaUserProvider.java:598) at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:451) at org.keycloak.storage.UserStorageManager.getUsersCount(UserStorageManager.java:460) at org.keycloak.services.managers.ApplianceBootstrap.isNoMasterUser(ApplianceBootstrap.java:55) at org.keycloak.services.resources.KeycloakApplication$2.run(KeycloakApplication.java:163) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:159) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 31 more 09:13:12,581 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal09:13:12,654 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000080: Disconnecting JGroups channel ee09:13:12,662 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000080: Disconnecting JGroups channel ee09:13:12,663 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thre

7 years, 4 months

1
0
0 / 0

Using Gatekeeper with ingress-nginx

by David Leonard

Hello everyone, We're attempting to use Gatekeeper to integrate into a workflow with auth_request to provide authorization from Keycloak. We're wanting to use this in our Kubernetes stack to sidecar Gatekeeper to our nginx-ingress controller. We're attempting to follow a setup similar to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/aut... but replacing oauth2_proxy with Gatekeeper. We are able to complete a full authorization cycle using /oauth/expired to test if we have a current token. This doesn't seem to work though because the X-Auth-* headers get passed only into the "proxied" application. Specifically oauth2_proxy provides the following config item: -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode) We're wanting to sidecar Gatekeeper because we get the infinite flexibility of nginx-ingress. Is it possible to set a flag similar to -set-xauthrequest? Looking at the code itself it seems this is not possible, as the headers are only ever set in the middleware. Thanks! -- David Leonard Director of Professional Services, South Region 303.245.4509 3010 Waterview Parkway, Richardson, TX, 75080 This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s) and only the addressee or authorized agent of the addressee may review, copy, distribute or disclose to anyone the message or any information contained within. If you are not the addressee, please contact the sender by electronic reply and immediately delete all copies of the message. This message is not an offer capable of acceptance, does not create an obligation of any kind and no recipient may rely on this message.

7 years, 4 months

1
0
0 / 0

Users/Groups access restrictions

by Lyderic Dubut

Hi Keycloak peoples! I'm slowly introduce keycloak in production environnement, but I still do not Know how to restric permissions to users or groups. To picture my words, I have 3 Applications A,B and C All company people can access to the application A For the application B I want prohibit access to non-admin group member. So when a non-admin clic on OIDC button to login in app an redirect to keycloak, I wan't a message like "you don't have permissions". And for the application C all people can access except Bob because he have broken twice this application :-) It's posisble to do it?

7 years, 4 months

2
1
0 / 0

Configure EMail failed

by So Be

Hi, as an administrator, I like to receive notifications when users log into Keycloak. I tried to configure the EMail for the realm but I got Logged in user does not have an e-mail. Any idea about what causing this? Thank you.

7 years, 4 months

3
2
0 / 0

Welcome Email after Verification Success

by Mitra Rajib, Bedag

Hi! I use Keycloak for User-Registration and would like to send a realm-customized "Welcome"-Email after the user verified his email-account. The doc at https://www.keycloak.org/docs/3.2/server_admin/topics/events/login.html mentions 4 different type of email events, but none of these events fit my use-case. Is there any other way I can (easily) implement such a functionality ? Thanks, Rajib

7 years, 4 months

2
3
0 / 0

Re: [keycloak-user] How to package a provider as EAR

by marco.scheuermann＠daimler.com

Hi together, do you have any example how to package a provider implementation as an EAR file? I packaged it as JAR and it works but then I added some external libs (JARS) so I have the requirement to package it as an EAR. Thank you, Marco Marco Scheuermann Dipl.-Informatiker [id:image001.png@01D3CB2E.313F1BF0] Software Engineer RD/UIA – Team Rising Stars Tel.: +49 151 5860 5255 E-Mail: marco.scheuermann(a)daimler.com Daimler AG Sitz und Registergericht/Domicile and Court of Registry: Stuttgart HRB-Nr./Commercial Register No. 19360 Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Manfred Bischoff Vorstand/Board of Management: Dieter Zetsche (Vorsitzender/Chairman), Wolfgang Bernhard, Renata Jungo Brüngger, Ola Källenius, Wilfried Porth, Hubertus Troska, Bodo Uebber, Thomas Weber If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support.

7 years, 4 months

2
1
0 / 0

Adding attributes during login

by Craig Setera

We have an attribute we use to allow customers to to "scope" or "namespace" a users interaction with our system (a "partner code" that is known to our system). In our previous proprietary Java session-based security system, this value was stored in the Java session at the time of login and used by the authorization engine to further restrict what the user was allowed to see. As we transition to using Keycloak for authentication, I'm wondering if there is a way to use Keycloak to manage this partner code during a login session? Some way to send the value during the Keycloak login sequence and then later retrieve it based on the access token? Thanks for any insights. Craig ================================= *Craig Setera* *Chief Technology Officer*

7 years, 4 months

3
12
0 / 0

Re :Keycloak Idp SLO response location

by ge sly

Hi I am tringle to configure Keycloak as an Idp with OIOSAML as a SP. OIOSAML has 2 urls for the single logout: <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:8443/oiosaml2-demo.java/saml/LogoutServiceHTTPPost" ResponseLocation="https://localhost:8443/oiosaml2-demo.java/saml/LogoutServiceHTTPRedirectR..."/> I dont see how to enter the Location and the ResponseLocation in the Clients config. If I import the metadata only the Location is used. Thanks Regards Sylvain Envoyé depuis Yahoo Mail pour Android

7 years, 4 months

2
5
0 / 0

Restrict user's access to a client on keycloak-3.4.3.Final

by rachid sbaibi

Hi all, I'm using keycloak-3.4.3.Final. For our UXP applications we delegate the authentication to Keycloak but we need to do some additional checks before granting access to the user. Our use case is quite simple: Not All registered users in Keycloak have access to our applications. So we need to insure that the user has permition to access our applications before granting him access to UXP. This is done in the backend. I tried to map roles to user and client but this does not work. Is there a way to achieve that? Thanks in advance. Rachid.

7 years, 4 months

1
0
0 / 0

SaaS idp brokering

by mj

Hi, This question is slightly off-topic, I hope it's allowed to ask here. We are using keycloak as an IdP, loving it. One of our sister institutes is using another (openid connect / saml2 compatible) IdP. Now a new project: Trying to achieve web SSO across both institutes, for several web applications, mostly supporting only one single IdP. We have made a PoC using keycloak's brokering function, and it worked nicely. However, our sister institute prefers a SaaS solution. I've done my googling, but terminology is confusingly different: - onelogin ("trusted IdP") - okta ("inbound federation") - gluu ("inbound identity") and obviously - keycloak ("IdP brokering") (but not saas) and I am not even sure that the above solution are really the same as keycloak's IdP brokering, and that they would solve our SSO requirement. (doing a PoC would be the next step) So I am asking for recommendations from the guru's here. What are the do's and don't for something like this? Perhaps suggestions what to look for, what to avoid, what other products to take a look at, etc, etc. Insights? Thanks very much in advance, and again: apologies for being a bit off-topic, hope not to offend anyone. MJ

7 years, 4 months

3
4
0 / 0

ldaps configuration --> Bug or regression with ldap connection ulr

by Meissa M'baye Sakho

Hello everyone, I'm facing a very strange behaviour using keycloak 4.5 Final while configuring my realm user federation with ldaps. When I set the ldap connection URL to ldaps://myldaphost. It works fine. When I change it to LDAPS://myldaphost, the test connexion fails with the exception below (extract): *KC-SERVICES0055: Error when connecting to LDAP: intra-dev01.bdf-dev01.local:636: javax.naming.CommunicationException: intra-dev01.bdf-dev01.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]* * at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)* * at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)* * at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)* * at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)* * at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)* * at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)* * at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)* * Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target* * at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)* * at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)* With Keycloak 3.4.3Final, I used LDAPS without any problem. Any advice? Meissa

7 years, 4 months

3
4
0 / 0

Policy API endpoint lacks crucial information (in my opinion ; )

by Geoffrey Cleaves

Hi. When querying the http://${host}:${post}/auth/realms/${realm}/authz/protection/uma-policy endpoint I get a response similar to this: [ { "id": "6d5ffed7-5f1c-4b43-b2a8-986528aaee92", "name": "b189864a-754e-4b5d-9c5b-f36fd9aad102", "type": "uma", "scopes": [ "campaign:view" ], "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "owner": "45cb05ba-5485-459e-9cfc-25128adb1854", "users": [ "user(a)domain.com" ] } ] The problem here is that we don't know what resource this policy applies to. As far as I know, there is no way to extract that information. Please let me know if I am missing something. I tried inspecting the network calls that the Admin Console does when listing a user's UMA policies, but unfortunately for me the information seems to be rendered server side instead of using the UMA REST API. The goal is to recreate and enhance the Keycloak supplied UMA My Resources functionality.

7 years, 4 months

2
1
0 / 0

Querying permissions of the Policy API always empty

by Geoffrey Cleaves

Hi, I'm sending GET requests to http://${host}:${post}/auth/realms/${realm}/authz/protection/uma-policy but only get an empty array. I have a permission/policy assigned to hundreds of resources belonging to dozens of users and some resources owned by the resource server itself. Reading the docs <https://www.keycloak.org/docs/latest/authorization_services/index.html#_s...>, I expect to be able to get a list of all permissions or query by name. Perhaps I am misunderstanding this: This API is protected by a bearer token that must represent a consent granted by the user to the resource server to manage permissions on his behalf. The bearer token can be a regular access token obtained from the token endpoint using: - Resource Owner Password Credentials Grant Type - Token Exchange, in order to exchange an access token granted to some client (public client) for a token where audience is the resource server But I don't think so because if my token were wrong I'd get a 401 or 403 instead of 200 with an empty array. In any case I've tried with Client Credentials Grant and Resource Owner Password Credentials Grant Type. [image: Screen Shot 2018-11-18 at 12.19.25.png] curl -D - -X GET \ https://.../authz/protection/uma-policy \ -H 'Authorization: Bearer eyJh' \ -H 'Cache-Control: no-cache' \ -H 'Postman-Token: deb09a7a-0499-430f-8164-3097e5ac145d' \ -H 'cache-control: no-cache' HTTP/1.1 200 OK Server: nginx/1.11.10 Date: Sun, 18 Nov 2018 11:23:41 GMT Content-Type: application/json Content-Length: 2 Connection: keep-alive Cache-Control: no-cache [] Any advise?

7 years, 4 months

2
2
0 / 0

internal server error on /permission endpoint

by Robert Richter

Hi all, I'm using keycloak 4.5.0-FINAL in docker ( https://hub.docker.com/r/jboss/keycloak/) I try to issue a permission ticket. Therefore I have requested a PAT for the client "resource-provider" and send this along with the following json body (with and without scopes). I received a http-500 internal server error. without scopes:{ "resource_id": "resource-provider" } with scopes: { "resource_id": "resource-provider", "resource_scopes": [ "private-data.read" ] } Did I miss something? I also tried to investigate the log file (/opt/jboss/keycloak/standalone/log/server.log) and increase the log level in standalone.xml, but it seems that nothing is written to that file. I restarted jboss with jboss-cli.sh /:reload. Do you have any suggestions for me? Kind regards Tobert

7 years, 4 months

2
3
0 / 0

SSO experience

by Ori Doolman

Hi, I have 2 applications: one is desktop (Windows) and the other one is a web application. My desktop application performs authentication and login using Keycloak, and getting a JWT Access Token. My web application is using the Keycloak JS adapter to perform the same. After I login to my desktop application, is there a way to pass the generated access token to the web application and continue the same session? Or at least have an SSO experience and get another token for the user without the user entering the credentials again? Maybe I can pass the token and refresh token from desktop application as init parameters to the Keycloak-JS ? I see the following code is checking if initOptions contains the token: function processInit() { var callback = parseCallback(window.location.href); if (callback) { window.history.replaceState({}, null, callback.newUrl); } if (callback && callback.valid) { return setupCheckLoginIframe().success(function() { processCallback(callback, initPromise); }).error(function (e) { initPromise.setError(); }); } else if (initOptions) { if (initOptions.token && initOptions.refreshToken) { setToken(initOptions.token, initOptions.refreshToken, initOptions.idToken); Thanks, Ori Doolman Lead Software Architect Amdocs Optima [cid:image001.png@01D2C8DE.BFF33E10] “Amdocs’ email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.

7 years, 4 months

2
3
0 / 0

Authenticated Protocol Mapper?

by Hannah Short

Hi, I’d like to deploy a custom OIDC Protocol Mapper that is itself a client of Keycloak. Is this possible? The objective is for the mapper to be able to call an API that is protected also by Keycloak. The current approach was for the mapper to use the Client Credentials flow to authenticate, exchange the access token for one for the API client, and use it to call the API. This works OK until I deploy the mapper to Keycloak, where it throws various exceptions and does not seem to attempt the Client Credentials flow. Any guidance, including alternative approaches, would be appreciated! Cheers, Hannah

7 years, 4 months

2
3
0 / 0

Assigning clientRoles while creating the new user through API

by Shubham Akodiya

Hi, I want to assign the clientRoles while creating the user. I've gone through the link https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_userrepresenta... but here the format of clientRoles is not specified. (It specified as a map but no other info provided) Could you please tell me how to assign the clientRoles while creating the user through API? Thanks, Shubham Akodiya

7 years, 4 months

2
1
0 / 0

Getting 404 error while calling the create user API of keycloak 4.5

by Shubham Akodiya

Hi, I'm getting the 404 error while calling the create user API. I've gone through the steps which are explained in this link <https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource> but still, it gives the 404 error. URL - http://localhost:8080/auth/{realm_name}/users METHOD - Post Headers - Content-Type = "application/json" Authorization = "bearer <token>" Body - { "username": "rodrigo.sasaki", "enabled": true, "totp": false, "emailVerified": false, "firstName": "Rodrigo", "lastName": "Sasaki", "email": "rodrigo.sasaki at email.com.br", "credentials": [ { "type": "password", "value": "myPassword" } ] }

7 years, 4 months

1
0
0 / 0

Create user with API & update the client role

by Shubham Akodiya

Hi, Is there any way to create the user with default password using the API and update the user client role while creating the user? It would be more helpful If you provide any working example of nodeJS for this or suggest the APIs. I've already gone through the link <https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource>but still, seems incomplete as per my requirement. Thanks, Shubham Akodiya

7 years, 4 months

1
0
0 / 0

Keycloak + JACC

by Luca Stancapiano

I'm trying out the quickstart example at https://github.com/keycloak/keycloak-quickstarts. I use a keycloak 4.5.0.Final server distribution and a Wildfly 14.0.1 that opts the keycloak adapter and the web application. Once the client is installed on the server distribution and added the correct keycloak.json as required in the README on https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-je... , the application works well. I would like to understand though if JACC can be used as a standard in web applications. For example, if I try to use the PolicyContext class inside a controller class method: public boolean isLoggedIn (HttpServletRequest req) throws PolicyContextException { System.out.println ("subject:" + PolicyContext.getContext ("javax.security.auth.Subject.container")); return getSession (req)! = null; } I get null. Also trying to configure a JACC policy like: /Subsystem=elytron/policy=JACC:add(JACC-policy={}) /Subsystem=undertow/application-security-domain=other:write-attribute(name=enable-JACC,value=true) I always get null. Is it possible to use JACC inside keycloak?

7 years, 4 months

1
1
0 / 0

Re: [keycloak-user] Keycloak 4.6.0.Final released

by Cédric Couralet

Le 2018-11-15 16:53, Pedro Ruivo a écrit : > Hi Sebastian, > > Which ISPN version is shipped with 4.6.0? > > The StateRequestCommand changed its wire format in 9.3.1/9.4.0. > > From the exception, it looks like some nodes are using an older > version and the "new" nodes can't deserialize it. > Thanks for the answers, I realize now that I the old version was not entirely stopped before the new instance started. I'm guessing the change in format caused those exceptions. I'll change my procedures for future versions. Sorry for the noise. Cédric

7 years, 4 months

2
5
0 / 0

NullpointerException in AuthenticationManager

by Henning Waack

Dear all. Using KC 4.5.0, I get the following exception in my Custom SPI: 2018-11-16 17:05:23,407 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: java.lang.NullPointerException at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:249) at org.keycloak.keys.DefaultKeyManager.getKey(DefaultKeyManager.java:104) at org.keycloak.crypto.ServerAsymmetricSignatureVerifierContext.getKey(ServerAsymmetricSignatureVerifierContext.java:29) at org.keycloak.crypto.ServerAsymmetricSignatureVerifierContext.<init>(ServerAsymmetricSignatureVerifierContext.java:25) at org.keycloak.crypto.AsymmetricSignatureProvider.verifier(AsymmetricSignatureProvider.java:39) at org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:1138) at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:71) at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:66) at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:58) at de.sys.keycloak.spi.UserSearchResourceProvider.<init>(UserSearchResourceProvider.java:46) The method invoking it is as follows: * RealmManager realmManager = new RealmManager(session);* * RealmModel realm = realmManager.getRealmByName(realmName);* * this.auth = new AppAuthManager().authenticateBearerToken(session, realm);* Any pointer at what is happening here? Server did function before quite nicely, don't know what could lead to this situation. Thanks & greetings Henning -- Henning Waack | IT Consultant codecentric AG | Hochstraße 11 <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> | <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...>42697 Solingen <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> |Deutschland <https://maps.google.com/?q=Hochstra%C3%9Fe+11%C2%A0+%7C+%C2%A0+42697+Soli...> tel: +49 (0)151 108 515 29 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de Sitz der Gesellschaft: Solingen | HRB 25917 | Amtsgericht Wuppertal Vorstand: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns Aufsichtsrat: Patric Fedlmeier (Vorsitzender) . Klaus Jäger . Jürgen Schütz Diese E-Mail einschließlich evtl. beigefügter Dateien enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und löschen Sie diese E-Mail und evtl. beigefügter Dateien umgehend. Das unerlaubte Kopieren, Nutzen oder Öffnen evtl. beigefügter Dateien sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.

7 years, 4 months

1
1
0 / 0

End user sharing of his resource removes permission to his resource

by Geoffrey Cleaves

I'm experiencing unexpected results and believe there is a bug. I am losing permissions to my resource after sharing my resource with another user. Resource owner rs1 has read and edit rights to his resource1 through a JS policy and permission which grants the resource owner the rights. If rs1 uses the My resources screen to grant another user, rs2, the read scope to resource1, rs1 looses the right to the read scope. Please see JIRA https://issues.jboss.org/browse/KEYCLOAK-8794 and the screen cast within the JIRA.

7 years, 4 months

2
4
0 / 0

How to package a provider as EAR

by Mike Keith

Hi Marco, I'm currently exploring this exact thing, and so far haven't gotten it right just yet. Today I plan to figure more about about the maven ear plugin: https://maven.apache.org/plugins/maven-ear-plugin/ I'll reply back if I find anything, and definitely would be interested in your own progress as well if you find anything useful or make progress as well. -Mike -- ---- > Hi together, > do you have any example how to package a provider implementation as an EAR > file? > I packaged it as JAR and it works but then I added some external libs > (JARS) so I have the requirement to > package it as an EAR. > Thank you, > Marco > Marco Scheuermann

7 years, 4 months

1
0
0 / 0

Spring Boot Multitenancy

by Ondrej Scerba

Hi, I'm trying to implement multitenant Spring Boot application using Spring Security Adapter. I'm able to authenticate based on path to correct realm. Now I want to protect endpoints based on realm. How can I achieve it? E.g. endpoint /realm/Customer1/users will be accessible only for authenticated user which belongs to realm Customer1 and endpoint /realm/Customer2/users will be accessible only for authenticated user which belongs to realm Customer2? Thanks, Ondrej

7 years, 4 months

1
0
0 / 0

Spring Boot Multitenancy

by Ondrej Scerba

Hi, I'm trying to implement multitenant Spring Boot application using Spring Security Adapter. I'm able to authenticate based on path to correct realm. Now I want to protect endpoints based on realm. How can I achieve it? E.g. endpoint /realm/Customer1/users will be accessible only for authenticated user which belongs to realm Customer1 and endpoint /realm/Customer2/users will be accessible only for authenticated user which belongs to realm Customer2? Thanks, Ondrej

7 years, 4 months

1
0
0 / 0

Keycloak 4.6.0.Final released

by Stian Thorgersen

http://blog.keycloak.org/2018/11/keycloak-460final-released.html

7 years, 4 months

4
4
0 / 0

Shared datastore?

by Nicolas Ocquidant

Hi, According to Infinispan, when passivation is disabled, every update to the cache should always write to the store. But I can't manage to get it work with Keycloak. If I disable passivation, my SQL store (Postgres) stays empty, even if the cache is full. So, if passivation is needed for Keycloak to write to the DB, it means that the use of a shared DB is not possible... But this leads to another issue for me. Enable passivation without a shared DB seems to imply that either 'fetch-state' or 'purge' should be enabled on startup, in order for the cache to not contain stale entries. 15:27:44,626 WARN [org.infinispan.configuration.cache.AbstractStoreConfigurationBuilder] (MSC service thread 1-6) ISPN000149: Fetch persistent state and purge on startup are both disabled, cache may contain stale entries on startup As I need to keep millions of sessions, this will considerably slow down the startup of my node (when started again after a crash for instance). So, is shared datastore allowed in Keycloak? If yes, how to enable it? Otherwise what other options do I have to improve my startup time, if millions of sessions are in the store? Thanks --nick

7 years, 4 months

4
4
0 / 0

Realm resolution based on username (email address)

by Pedro Pedro

Hi. I'm working on a multi tenant project where usernames are actually their email addresses and the domain of the email serves as a tenant identifier. Now in Keycloak I'll have different realms per tenant, but I want to have a single login page for all tenants and the actual realm that will do the authentication to be somehow resolved by the username (email address). How do I go about doing that? Best regards, Pedro.

7 years, 4 months

2
1
0 / 0

multitenant login with Keyclaok OpenID connect providers

by Marian Petrik

Dear Keycloak team, I have a multitenant keycloak setup with dedicated tenant realms. The goal is to have a single login page and pick the target realm automatically based on the domain in the user email. Can this be achieved in keycloak? My idea is to create an extra LOGIN realm with keycloak OIDC provider for each tenant realm. Client would only use this single LOGIN realm. The issue is how to get rid of the realm selection and implement custom authentication flow. Is this the right way to do this? Kind regards, Maran Petrik

7 years, 4 months

1
0
0 / 0

filter group claim in token per client

by Ronald Demneri

Hello everyone, Is there a way to filter the groups a user is a member of per client, based on clientId (which is part of the group name(s) in AD). Let's say that user Ronald is member of group_client1, group_client2 and group_client3, so using a group mapper, the token will contain a claim like group:["group_client1", "group_client2", "group_client3"]. Upon logging in to client1 app, I want to customize the group claim so that it contains only the respective group_client1 value. Thanks in advance, Ronald

7 years, 4 months

2
10
0 / 0

Update user attributes on login

by Oliver-Rainer Wittmann

Hi, I have a running keycloak with a custom identity provider - corresponding implementation of AbstractOAuth2IdentityProvider On registration of a user certain user attributes are stored and mapped into the token. Now, I want to update these user attributes on following logins. How to do this? Unfortunately, I did not find a corresponding hint in the documentation. Thx in advance for your support. Best regards, Oliver

7 years, 4 months

2
2
0 / 0

Unspecified behavior of token endpoint when obtaining permissions

by Lamina, Marco

Hi, I am trying to use Keycloak’s token endpoint to obtain a list of all resources and the respective scopes that a user has permission to access. However, the behavior I am observing does not match what is described in the documentation (Link [1]). I am using the token endpoint as shown in Link [2]. Expected behavior: Token endpoint returns a list of all resources and scopes that the token’s user has permission to access. Observed behavior: Token endpoint only returns resources that are owned by either the token’s user or the resource server itself. Resources owned by other users are not listed, even though the token’s user has permission to access them. Is that a bug or expected behavior? Links: [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... [2] https://issues.jboss.org/browse/KEYCLOAK-8768?focusedCommentId=13658545&p... Thanks, Marco

7 years, 4 months

3
8
0 / 0

User registration

by So Be

I want to enable user registration, it works fine, but after successful registration (email confirmation, etc), the new user is first redirected to "account management" and not directly to the client (in my case JupyterHub). Is there a solution to avoid users to get the account management page? Best, Sofiane.

7 years, 4 months

2
1
0 / 0

UMA fine grained management in the client itself

by Pierre Nowak

Hello, I have difficulties finding the best way of protecting resources using Authorization Services or UMA. Here is the following problem: user1 creates resource/item/id1 user2 creates resource/item/id2 I want to be able in my nodejs confidential client to: 1. list users that have access to a specific item (eg: item/id1) 2. list all resources a user has access to (not only the ones he has, but also the ones other users shared with him) 3. permit a user to access a resource 4. remove the access of a user to a resource I saw in photoz UMA example a nice UI directly in keycloak. I would like to reproduce this tab directly in my client calling APIs to Keycloak. The reason is the tab in the account page doesnt give enough functionality for example if I want to join some detail about the resources that would only be available in my resource server. I saw the resource set api and a node package ( https://github.com/proficonf/keycloak-authz) that tries to manage the resources only but I can't find APIs that directly handle the 4 steps I just mentioned. Thanks

7 years, 4 months

2
1
0 / 0

UMA 2.0 manage shared access with Rest-API

by Jeroschewski Sven Erik (INST-CSS/BSV-OS)

Hello everyone, is there an example project or tutorial with UMA 2.0 where the user can give his consent regarding shared access using the Rest-API of Keycloak? We already had a look at the "app-authz-uma-photoz" project from the "keycloak-quickstarts" repository. However, the example integrates a Keycloak website where the user can manage the requests for her/his resources. In our application we would like to have a custom service through which the user can manage his/her resources, can get notifications for new requests, and can define rules for permissions that are set automatically when a new resource is created or a new request is coming in. For example, we have a use case in which an application creates new resources where the user is the resource owner. This resource should be accessible by another user by default or the uploading application should be able to grant access in the name of the resource owner. We would be glad for any comments and recommendations on our approach. Mit freundlichen Grüßen / Best regards Sven Erik Jeroschewski Open Source Services - Product Group Customer Success Services (INST-CSS/BSV-OS) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Tel. +49 30 726112-416 | Mobil +49 152 24308225 | SvenErik.Jeroschewski(a)bosch-si.com<mailto:SvenErik.Jeroschewski@bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic

7 years, 4 months

2
1
0 / 0

Upgrade Keycloak running in Docker

by So Be

Hi, I am running keycloak 3 in a docker container. Is it possible to upgrade to v4 or the to the latest version without pulling new image? The reason of my question is that I don't want to configure the realms, clients, etc from scratch. Do you have an advice for this? Thank you. Sofiane.

7 years, 4 months

2
1
0 / 0

Custom authentication

by Vagelis Savvas

Hello, I'd like some advice on how to go about implementing the following custom authentication scenario: - A user besides the standard username and password optionally provides one more secret in the login screen. - The secret is associated with a realm role (one to one) by the realm admin, and if matched the user is dynamically added to the corresponding role. - If the secret isn't provided the user is normally authenticated and gets whatever roles he is assigned, like the default behavior Of course I would like to avoid implementing an SPI for that :-) but if it is not possible to avoid it I'd appreciate any insights and advice. I admit I haven't carefully read the relevant SPI extension docs yet, hoping that there is some way of doing it without an SPI extension. Cheers, Vagelis

7 years, 4 months

2
2
0 / 0

Notify Keycloak Bearer Clients on Admin Actions

by Miguel Haber

Hi, I'm just wondering about one scenario where I'm running: - Keycloak server (using it as a user base, and for authentication/authorization) - 3 resource servers connected to the Keycloak as bearer-only clients These resource servers store separate information about users. One use case I need to investigate: - Keycloak admin logs in, deletes one user that has data in all 3 resource servers Questions: 1) Do the 3 resource servers get notified at the moment in order to purge the user data from their DBs? 2) What if 1 resource server is offline, does it get notified as soon as it goes back online? Thanks

7 years, 4 months

2
1
0 / 0

EVENTTYPE for a temporarily disabled user

by Anneke Breust

Hi, in context with customized Prometheus metrics I am looking for an Event, which is emitted whenever a user is temporarily disabled (and a counterpart, which is emitted when the disabled user is enabled again). The goal is to be able to monitor the number of currently disabled users as well as how many times in a specific time span a user has been disabled. I looked through the EventTypes here https://www.keycloak.org/docs-api/3.2/javadocs/org/keycloak/events/EventT... but I didn't find anything useful- did I overlook something? Thanks in advance, Anneke

7 years, 4 months

2
1
0 / 0

Keycloak + Custom AuthenticatorFactory + Spring 5

by Tommaso Tamantini

Hi to all, I'm trying to develope a custom AuthenticatorFactory with a custom Authenticator. I would like to inject my custom Authenticator as Spring Bean into my custom AuthenticatorFactory (because my authenticator should use an existing spring library). My authenticator is like: @Component public class MyAuthenticator extends AbstractUsernameFormAuthenticator implements Authenticator { [.] To achieve it, I created an ApplicationContextAware bean @Service public class BeanUtil implements ApplicationContextAware { private static ApplicationContext applicationContext; public BeanUtil() { } @Override public void setApplicationContext(ApplicationContext applicationContext) throws BeansException { this.applicationContext = applicationContext; } public static Authenticator getAuthenticatorBean() { return applicationContext.getBean(MyAuthenticator.class); } } My factory is: public class MyAuthenticatorFactory implements AuthenticatorFactory, ConfigurableAuthenticatorFactory { public static final String PROVIDER_ID = "aruba-alias-authenticator"; public static final String G_RECAPTCHA_RESPONSE = "g-recaptcha-response"; public static final String RECAPTCHA_REFERENCE_CATEGORY = "recaptcha"; public static final String SITE_KEY = "site.key"; public static final String NUMBER_KEY = "number.key"; public static final String SITE_SECRET = "secret"; @Override public String getId() { return PROVIDER_ID; } @Override public MyAuthenticator create(KeycloakSession session) { return BeanUtil.AuthenticatorBean(); } [.] Keycloak starts up correctly. When I try to use myAuthenticator, i get: 16:46:48,484 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://0.0.0.0:9990/management sia-keycloak | 16:46:48,484 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://0.0.0.0:9990 sia-keycloak | 16:46:48,485 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 4.5.0.Final (WildFly Core 5.0.0.Final) started in 23456ms - Started 943 of 1231 services (653 services are lazy, passive or on-demand) sia-keycloak | 16:47:12,357 WARN [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException sia-keycloak | at ...authenticator.alias.BeanUtil.getArubaAliasAuthenticatorBean(BeanUtil.java :22) sia-keycloak | at ..authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.jav a:35) sia-keycloak | at ...authenticator.alias.AuthenticatorFactory.create(MyAuthenticatorFactory.ja va:1) The reason in that the Spring Context is null. Any idea about how to fix this issue? Many thanks, Tom

7 years, 4 months

2
1
0 / 0

File based cache store migration

by Nicolas Ocquidant

Hi When using a file based cache store for sessions, and assuming that I have millions of sessions in the file I don't want to loose, could Keycloak helps me migrate this file when upgrading for a new version of Keycloak? It is serialized data inside, so migration may be difficult that's why I am asking. Thanks --nick

7 years, 4 months

1
0
0 / 0

Persist Keycloak session cache into JDBC store, no data is written into table

by Röck, Cedric

Hi, we are currently trying to persist the in-memory session cache of our Keycloak (9.5.0.Final) deployment into a persistent store, preferably JDBC based. In order to achieve this, we already updated the configuration and ended up with this config for the Infinispan subsystem: <subsystem xmlns="urn:jboss:domain:infinispan:6.0"> <cache-container name="keycloak"> <transport lock-timeout="60000"/> <local-cache name="realms"> <object-memory size="10000"/> </local-cache> <local-cache name="users"> <object-memory size="10000"/> </local-cache> <local-cache name="authorization"> <object-memory size="10000"/> </local-cache> <local-cache name="keys"> <object-memory size="1000"/> <expiration max-idle="3600000"/> </local-cache> <replicated-cache name="work"/> <distributed-cache name="sessions" statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"> <jdbc-store data-source="KeycloakDS" dialect="SQL_SERVER" fetch-state="true" passivation="false" preload="true" purge="false" shared="true" singleton="false"> <property name="dropTableOnExit"> false </property> <property name="createTableOnStart"> true </property> <table/> </jdbc-store> </distributed-cache> <distributed-cache name="clientSessions" statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"/> <distributed-cache name="authenticationSessions" statistics-enabled="true" owners="${env.CACHE_OWNERS:1}"/> [...] </cache-container> [...] </subsystem> Even though the table „ispn_entry_sessions“ gets created once Keycloak starts, no data is being persisted there. Not after 5min and also not once several hours passed. To exclude batch sizes and alike as error cause, our test creates 300 users and performs repeated logins for all of them, so there should also be enough load on the system. Some more details: * The statistics already show more than 600 cache-loader-misses for the jdbc store, but no successful load. * Our deployment consists of three Keycloak instances running in Kubernetes pods / docker containers. * Target JDBC Database is an Azure managed SQL DB / SQL Server * We can’t see any errors in the logs and also the cache distribution appears to still work amongst all nodes in the cluster. If you need more details, log excerpts, the full config, …, just give me a ping. What are we missing? Any help is very much appreciated. Thanks and kind regards Cedric Cedric Röck ______________________________ Senacor Technologies AG Äußere Cramer-Klett-Str. 21 90489 Nürnberg M +49 (170) 2274 878 Cedric.Roeck(a)senacor.com www.senacor.com Senacor Technologies Aktiengesellschaft - Sitz: Eschborn - Amtsgericht Frankfurt am Main - Reg.-Nr.: HRB 110482 Vorstand: Matthias Tomann, Marcus Purzer - Aufsichtsratsvorsitzender: Daniel Grözinger Diese E-Mail inklusive Anlagen enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten, informieren Sie bitte den Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. This e-mail including any attachments may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the materials in this e-mail is strictly forbidden.

7 years, 4 months

3
2
0 / 0

4.6.0 Final

by Geoffrey Cleaves

Anybody know when 4.6.0 is expected to roll out? I'm waiting for some nice bug fixes...

7 years, 4 months

1
0
0 / 0

setting up TLS(SSL) through the X509_CA_BUNDLE environment variable

by Meissa M'baye Sakho

hello everyone, I'm using the jboss/keycloak:4.5.0.Final docker image. I'm trying to setup Mutual TLS by using the X509_CA_BUNDLE environment variable as explained in the Jboss/keycloak docker image documentation. I've mounted a volume to the image pointing to the cert file and defined the env variable. I'm running the image with the following command: *docker run -d --name opengie -e KEYCLOAK_USER=meissa -e KEYCLOAK_PASSWORD=meissa \* * -e PROXY_ADDRESS_FORWARDING=true \* * -v /home/centos/docker-opengie/docker-image/staging:/var/run/secrets \* * -v /home/centos/docker-opengie/docker-image/staging/jks:/etc/x509/https \* * -e JGROUPS_DISCOVERY_PROTOCOL=dns.DNS_PING \* * -e JGROUPS_DISCOVERY_PROPERTIES=dns_query=bdf-opengie-test.paas.eclair.local \* * -e X509_CA_BUNDLE=/var/run/secrets/bdf-ca.crt \* * jboss/keycloak:4.5.0.Final* When The container starts, I've checked that the cert has been corectly mounted to the expected folder /var/run/secrets But I see in the log that the certificat import fails (extract below): *Creating HTTPS keystore via OpenShift's service serving x509 certificate secrets..* *HTTPS keystore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/https-keystore.jks* *Creating Keycloak truststore..* *Keycloak truststore successfully created at: /opt/jboss/keycloak/standalone/configuration/keystores/truststore.jks* *Importing certificates from system's Java CA certificate bundle into Keycloak truststore..* *Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!* *Setting JGroups discovery to dns.DNS_PING with properties {dns_query=>bdf-opengie-test.paas.eclair.local}* I've checked in the script that handle the TLS import [1], but I'm not able to guess why the import is failing. The following extract is a part of the scripts that is used by the image to import the cert. # Import existing system CA certificates into the newly generated truststore local SYSTEM_CACERTS=$(readlink -e $(dirname $(readlink -e $(which keytool)))"/../lib/security/cacerts") if keytool -v -list -keystore "${SYSTEM_CACERTS}" -storepass "changeit" > /dev/null; then echo "Importing certificates from system's Java CA certificate bundle into Keycloak truststore.." keytool -importkeystore -noprompt \ -srckeystore "${SYSTEM_CACERTS}" \ -destkeystore "${JKS_TRUSTSTORE_PATH}" \ -srcstoretype jks -deststoretype jks \ -storepass "${PASSWORD}" -srcstorepass "changeit" >& /dev/null if [ "$?" -ne "0" ]; then echo "Successfully imported certificates from system's Java CA certificate bundle into Keycloak truststore at: ${JKS_TRUSTSTORE_PATH}" else echo "Failed to import certificates from system's Java CA certificate bundle into Keycloak truststore!" fi Any advice? [1]= https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x5... Meissa

7 years, 4 months

2
6
0 / 0

Re: [keycloak-user] [keycloak-dev] There is already a httpSessionManager

by Thomas Darimont

Hello Calixto, this is more a question for keycloak-user instead of keycloak-dev. There are some issues with Spring Security and the latest version of the keycloak spring-boot / spring-security adapter 4.5.0.Final. You can have a look at the following two examples for a working configuration. see: https://github.com/thomasdarimont/wjax2018-spring-keycloak/tree/master/demos - spring-boot-2-frontend - spring-boot-2-backend The examples are currently using <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.0.6.RELEASE</version> <relativePath/>  </parent> but the configuration works as well with <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.1.0.RELEASE</version> <relativePath/>  </parent> in combination with the following setting in application.yml / application.properties: spring: main: allow-bean-definition-overriding: true which seems to be required since Spring Boot 2.1 Cheers, Thomas Am Di., 13. Nov. 2018 um 01:18 Uhr schrieb Calixto Meleán <cmelean(a)gmail.com >: > I’m doing a simple tutorial with SpringBoot 2.1.0 and KeyCloack 4.5.0. > When I start my app, I am getting the error below. It’s like the session > manager bean is being registered more than once. > > org.springframework.beans.factory.support.BeanDefinitionOverrideException: > Invalid bean definition with name 'httpSessionManager' defined in class > path resource [com/example/demo/configuration/SecurityConfig.class]: Cannot > register bean definition [Root bean: class [null]; scope=; abstract=false; > lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; > primary=false; factoryBeanName=securityConfig; > factoryMethodName=httpSessionManager; initMethodName=null; > destroyMethodName=(inferred); defined in class path resource > [com/example/demo/configuration/SecurityConfig.class]] for bean > 'httpSessionManager': There is already [Generic bean: class > [org.keycloak.adapters.springsecurity.management.HttpSessionManager]; > scope=singleton; abstract=false; lazyInit=false; autowireMode=0; > dependencyCheck=0; autowireCandidate=true; primary=false; > factoryBeanName=null; factoryMethodName=null; initMethodName=null; > destroyMethodName=null; defined in URL [jar:file:/Users/bigcat/.m! > 2/repository/org/keycloak/keycloak-spring-security-adapter/4.5.0.Final/keycloak-spring-security-adapter-4.5.0.Final.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]] > bound. > > Relevant maven dependencies I have are: > > <dependency> > <groupId>org.keycloak</groupId> > <artifactId>keycloak-spring-boot-starter</artifactId> > <version>${keycloak.version}</version> > </dependency> > > <dependency> > <groupId>org.springframework.boot</groupId> > <artifactId>spring-boot-starter-security</artifactId> > </dependency> > > SecurityConfig.class is: > > @KeycloakConfiguration > public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter { > > @Bean > public KeycloakConfigResolver KeycloakConfigResolver() { > return new KeycloakSpringBootConfigResolver(); > } > > /** > * Registers the KeycloakAuthenticationProvider with the authentication > manager. > */ > @Autowired > public void configureGlobal(AuthenticationManagerBuilder auth) throws > Exception { > auth.authenticationProvider(keycloakAuthenticationProvider()); > } > > /** > * Defines the session authentication strategy. > */ > @Bean > @Override > protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { > return new RegisterSessionAuthenticationStrategy(new > SessionRegistryImpl()); > } > > @Override > protected void configure(HttpSecurity http) throws Exception > { > super.configure(http); > http > .authorizeRequests() > .antMatchers("/customers*").hasRole("pharmacist") > .anyRequest().permitAll(); > } > } > > > Appreciate any help. Thanks > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev

7 years, 4 months

1
0
0 / 0

Login via SAML RESPONSE from an IdP

by Karsten Honsack

Hello everybody, I am trying to figure out if Keycloak is capable to fulfil the following requirement. I read through the documentation but was not able to figure it out. Scenario: A user is on a website where he has the possibility to jump to web applications of different partners via SSO. The website provider only supports IdP Initiated SSO and the button links provided are SAML Assertion Consumer URLs. The flow describes what should be happening for my understanding: Flow: 1. User login on website. 2. User clicks on button. 3. Website creates an encrypted SAML RESPONSE using its STS, redirects user to Keycloak's SAML Assertion Consumer URL and POSTs the SAML RESPONSE there. 4. Keycloak decrypts/validates SAML RESPONSE and authenticates the user. 5. Keycloak redirects user to the application. 6. User uses application. Is this possible? How has it to be configured? Do you need any more information to help me? Thank you in advance! Best regards Karsten Honsack **************************************

7 years, 4 months

3
4
0 / 0

Extend keycloak notifications

by David Monichi

Hi, I'm considering to create a new application and for sure I'll use keycloak as user backend. It's really cool stuff what you guys created. I thought about various solutions for notifications of my application and was wondering if you guys already thought about to extend your e-mail notification to a more general and flexible system. So that not only keycloak e-mails will be sent over keycloak but also other applications e-mails and even more notifications can be send over keycloak (I'm thinking here of SMS, etc.). Therefore applications would need to upload any kind of templates to keycloak and somehow be able to manage them. There are 2 reasons for such a step. First of all keycloak already provides such basic functionality to sent notifications and so extending it could be done with lower overhead. Second, keycloak already owns the recipient data, if applications manage users over keycloak. As additional feature of course a proper monitoring should be placed in such a feature, since notifications are really vital to modern applications. We would be able to provide programming resources for such a feature but of course working together, specially for the design phase, with you guys. The alternative would be to provide a different notification system and forward keycloak e-mails to that service (actually the event to sent a notification). Don't know if this actually is the way to go ... My motivation for such a feature is, that a single application should be responsible for sending notifications of any kind and not be widespread over various applications. Any ideas welcome ;) Eventually I overlooked something in my design ... Thx in advance for all your thoughts & all the best /david

7 years, 4 months

2
1
0 / 0

Authorize Url

by Fabio Ebner

I using SpringBoot 2.0.5 and keycloak 4.5.0.Final so it's possible to secure an URL using: @PreAuthorize("hasRole('USER')") @GetMapping("/mensagem/enviada/t") instead the .antMatchers("/mensagem/enviada/**").hasRole("USER")

7 years, 4 months

1
0
0 / 0

Running Keycloak examples

by Pritha Srivastava

Hi All, I am trying to setup a Keycloak server and run the examples, for which I did the following: 1. Downloaded 4.5.0.Final Standalone Server distribution, and started the server using ./standalone.sh, which worked fine. 2. Downlaoded keycloak-examples-4.5.0.Final, and for the preconfigured-demo, I did a mvn clean install and mvn wildfly:deploy and the second step gave me this error - UT010039: Unknown authentication mechanism KEYCLOAK 3. To solve the error in 2.0, I downloaded the wildfly adapter keycloak-wildfly-adapter-dist-4.5.0.Final.zip, and ran this command - ./bin/jboss-cli.sh --file=adapter-install.cli --connect --controller=127.0.0.1:9990 which gave the following response: {"outcome" => "success"} { "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } } { "outcome" => "failed", "failure-description" => "WFLYCTL0310: Extension module org.keycloak.keycloak-adapter-subsystem not found", "rolled-back" => true, "response-headers" => {"process-state" => "reload-required"} } I am not sure how to solve the above problem. Any help is greatly appreciated. P.S.: I am completely new to Jboss, Wildfly etc. Thanks, Pritha

7 years, 4 months

2
4
0 / 0

How update the locale value in user profile with REST API ?

by David F

Hi, I use the doc to update my profile with REST API PUT /{realm}/users/{id} but if I want to change the locale value ("en", "fr"...), it's impossible. I have this response "Unrecognized field "locale" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable" because in my body object I use "locale" key for "en" value for example. I don't see in the doc how send my new locale value in my body object. Thanks for your help 😊

7 years, 4 months

2
1
0 / 0

Regarding keycloak REST api

by Sharlet Wilson

Hi, I have a user's keycloak access token on my backend Node.js application. Would like to know how I can use it to authorize a user to access my custom REST apis. (I am using the /auth/realms/<realm-name>/protocol/openid-connect/token api to get the user's access token). Regards, Sharlet Hannah Wilson

7 years, 4 months

2
3
0 / 0

Latvian translation review

by Stian Thorgersen

Anyone from the community that can review Latvian translation PR [1]? [1] https://github.com/keycloak/keycloak/pull/5676

7 years, 4 months

1
0
0 / 0

Add CA certificates for LDAPS ?

by Mathieu Poussin

Hello. What would be the recommended way to add a custom CA certificates ? The documentation has a lot of different ways and so far none of them worked : - The X509_CA_BUNDLE env variable thing (It's running in a container), I can see the certificates in the JKS store but looks like they are completely ignored by the app server. - Added custom SPI to load a custom JKS store, same, no error at server start but they are completely ignored by the app server. This is the error I am getting : Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) at sun.security.validator.Validator.validate(Validator.java:262) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ... 99 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ... 105 more Another option would be to disable certificate verification on LDAPS as it's a trusted environment (last resort but well so far nothing else worked), would there be a way to do that? Connecting over LDAP is not an option a this prevent some features to work like password reset. Thanks.

7 years, 4 months

5
12
0 / 0

There is already a httpSessionManager

by Calixto Meleán

I’m doing a simple tutorial with SpringBoot 2.1.0 and KeyCloack 4.5.0. When I start the app, I am getting the following error: org.springframework.beans.factory.support.BeanDefinitionOverrideException: Invalid bean definition with name 'httpSessionManager' defined in class path resource [com/example/demo/configuration/SecurityConfig.class]: Cannot register bean definition [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=securityConfig; factoryMethodName=httpSessionManager; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com/example/demo/configuration/SecurityConfig.class]] for bean 'httpSessionManager': There is already [Generic bean: class [org.keycloak.adapters.springsecurity.management.HttpSessionManager]; scope=singleton; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in URL [jar:file:/Users/bigcat/.m! 2/repository/org/keycloak/keycloak-spring-security-adapter/4.5.0.Final/keycloak-spring-security-adapter-4.5.0.Final.jar!/org/keycloak/adapters/springsecurity/management/HttpSessionManager.class]] bound. Relevant maven dependencies I have are: <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-spring-boot-starter</artifactId> <version>${keycloak.version}</version> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> SecurityConfig.class is: @KeycloakConfiguration public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter { @Bean public KeycloakConfigResolver KeycloakConfigResolver() { return new KeycloakSpringBootConfigResolver(); } /** * Registers the KeycloakAuthenticationProvider with the authentication manager. */ @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(keycloakAuthenticationProvider()); } /** * Defines the session authentication strategy. */ @Bean @Override protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl()); } @Override protected void configure(HttpSecurity http) throws Exception { super.configure(http); http .authorizeRequests() .antMatchers("/customers*").hasRole("pharmacist") .anyRequest().permitAll(); } } Appreciate any help. Thanks

7 years, 4 months

2
1
0 / 0

Email-Event UPDATE-PASSWORD

by Gregor Tudan

Hi, We’re trying to send an email to a user if his/her password was changed. The Email-Event UPDATE-PASSWORD looks exactly like what we want. https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o... <https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...> There’s one catch: the email seems to only get sent if the user has a verified email address. Email-Verification is not activated on the realm. Is there a reason why email-verification is required for those emails? Thanks, Gregor

7 years, 4 months

2
2
0 / 0

Mobile app authentication flow

by Joe Livu

Hi, I came across KeyCloak while searching for a security provider and was immediately impressed. I am planning on building a REST API using ASP.NET <http://asp.net/> Core Web API to be consumed by a mobile application to be built using Google's Flutter framework. I have a few questions. 1. Would KeyCloak be suitable for securing my REST API Whig is built using C# (ASP.NET <http://asp.net/> Core Web API)? If so, can I get a brief explanation and steps that need to be taken to achieve this? 2. Now I need my mobile app to consume the REST API secured by KeyCloak. For authenticating users (e.g., via login screen using username/password credentials), how would this be done? Which grant type and flow will be suitable? The Web application demos shows a redirect to the KeyCloak server for authentication and then back to the app. It seems this cannot be applied for mobile apps (correct me if am wrong), so what would be the best approach for a mobile application? I would think KeyCloak would provide a REST API for such cases but I can only find an Admin REST API for admin purposes only Any help regarding this would very much appreciated. Kind regards, Joe Livu

7 years, 4 months

2
1
0 / 0

Restrict access to clients based on Group membership

by Prashant Bapat

Hi, In our Keycloak setup (ver 4.4.0) we have a master realm configured to authenticate users in a Windows AD. We heavily use SAML and OIDC and both work great. Is there a way to restrict access to a OIDC client based on a group membership ? I’ve been reading up the docs and trying to get this working without success. For example, let’s say we have 2 clients; client-dev-api client-prod-api Can I configure Keycloak to issue JWT token for client-dev-api to members of AD group “Developers” and client-prod-api to members AD group “Production” ? Any guidance on getting this to work would be appreciated. Thanks. --Prashant

7 years, 4 months

2
1
0 / 0

How can I use Keycloak to support my architecture?

by ola rob

Hi, I need some help in securing my applications with keycloak: I have couple of grails applications (App1 and App2) using spring security. However, currently I am using keycloak REST API to authenticate users by passing username and password and receive token without registering these applications as clients in the keycloak. But this approach seems to be inefficient when we want to support SSO, kerberos and other lot of powerful features that Keycloak offers. So I came up with the below approach to support SSO/kerberos but wanted to know if Keycloak can solve our problem. "Create a new spring boot master application (App3) and register with Keycloak and redirect the login page to Keycloak. Once login is successful, use the token that keycloak provides and pass it on to App1 and App2 and tweak my existing code flow to handle this. Can this be possible because I am not registering/creating any clients for app1 and app2 in keycloak here but only creating for app3 which is the master application and using the access token? Is it mandatory to register/create all clients in Keycloak to support SSO?" Any help would be highly appreciated. Thanks in advance!

7 years, 4 months

3
2
0 / 0

Keycloak Javascript Adapter - Advisable to be used for confidential clients?

by Bruce Wings

I am referring to Keycloak Javascript adapter as mentioned in : https://www.keycloak.org/docs/4.5/securing_apps/index.html#_javascript_ad... I have a confidential client and I have downloaded keycloak-oidc.json containing client secret. Now I am not sure how secure is it to keep this file containing client-secret at the client side. Am I being over concerned?

7 years, 4 months

4
9
0 / 0

OpenID Java Adapter: configuring keycloak to use an IDP different then Keycloak Server

by Usai, Fabrizio

Dear, We are using Keycloak Java adapter 4.5.0 in combination with EAP7.1. When we configure our keycloak.json we have for auth-server-url the url https://authentication.country.com/op/v1/auth (the original url is changed for privacy reasons). So far so good. When we navigate to our application, we are forwarded to https://authentication.country.com/op/v1/auth/realms/KeycloakOIDCRealm/pr.... This is not good, since we use our own identity provider. Removing the realms/KeycloakOIDCRealm/protocol/openid-connect/ part of the url, forwards it correctly to the identity provider. So the Keycloak adapter adds it by default, assuming we will always use Keycloak as an identity provider. Before we were using SAML and didn't had this issue. How can we configure the keycloak.json for the adapter to leave out the addition of realms/KeycloakOIDCRealm/protocol/openid-connect/? We don't understand why with SAML we didn't had this issue at all, and now with OpenID it seems very difficult to solve this issue. Our current guess to solve this, is to overwrite some Keycloak Java class and make sure the url is built the correct way. Although it is a bit dirty, we could accept this as solution (if it is possible), but we prefer to do this via configuration. Kind regards, Fabrizio Usai

7 years, 4 months

2
3
0 / 0

TLS configuration issues with 4.5.0

by Balazs Kovacs

Hi, I run a test instance of keycloak from public docker hub. I'm able to set up the server with TLS on default port 8443 up until KC 4.3.0 with my own certificates. I did not try with 4.4.0, but 4.5.0 never succeeds and ends up with a auto-generated self-signed certificate in any case. I attached the standalone.xml configuration I use. When I turn on DEBUG log level, I get the below suspicious error that I thought is related: ESC[0mESC[32m10:07:51,880 DEBUG [org.jboss.as.domain.management] (MSC service thread 1-2) Starting 'ApplicationRealm' Security Realm Service ESC[0mESC[32m10:07:52,028 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000005: Received add context event for default-host:/wildfly-services ESC[0mESC[32m10:07:52,032 DEBUG [org.jboss.modcluster] (MSC service thread 1-1) MODCLUSTER000007: Received start context event for default-host:/wildfly-services ESC[0mESC[32m10:07:52,124 DEBUG [io.undertow] (MSC service thread 1-1) JDK9 ALPN not supported: java.lang.NoSuchMethodException: javax.net.ssl.SSLParameters.setApplicationProtocols([Ljava.lang.String;) at java.lang.Class.getMethod(Class.java:1786) at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:47) at io.undertow.protocols.alpn.JDK9AlpnProvider$1.run(JDK9AlpnProvider.java:43) at java.security.AccessController.doPrivileged(Native Method) at io.undertow.protocols.alpn.JDK9AlpnProvider.<clinit>(JDK9AlpnProvider.java:43) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.lang.Class.newInstance(Class.java:442) at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380) at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) at java.util.ServiceLoader$1.next(ServiceLoader.java:480) at io.undertow.protocols.alpn.ALPNManager.<init>(ALPNManager.java:40) at io.undertow.protocols.alpn.ALPNManager.<clinit>(ALPNManager.java:35) at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:68) at io.undertow.server.protocol.http.AlpnOpenListener.<init>(AlpnOpenListener.java:94) at org.wildfly.extension.undertow.HttpsListenerService.createAlpnOpenListener(HttpsListenerService.java:123) at org.wildfly.extension.undertow.HttpsListenerService.createOpenListener(HttpsListenerService.java:108) at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:177) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736) at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698) at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364) at java.lang.Thread.run(Thread.java:748) Any idea what's going wrong with this version of keycloak docker image and TLS setup? Thanks, Balazs

7 years, 4 months

2
1
0 / 0

How to enable keycloak for Embedded Jetty 9.3 server

by ola rob

Hi, I wanted to use jetty 9.3 adapter to secure my applications using keycloak. But I see that keycloak doc talks about configuration on standalone jetty servers but not on embedded jetty servers: java -jar $JETTY_HOME/start.jar --add-to-startd=keycloak My application uses embedded jetty server. Can you please provide steps to enable keycloak module for embedded jetty server? Thanks in advance!

7 years, 4 months

1
0
0 / 0

Verification of Access Token failed

by Tim Rademacher

Hi all, I am struggling with access token verification. So here is what I am doing (using Keycloak 4.5): 1. Generate an offline auth code from Client A. 2. Generate a refresh token from Client A. 3. Generate an access token from Client A. This token has an *ES256* Signatur. When using this token, I got an error from my Spring Boot application, that the used public key was not available: "Didn't find publicKey for specified kid". I set the public-key-cache-ttl to 1 sec and the log level to debug and could see, that only one pubilc key was retrieved for my configured Client: "Realm public keys successfully retrieved for client xxxxxxxxxx. New kids: [xxxxx]". As I could see in the realm settings, the key was created using *RS256*. When I force the Client A to just use RS256 signature by setting the "Access Token Signature Algorithm", then it works fine. But I wonder, how I could also use other signature algorithms!? Release notes are stating, that both (and more) algorithms are supported. Thanks for your help! Regards Tim

7 years, 5 months

1
0
0 / 0

Re: [keycloak-user] How can I use Keycloak to support my architecture?

by ola rob

Thanks Luis for quick help! Can you please relate to my example? I mean login-module is App3? Also, how can I get the token once login is successful after redirected back to my App3?

7 years, 5 months

2
1
0 / 0

/authz/protection/permission/ticket usage?

by Ulrik Sjölin

Hello, I have a question on how to use the API: /authz/protection/permission/ticket I can call the endpoint successfully if I do the call with only ids: curl --silent -X POST \ http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \ -H "Authorization: Bearer ${service_access_token}" \ -H "Content-Type: application/json" \ -d "{ \"resource\":\"${resource_id}\", \"scope\":\"40065a35-02d5-4db9-be46-02566cf7a666\", \"requester\":\"79ae9a5a-0304-41ec-b721-d57a09d419cb\", \"granted\":\"true\" }” It would however be a lot more workable for me if I could use names like: curl --silent -X POST \ http://${host}:${port}/auth/realms/${realm}/authz/protection/permission/ticket \ -H "Authorization: Bearer ${service_access_token}" \ -H "Content-Type: application/json" \ -d "{ \"resource\":\"${resource_id}\", \"scope\":\”Read\", \"requester\":\”alice\", \"granted\":\"true\" }” But when I do this I get: {"error":"invalid_scope","error_description":"Scope [Read] is invalid”} {"error":"invalid_permission","error_description":"Requester does not exists in this server as user.”} Looking at the code there seems to be lookups from names to id, but for some reason it fails. What am I doing wrong? Any help is greatly appreciated. Best Regards, Ulrik Sjölin

7 years, 5 months

2
1
0 / 0

Set sessions lifespan by realm?

by Nicolas Ocquidant

Hello Would it be possible to have several cache "sessions" with different configurations associated with different realms? I mean, I need to configure different lifespans for sessions, for different realm. How could I do that? Does the "SSO Session Max" entry from the GUI override the definition from the file standalone-ha.xml, for each realm: <distributed-cache name="sessions" owners="2" statistics-enabled="true"> <binary-memory eviction-type="COUNT" size="10000"/> <expiration lifespan="1800000"/> ... I yes, does it mean I need to set expiration lifespan in standalone-ha.xml as the maximum of all "SSO Session Max" GUI entries? Thanks a lot for clarification --nick

7 years, 5 months

1
0
0 / 0

Bulk Resource Delete?

by Geoffrey Cleaves

I want to delete thousands of resources. Must I do it 1 by 1 or is there a trick to delete multiple items with a single REST call? Or maybe a SQL delete would do the trick?

7 years, 5 months

2
1
0 / 0

Account Page Fields

by Aaron Echols

Hello All, How hard is to modify or add fields that could be modified in the users account page? It would be nice to add a personal email field to have be able to send their password reset email to. Currently, they can only send to their employee addresses, which if they forget their password, makes the email a moot point. Thank in advance for any ideas. :) -- *Aaron Echols*

7 years, 5 months

3
3
0 / 0

Refreshing exchanged token

by Paolo Tedesco

Hi all, I have a problem refreshing an exchanged token, and I would need some help to understand if I'm doing something wrong. I have two test confidential clients, client_1 and client_2, and client_1 is allowed to exchange tokens for client_2. First, I get a token for client_1, then I use token exchange to get a token for client_2. The token that I have at this point looks like this (snipped): session_state: 30b295b9-7278-4c9e-b5c4-0927e111a676 token_type: bearer access_token (decoded claims) : aud = client_2 clientId = client_1 refresh_token (decoded claims) : aud = client_2 azp = client_1 So far, everything is fine, but the problem is when I try to refresh the token for client_2 I got from the previous call. The call I'm making is POST https://<server>/auth/realms/master/protocol/openid-connect/token client_id = client_1 client_secret = <client secret for client_1> grant_type = refresh_token refresh_token = <the refresh_token string from the exchanged token> What I would expect is to get a new token with aud = client_2, instead I get a new token with aud = client_1: session_state: 30b295b9-7278-4c9e-b5c4-0927e111a676 token_type: bearer access_token: aud = client_1 clientId = client_1 refresh_token: aud = client_1 azp = client_1 Is this correct? Should I just get a new token through token exchange in this case, instead of refreshing the existing one? Thanks, Paolo Tedesco

7 years, 5 months

1
0
0 / 0

JTA and UserStorageProvider implementations

by Ilya Korol

Hi. I'm trying to realize how should i configure our datasources from JTA point of view. As far as i know default settings (that also described in docs) don't include any JTA capabilities, so keycloak will work in local transactions mode. (There is also a thing that confused me a little: in Wildfly Admin Console all datasources have 'JTA' option enabled by default). So the question is: what settings should i use if i add UserStorageProvider implementation which uses separate DataSource. As far as i understand JTA should be enabled for such case, so how should i configure datasources. For example: - KeycloakDS [Oracle] - datasource for keycloak itself - ExternalDS [Oracle] - datasource for external user storage Should both datasource be XA and JTA capable? And what about EntityManager that i would use for user data extraction? I refer to example implementation of User Storage Provider from documentation:| | |@Stateful||(a)Local(EjbExampleUserStorageProvider.class)||public class EjbExampleUserStorageProvider implements UserStorageProvider,|| UserLookupProvider, UserRegistrationProvider, UserQueryProvider, CredentialInputUpdater, CredentialInputValidator, OnUserCache { @PersistenceContext protected EntityManager em; protected ComponentModel model; protected KeycloakSession session; public void setModel(ComponentModel model) { this.model = model; } public void setSession(KeycloakSession session) { this.session = session; } @Remove @Override public void close() {} }| || || |Does transaction context of this entity manager same as transaction context of Keycloak Session? |

7 years, 5 months

1
0
0 / 0

Policy Evaluation for Service Account shows unexpected behavior

by Lamina, Marco

Hi, I am using the Protection API to create resources in Keycloak. Some of those resources are created by service accounts, some by regular users. I also have a JS policy that grants access to a resource if the given identity is the resource owner (it was an example from the documentation): var context = $evaluation.getContext(); var identity = context.getIdentity(); var permission = $evaluation.getPermission(); if (permission.resource !== null && permission.resource.owner == identity.id) { $evaluation.grant(); } The problem is that the policy fails to execute. Using the evaluation tool in the admin console, it produces the following stack trace: https://pastebin.com/2XXHQkNf . The policy works fine for regular users. In addition to that, trying to list the account’s permissions using the token endpoint (as described in [1]) fails with a 403. Am I missing something or is that a bug in Keycloak? [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... Thanks, Marco

7 years, 5 months

2
1
0 / 0

remote debugging keycloak docker image

by Meissa M'baye Sakho

Hello everyone, I need to enable remote debugging on keycloak docker image. I'm using a vanilla kubernetes. Any input on that? Regards, Meissa

7 years, 5 months

2
2
0 / 0

Error Being Thrown with MySql

by Nathan McBride

Hello everyone, Thank you for taking the time to read this and trying to help me. I’m new to KeyCloak as well as JBOSS. I created an AWS Lightsail account, the $5 / month plan, and am trying to use it for a KeyCloak server. I chose CentOS 7 as the operating system. I have been following the guide located here: http://www.pimwiddershoven.nl/entry/install-keycloak-on-centos-7-with-mys... I have followed all the steps and am at the point where KeyCloak is supposed to be started. But when I start it, it errors and it looks like it is a problem with the mysql connection. However, I have tested the credentials both locally and connecting remote with DataGrip and I’m not really sure what I did wrong. Any help is greatly appreciated. Thank you, Nate Here are the errors: 20:26:28,925 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 56) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) ... 8 more Caused by: java.lang.RuntimeException: Failed to connect to database at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 31 more Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException] at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:153) at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:83) at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:207) at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:184) at org.jboss.as.naming.InitialContext$DefaultInitialContext.lookup(InitialContext.java:239) at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:193) at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:189) at javax.naming.InitialContext.lookup(InitialContext.java:417) at javax.naming.InitialContext.lookup(InitialContext.java:417) at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:366) ... 43 more Caused by: java.lang.IllegalStateException at org.jboss.msc.value.InjectedValue.getValue(InjectedValue.java:50) at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:148) at org.jboss.as.naming.service.BinderService.getValue(BinderService.java:46) at org.jboss.msc.service.ServiceControllerImpl.getValue(ServiceControllerImpl.java:1110) at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:131) ... 52 more 20:26:28,938 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal 20:26:28,953 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = mysql 20:26:28,991 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: Failed to connect to database Caused by: javax.naming.NameNotFoundException: datasources/KeycloakDS [Root exception is java.lang.IllegalStateException] Caused by: java.lang.IllegalStateException"}} 20:26:29,011 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending 20:26:29,014 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443 20:26:29,017 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0019: Host default-host stopping 20:26:29,021 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] 20:26:29,029 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0003: Stopped realms cache from keycloak container 20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0003: Stopped offlineClientSessions cache from keycloak container 20:26:29,030 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 50) WFLYCLINF0003: Stopped users cache from keycloak container 20:26:29,031 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0003: Stopped clientSessions cache from keycloak container 20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 48) WFLYCLINF0003: Stopped authenticationSessions cache from keycloak container 20:26:29,032 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 46) WFLYCLINF0003: Stopped sessions cache from keycloak container 20:26:29,033 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 47) WFLYCLINF0003: Stopped authorization cache from keycloak container 20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0003: Stopped loginFailures cache from keycloak container 20:26:29,034 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0003: Stopped actionTokens cache from keycloak container 20:26:29,035 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container 20:26:29,038 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0003: Stopped keys cache from keycloak container 20:26:29,062 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped work cache from keycloak container 20:26:29,068 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = h2 20:26:29,088 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTP listener default suspending 20:26:29,089 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0003: Stopped client-mappings cache from ejb container 20:26:29,089 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080 20:26:29,091 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0004: Undertow 2.0.9.Final stopping 20:26:29,100 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped authorizationRevisions cache from keycloak container 20:26:29,106 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped realmRevisions cache from keycloak container 20:26:29,110 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-1) WFLYCLINF0003: Stopped userRevisions cache from keycloak container 20:26:29,111 INFO [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 170ms 20:26:29,149 INFO [org.jboss.as.server] (ServerService Thread Pool -- 37) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 20:26:29,282 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: java.lang.NullPointerException at org.jboss.as.controller.AbstractControllerService.finishBoot(AbstractControllerService.java:534) at org.jboss.as.server.ServerService.finishBoot(ServerService.java:418) at org.jboss.as.server.ServerService.boot(ServerService.java:388) at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:372) at java.lang.Thread.run(Thread.java:748)

7 years, 5 months

4
6
0 / 0

I need a Integrationtest example for keycloak 4.5

by Patrick Hesse

Hi all, i have her some sourcecode incl. IntegrationTests for a custom authenticator. This code was written by some other people. Now i must migrate this from Keycloak 3.0 to 4.5. I have migrated the authenticator, bute the migration for the IntegrationTests will not work. Where can i find a demo integrationTests with Arquillian. nice greetings Patrick Hesse

7 years, 5 months

2
1
0 / 0

How to refresh token

by Fabio Ebner

Hown can I refresh a token? after he expires? tks

7 years, 5 months

2
1
0 / 0

Keycloak 5.4.0.Final: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION

by Weber, Wolfgang

The last hours I tried to deploy keycloak 4.5.0.Final without any success. Startup fail with "No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION". I did not find any information if this is a common Issue or if I missed something in my config. An installation of 4.4.0.Final starts without any issues. For me it seems to be related to [KEYCLOAK-8289] - Remove authorization services from product preview profile #5587 Exception: 15:45:43,248 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 51) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) ... 8 more Caused by: java.lang.ExceptionInInitializerError at org.keycloak.protocol.docker.DockerAuthV2ProtocolFactory.isSupported(DockerAuthV2ProtocolFactory.java:76) at org.keycloak.services.DefaultKeycloakSessionFactory.isEnabled(DefaultKeycloakSessionFactory.java:238) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:216) at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:78) at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:326) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:117) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 31 more Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION at org.keycloak.common.Profile.<init>(Profile.java:120) at org.keycloak.common.Profile.<clinit>(Profile.java:68) ... 42 more Caused by: java.lang.IllegalArgumentException: No enum constant org.keycloak.common.Profile.Feature.AUTHORIZATION at java.lang.Enum.valueOf(Enum.java:238) at org.keycloak.common.Profile$Feature.valueOf(Profile.java:35) at org.keycloak.common.Profile.<init>(Profile.java:111) ... 43 more Yours, Wolfgang ________________________________ BearingPoint Technology GmbH Sitz: Premst?tten bei Graz Firmenbuchgericht: Landesgericht f?r ZRS Graz Firmenbuchnummer: FN 44354b The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.

7 years, 5 months

2
1
0 / 0

Create user API in keycloak with default password

by Shubham Akodiya

Hi Team, Is there any API available for creating the user with default password ? I've gone through the API - POST /{realm}/users <https://www.keycloak.org/docs-api/4.5/rest-api/index.html#_users_resource> but didn't find the password setting field for new user. Thanks, Shubham Akodiya

7 years, 5 months

3
2
0 / 0

Re: [keycloak-user] CEK key for alg:dir

by Tim Rademacher

...I suddenly had the idea, that the auth request returns the auth code that is then used to get an access token. So the auth code is just returned to its origin. So the "share secret" CEK is not a shared secret, but only known by the Keycloak server. So it makes sense, that I could not find the information, where to get the CEK, since the Keycloak server is the only one who needs it. Could someone please confirm? Thanks Tim Von: Tim Rademacher <t.rademacher(a)gmx.de> Gesendet: Dienstag, 6. November 2018 13:21 An: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org> Betreff: CEK key for alg:dir Hi all, I am somewhat struggling with Keycloak (Version 4.5.0) and I would like to view the data return from an authorization request. I retrieve the token and would like to look into it. I see, there are 5 parts: 1. Header 2. CEK 3. Init Vector 4. Content (encrypted) 5. Auth Tag The header mentions the Algorithm to be DIR and the Encryption Algorithm tob e A128CBC-HS256. The RFC7518 says, that DIR means "Direct use of a shared symmetric key as the CEK". So I wonder, how would the shared key come to the client to decrypt the content? How would I be able to decrypt the token (where would I get the token from)? Thank you very much! Tim

7 years, 5 months

1
0
0 / 0

RPT endpoint responds unexpectedly for resources created with an explicit _id

by Geoffrey Cleaves

The token endpoint sends an unexpected response while using grant_type urn:ietf:params:oauth:grant-type:uma-ticket and a ticket with permissions to a resource created via the resource UMA endpoint that has an explicit _id. When access is denied, endpoint sends a HTTP 400 and invalid_resource / Resource with id [resource2] does not exist. instead of sending 403. The same test but using a resource which has the Keycloak-assigned _id returns 403 as expected. I believe the key point here is that the resource has been created using the resource_set endpoint and had the _id set explicitly instead of letting Keycloak assign the id. Could the issue be related the fact that my Keycloak Docker install began as 4.3.0.Final with the database being Postgres, and then I upgraded Keycloak to 4.5.0.Final by downloading the latest Docker image? Could any DB migrations have been missed which could cause this issue? To reproduce the issue, try the following: Create resources rA and rB via the resource_set endpoint. When creating rB, include a explicit _id. Then, using an auth_token which does not have access to rB, try getting a RPT which includes permissions to rB. Token end point will respond with 400 resource_not_found. But in fact the resource exists. I have opened Jira ticket: https://issues.jboss.org/browse/KEYCLOAK-8729

7 years, 5 months

2
2
0 / 0

Re: [keycloak-user] Java 11 (Docker container base)

by Sebastian Laskawiec

I believe using the commercial Hotspot JVM provided by Oracle will not be an option. We will probably stick with OpenJDK. BTW, all JDK LTS releases will receive much longer updates. Please see this blog post for the reference: https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-open... On Thu, Oct 25, 2018 at 4:37 PM Pavel Micka <Pavel.Micka(a)zoomint.com> wrote: > It was mainly a question about how the support/updates will be handled - > if Keycloak will rely on „community only“ updates for Java 8 or if there > will be switch to new Java (updated by Oracle in the half-year window). > > I am sure that our customers will ask in reviews, how we have the security > updates are handled throughout our solution. And if all parts of our > solution rely only on secure resources. > > > > So the question should more be: Will Java under Keycloak be periodically > updated (without commercial support) after January 2019? > > > > Regards, > > > > Pavel > > > > *From:* Sebastian Laskawiec <slaskawi(a)redhat.com> > *Sent:* Thursday, October 25, 2018 4:00 PM > *To:* Pavel Micka <Pavel.Micka(a)zoomint.com> > *Cc:* Meissa M'baye Sakho <msakho(a)redhat.com>; keycloak-user < > keycloak-user(a)lists.jboss.org> > > > *Subject:* Re: [keycloak-user] Java 11 (Docker container base) > > > > From the support perspective, Red Hat offers extended support till June > 2023 [1]. > > > > Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess > we still have plenty of time to do the switch, so I wouldn't rush things > too much. > > > > BTW, why do you need JDK11, especially in the container? > > > > [1] https://access.redhat.com/articles/1299013 > > > > On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka(a)zoomint.com> > wrote: > > Sorry, end of january (my fault): > https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java > and OpenJDK will most probably start to diverge, as OpenJDK will not have > access to Oracle repos (afaik). So the speed of security fixes will depend > on willigness of community to fix the upcomming issues. > > Pavel > > From: Meissa M'baye Sakho <msakho(a)redhat.com> > Sent: Tuesday, October 23, 2018 11:04 AM > To: Pavel Micka <Pavel.Micka(a)zoomint.com> > Cc: keycloak-user <keycloak-user(a)lists.jboss.org> > Subject: Re: [keycloak-user] Java 11 (Docker container base) > > Hello, > Pavel, where did you get the information that the official Java 8 support > will cease at the end of december? > https://access.redhat.com/articles/1299013 > https://www.oracle.com/technetwork/java/javase/eol-135779.html > Meissa > > Le lun. 22 oct. 2018 à 16:33, Pavel Micka <Pavel.Micka(a)zoomint.com<mailto: > Pavel.Micka(a)zoomint.com>> a écrit : > Hello everyone, > > What is the plan for Java 11 support? The point is that current versions > of Docker containers are based on OpenJDK 8, but the official Java 8 > support will cease at the end of December. Will Keycloak use Java 11 by > that time or will it rely on updates provided by the community. > > This is important to us, as Keycloak is important part of our app security. > > Thanks, > > Pavel > > // I have found this ticket in Jira, but it does not provide too many > details: https://issues.jboss.org/browse/KEYCLOAK-7811 > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > >

7 years, 5 months

2
1
0 / 0

the admin rest api for realm import is not importing realm

by Bruce Wings

As mentioned in docs: https://www.keycloak.org/docs-api/4.4/rest-api/index.html#_realms_admin_r... I have created a post request via postman and the response is 200 OK, but when I go and check on the admin console, new realm is not visible. Moreover, when I perform the same operation via an invalid token, then also the response is 200 OK. Am I missing something here? Attached screenshot of postman request. (In the body I have copy pasted entire contents of realm json file that was exported from another server)

7 years, 5 months

2
5
0 / 0

API Create user

by Jannes Vandepitte

Hi, I’m having trouble with usage of the API. When creating a user via POST on the /users resource I can add a user no problem. But when I try to create a user and set it’s role/groups at the same time, it just ignores the provided roles and groups. Body: { "username": "testerrr", "email": "testt(a)aptus.bee", "realmRoles": ["0085814a-b946-494b-924d-c8bd20fe077c"], "groups":["098d95a5-9875-4e3c-90ab-cfacdef70fed"] } I gave the user that uses the api realm-admin roles just to make sure it wasn’t a permission problem. Any ideas on how to fix this (without adding 2 extra calls for adding the group and the role) Thanks in advance, Jannes V

7 years, 5 months

1
0
0 / 0

CEK key for alg:dir

by Tim Rademacher

Hi all, I am somewhat struggling with Keycloak (Version 4.5.0) and I would like to view the data return from an authorization request. I retrieve the token and would like to look into it. I see, there are 5 parts: 1. Header 2. CEK 3. Init Vector 4. Content (encrypted) 5. Auth Tag The header mentions the Algorithm to be DIR and the Encryption Algorithm tob e A128CBC-HS256. The RFC7518 says, that DIR means "Direct use of a shared symmetric key as the CEK". So I wonder, how would the shared key come to the client to decrypt the content? How would I be able to decrypt the token (where would I get the token from)? Thank you very much! Tim

7 years, 5 months

1
0
0 / 0

Customize Execute Actions Email Subject

by Nadim Elbaba

Hello, I would like to customize the subject of the emails sent using "execute-actions-email" REST endpoint depending on the required actions, e.g. : - "Update your password" when the UPDATE_PASSWORD action is present - "Verify your e-mail" when only the VERIFY_EMAIL action is present The only solution I could think about was to provide a custom EmailTemplateProvider implementation by extending the FreeMarkerEmailTemplateProvider to override the "sendExecuteActions" method in order to use different properties for the email subject. Is there any simpler way ? Anyway, thanks for this wonderful IAM solution ! Cheers, Nadim

7 years, 5 months

1
0
0 / 0

Proxy support in policy enforcement/authorization services

by Bruce Wings

As per the mailing list: http://lists.jboss.org/pipermail/keycloak-user/2016-December/008876.html There wasn't any support for proxy in case of policy enforcement. Since the thread is quite old, can someone from Keycloak team kindly confirm whether proxy support has been added yet or not?

7 years, 5 months

1
1
0 / 0

Keycloak got into Excited state because of Garbage Collector Issue

by Lahari Guntha

?Hi all, We are Using Keycloak to have SSO enabled for different applications. It was working fine. All of a sudden we were unable to access keycloak. After checking logs we came to know that "GC overhead limit exceeded". May I know how to resolve this Issue? Thanks and Regards, Lahari G =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

7 years, 5 months

2
1
0 / 0

Delegating sharing responsibilities for UMA resources?

by Ulrik Sjölin

Hello, I find the request-response mechanism of UMA very interesting and think it would be very useful where I work. But I have not found a way to scale it… Is it possible for a resource owner to delegate the responsibilities for sharing resources to other users? Consider a large organisation that owns a large set or resources and has a large number of users. The organisation wants to have a group of admins to handle answering the requests that comes in from the users asking for access to different resources. What is the best-practice way for handling a use case like this? Is it possible to assign a group as resource owner? Best Regards, Ulrik Sjölin

7 years, 5 months

2
1
0 / 0

Disable Authentication for a Path Using the Spring Boot Adapter

by KevinO

I've got a configuration setup similar to the doc https://www.keycloak.org/docs/1.9/securing_apps_guide/topics/oidc/java/sp... Is there a way to ignore security on certain paths? Eg security: ignored: /foo/*

7 years, 5 months

1
0
0 / 0

Active Directory LDAP Server Signing required

by Graham Nixon

Hi. I'm new to Keycloak. A quick question on Keycloak version 4.3.0. I've searched the online documentation and forums but can't find an answer. Does Keycloak support Simple LDAP BIND over tcp 389 (no LDAPS/TLS) to Active Directory if the Active Directory Domain Controllers (the LDAP server) have LDAP server signing set to Require Signature? Cheers Graham Nixon Senior Systems Architect MAXIMUS Canada DeltaWare Division 176 Great George Street, Suite 300 Charlottetown, PE, Canada C1A 4K9 Office: 902.628.4598 graham.nixon(a)maximuscanada.ca Confidentiality Notice: This electronic transmission, and any documents attached to it, may contain confidential information belonging to the sender. This information is intended solely for the use of the individual or entity named above. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or the taking of any action in reliance upon the contents of this information is prohibited. If you have received this transmission in error, please notify the sender immediately and delete the message and all documents.

7 years, 5 months

1
0
0 / 0

WFLYRS0015: No Servlet declaration found for JAX-RS application

by Ulrik Lejon

Hi, I'm currently investigating upgrading from version 3.3.0 to 3.4.2 (as a part of in the end upgrading to the latest 4.5 version). When I boot up version 3.4.2 on out test server I see the following warning in the log: WARN [org.jboss.as.jaxrs] (MSC service thread 1-7) WFLYRS0015: No Servlet declaration found for JAX-RS application. In custom-rest-endpoing-1.7.war either provide a class that extends javax.ws.rs.core.Application or declare a servlet class in web.xml. The custom-rest-endpoing.war is a realm-restapi-extension that we deploy to our Keycloak instance. Indeed we haven't subclassed javax.ws.rs.core.Application nor have we any web.xml. However, looking at the rest provider example ( https://github.com/keycloak/keycloak/tree/master/examples/providers/rest) I can't find anything about that there either. Is this warning anything I need to pay attention to? Cheers, Ulrik

7 years, 5 months

1
0
0 / 0

Keycloak realm certificates be passed to Knox?

by Jamie McDowell

Hi, I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates. Knox is used to decrypt singed JWT's. Is this something that can be achieved? Thanks Jamie

7 years, 5 months

2
4
0 / 0

Organization Based Accounts and Permissions

by Charles Henck

Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin

7 years, 5 months

6
19
0 / 0

Review Latvian translation

by Stian Thorgersen

We have a PR for Latvian translations for Keycloak. Can someone from the community review it please? https://github.com/keycloak/keycloak/pull/5676

7 years, 5 months

1
1
0 / 0

Turkish translation review needed

by Stian Thorgersen

We have a PR for Turkish translations for Keycloak. Can someone from the community review this please? https://github.com/keycloak/keycloak/pull/5678

7 years, 5 months

1
1
0 / 0

Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources

by Andreas Lau

Hey, I forgot to bounce back to the list. Sorry ________________________________ Von: Andreas Lau <andreas.lau(a)outlook.com> Gesendet: 30. Oktober 2018 23:08:06 MEZ An: Dmitry Telegin <dt(a)acutus.pro> Betreff: Re: [keycloak-user] JBoss EAP 7.0 - keycloak-wildfly-adapter-dist-4.3.0.Final - KeycloakConfigResolver called on unprotected Resources Hello Dmitry, thanks for your response and informations. My problem with that many calls of the resolve methode was not a performance concern in first place. I was surprised for sure and I did indeed thought that I mad a mistake somewhere following the instructions. As you pointed out the behavior is not wrong. The resolver should be called that many times. That's OK I'm fine with this. The first call to the jsf page is not a problem at all, because in the URL we have set the parameter who determines which keycloak.json file has to be used. But I have a problem at the time where the jsf loading process starts to load the resources. It fires get request with the URL to the resources the jsf needs. But now I have lost my scope because the URL used to load the resource has no identifier in it. How should I determine which keycloak.json I should take? Cheers, Andreas Am 30. Oktober 2018 06:29:56 MEZ schrieb Dmitry Telegin <dt(a)acutus.pro>: Hello Andreas, I'm afraid this is by design - one of the reasons may be Java EE programmatic security [1], where the application can instigate login even from the resources not protected by web.xml security constraints. But I don't think you should be bothered - in your resolver, there is a cache for KeycloakDeployments, and cache calls are cheap (and you will always have a cache hit, except for the very first invocation). Even if there had been the code to determine whether the resolver should or should not kick in, according to web.xml rules, - this code would have been more expensive, let alone it would have broken programmatic security. If you are super determined, you can craft a simple performance test using e.g. Gatling [2] - I'm pretty sure the results for resolver vs. no resolver will differ insignificantly. [1] https://docs.oracle.com/javaee/7/tutorial/security-webtier003.htm [2] https://gatling.io/ Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info(a)acutus.pro On Sat, 2018-10-27 at 07:21 +0000, Andreas Lau wrote: Hey guys, sorry for bouncing that topic again, but this issue currently is a show stopper for us. We need to have multi-tenancy for our application, but as it works now it is not feasible. So we desparatly ask for your help. Am 24. Oktober 2018 17:16:23 MESZ schrieb Andreas Lau <andreas.lau(a)outlook.com>: Hello, we deployed a jsf primfaces application on a JBoss EAP 7.0 System. We have to support multiple clients using multi tenancy. We followed the instructions of the documentation [1] to build up a CustomKeycloakConfigResolver. We configured the web.xml like this: [web.xml] <web-app> ... <security-constraint> <web-resource-collection> <web-resource-name>portal</web-resource-name> <url-pattern>/portal/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>user</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>public</web-resource-name> <url-pattern>/portal/pages/willkommen.jsf</url-pattern> <url-pattern>/portal/pages/logout.jsf</url-pattern> </web-resource-collection> </security-constraint> <login-config> <auth-method>KEYCLOAK</auth-method> </login-config> <security-role> <role-name>user</role-name> </security-role> ... <context-param> <param-name>keycloak.config.resolver</param-name> <param-value>de.sample.security.MandantBasedKeycloakConfigResolver</param-value> </context-param> ... </web-app> As you can see everything under portal is restricted with two exceptions. The code of MandantBasedKeycloakConfigResolver is straight forward and adapted to the example code [2]. In our example we consider that the url has a query parameter that provides an id which we can map to a corresponding keycloak.json file. A sample would be "https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=1". After deployment I realized, that the KeycloakConfigResolver is called 44 times (see log entries [3]). As it turns out the KeycloakConfigResolver.resolve() methode is called for every resource that is loaded through get requests to display the site. I did not expect that many invocation, since the resources are not protected. Can you please tell me if this behaviour is correct? What is my error in adopting the mulity tenancy sample? How can we prevent/workaround that many calls? While researching I found a jira https://issues.jboss.org/browse/KEYCLOAK-8616 with a potentially similar problem. Here they use keycloak to secure a spring boot application and have troubles when a sso redirection occurs. Regards, Andreas [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy [2] public KeycloakDeployment resolve(HttpFacade.Request request) { LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - counter:" + counter++); final String mandantId = request.getFirstParam("kId"); LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):" + mandantId); LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - uri:" + request.getURI()); if (mandantId == null || mandantId.isEmpty()) { // throw new IllegalStateException("Not able to resolve realm for parameter kId - Parameter not found!"); return null; } KeycloakDeployment deployment = cache.get(mandantId); if (deployment == null) { String keycloakConfigFilename = resolveKeycloakConfigFilename(mandantId); InputStream is = getClass().getResourceAsStream("/" + keycloakConfigFilename); if (is == null) { // throw new IllegalStateException("Not able to find the file /" + keycloakConfigFilename); return null; } LOGGER.debug("MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:" + (is == null)); deployment = KeycloakDeploymentBuilder.build(is); cache.put(mandantId, deployment); } return deployment; } [3] 17:28:43,281 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:0 17:28:50,215 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,228 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,229 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - is IS==null?:false 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:1 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - counter:2 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):3 17:28:50,496 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-4) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/portal/pages/willkommen.jsf?kId=3 17:28:50,933 INFO [stdout] (default task-4) INIT Willkommen 17:28:50,933 INFO [stdout] (default task-4) initialized mandant <<<<<<<<<<<<< 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - counter:3 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,168 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-5) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=primefaces&v=6.1 17:28:51,168 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /SampleApp/javax.faces.resource/components.css.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] ....... 17:28:51,824 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - counter:43 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - requestFirstParam(kId):null 17:28:51,825 DEBUG [de.sample.security.MandantBasedKeycloakConfigResolver] (default task-50) MandantBasedKeycloakConfigResolver.resolve() - uri:https://localhost:8443/SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost?ln=ultima-layout 17:28:51,825 ERROR [io.undertow.request] (default task-50) UT005023: Exception handling request to /SampleApp/javax.faces.resource/customJs/customJavaScript.js.jsf;jsessionid=6YidBEhtdxxI3NAASHOPab5bdBN_JAOjgqf8qHeh.localhost: java.lang.IllegalStateException: Not able to resolve realm for parameter kId - Parameter not found! at de.sample.security.MandantBasedKeycloakConfigResolver.resolve(MandantBasedKeycloakConfigResolver.java:46) [classes:] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) [keycloak-adapter-core-4.0.0.Final.jar:4.0.0.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:68) [keycloak-undertow-adapter-4.0.0.Final.jar:4.0.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175) [undertow-servlet-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:324) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:803) [undertow-core-1.3.31.Final-redhat-3.jar:1.3.31.Final-redhat-3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_112] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_112] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_112] ________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

7 years, 5 months

2
3
0 / 0

Backup strategies for Keycloak + Docker?

by Rémy Grünblatt

Hello, I'm wondering: what are your backup strategies for keycloak? I plan to use docker and keycloak, and of course I'll be backuping the data. The backup for the database side is ok: just launching psql in the container will do it. But for the keycloak side: do I need any backup? In there, https://www.keycloak.org/docs/2.5/server_admin/topics/export-import.html, a method for backuping the « entire database » is mentioned, and I was wondering if this would be useful in addition of the database (container) backup. I thought about modifying the entry point to include this backup (what I have done), but saving it to a volume is tricky as it seems keycloak is running with 1000/1000 uid/gid (which is the first non-root user on many linux distribution…). Any hints? How do you do it, in your production? Rémy

7 years, 5 months

2
1
0 / 0

How should my application users get a token to directly access my API?

by Geoffrey Cleaves

Let's say that in addition to letting my end users access my REST API via the single page web app, I also want to let the end users access the REST API in a machine-to-machine fashion. So that, for example, the end user could run a report every night automatically via cron/curl instead of generating the report via the front end SPA. My SPA gets tokens using keycloak.js and the Authorizaton Code Flow. But I don't think this is appropriate for the scenario above. Curl can't be entering a username/password into Keycloak's login page when a session expires. Are my end users to use the Resource Owner Password Credentials Grant? If so, which clientid/secret should be used? Thanks for shedding light on this. Geoff

7 years, 5 months

1
0
0 / 0

keycloak-gatekeeper bearer-only

by Eric Boyd Ramirez

Dear All, I am trying to test Keycloak-gatekeeper, have read the docs I could find (keaycloak-proxy as well) but I still have a few questions: 1- I am trying to secure a number of REST APIs, configured behind bearer-only clients. I think I need to first get a access token trough a confidential client using a 'grant-type=password' request and then do a second request to the REST client resource. Is this the right approach, how would I implement this using Keycloak-Gatekeeper?. 2- Keycloak-Gatekeeper uses uri->methods->roles to manage resource access. Is there a way to use Keycloak's authorization settings to manage access to a client's resource (i.e. policies, permissions, uma-ticket, etc.)? 3- How do I set up multiple clients, do I have to run and configure separate instances of Keycloak-Gatekeeper? Thanks in advance for your time and help. Regards,

7 years, 5 months

4
6
0 / 0

Bug? Shared UMA resource not accessible

by Ulrik Sjölin

Hello there, I wonder if anyone is experiencing this problem and if anyone out there has a workaround (I am running 4.5.0). The problem I have comes up in a really simple situation: JDoe has 1 resource (JDoeResource) that he shares with Alice (scope: JDoeScope). Alice tries to access that resource with permission=JDoeResource#JDoeScope. This fails with a “400 bad request” when it should return the resource in question. I wonder if this is [KEYCLOAK-8448] that I am seeing. When alice tries to access the resource with permission=<JDoeResource-ID>#JDoeScope or by just specifying permission=#JDoeScope everything works fine. Below there is a small script that recreates and demonstrates the problem. Any help in this matter would be greatly appreciated. Best Regards, Ulrik Sjölin In order to run the script below you need to have the tools ‘jwt-cli’ and ‘jq’ installed. #!/bin/bash export host=keycloak export port=8080 export realm=myrealm export resource_server_client_id=my-service export resource_server_client_secret=88888888-8888-8888-8888-888888888888 export username=alice export password=alice export resource_owner=jdoe export resource_name=JDoeResource export scope=JDoeScope export access_token=\ `curl --silent \ http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \ -d client_id=${resource_server_client_id} \ -d client_secret=${resource_server_client_secret} \ -d username=${username} \ -d password=${password} \ -d grant_type=password \ | jq -r ".access_token"` export result=\ `curl --silent -X GET \ http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set?name=${resource_name} \ -H "Authorization: Bearer ${access_token}" \ | jq -r ".[0]"` if [ "$result" = "null" ]; then export new_id=`curl --silent -X POST \ http://${host}:${port}/auth/realms/${realm}/authz/protection/resource_set \ -H "content-type: application/json" \ -H "Authorization: Bearer ${access_token}" \ --data @<(cat <{ "name":"${resource_name}", "type":"Entities", "owner":"${resource_owner}", "ownerManagedAccess":"true", "resource_scopes":["JDoeScope"] } EOF ) | jq -r "._id"` echo "Created resource with id: ${new_id}" echo "Log in with user ${resource_owner} into keycloak" echo "and share ${resource_name} with ${username}" echo "When that is done, run this script again" else echo "Found resource with id: ${result}" resource_id=$result fi export result=\ `curl --silent -X POST \ http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \ -H "Authorization: Bearer ${access_token}" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=${resource_server_client_id}" \ --data "permission=#${scope}" \ | jq -r ".access_token"` export result=`jwt $result | grep ${resource_name}` echo "permission=#${scope}: ${result}" export result=\ `curl --silent -X POST \ http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \ -H "Authorization: Bearer ${access_token}" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=${resource_server_client_id}" \ --data "permission=${resource_id}#${scope}" \ | jq -r ".access_token"` export result=`jwt $result | grep ${resource_name}` echo "permission=${resource_id}#${scope}: $result" export result=\ `curl --silent -X POST \ http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \ -H "Authorization: Bearer ${access_token}" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=${resource_server_client_id}" \ --data "permission=${resource_name}#${scope}" \ | jq -r ".access_token"` export result=`jwt $result | grep ${resource_name}` echo "permission=${resource_name}#${scope}: ${result}"

7 years, 5 months

2
1
0 / 0

Ability for users to manage their own resources

by Geoffrey Cleaves

How can we enable the ability for users to manage their own resources as described in section *8.3.3. Managing Access to Users Resources* at this link https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... ? This picture looks so nice : https://www.keycloak.org/docs/latest/authorization_services/keycloak-imag... I am using a confidential client with Authorization enabled on Keycloak 4.5.0 Final. I have used the UMA2 endpoints directly to create a resource owned by a user, yet that user (me :) can't see the My Resources screen. Any help is appreciated! Geoff

7 years, 5 months

2
2
0 / 0

Keycloak Gatekeeper CORS problem

by Geoffrey Cleaves

I'm having a problem accessing a REST service protected by Gatekeeper via AJAX. I have tried many different combinations of settings in the config file to no avail. I suspect the Gatekeeper has a bug. I can access the protected endpoint directly (via Gatekeeper) with no issue as there is no CORS. I can use the AJAX method successfully when I use a Chrome plugin to enable CORS for these endpoints. The message from Chrome is: Access to XMLHttpRequest at 'http://domain.com:3001/endpoint.php' from origin 'http://domain2.com:8888' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. I see that Chrome only sends an OPTIONS request to Gatekeeper, which does not respond with a Access-Control-Allow-Origin header at all, despite my config settings below. My config.yml file looks like this: client-id: {id} client-secret: {secret} discovery-url: {keyclock end point} enable-default-deny: true encryption_key: {32characters} listen: 0.0.0.0:3000 redirection-url: http://domain2.com:3001 upstream-url: http://localhost:8888 secure-cookie: false verbose: true #preserve-host: true resources: - uri: /admin* methods: - GET roles: - test-php-api:test1 - client:test2 require-any-role: true groups: - admins - users - uri: /endpoint.php roles: - test-php-api:test1 - uri: /backend* roles: - test-php-api:test1 - uri: /public/* white-listed: true - uri: /favicon white-listed: true - uri: /css/* white-listed: true - uri: /img/* white-listed: true cors-origins: - '*' cors-methods: - GET - POST Any ideas? Geoff

7 years, 5 months

2
1
0 / 0

Multitenant KeycloakConfigResolver

by Vagelis Savvas

Hello, in a multitenant app on Wildfly 14.0.1 with a bearer-only REST API to protect I would like some URLs to not be secured. So I would like my custom KeycloakConfigResolver implementation to not be called when those URLs are hit but it is. The reason I don't want my KeycloakConfigResolver to be called is simply because I have no clue as to what to return in that case: its a non-secured REST endpoint so a Keycloak realm doesn't make sense in my understanding. My setup follows the docs: I've installed the adapter for Wildfly and the web.xml has the necessary setup for not securing some URLs (no auth-constraint for those URLs) Also in jboss-web.xml the security-domain element isn't defined, although I don't know if that plays any role. My final goal is to have some URLs secured by using the JBoss specific @SecurityDomain and the standard @RolesAllowed etc annotations. Can you please shed some light on this matter? I'd greatly appreciate any detailed explanation of the mechanisms involved in this area. Cheers, Vagelis

7 years, 5 months

3
4
0 / 0

Cannot Migrate Database from 3.2.0 to 4.5.0

by Mandy Fung

Hello Keycloakers, We are currently running into an issue when upgrading Keycloak from 3.2.0 to 4.5.0 directly. The issue appears to be related to the database migration specifically and from a change introduced in August 2018 which references a previously dropped column. Here is the Jira issue containing some more details with the error and some more analysis: https://issues.jboss.org/browse/KEYCLOAK-8702 Is there anything we can do to help expedite the resolution of this issue aside from the details we have provided on the ticket? Best regards, Mandy -- *Mandy Fung **|* Software Engineer 1 *| *Tasktop *email: *mandy.fung(a)tasktop.com

7 years, 5 months

1
0
0 / 0

Integration keycloak with application UI

by K Chandra Sekar

Hey, I want to integrate application with Keycloak IAM system.I am trying to use KeyCloak to protect my application using OpenID connect.But I want to use application's login UI and don't want to direct user to keycloak login UI page to authenticate.Keycloak has Spring boot adapter which does the job it still it directs to the keycloak UI for login.I searched for any api to use from my app UI but i am nit getting anything and i am struck here.Kindly suggest me a a workaround or solution so that i can move forward.Anticipating a positive reply. Thanks and regards, K.Chandra Sekar

7 years, 5 months

4
3
0 / 0

PKCE and Keycloak

by Bojan Milosavljević

Hello, Is PKCE (if my adapter supports PKCE of course) automatically supported by default by Keycloak or do I have to implement it myself? Thank you. Kind regards, Bojan Milosavljevic.

7 years, 5 months

2
3
0 / 0

How to increase logging

by Saranya Mahalingam

Hello, Authentication component is not coming up. I don't see any errors in logs. So thought of improving the logs using JAVA_OPTS like: name: JAVA_OPTS value: -Dkeycloak.logging.level=debug But I don't see any changes in the logs even after setting the above value. Tried few other options too without success. Do you have any suggestions here? Let me know if you need any other information. Thanks, Saranya

7 years, 5 months

2
2
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user November 2018