Keycloak realm detection from email domain
by Scott Hezzell
Hi
I am building a multi-tenant mobile application that uses Keycloak as an SSO server. We will pre-load users in Keycloak using their email address as their username, with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from the user's email domain and redirect to the appropriate authorisation endpoint for the realm. Has anyone faced a similar problem?
My thought at the moment is to build a proxy API that the mobile application redirects to. It prompts the user for their email address, looks up the configured tenant from the email domain and redirects to the appropriate realm's login page, passing the mobile app credentials it passes to the proxy API and the entered user email as a login_hint.
Can anyone see any issues with this approach? Or suggest a better approach?
Thanks
Scott
5 years, 5 months
Realm resolution by username
by Ian Duffy
Hi all,
I'm using keycloak in a multi-tenant scenario where each tenant is a realm
and the clients are duplicated across them.
The username for each user is an email address of username(a)tenant.tld
Is there any way to use the @tenant.tld part of the email address as a
realm resolver and have all users access the system
via the same login page?
Thanks,
Ian.
5 years, 5 months
Keycloak Session timeout issue
by Ashutosh Kanthi
Hi,
We are using Keycloak 2.5.5 and we are facing issues with regard to Keycloak session timeout.
1. Even after session timeout for a particular user, Keycloak is maintaining a session for that particular user for some extended time.
2. And if the same user logs in again then Keycloak shows that the same user maintains 2 sessions in the active sessions section (the previous session, which no longer exists for him at the application level, and the current session).
We have made the following Keycloak settings just for checking the above scenario. Could anyone please suggest what settings should be made in Keycloak so that the above-mentioned scenario can be avoided?
Thanks & regards,
Ashutosh Kanthi
The content of this email and any of its attachments is intended for the exclusive use of its recipient. It contains information that is proprietary, privileged, confidential and/or subject to copyright. Any unauthorized disclosure, distribution or reproduction is strictly prohibited. If you are not the intended recipient, please notify us immediately and delete all copies of this email and any attachments. E-mails are susceptible to alteration. EXFO Inc. and its affiliates shall not be liable for the message if altered, changed or falsified.
5 years, 5 months
Deploy keycloak to Kubernetes Cluster on GCP
by William Nankap
Hi every one,
When I deploy the Docker image keycloak 4.5.0.Final to a Kubernetes cluster on GCP I can normally access the Keycloak interface via the external IP address on port 8080. But I can't access the WildFly management interface on port 9990.
My questions:
1/ What are the recommendations for using Keycloak in production?
a/ Install the Keycloak server beside a WildFly server to use it correctly?
b/ Install only the Keycloak server. How can I manage the deployment of an app if I can't access the WildFly management interface? Is it imperative to access it?
2/ Do you need more details on my deployment to help me? If yes, which?
3/ How can I get the WildFly management interface on my GCP deployment in order to deploy my app?
4/ Do you have suggestions for me on the best way to use Keycloak in production? Some support?
I will be very thankful for your answer.
Kindest regards...
5 years, 5 months
OOM at startup with 1 million sessions
by Nicolas Ocquidant
Hi
My UC (use case) is to keep one year of sessions. This is what I have done to simulate it:
1. I use JDBC to store 1 million session objects, 2.8KB (in memory) each
2. I start one Infinispan node with passivation=false and shared=true, and Xmx=8G
3. I start one Keycloak node configured with a remote-cache and Xmx=4G
Note that I use a remote-store in KC as it is the only way to set passivation=false and shared=true (see http://lists.jboss.org/pipermail/keycloak-user/2018-November/016180.html).
No problem in step 2, the ISPN process is less than 300MB large in memory. But after step 3, the ISPN process goes up to around 6GB.
See below for the traces, but basically I get OOM.
Using the debugger, I can see that getting the size of the cache is a really slow operation, and bumps memory to 3GB in the ISPN process.
From org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer:

    RemoteCacheSessionsLoader.computeLoaderContext(KeycloakSession session) {
        // ...
        int sessionsTotal = remoteCache.size(); // <--- HERE
        // ...
    }

And then (OOM here):

    InfinispanCacheInitializer.startLoadingImpl(InitializerState state, SessionLoader.LoaderContext ctx) {
        // ...
        for (Future<WorkerResult> future : futures) {
            // Called 4X (ie the number of segments), but 1st one does not terminate: OOM
            // -> org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart
            WorkerResult result = future.get(); // <--- Very slow and bumps mem to 8GB
            // ...
        }
So, with 1M sessions in the store, I cannot get KC/ISPN to start. And I am far from my goal, which is to keep one year of sessions (estimated at ~52M sessions)...
Is it something I can't achieve with KC/ISPN?
Any help appreciated.
Thanks
nick
Note, versions I used are:
* ISPN 9.4.1 Wildfly
* KC 4.6.0 Wildfly
-- ISPN process
10:42:22,969 ERROR [stderr] (Periodic Recovery) Exception in thread "Periodic Recovery" java.lang.OutOfMemoryError: Java heap space
10:42:22,977 ERROR [stderr] (Periodic Recovery) at sun.text.resources.fr.FormatData_fr.getContents(FormatData_fr.java:86)
10:42:22,975 ERROR [org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory] (pool-9-thread-1) ISPN008018: Sql failure retrieving connection from datasource: java.sql.SQLException: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null]
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
    at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64)
    at org.infinispan.persistence.jdbc.connectionfactory.ManagedConnectionFactory.getConnection(ManagedConnectionFactory.java:83)
    at org.infinispan.persistence.jdbc.stringbased.JdbcStringBasedStore.purge(JdbcStringBasedStore.java:461)
    at org.infinispan.persistence.manager.PersistenceManagerImpl.lambda$purgeExpired$6(PersistenceManagerImpl.java:459)
    at java.util.ArrayList.forEach(ArrayList.java:1257)
    at org.infinispan.persistence.manager.PersistenceManagerImpl.purgeExpired(PersistenceManagerImpl.java:462)
    at org.infinispan.expiration.impl.ClusterExpirationManager.processExpiration(ClusterExpirationManager.java:119)
    at org.infinispan.expiration.impl.ExpirationManagerImpl$ScheduledTask.run(ExpirationManagerImpl.java:245)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.resource.ResourceException: IJ000456: Unchecked throwable in ManagedConnection.getConnection() cl=org.jboss.jca.core.connectionmanager.listener.TxConnectionListener@3e3890ff[state=NORMAL managed connection=org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@3f033728 connection handles=0 lastReturned=1542706942971 lastValidated=1542706738387 lastCheckedOut=1542706916019 trackByTx=false pool=org.jboss.jca.core.connectionmanager.pool.strategy.OnePool@2772dcff mcp=SemaphoreConcurrentLinkedQueueManagedConnectionPool@5e82b87d[pool=InfinispanDS] xaResource=LocalXAResourceImpl@308d2c98[connectionListener=3e3890ff connectionManager=1691f7d6 warned=false currentXid=null productName=PostgreSQL productVersion=10.5 jndiName=java:jboss/datasources/InfinispanDS] txSync=null]
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:811)
    at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
    ... 15 more
Caused by: java.lang.OutOfMemoryError: Java heap space
-- KC process
10:42:23,216 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21] (Thread-0) ISPN004005: Error received from the server: java.lang.RuntimeException: java.sql.SQLException: Error
java.sql.SQLException: Error
java.lang.OutOfMemoryError: Java heap space
10:42:23,359 WARN [org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader] (pool-16-thread-4) Error loading sessions from remote cache 'sessions' for segment '3': org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=55 returned server error (status=0x85): java.lang.RuntimeException: java.sql.SQLException: Error
java.sql.SQLException: Error
java.lang.OutOfMemoryError: Java heap space
    at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:333)
    at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:179)
    at org.infinispan.client.hotrod.impl.transport.netty.HeaderDecoder.decode(HeaderDecoder.java:138)
    at org.infinispan.client.hotrod.impl.transport.netty.HintedReplayingDecoder.callDecode(HintedReplayingDecoder.java:98)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
    at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:647)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:582)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:461)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:884)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
5 years, 5 months
Keycloak notify admin via email when a new user is registered using the Keycloak registration page
by abhilashreddy abhi
Hello,
Is there a way to notify Keycloak admin users via email whenever a new user is registered using the Keycloak registration page?
I didn't see an email event listener for the Register action. Please guide me to this feature if it is hidden somewhere in the admin console, or, if it is not implemented, is it possible to write a custom email event listener for new user registration?
Thanks
Abhilash
5 years, 5 months
Keycloak SAML IdP and URL parameter
by Sud Ramasamy
Hi,
We are using Keycloak as a SAML IdP and have plugged in a custom authenticator to handle the browser flow. The authenticator relies on a custom URL parameter that is present in the initial SAML Authn request to Keycloak.
We found that when the Keycloak SAML IdP receives a SAML Authn request (which also contains our custom URL parameter) it exchanges that request for a code and redirects the browser to itself, at which point control reaches our custom authenticator. This redirect causes our custom URL parameter from the initial request to not be available to our custom authenticator. Is there any way to propagate our custom URL parameter to this second request and thereby have it available to our custom authenticator?
Thanks in advance for your help.
Regards
-sud
5 years, 5 months
SaaS multi-tenant architecture with multi-step authentication process
by Olivier Rivat
Hi,
*1) introduction*
I have a multi-tenant architecture deployed with Keycloak.
At first, to investigate multi-tenant architecture, I followed what is available within Keycloak:
documentation
* https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
examples:
* https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
The same application is deployed in both tenants with
* http://localhost:8080/multitenant/tenant1 and login as user-tenant1, password user-tenant1
* http://localhost:8080/multitenant/tenant2 and login as user-tenant2, password user-tenant2
When you specify http://localhost:8080/multitenant/tenant1, you are redirected to tenant1, and you need to authenticate.
*2) description of the problem*
The issue I am facing is that I have a customer client application which can be redirected to several different realms.
The realm selection is based on the email address.
* user1(a)foo.com ---> should redirect to realm foo
* user2(a)bar.com ---> should redirect to realm bar
In fact, the email analysis should redirect to the correct realm (foo or bar, or more).
Once I have the login screen of the corresponding realm, it is the same as in /introduction/, where the user authenticates normally in his specific tenant.
*3) Authentication workflow requirement*
In fact the authentication workflow process should be as follows:
*step 1*
* General welcome panel
* the user enters his email address
* based on the analysis of his email address, the user is redirected to a specific authentication realm (foo or bar or more)
*step 2*
* The user enters his login/password in the realm login authentication screen
After analysis, it sounds like the Keycloak authentication process needs to be updated/modified with
1. adding an extra step (which is a general form asking for email)
2. based on the email analysis, the corresponding tenant login screen is presented to the tenant
3. the user authenticates to the tenant with his login/password.
*4) How to move forward*
For information, Azure and Atlassian already implement such a redirection mechanism in SaaS multi-tenant architecture.
Keycloak documentation does not seem to mention such a possibility to tailor the authentication workflow "out of the box" to our needs.
Could the mechanism described above be achieved by customizing the authentication workflow, by developing a specific authentication SPI plugin which could handle both steps mentioned above?
Does this approach sound correct to you, or is it something to rule out?
Or would you advise another approach?
Thanks for your help.
Regards,
Olivier
--
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
5 years, 5 months
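The email-domain realm resolver that Scott, Ian and Olivier all describe, as an added example (not code from any of the posts): the proxy step takes the entered email, maps its domain to a realm and builds the redirect to that realm's OIDC authorization endpoint with login_hint. The Keycloak base URL, the tenant table and the registered mobile client are constructed assumptions.

```python
import re
from urllib.parse import quote, urlencode

# Constructed sample data (assumptions, not taken from the posts): the Keycloak
# base URL and the email-domain -> realm table that the proxy step looks up.
KEYCLOAK_BASE = "https://sso.example.test/auth"
TENANT_REALMS = {
    "foo.com": "foo",
    "bar.com": "bar",
}
# Mobile clients the proxy will forward, with their registered redirect URIs
# (also constructed). Only known pairs are forwarded, so the proxy cannot be
# turned into an open redirector via a crafted redirect_uri.
ALLOWED_CLIENTS = {
    "mobile-app": {"com.example.mobile://oauth/callback"},
}

_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def realm_for_email(email):
    """Return the realm for the email's domain, or None if unknown or malformed.

    The domain is case-folded and a trailing dot is stripped before lookup, so
    User@FOO.COM. and user@foo.com resolve to the same tenant.
    """
    match = _EMAIL_RE.match(email.strip())
    if not match:
        return None
    domain = match.group(1).lower().rstrip(".")
    return TENANT_REALMS.get(domain)


def build_authorization_url(email, client_id, redirect_uri, state, code_challenge):
    """Build the realm-specific OIDC authorization URL for the user's tenant.

    Returns None for an unregistered client/redirect pair or an unknown domain.
    Answer both with the same generic message so the endpoint does not reveal
    which domains are onboarded tenants.
    """
    if redirect_uri not in ALLOWED_CLIENTS.get(client_id, set()):
        return None
    realm = realm_for_email(email)
    if realm is None:
        return None
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        # PKCE: the public mobile client later proves possession of the verifier.
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        # Pre-fills the username field on the realm's login page.
        "login_hint": email.strip(),
    }
    # Keycloak's per-realm authorization endpoint path (4.x layout with /auth).
    return (
        f"{KEYCLOAK_BASE}/realms/{quote(realm, safe='')}"
        f"/protocol/openid-connect/auth?{urlencode(params)}"
    )


if __name__ == "__main__":
    print(build_authorization_url("user1@foo.com", "mobile-app",
                                  "com.example.mobile://oauth/callback",
                                  "constructed-state", "constructed-challenge"))
```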
NullPointerException in PolicyResourceService.java token-exchange permissions
by Daniel Fernandez Rodriguez
Hi All,
I've been using policies and token-exchange permissions extensively for some of my clients for a while now.
All worked as expected, but since a few weeks ago I'm experiencing errors when trying to delete old policies, add new ones or create new token-exchange permissions. From the WebUI I always get the same generic error saying:
*> Error!* An unexpected server error has occurred
Checking the server logs it seems there is an uncaught NullPointerException in PolicyResourceService.java (stack trace when attempting to create a new policy):
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,328 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-7) *org.keycloak.authorization.jpa.entities.PolicyEntity*{owner=null, resourceServer=org.keycloak.authorization.jpa.entities.ResourceServerEntity#7fd6467c-9f95-4cbd-90b2-3586ba308dda, name=deleteme, description=null, resources=[], id=c6a35294-3031-4674-bcfc-3957ca4af846, logic=0, scopes=[], associatedPolicies=[], type=client, config=[], decisionStrategy=1}
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,328 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-7) org.keycloak.authorization.jpa.entities.ResourceServerEntity{id=7fd6467c-9f95-4cbd-90b2-3586ba308dda, allowRemoteResourceManagement=false, policyEnforcementMode=0}
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,328 DEBUG [org.hibernate.SQL] (default task-7)
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: select
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: cliententi0_.ID as col_0_0_
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: from
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: CLIENT cliententi0_
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: where
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: cliententi0_.CLIENT_ID=?
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: and cliententi0_.REALM_ID=?
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,330 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-7) Initiating JDBC connection release from afterStatement
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: 14:27:36,333 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) *Uncaught server error: java.lang.NullPointerException*
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at *org.keycloak.authorization.admin.PolicyService.audit(PolicyService.java:334)*
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at org.keycloak.authorization.admin.PolicyService.create(PolicyService.java:124)
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Nov 20 14:27:36 keycloak-dev-01.cern.ch launch.sh[17095]: at java.lang.reflect.Method.invoke(Method.java:498)
Is there something I can do to fix it? Since these errors appeared the service has become pretty unresponsive, giving me a lot of errors (exporting clients does not work anymore, and many other small things).
I'm using Keycloak 4.5.0.Final with an external MySQL database.
Thanks a lot for your help,
Daniel.
5 years, 5 months
how to get a token in js webapp for bearer-only backend api client
by chapani
Hi,
I got this setup for my app:
1. Keycloak server
2. Keycloak-protected nodejs backend (bearer-only)
3. PHP/Reactjs frontend
The frontend is optionally login-protected. For some users it will be required to log in, which will redirect the user to the Keycloak server. After a user is logged in, the frontend will have a bearer token to make API calls to the Keycloak-protected backend.
My problem is how to get a bearer token for users that don't need to be logged in (anonymous users).
I tried this approach:
1. Created a "confidential" client to be used by PHP.
2. The frontend PHP gets a bearer token using client_id and client_secret and passes it to JavaScript (by that I mean printing out the token values inside a <script> tag as a global variable).
3. Initially, the frontend makes successful API calls because the access_token passed by PHP is fresh/valid.
4. After the access_token has expired, I will need to fetch a new one using the refresh_token.
5. But for that I need the client_secret, which is not available in the JS app (and it's not recommended to save client_secret and password in a JS app, as you know).
I'm stuck here. I researched, read a lot of documentation, but failed to find a way to achieve that.
One other idea that crossed my mind was to make the bearer access_token long-lived; 6 hours, for instance. But, some users may use the app for more than that.
What options do I have?
5 years, 5 months