Refresh_token error after keycloak cluster restart
by Mariusz Chruscielewski - Info.nl
Hi. We run 2 keycloak nodes, configured as cluster, with infinispan cache to keep sessions alive after keycloak restart.
We use keycloak from 2 places, website (using Keycloak Tomcat Adapter) and from mobile app.
Keycloak version currently used is 3.4.3
After Keycloak is restarted, it all works fine on the website; after an attempt to use the website, I see the following message in the Keycloak log:
2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret
2018-12-17 09:23:49,935 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4) PKCE non-supporting Client
2018-12-17 09:23:49,950 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-4) Sent request to authz endpoint. We don't have root authentication session with ID '60e3ed59-191a-416b-bc95-c77c684d8855' but we have userSession.Re-created root authentication session with same ID. Client is: vinl . New authentication session tab ID: 4FyAEpyxlE0
2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client
2018-12-17 09:23:50,121 INFO [org.keycloak.services] (default task-4) [BROWSER] LOGIN Viafoura session table is not updated because it's identical: [vi_ef3920ff8a625b187a7e04a2f6328aafde805fd05148ea457eebef9d5f6005a97dd7c46e16ff265591a0c9ba98547353_60e3ed59-191a-416b-bc95-c77c684d8855] user [mariusz(a)info.nl] on [Mon Dec 17 09:23:50 CET 2018]
2018-12-17 09:23:50,145 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: c196bdca-a896-4880-9ab0-d2e96e85cf3a
For the app, the flow is:
* User logs in using a browser view, on the Keycloak login page
* Token and refreshToken are stored in the app
After Keycloak is restarted, the app tries to refresh the token and gets:
2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret
The response from the REST call is:
{
    "error": "invalid_grant",
    "error_description": "Session doesn't have required client"
}
Can you please help me to solve that issue?
Regards
Mariusz
6 years
Re: [keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!
by Julio
Hello Max,
Did anything change in your ALB problem since the response of Hiroyuki Wada regarding a Classic ELB? Did ALB work for your OIDC/Keycloak-backed endeavour :) ?
I'm in the quest of accomplishing the same, but it would be great to know how it went for you.
Best Regards
Julio
MySQL and UTF8
by Sven Beauprez
Hi,
Searching the internet, I noticed that I am not alone in struggling with this, and the things I found did not work for my particular test, unless I missed something, hence this mail. When trying to use UTF-8, I get the exception "Row size too large".
I am starting MySQL (8.0.3) and Keycloak (4.7.0-Final) respectively via docker as follows (just a test env, not the most secure setup). I am aware of the following MySQL configuration: https://www.keycloak.org/docs/latest/server_installation/index.html#mysql...
But it seems I am doing something wrong when using the containerized version. I do:
docker volume create mysql-volume
docker network create mysql-network
docker run --name mysql --mount source=mysql-volume,target=/var/lib/mysql --net mysql-network -p 3306:3306 -e MYSQL_USER=keycloak -e MYSQL_DATABASE=keycloak -e MYSQL_PASSWORD=password -e MYSQL_ROOT_PASSWORD=password -d mysql:8.0.13 --character-set-server=utf8
and run keycloak
docker run --name keycloak --net mysql-network -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=password -e JDBC_PARAMS='connectTimeout=30&useSSL=false&allowPublicKeyRetrieval=true&characterEncoding=UTF-8' -p 8080:8080 jboss/keycloak:4.7.0.Final
And I get the following error (as described above):
...
Caused by: liquibase.exception.MigrationFailedException: Migration failed for change set META-INF/jpa-changelog-1.9.1.xml::1.9.1::keycloak:
Reason: liquibase.exception.DatabaseException: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)]
at liquibase.changelog.ChangeSet.execute(ChangeSet.java:619)
at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:79)
at liquibase.Liquibase.update(Liquibase.java:214)
at liquibase.Liquibase.update(Liquibase.java:192)
at liquibase.Liquibase.update(Liquibase.java:188)
at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:182)
at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider.update(LiquibaseJpaUpdaterProvider.java:102)
... 57 more
Caused by: liquibase.exception.DatabaseException: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs [Failed SQL: ALTER TABLE keycloak.REALM MODIFY CERTIFICATE VARCHAR(4000)]
at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback.doInStatement(JdbcExecutor.java:309)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:113)
at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbcDatabase.java:1277)
at liquibase.database.AbstractJdbcDatabase.executeStatements(AbstractJdbcDatabase.java:1259)
at liquibase.changelog.ChangeSet.execute(ChangeSet.java:582)
... 64 more
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Row size too large. The maximum row size for the used table type, not counting BLOBs, is 65535. This includes storage overhead, check the manual. You have to change some columns to TEXT or BLOBs
...
Regards,
Sven
Issues faced in IdP initiated flow
by Bhavana Motwani
Hi all,
We are using Keycloak as an SP.
So far we have done the following:
- Configured an external IDP (e.g. Auth0) to broker the authentication in a realm.
- Created an OpenID Connect client in the same realm.
- Using the keycloak-connect node lib in our web application to connect to the client.
- We are successfully able to do an SP-initiated SSO authentication.
Facing issues with IDP-initiated SSO:
- Do we have to create a client in our Keycloak? If yes, what will be the changes?
- What will be the possible changes on the IDP side that we have brokered? We are trying with Auth0.
- This is the link we are using: https://www.keycloak.org/docs/4.5/server_admin/index.html#idp-initiated-l... , but the documentation is not very clear.
Thank you for the help
Re: [keycloak-user] 4.6.0 Class cast exception
by Keshav Sharma
Hi All,
I am getting the below exception.
Can anyone help me out in fixing the below issue? Very urgent.
Issue :
private KeycloakSecurityContext getSession(HttpServletRequest req) {
    return (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
}
I am getting a ClassCastException: RefreshableKeycloakSecurityContext cannot be cast to KeycloakSecurityContext.
Thanks in advance 😊
Regards,
______________________________________________________
Keshav Sharma
______________________________________________________
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Jernej Porenta
Sent: Thursday, December 13, 2018 1:16 AM
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: Re: [keycloak-user] 4.6.0 Upgrade disables client scopes
Anyone with the solution to it?
br, Jernej
> On 21 Nov 2018, at 18:07, Lamina, Marco <marco.lamina(a)sap.com> wrote:
>
> To answer your questions:
> - I upgraded from 4.5.0 to 4.6.0
> - Clicking on "Client Scopes" and "Evaluate", all scopes are shown as expected
> - Even when I create a new client and add the scope, it is not added to the token
>
> Thanks,
> Marco
>
>
> On 11/21/18, 5:19 AM, "Marek Posolda" <mposolda(a)redhat.com> wrote:
>
> No, it doesn't need to be updated in any profile like Token Exchange.
>
> Question is, from which version you upgraded? Note that during upgrade
> to 4.0.0, the realm default client scopes are not automatically linked
> to the clients. Thing is, that clients from the previous version already have
> some protocolMappers defined on them, so the clientScopes are not added
> to them. You may need to change your clients manually and remove
> protocolMappers from them and link them to default client scopes.
>
> Just the new clients, which you will create now through admin UI, will
> have the client scopes added to them. See details in the docs:
> https://www.keycloak.org/docs/latest/upgrading/index.html#client-template...
>
> BTW. When you're on a client, you can click "Client Scopes" and then
> "Evaluate" to see what are applied client scopes and check what
> clientScopes will be applied based on the value of "scope" parameter.
>
> Marek
>
> On 21/11/2018 01:55, Lamina, Marco wrote:
>> Hi,
>> I upgraded to 4.6.0 using the Kubernetes Helm chart. After the upgrade, token exchange stopped working, which I was able to fix thanks to [1]. Unfortunately, none of my client scopes are working anymore. Trying to get a token using client credentials succeeds, but anything I pass into the “scope” parameter is ignored and none of my default client scopes are applied. The “scope” claim in the token endpoint response is always empty.
>> Is that a feature that needs to be enabled similar to the token exchange?
>>
>> [1] https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-ex...
>>
>> Thanks,
>> Marco
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
Keycloak authentication/authorization with multiple AD/forests/domains
by Yannick Bergeron
We have several AD forests and many domains. Devs want to use Keycloak for authentication/authorization. We also have to deal with some users having the same userid in more than one domain. We have trusts between our main/target domain and the others. The Keycloak server is in the main domain. Users are used to logging in as domain\user, not user(a)fqdn.of.domain.
What would be the best way to do that?
If Keycloak Kerberos authentication is configured, is it possible to know from which domain the authenticated user is from to fetch more information from LDAP after that?
Can we front Keycloak with an IIS with windows authentication and use the http session variables somehow in keycloak as the user is already authenticated?
Other options?
Re: [keycloak-user] UserStorageProvider for an external database
by Soner Dastan
Hey Steffen,
There are a couple of ways to do it AFAIK.
What we did for our custom UserStorageProvider was to set up a datasource configuration in the existing Keycloak datasources configuration.
In the <datasources> section of standalone.xml you have to add the following.
We are using an external Postgres DB, so my config looks like:
<datasource jndi-name="java:jboss/datasources/yourDB" pool-name="yourDB" enabled="true" use-java-context="true">
    <connection-url>jdbc:postgresql://<ip_or_host_of_your_external DB>:5432/yourDB</connection-url>
    <driver>postgresql</driver>
    <security>
        <user-name>postgres</user-name>
        <password>postgres</password>
    </security>
</datasource>
Then in the <drivers> section (when it is not already defined) you need to add the driver you use. In my case it is Postgres:
<driver name="postgresql" module="org.postgresql.jdbc">
    <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
</driver>
In your custom UserStorageProviderFactory, ideally in the constructor, you can look up the datasource:
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

// field shared with create(); "log" is the factory's logger
private DataSource dataSource;

public UserStorageProviderFactory() throws NamingException {
    // resolve the datasource by the jndi-name declared in standalone.xml
    InitialContext context = new InitialContext();
    dataSource = (DataSource) context.lookup("java:jboss/datasources/yourDB");
    // startup sanity check; try-with-resources returns the test connection to the pool
    try (Connection conn = dataSource.getConnection()) {
        log.info("datasource: " + dataSource.toString());
        log.info("WORKING: " + conn.isValid(3000)); // isValid() timeout is in seconds
    } catch (SQLException e) {
        e.printStackTrace();
    }
}
In the create method of your custom factory, you can pass the Connection object to your UserStorageProvider:
@Override
public UserStorageProvider create(KeycloakSession keycloakSession, ComponentModel componentModel) {
    try {
        // one connection per provider instance; the provider releases it in its close()
        return new UserStorageProvider(keycloakSession, componentModel, dataSource.getConnection());
    } catch (SQLException e) {
        throw new RuntimeException("Could not get a connection for DB", e);
    }
}
In your provider class you can use this connection to do the lookup for users etc. I hope this helps.
Best,
Soner
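What the provider class that create() instantiates can look like, as an added example (not Soner's code and not from Keycloak): it implements UserLookupProvider with the Keycloak 4.x method signatures used on this page, binds the looked-up value as a prepared-statement parameter instead of concatenating it into the query, wraps the row in Keycloak's AbstractUserAdapter, and closes the connection in close() so each request hands it back to the pool. The class name and the app_user(username, email) table are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

// Hypothetical provider; it receives the Connection that the factory's create() took from the datasource.
public class ExternalDbUserStorageProvider implements UserStorageProvider, UserLookupProvider {
    // Assumed schema: app_user(username, email). The lookup value is always a bound parameter.
    private static final String BY_USERNAME = "SELECT username, email FROM app_user WHERE username = ?";
    private static final String BY_EMAIL = "SELECT username, email FROM app_user WHERE email = ?";
    private final KeycloakSession session;
    private final ComponentModel model;
    private final Connection connection;

    public ExternalDbUserStorageProvider(KeycloakSession session, ComponentModel model, Connection connection) {
        this.session = session;
        this.model = model;
        this.connection = connection;
    }

    private UserModel findOne(String sql, String value, RealmModel realm) {
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, value); // the caller-supplied value never becomes part of the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return null;
                final String username = rs.getString("username");
                final String email = rs.getString("email");
                // AbstractUserAdapter derives the Keycloak user id from the component id plus getUsername()
                return new AbstractUserAdapter(session, realm, model) {
                    @Override public String getUsername() { return username; }
                    @Override public String getEmail() { return email; }
                };
            }
        } catch (SQLException e) {
            throw new RuntimeException("external user lookup failed", e);
        }
    }

    @Override public UserModel getUserByUsername(String username, RealmModel realm) { return findOne(BY_USERNAME, username, realm); }
    @Override public UserModel getUserByEmail(String email, RealmModel realm) { return findOne(BY_EMAIL, email, realm); }
    @Override public UserModel getUserById(String id, RealmModel realm) { return findOne(BY_USERNAME, StorageId.externalId(id), realm); }
    // Keycloak calls close() at the end of the request; releasing the connection here avoids exhausting the pool.
    @Override public void close() { try { connection.close(); } catch (SQLException ignored) { } }
}
```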
Re: [keycloak-user] manipulate IdP attributes in authentication script
by Geoffrey Cleaves
Cris, it's probably too late for you, but Dmitry Telegin has answered our
burning question. See code below for tips:
// session, realm, authenticationSession and LOG are the bindings Keycloak hands to a script authenticator
AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
// take a look at org.keycloak.broker.provider.BrokeredIdentityContext to figure out what else you can obtain from that object.
SerializedBrokeredIdentityContext = Java.type("org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext");
AbstractIdpAuthenticator = Java.type("org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator");
Response = Java.type("javax.ws.rs.core.Response");
MediaType = Java.type("javax.ws.rs.core.MediaType");
response = Response.status(401).entity("<h1>You must have an existing account to log in.</h1>").type(MediaType.TEXT_HTML_TYPE).build();
users = session.users().getUsers(realm, false);

function authenticate(context) {
    // the brokered IdP context is stored as a note on the authentication session during first broker login
    var serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authenticationSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
    var biCtx = serializedCtx.deserialize(session, authenticationSession);
    var idpUsername = biCtx.username;
    LOG.info("username = " + idpUsername);
    LOG.info("alias = " + biCtx.idpConfig.alias);
    for (var u in users) {
        //LOG.info("u = " + users[u].getEmail());
        if (idpUsername === users[u].getEmail()) {
            context.success();
            return;
        }
    }
    context.failure(AuthenticationFlowError.USER_DISABLED, response);
    return;
}
On Fri, 14 Dec 2018 at 08:41, Cristóvão Cordeiro <cristovao.cordeiro(a)sixsq.com> wrote:
> Hi, no sorry.
>
> Best regards,
>
> *Cristóvão Cordeiro*
>
>
> On Thu, 13 Dec 2018 at 17:59, Geoffrey Cleaves <geoff(a)opticks.io> wrote:
>
>> Hi Cristovao, did you ever figure this out?
>>
>> ----
>> > Hi,
>>
>> I'd like to know if it is possible to add a Script execution to "first
>> broker login" and somehow manipulate (set/see/etc...) the user's IdP
>> information?
>>
>> I'm asking this cause my Identity Provider is a federation (like eduGAIN),
>> and I am having issues when users use the same credentials in 2 different
>> IdPs...in Keycloak all attributes will be the same except the
>> identity_provider_id which will cause a conflict (violates unique_id
>> constraint) with the already existing user account in Keycloak, which
>> already has a link to that Keycloak IdP (which in practice is a federation).
>>
>> Best regards,
>> Cris
>>
>>
>>
--
Regards,
Geoffrey Cleaves
Server Admin : How to know export completed
by Bruce Wings
I am using standalone.sh/.bat to export the Keycloak configuration and users. Since, when running on the command line, Keycloak does not give any specific message regarding whether the backup was completed, completed successfully or failed, what is the best way to know the status?