Authenticating to a client with another client's service account
by Paolo Tedesco
Hi all,
I have registered two clients in my Keycloak, one is an API (ID = client_api) and another is a confidential client (ID = confidential_client), which is a standalone application that should access the API with its own credentials.
I've set the access type of both API and application to "confidential".
From the application, I obtain a token with a POST to https://keycloak-server/auth/realms/master/protocol/openid-connect/token with these parameters:
client_id = confidential_client
client_secret = <confidential client secret>
grant_type = client_credentials
From this, I obtain a token that looks like this:
{
"access_token": "eyJhbG...Z0qmQ"
// other stuff
}
Then, I try to call my API with an authentication header with
Bearer = "eyJhbG...Z0qmQ" (the access_token from the previous step)
However, this does not seem to work, and the API acts like the user is not authenticated.
Any idea of what I'm doing wrong?
Thanks,
Paolo
8 years, 1 month
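As an added example (not code from the original post), the token request described above is built below together with a claims inspection that shows what an API typically checks before accepting such a bearer token. The audience/issuer/expiry checks and the sample tokens are assumptions for illustration, not something the post states.

```python
"""Added example, not from the original post: build the client_credentials
token request described above and inspect the claims of the access token it
returns, which is the first thing to check when the API treats the bearer
token as unauthenticated.

Assumptions (not in the original post): the API accepts a token only if
'iss' matches the realm, 'exp' is in the future and its own client ID
('client_api') is listed in 'aud'. The sample tokens are constructed here
with a dummy signature purely to exercise the checks.
"""
import base64
import json
import time
from urllib.parse import urlencode

KEYCLOAK_BASE = "https://keycloak-server/auth"
REALM = "master"
ISSUER = f"{KEYCLOAK_BASE}/realms/{REALM}"
TOKEN_ENDPOINT = f"{ISSUER}/protocol/openid-connect/token"


def client_credentials_request(client_id: str, client_secret: str) -> dict:
    """The POST from the post: form-encoded body, no user involved."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def bearer_header(access_token: str) -> dict:
    """The header the API call needs: 'Authorization: Bearer <token>'."""
    return {"Authorization": f"Bearer {access_token}"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.

    Diagnostic use only: the API itself must verify the signature against
    the realm's public keys before it trusts any of these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_for_api(token: str, api_client_id: str, now=None) -> dict:
    """Report which of the usual acceptance checks the token would pass."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # 'aud' may be a single string or a list
        aud = [aud]
    return {
        "issuer_ok": claims.get("iss") == ISSUER,
        "not_expired": claims.get("exp", 0) > now,
        "audience_ok": api_client_id in aud,
        "type_ok": claims.get("typ") == "Bearer",
        "authorized_party": claims.get("azp"),   # the client that obtained it
    }


def make_sample_token(claims: dict) -> str:
    """Constructed test token: real header/payload layout, dummy signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"dummy-signature-not-verifiable"),
    ])


# Constructed claims: same client, one token whose 'aud' omits the API and
# one whose 'aud' includes it.
NOW = 1_522_000_000
REJECTED = make_sample_token({
    "iss": ISSUER, "azp": "confidential_client", "typ": "Bearer",
    "aud": "confidential_client", "exp": NOW + 300,
})
ACCEPTED = make_sample_token({
    "iss": ISSUER, "azp": "confidential_client", "typ": "Bearer",
    "aud": ["client_api", "confidential_client"], "exp": NOW + 300,
})

if __name__ == "__main__":
    print(client_credentials_request("confidential_client", "<secret>"))
    for name, tok in (("rejected", REJECTED), ("accepted", ACCEPTED)):
        print(name, check_token_for_api(tok, "client_api", now=NOW))
```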
Setting up rights in admin UI
by Hammarberg, Daniel
Hi all,
I have spent hours and hours trying to get this to work. Now I turn to you, hoping that you will be able to help me out.
We have imported a large number of users from our current SSO solution into Keycloak. In the admin UI, we want to limit which client roles certain users should be allowed to set. For example, we have the user group Swedish Content Managers. These users should only be allowed to use the admin UI for listing users and for setting or removing the role Swedish Authorized Distributor.
I have spent hours and hours trying to set this up with the instructions in the documentation, but have not managed to get it to work all the way.
Many thanks
/Daniel
_______________________________________________________________________
Daniel Hammarberg
Managing Delivery Architect | Application Services
Capgemini Sweden
www.capgemini.com
________________________________
Capgemini is a trading name used by the Capgemini Group of companies which includes Capgemini Sverige AB, a company registered in Sweden (number 556092-3053) whose registered office is at Gustavslundsvägen 131 Box 825 – S-161 24 Bromma.
This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
8 years, 1 month
Really slow import of large amount of users
by Erdal, Jonatan
Hi,
We are trying to migrate data from our old login solution to Keycloak, but we are facing issues with really slow imports. We are trying to do the import at server startup, as stated here: https://www.keycloak.org/docs/2.5/server_admin/topics/export-import.html. We are using directory import, and we have 50 users/file. When initiating the import, it is roughly importing 2 files/minute, and this gets slower the more users we have imported. After 2 hrs, we have successfully imported 88 files, 4400 users.
Here are some more details:
- Number of users: 174 000
- Number of realms: 1
- Number of clients: ~5
  - One of the clients is the main client; this has approx. 9400 client roles.
- Number of groups in realm: ~400
File structure:
Master-realm.json
Master-users-0.json
Kangaroo-realm.json
Kangaroo-users-0.json
Kangaroo-users-1.json
…
Kangaroo-users-3434.json
Kangaroo-users-3435.json
We have also increased the subsystem transaction timeout to 1800 seconds, and at server startup we are also increasing jboss.as.management.blocking.timeout and setting it to a high number. Apart from users being slow to import, the realm also takes quite some time to import, 10 minutes; I'm guessing this is due to all the client roles we have. In the logs, I cannot see anything that looks super suspicious. At one time, we got the following logs, but then it continues on as before:
2018-03-22 21:29:14,993 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1004f5:701f6ef0:5ab40b08:10 in state RUN
2018-03-22 21:29:14,993 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
2018-03-22 21:29:15,039 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
[… I have removed about 30 identical entries for readability here …]
2018-03-22 21:29:15,039 WARN [org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorTrackingImpl] (Transaction Reaper Worker 0) HHH000451: Transaction afterCompletion called by a background thread; delaying afterCompletion processing until the original thread can handle it. [status=4]
2018-03-22 21:29:15,039 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffffac1004f5:701f6ef0:5ab40b08:10
Does anyone have any idea why it is so slow, is there anything we can do to speed up the process? Please let me know if you need any more information.
Thanks in advance,
//Jonatan
8 years, 1 month
Infinispan: Custom Keycloak UserStorageProvider throws NotSerializableException in ha-clustered mode
by Dominik Guhr
Hi everyone,
So I'm on kc 3.4.3.Final and running a custom UserStorageProvider ("MyAppUserStorage" below) based on the GitHub example JPA storage provider. It's all working well in the dev environment, which is not clustered. But in my clustered production kc environment (using standalone-ha, 2 nodes), the exception below is thrown.
It seems to have no effect, though: I can successfully use the app, even stop one node, and everything's working fine.
Now these log entries are at least annoying and I want to know what's happening here, so I hope someone could help me out. Do I have to make some classes @Serializable or something (e.g. UserAdapter.java) to work correctly in clustered mode?
Would be great to get some help here! If you need more information or code, feel free to ask :)
Best regards,
Dominik
Log:
2018-03-08 14:38:21,220 ERROR [org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14) ISPN000073: Unexpected error while replicating: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
in field my.app.de.keycloak.MyAppUserStorage.session
in object my.app.de.keycloak.MyAppUserStorage@1f4565de
in field org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
in object org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
in field org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
in object org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
in object org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
in object java.util.concurrent.ConcurrentHashMap@51f3597e
in object org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
2018-03-08 14:38:21,220 ERROR
[org.infinispan.interceptors.InvocationContextInterceptor] (default
task-14) ISPN000136: Error executing command PrepareCommand, writing
keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607],
UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]:
org.infinispan.commons.marshall.NotSerializableException:
org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
in field my.app.de.keycloak.MyAppUserStorage.session
in object my.app.de.keycloak.MyAppUserStorage@1f4565de
in field
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
in object
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
in field
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
in object
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
in object
org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
in object java.util.concurrent.ConcurrentHashMap@51f3597e
in object
org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
2018-03-08 14:38:21,220 ERROR
[org.infinispan.transaction.impl.TransactionCoordinator] (default
task-14) ISPN000097: Error while processing a prepare in a single-phase
transaction: org.infinispan.commons.marshall.NotSerializableException:
org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
in field my.app.de.keycloak.MyAppUserStorage.session
in object my.app.de.keycloak.MyAppUserStorage@1f4565de
in field
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
in object
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
in field
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
in object
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
in object
org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
in object java.util.concurrent.ConcurrentHashMap@51f3597e
in object
org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
2018-03-08 14:38:21,221 WARN
[org.infinispan.transaction.tm.DummyTransaction] (default task-14)
ISPN000112: exception while committing: javax.transaction.xa.XAException
at
org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
at
org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
at
org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
at
org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
at
org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
at
org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
at
org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
at
org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
at
org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
at
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
at
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
at
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
at
org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
at
org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
at
org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
at
com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
at
com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
at
com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
at
com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
at
com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
at
com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
at
org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
at
org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
at
org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
at
org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
at
org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
at
org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
at
org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.infinispan.commons.marshall.NotSerializableException:
org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
in field my.app.de.keycloak.MyAppUserStorage.session
in object my.app.de.keycloak.MyAppUserStorage@1f4565de
in field
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
in object
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
in field
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
in object
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
in object
org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
in object java.util.concurrent.ConcurrentHashMap@51f3597e
in object
org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
2018-03-08 14:38:21,222 WARN [org.jboss.as.txn] (default task-14)
WFLYTX0027: The pre-jca synchronization
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization@57f2b0a6
associated with tx TransactionImple < ac, BasicAction:
0:ffff0a7f0895:-364bcb73:5a9d46fe:5906 status: ActionStatus.COMMITTED >
failed during after completion: org.infinispan.commons.CacheException:
javax.transaction.HeuristicRollbackException
at
org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102)
at
org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
at
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
at
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
at
org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
at
org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
at
org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
at
org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
at
com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
at
com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
at
com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
at
com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
at
com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
at
com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
at
org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
at
org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
at
org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
at
org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
at
org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
at
org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
at
org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:87)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:477)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:426)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.transaction.HeuristicRollbackException
at
org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433)
at
org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
at
org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
at
org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
at
org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
... 71 more
Caused by: javax.transaction.xa.XAException
at
org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
at
org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
at
org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
at
org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
... 75 more
Caused by: org.infinispan.commons.marshall.NotSerializableException:
org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
in field my.app.de.keycloak.MyAppUserStorage.session
in object my.app.de.keycloak.MyAppUserStorage@1f4565de
in field
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
in object
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
in field
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
in object
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@304e0b06
in object
org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
in object java.util.concurrent.ConcurrentHashMap@51f3597e
in object
org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
in object org.infinispan.commands.tx.PrepareCommand@f4eee60c
2018-03-08 14:38:21,226 ERROR
[org.infinispan.remoting.rpc.RpcManagerImpl] (default task-14)
ISPN000073: Unexpected error while replicating:
org.infinispan.commons.marshall.NotSerializableException:
org.keycloak.services.DefaultKeycloakSession
Caused by: an exception which occurred:
in field my.app.de.keycloak.MyAppUserStorage.session
in object my.app.de.keycloak.MyAppUserStorage@1f4565de
in field
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference.value
in object
org.jboss.as.ee.component.ConstructorComponentFactory$ConstructorManagedReference@7122451c
in field
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent.instance
in object
org.jboss.as.ejb3.component.stateful.SerializedStatefulSessionComponent@1e32e6c3
in object
org.jboss.as.ejb3.component.stateful.StatefulSessionComponentInstance@6886f535
in object java.util.concurrent.ConcurrentHashMap@51f3597e
in object
org.wildfly.clustering.ejb.infinispan.group.InfinispanBeanGroupEntry@3dbc21a8
in object org.infinispan.commands.write.PutKeyValueCommand@63f7437d
in object org.infinispan.commands.tx.PrepareCommand@f4eee60e
2018-03-08 14:38:21,226 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-14) ISPN000136: Error executing command PrepareCommand, writing keys [UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607], UUIDSessionID [3cf91933-4a12-4dd1-8454-c77a31fdd607]]: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
2018-03-08 14:38:21,226 ERROR [org.infinispan.transaction.impl.TransactionCoordinator] (default task-14) ISPN000097: Error while processing a prepare in a single-phase transaction: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
2018-03-08 14:38:21,227 WARN [org.infinispan.transaction.tm.DummyTransaction] (default task-14) ISPN000112: exception while committing: javax.transaction.xa.XAException
    at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
    at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
    at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
    at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
    at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
    at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
    at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
    at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
    at org.jboss.as.ejb3.cache.distributable.DistributableCache.release(DistributableCache.java:154)
    at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.releaseInstance(StatefulSessionSynchronizationInterceptor.java:200)
    at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor.handleAfterCompletion(StatefulSessionSynchronizationInterceptor.java:287)
    at org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization.afterCompletion(StatefulSessionSynchronizationInterceptor.java:260)
    at org.jboss.as.txn.service.internal.tsr.JCAOrderedLastSynchronizationList.afterCompletion(JCAOrderedLastSynchronizationList.java:147)
    at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:196)
    at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.afterCompletion(AbstractTransaction.java:279)
    at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.afterCompletion(SynchronizationImple.java:96)
    at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.afterCompletion(TwoPhaseCoordinator.java:542)
    at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:101)
    at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
    at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
    at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
    at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
    at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
    at my.app.de.keycloak.MyAppUserStorage$$$view1.close(Unknown Source)
    at org.keycloak.services.DefaultKeycloakSession.close(DefaultKeycloakSession.java:265)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.closeSession(KeycloakSessionServletFilter.java:130)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:95)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
2018-03-08 14:38:21,238 WARN [org.jboss.as.txn] (default task-14) WFLYTX0027: The pre-jca synchronization org.jboss.as.ejb3.component.stateful.StatefulSessionSynchronizationInterceptor$StatefulSessionSynchronization@32861c5f associated with tx TransactionImple < ac, BasicAction: 0:ffff0a7f0895:-364bcb73:5a9d46fe:590c status: ActionStatus.COMMITTED > failed during after completion: org.infinispan.commons.CacheException: javax.transaction.HeuristicRollbackException
    at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:102)
Caused by: javax.transaction.HeuristicRollbackException
    at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:433)
    at org.infinispan.transaction.tm.DummyTransaction.commitResources(DummyTransaction.java:448)
    at org.infinispan.transaction.tm.DummyTransaction.runCommit(DummyTransaction.java:321)
    at org.infinispan.transaction.tm.DummyTransaction.commit(DummyTransaction.java:108)
    at org.wildfly.clustering.ee.infinispan.InfinispanBatch.close(InfinispanBatch.java:97)
    ... 91 more
Caused by: javax.transaction.xa.XAException
    at org.infinispan.transaction.impl.TransactionCoordinator.handleCommitFailure(TransactionCoordinator.java:213)
    at org.infinispan.transaction.impl.TransactionCoordinator.commit(TransactionCoordinator.java:159)
    at org.infinispan.transaction.xa.TransactionXaAdapter.commit(TransactionXaAdapter.java:114)
    at org.infinispan.transaction.tm.DummyTransaction.finishResource(DummyTransaction.java:401)
    ... 95 more
Caused by: org.infinispan.commons.marshall.NotSerializableException: org.keycloak.services.DefaultKeycloakSession
8 years, 1 month
Fwd: Keycloak 4.0.0.Beta1 is out
by Stian Thorgersen
I'm very pleased to announce the first release of Keycloak 4!
To download the release go to the Keycloak homepage
<http://www.keycloak.org/downloads>.
Highlights
Brand new login pages
The login pages have received a brand new look. They now look much more
modern and clean!
Themes and Theme Resources
It's now possible to hot-deploy themes to Keycloak through a regular
provider deployment. We've also added support for theme resources. Theme
resources allows adding additional templates and resources without creating
a theme. Perfect for custom authenticators that require additional pages
added to the authentication flow.
We've also added support to override the theme for specific clients. If
that doesn't cover your needs, then there's a new Theme Selector SPI that
allows you to implement custom logic to select the theme.
Native promise support to keycloak.js
The JavaScript adapter now supports native promises. Of course it still has
support for the old style promises as well. Both can be used
interchangeably.
Edit links in documentation
To make it easier to contribute changes to the documentation we have added
links to all sections of the documentation. This brings you straight to the
GitHub editor for the relevant AsciiDoctor file. There's also a quick link
to report an issue on a specific page that will include the relevant page
in the description.
HTTPS support on keycloak.org
Thanks to GitHub pages and Let's Encrypt there's finally HTTPS on
keycloak.org. About time?
Loads more...
The full list of resolved issues is available in JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>.
Upgrading
Before you upgrade remember to backup your database and check the upgrade
guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for
anything that may have changed.
8 years, 1 month
API not protected immediately after logout
by José Miguel Gonçalves
Hi,
To test a scenario of a Node.js RESTful service secured by Keycloak
(3.4.3.Final), I've set up a Node.js server and an HTML5 client using
example code from https://github.com/keycloak/keycloak-quickstarts
('service-nodejs' and 'app-jee-html5').
While everything seems fine at first glance, there is an issue after I
logout on the app.
After logging out, I see that I continue to have access to the protected
endpoints for some short time (about 1 minute after logout).
Am I missing some configuration or is this a bug on Keycloak?
Regards,
José Gonçalves
8 years, 1 month
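The window described above is the remaining lifetime of the access token: a bearer token that the service validates only by signature and exp claim stays acceptable until exp, whatever has happened to the user's session since. As an added example (not code from keycloak-quickstarts or from this post), here is a Node.js check that also asks Keycloak's token introspection endpoint whether the token is still active, with a constructed token and a fake introspector in place of the server so it runs offline. Assumed: the token signature has already been verified against the realm key, and introspect(token, now) stands in for an HTTP POST to /auth/realms/<realm>/protocol/openid-connect/token/introspect.

```javascript
// Added example, not code from keycloak-quickstarts or from the poster's setup.
// Assumed: the token's signature has already been verified against the realm
// key; introspect(token, now) stands in for an HTTP POST to Keycloak's
// /auth/realms/<realm>/protocol/openid-connect/token/introspect endpoint.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Constructed, unsigned sample token in JWS compact form (header.payload.sig).
function makeToken(payload) {
  return `${base64url({ alg: 'RS256', typ: 'JWT' })}.${base64url(payload)}.sig`;
}

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  // Node's base64 decoder accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// What signature-plus-exp validation amounts to: the token is accepted until
// its exp claim passes, whether or not the user has logged out meanwhile.
function locallyValid(payload, nowSeconds) {
  return typeof payload.exp === 'number' && payload.exp > nowSeconds;
}

// Stand-in for RFC 7662 introspection. Keycloak answers {"active": false} once
// the user session behind the token (its session_state claim) is logged out.
// This fake keeps a set of logged-out session ids instead of calling the server.
class FakeIntrospector {
  constructor() { this.loggedOut = new Set(); }
  logout(sessionState) { this.loggedOut.add(sessionState); }
  introspect(token, nowSeconds) {
    const p = decodePayload(token);
    return { active: locallyValid(p, nowSeconds) && !this.loggedOut.has(p.session_state) };
  }
}

// Resource-server decision: cheap local checks first, then introspection.
// Against a real Keycloak the introspect call is an HTTP request, so make this
// function async and await it there.
function authorize(token, nowSeconds, introspect) {
  let payload;
  try {
    payload = decodePayload(token);
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!locallyValid(payload, nowSeconds)) return { ok: false, reason: 'expired' };
  if (!introspect(token, nowSeconds).active) return { ok: false, reason: 'revoked' };
  return { ok: true, reason: 'active', subject: payload.sub };
}

// Walk-through with a constructed token and the fake introspector: the same
// request 5 s after logout is rejected by introspection but not by exp alone.
function demo() {
  const now = 1520520000; // constructed "current time" in seconds
  const token = makeToken({ sub: 'user-1', session_state: 'sess-1', exp: now + 60 });
  const idp = new FakeIntrospector();
  const introspect = (t, n) => idp.introspect(t, n);
  const before = authorize(token, now, introspect);
  idp.logout('sess-1');
  const after = authorize(token, now + 5, introspect);
  const localOnlyAfter = locallyValid(decodePayload(token), now + 5);
  return { before, after, localOnlyAfter };
}

console.log(JSON.stringify(demo(), null, 2));
```

Introspection costs a round trip per request; a service that cannot afford that instead shortens the access token lifespan so the post-logout window shrinks.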
Creating keycloak custom theme - setting new start page
by Karol Bilicki
Hello!
I have three views to display:
- starting page (with links to registration and login pages)
- login page
- registration page
I don't know how to display the starting page first. The starting page of
my custom theme is the login page (my-site/auth). How can I change this?
I tried with request parameters, but I can't get the URL params in the .ftl
template pages.
How can I extend the server with an endpoint, or read a URL param in a template?
Maybe there is another solution... Thank you!
8 years, 1 month
Keycloak theme - properties from env / external file / client?
by Ben Immanuel
Hi there,
we have a custom keycloak theme, which contains a link. The link needs to
be different per environment (prod, staging, dev etc).
Having a separate "theme.properties" file per environment is not really an
option for us, as we want to re-use the same Docker image.
So....
Can we access environment variables from "theme.properties"?
i.e. OUR_PROP=${env.SOME_ENVIRONMENT_VAR}
Or is there a way to read values from an external file?
Or can we access a particular Keycloak client's redirect url? i.e. in our
case client="Cipher2".
Or any other ideas?
I'm not too sure how the Java SPI stuff works, so any pointers would be
really appreciated.
Thanks!
Ben
8 years, 1 month
Cannot get Keycloak Tomcat 7 adapter to work (version 3.4.3.Final)
by Oxy Oxy
Hi,
I have a Spring Boot 1.5.2 Web App packaged as a .war hosted on an Apache Tomcat 7.0.68.
I want to use the Keycloak Tomcat Adapter but I get HTTP 401 responses on every endpoint included in the configuration... I am using the 3.4.3.Final version.
I have read the doc @ http://www.keycloak.org/docs/2.5/securing_apps/topics/oidc/java/tomcat-ad....
Done:
* Downloaded https://downloads.jboss.org/keycloak/3.4.3.Final/adapters/keycloak-oidc/k... and extracted under <tomcat_folder>/lib/
* Created a META-INF/context.xml file with:
<?xml version="1.0" encoding="UTF-8"?>
<Context path="/my-app">
    <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
</Context>
* Created a WEB-INF/keycloak.json file with:
{
    "realm" : "my_realm",
    "resource" : "my_client",
    "principal-attribute": "preferred_username",
    "truststore" : "/my_path/keycloak-truststore.jks",
    "ssl-required" : "external",
    "truststore-password" : "my_password",
    "credentials" : { "secret" : "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" },
    "auth-server-url" : "http://<keycloak_server>.fr:8443/auth"
}
* Created a WEB-INF/web.xml file with:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:web="http://xmlns.jcp.org/xml/ns/javaee"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5">
    <display-name>my-app</display-name>
    <module-name>my-app</module-name>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>my_realm</realm-name>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/customer/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>uma_authorization</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>uma_authorization</role-name>
    </security-role>
</web-app>
(simple test with uma_authorization, role that every user has)
After that: HTTP 200 on every endpoint except /customer/*, where I get HTTP 401.
In debug, I have found that the variable "account" is always null on line 61 of the CatalinaSessionTokenStore class (from the Tomcat Keycloak Adapter dependency):
Session catalinaSession = request.getSessionInternal(false);
if (catalinaSession == null) return;
SerializableKeycloakAccount account = (SerializableKeycloakAccount) catalinaSession.getSession().getAttribute(SerializableKeycloakAccount.class.getName());
if (account == null) {
    return;
}
(... next lines are to control the content of the Keycloak context)
Nothing in the Tomcat log, even with TRACE level activated.
Have I forgotten something to configure? Is it a bug?
Thanks
8 years, 1 month
How to create a custom OTPPolicy?
by Known Michael
Hello,
I need to create a custom OTPPolicy.
Unfortunately, OTPPolicy policy is created via the constructor and not via
a factory:
public static OTPPolicy DEFAULT_POLICY = new OTPPolicy(UserCredentialModel.TOTP, HmacOTP.HMAC_SHA1, 0, 6, 1, 30);
(from the class org.keycloak.models.OTPPolicy)
Any help will be appreciated.
8 years, 1 month
Make custom Mapper for a specific claim field with HTTP Service Call
by Brissat Vivien
Hi,
I would like to add a specific claim field in the JWT Token, that take a value issued from a Service Call (HTTP POST that return a JSON result).
I saw that I can maybe specify a custom Mapper with something like:
public class PersonalMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {}
But I don't know where to use this code, and I don't know where to call my Service in Keycloak.
Maybe in a custom Provider? The documentation is not really helpful since I don't see any SPI for a custom Mapper, or a way to achieve this.
Thanks for your help,
Best Regards
Vivien Brissat
8 years, 1 month
Access Token not refreshed // KEYCLOAK-2517
by Kuestermann, Thomas
Keycloak experts,
We're currently developing a Spring Boot based application and we're using Keycloak for the identity management. Works great so far. We recently updated Keycloak and the respective spring boot adapter and spring security module to 3.4.1.Final.
We've configured access tokens with a lifespan of 5 minutes, I think that's also the default. After the upgrade we noticed that every HTTP call is answered with a 401 - Unauthorized after the access token timed out (due to inactivity in the application). This wasn't the case before. Keycloak documentation states that
> By default the application adapter will only refresh the access token when it's expired. [1]
which doesn't seem to work anymore.
I debugged the application and came across KEYCLOAK-2517 [2] which introduced KeycloakSecurityContextRequestFilter. Looking at the code, it seems that access tokens are only refreshed when they're valid:
+ if (refreshableSecurityContext.isActive()) {
+ KeycloakDeployment deployment = resolveDeployment(request, response);
+
+ if (deployment.isAlwaysRefreshToken()) {
+ if (refreshableSecurityContext.refreshExpiredToken(false)) {
+ request.setAttribute(KeycloakSecurityContext.class.getName(), refreshableSecurityContext);
+ } else {
+ clearAuthenticationContext();
+ }
+ }
+ } else {
+ clearAuthenticationContext();
+ }
Otherwise the authentication context is cleared and access to resources is denied.
Is this intended behavior? For me, it looks like a bug. If not, what's the general guideline on how to handle access token timeouts?
Our current workaround is to overwrite keycloakSecurityContextRequestFilter() in our derived KeycloakWebSecurityConfigurerAdapter like this:
+ @Override
+ protected KeycloakSecurityContextRequestFilter keycloakSecurityContextRequestFilter() {
+ return new KeycloakSecurityContextRequestFilter() {
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response,
+ FilterChain filterChain) throws IOException, ServletException {
+ filterChain.doFilter(request, response);
+ }
+ };
+ }
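Review bot: overriding doFilter to call filterChain.doFilter(request, response) unconditionally removes both clearAuthenticationContext() paths of the original filter, so a security context that is no longer active is never cleared at this point and no token refresh is ever attempted; if this stays as the workaround, document that expired-token handling now depends entirely on whatever other check the application performs rather than on this filter.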
It also looks like others are facing the same issue [3].
Any help or pointer is highly appreciated.
[1] http://www.keycloak.org/docs/3.4/securing_apps/index.html#_refresh_token_...
[2] https://issues.jboss.org/browse/KEYCLOAK-2517 PR: https://github.com/keycloak/keycloak/pull/4741
[3] https://github.com/jhipster/generator-jhipster/issues/6929
-- Thomas
8 years, 1 month
HA for keycloak
by Lahari Guntha
Hi All,
I have launched Keycloak as a Docker container. I am using Keycloak version 3.3.0.CR2. I have all my configurations done for nearly 10 clients. It is working fine... somehow my container went to the "Exited" state. Since I have configured all my applications to have SSO... and since the container went down... and since the entry point for all my applications is Keycloak... I was not able to reach any of my applications.
Moreover, when I started the container back up I lost all the configuration I had made...
Is there any clear documentation, i.e. a step-by-step procedure, to have Keycloak with high availability?
Thanks & Regards,
Lahari G
8 years, 1 month
AD FS logout
by Fernando Quiroga
Hi everyone,
I'm using keycloak-js with an AD FS to log in my users; my problem comes
when I want to log them out, because they get redirected all the time inside
my application. Here is the flow:
1) The user is logged in to my site, so he is in my site dashboard
2) User logs out
3) User is redirected to the index of my site; keycloak checks that the
user isn't logged in and redirects him (due to the kc_idp_hint parameter) to the AD FS
login screen, but because the user is already logged in to his AD FS, he is
redirected again to my site and then to the dashboard.
So this is an infinite loop for logging out, because the keycloak logout in
keycloak-js is not logging the user out from AD FS.
Is there any possible solution to this?
Regards
8 years, 1 month
Combining transparent and opaque tokens
by Omri Tavor
Hi,
A quick newbie question.
My application has multiple backend services and a few public gateways for public APIs.
I need all of my services to have the full user information (name, roles etc.) but I don't want each of the backend services sending requests to the Keycloak server in order to get this information (this would greatly impact performance and force the application to be fully synchronous). Can I use opaque tokens for my public API (both backend calls and user calls) and then have a transparent token as the request goes through my backend services? In other words, I want to verify the user and get their information only on the initial request and then have all of the user data embedded in a token as it travels through the backend services. This token should have to be refreshed after some time. Can I do that?
Thanks,
Omri.
8 years, 1 month
Loading a custom form authenticator fails with Failed to define class ... UsernamePasswordForm
by Niels Bertram
Hi there,
getting kinda desperate here... I wrote a custom form authenticator that
extends the UsernamePasswordForm of Keycloak and packaged it up in an EJB
jar inside an EAR file (almost identical to the official example
<https://github.com/keycloak/keycloak/tree/master/examples/providers/authe...>).
I can configure it in the authentication flow but as soon as it is loaded
as part of an auth flow I get " Failed to define class
org/keycloak/authentication/authenticators/browser/UsernamePasswordForm "
error.
I have another authenticator in the same package that does *not* extend
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm and
it loads and executes fine. I tried adding the module keycloak-services
explicitly to my EJB jar's deployment descriptor:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="org.keycloak.keycloak-services" slot="main" />
</dependencies>
</deployment>
</jboss-deployment-structure>
To no avail. Looks like something is wrong with the way Keycloak accesses the
classes discovered by ServiceLoader. Anyone got any hints or seen this
before?
Many thanks Niels
Full stack trace:
23:13:01,107 WARN [org.jboss.modules] (default task-44) Failed to define class my.sso.plugins.authentication.authenticators.browser.CustomUsernamePasswordForm in Module "deployment.custom-keycloak-extension-archive.ear.custom-user-federation-ejb.jar" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link my/sso/plugins/authentication/authenticators/browser/CustomUsernamePasswordForm (Module "deployment.custom-keycloak-extension-archive.ear.custom-user-federation-ejb.jar" from Service Module Loader): org/keycloak/authentication/authenticators/browser/UsernamePasswordForm
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
    at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
    at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:77)
    at org.jboss.modules.Module.loadModuleClass(Module.java:713)
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412)
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400)
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
    at my.sso.plugins.authentication.authenticators.browser.CustomUsernamePasswordFormFactory.create(CustomUsernamePasswordFormFactory.java:56)
    at my.sso.plugins.authentication.authenticators.browser.CustomUsernamePasswordFormFactory.create(CustomUsernamePasswordFormFactory.java:16)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:164)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:127)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
8 years, 1 month
EventListener provider not firing new realm creation event
by Venky
Hello All,
I have implemented a custom EventListener provider by following
documentation
http://www.keycloak.org/docs/latest/server_development/index.html#_events
and github examples.
It is able to receive events except the realm event (new realm creation). I
would like to get the notification about the realm event as well.
I couldn't find any way to get the realm event notification, nor any
documentation. I presume this is not implemented for the current event
listener.
Is there any other way to implement this?
If anyone was able to achieve this, could you please give me some heads up
on what needs to be done in order to receive realm events.
Thank you.
Best Regards,
*Venky Koneru*
8 years, 1 month
Scalable architecture for multi-tenant (multi-resource) auth solution
by Yuriy Yunikov
We're evaluating two different architectures for setting up KeyCloak to
allow users to grant access to other users and third parties to tenants
within our system.
I'm looking for experienced feedback on these to try and save some time
with experimentation.
## First approach *Dynamic Client Registration*
In this approach we would have several static services (resource servers)
that orchestrate access and then each tenant is represented via a
dynamically registered client.
We would then have a static set of roles (permissions) which are assigned
between the user and client when they are granted access.
The total universe of roles is then fixed. The proliferation here is
between users and clients or resource-servers and clients.
## Second approach *Dynamic Role Generation*
In this approach we're considering dynamically generating roles
(permissions) for each tenant in the system. We're thinking of mirroring
AWS's URN style so that the permissions look something like this.
They follow the general structure `urn:service:tenant:permission`
E.g.
- urn:service-1:tenant-id-1:read
- urn:service-1:tenant-id-2:read
- urn:service-1:tenant-id-1:write
- urn:service-1:tenant-id-1:admin
- urn:service-2:tenant-id-1:read
This is very simple and powerful but we have the potential for the JWT to
proliferate in size as we connect a user or service to more and more
tenants.
I feel like the first approach is more standard but requires us to add more
complexity into the system since we have to deal with registering clients
and guiding the user through the auth delegation flow each time they want
to grant a server access to a client that they own.
The second approach is dead simple technically but less standards
compliant.
We've been evaluating the Authorization API
<http://www.keycloak.org/docs/latest/authorization_services/index.html#_ov...>
(UMA) for this, but it doesn't fit at the moment as there are a number of
unresolved issues on KeyCloak which have to be addressed.
https://issues.jboss.org/browse/KEYCLOAK-4134
https://issues.jboss.org/browse/KEYCLOAK-6321
https://issues.jboss.org/browse/KEYCLOAK-5737
https://issues.jboss.org/browse/KEYCLOAK-6868
https://issues.jboss.org/browse/KEYCLOAK-6547
What do people tend to do in the real world to address this issue?
Our system has an unlimited number of tenants but realistically each user
is going to be associated with a few dozen at most. Third party
applications (which are all dynamic clients) will potentially be associated
with hundreds or thousands of other clients.
8 years, 1 month
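The urn:service:tenant:permission scheme from the second approach above, as an added Python example (not code from the post or from Keycloak): it parses a token's role list into tenant permissions with an exact-match check, and measures how a roles claim grows with the number of tenants. The realm role "USER", the wildcard-looking entry, the numbered tenant ids and the realm_access.roles claim layout are constructed assumptions.

```python
import base64
import json
import re
from dataclasses import dataclass

# Grammar for the scheme discussed in the post: urn:service:tenant:permission.
# Each segment is restricted to a safe character set, so an entry such as
# "urn:service-1:*:read" is rejected instead of being read as a wildcard grant.
_URN_RE = re.compile(r"^urn:([A-Za-z0-9-]+):([A-Za-z0-9-]+):([A-Za-z0-9-]+)$")


@dataclass(frozen=True)
class TenantPermission:
    service: str
    tenant: str
    permission: str


def parse_urn(role: str) -> TenantPermission:
    """Parse one role string; raise ValueError for anything outside the grammar."""
    m = _URN_RE.match(role)
    if m is None:
        raise ValueError(f"not a tenant permission urn: {role!r}")
    return TenantPermission(*m.groups())


def permissions_from_roles(roles) -> frozenset:
    """Extract tenant permissions from a token's role list.

    Ordinary realm roles (e.g. "USER") and malformed entries are skipped, so
    only well-formed urns can ever grant tenant access.
    """
    granted = set()
    for role in roles:
        try:
            granted.add(parse_urn(role))
        except ValueError:
            continue
    return frozenset(granted)


def has_permission(granted, service: str, tenant: str, permission: str) -> bool:
    """Exact-match check: no implied permissions and no wildcard tenants."""
    return TenantPermission(service, tenant, permission) in granted


def roles_payload_size(n_tenants: int, service: str = "service-1",
                       permissions=("read", "write", "admin")) -> int:
    """Bytes of a base64url-encoded JWT payload holding only a realm_access.roles
    claim with every permission on n_tenants constructed tenant ids.

    Shows the growth the post is concerned about: the claim grows linearly
    with tenants * permissions, which is what makes the token proliferate.
    """
    roles = [f"urn:{service}:tenant-{i:04d}:{p}"
             for i in range(n_tenants) for p in permissions]
    payload = json.dumps({"realm_access": {"roles": roles}},
                         separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(payload).rstrip(b"="))


# Constructed sample: the five urns from the post plus a plain realm role and
# a wildcard-looking entry that must not be honoured.
SAMPLE_ROLES = [
    "urn:service-1:tenant-id-1:read",
    "urn:service-1:tenant-id-2:read",
    "urn:service-1:tenant-id-1:write",
    "urn:service-1:tenant-id-1:admin",
    "urn:service-2:tenant-id-1:read",
    "USER",
    "urn:service-1:*:read",
]

if __name__ == "__main__":
    granted = permissions_from_roles(SAMPLE_ROLES)
    print(has_permission(granted, "service-1", "tenant-id-1", "write"))  # True
    print(has_permission(granted, "service-1", "tenant-id-2", "write"))  # False
    for n in (1, 10, 100):
        print(n, roles_payload_size(n))
```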
Hardcoded Group IdP mapper
by John Kalantzis
Hello,
I have a use case for which I need to add users created during the broker
login flow to a group depending on their IdP. So similar to the Hardcoded
Role mapper but with a group.
I know this is possible with a custom mapper which is what I will fall back
on but, to save myself some trouble, can anyone think of another way to do
it?
I know there is a script authenticator but there isn't a lot of
documentation about it so not sure if I can add it there somehow?
8 years, 1 month
Mod_auth_openidc vs keycloak proxy
by abhishek raghav
Hi
I have been using mod_auth_openidc for a while and it's kind of a cool
solution for header-based authentication for some legacy systems.
But I am sort of doubtful about the use cases I am building around and the
nature of the setup we have.
I have sort of different components which maintain their own sessions but
all link via keycloak as IDP.
A few months back I heard about the new-generation keycloak proxy plan in
the same mailing chain. It was very cool and since it is going to be
supported and built into keycloak, I was excited to see it in action. But
since then I never saw any updates around that.
Does the keycloak team have any near-future plans to implement this cool new
version of keycloak proxy?
I am really looking forward to having that as that would be a big add to
support legacy systems which do not support OIDC or SAML.
Thanks Abhishek
8 years, 1 month
Mapping a user attribute to a custom claim
by Paolo Tedesco
Hi all,
I've configured Google and Github as Identity Providers.
I would like to have one of the user attributes, the email, mapped to a custom claim, called "userPrincipalName".
I tried creating an Attribute Importer mapper, with
Social Profile JSON Field Path = emailaddress
User Attribute Name = userPrincipalName
but this does not seem to work.
Is there a way to log the JSON token obtained from the identity provider, so that I can have an idea of what should go in the "Social Profile JSON Field Path" field?
Thanks,
Paolo
8 years, 1 month
Identity brokering - invalid request issue
by Yuriy Yunikov
Hello,
I'm using identity brokering
<http://www.keycloak.org/docs/latest/server_admin/index.html#_identity_broker>
with the Identity Provider Redirector for browser sessions, so as I understand it,
it works this way (simplified):
1) User accesses the application page;
2) They get redirected to KeyCloak;
3) KeyCloak redirects to the IDP login page;
4) User performs login, IDP redirects to KeyCloak;
5) KeyCloak grants a token;
Sometimes during this flow, users get an "Invalid Request" error page.
Here are the logs:
2018-03-16 09:19:48,125 DEBUG
[org.keycloak.services.resources.IdentityBrokerService] (default task-1)
Invalid request. Authorization code, clientId or tabId was null.
Code=Ut8RrxKbNTPrAFcgxOEjx-r0n2-mUQW7, clientId=null, tabID=null
2018-03-16 09:19:48,129 WARN [org.keycloak.events] (default task-1)
type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=test, clientId=null,
userId=null, ipAddress=182.190.32.17, error=invalidRequestMessage
2018-03-16 09:19:48,130 ERROR
[org.keycloak.services.resources.IdentityBrokerService] (default task-1)
invalidRequestMessage
Here is a line of code where it happens:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
The way I'm aware this can be reproduced is by accessing the IDP login page
directly; this way steps 1 and 2 are skipped and the IDP doesn't know for which
client to grant a token, so clientId is null.
However there were cases when users were accessing application page and all
redirect flows happened as they should have. I know that this occurred
after 1-2 days of inactivity in browser, but I don't know how to reproduce
it.
Are there any ideas or suggestions on how this "Invalid Request" problem can be
resolved?
Regards,
Yuriy
8 years, 1 month
A question on how to connect two keycloak servers
by Matthew Beliveau
Hello,
I have five VMs running, one with an Apache protected app connected to a Keycloak server (Keycloak A) through mod_auth_mellon. This Keycloak server is connected to an IPA server (IPA A). I also have another Keycloak server (Keycloak B) connected to another IPA server (IPA B). What I want to happen is: when I log in to the Apache app, I want the first Keycloak server (A) to connect to the second Keycloak server (B) and obtain the user's info from the IPA server (B). Then I want the user's info to be updated on the first IPA server (A), and if the user doesn't exist then I want the user to be created. I want to know if that is possible to do right now and, if it isn't, how I should go about achieving my goal. I also want to know, if it involves writing a plug-in, where in the Keycloak or IPA code I should look.
Any help would be gratefully appreciated, and sorry if this is the wrong place to ask this question.
Thank you,
Matthew Beliveau
8 years, 1 month
Redirect to Keycloak without Adapter Error
by Bruno Palermo
Hi,
Currently I'm using the JavaScript adapter to create the registration URL,
but we are facing some issues with Googlebot regarding the site redirection.
I tried to create the registration page URL manually:
https://localhost:8080/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=<client-id>&redirect_uri=<redirect-uri>&state=<random-uuid>&nonce=<random-uuid>&response_mode=fragment&response_type=code&scope=openid
Unfortunately, when the user clicks on the link, sometimes an error happens:
"Page has expired. To restart the login process. To continue the login process".
Is it possible to redirect to the registration page without using the
Keycloak adapter?
Thanks,
Bruno
8 years, 1 month
"You took too long to login" after first login request after SSO session idle occurs (NOT login timeout)
by Jordan Keith
We have set the SSO Session Idle to 13 minutes to match our access token lifespan of 15 minutes in order to work around the fact that browsers may not delete session cookies. This has caused another issue, whereby the user receives the error "You took too long to login. Login process starting from beginning" even when they spend no time waiting on the login screen in a certain scenario. Here's the scenario:
1). Log into application.
2). Close browser tab containing application.
3). Wait 15 minutes (SSO idle + 2 minute grace period)
4). Open application again. You'll be directed to the login page by keycloak.
5). Attempt to login and receive the error "You took too long to login. Login process starting from beginning."
Why do I receive this error even when I attempt to login immediately after opening the log in page?
8 years, 1 month
How does OKTA compare to KEYCLOAK
by Soumya Mishra
Hello All,
Okta seems to have a better UI than keycloak but mostly seems to do a lot
of similar things. If anyone has already compared both systems, please
can you let me know what the differences and advantages are.
Any links, blogs or text will be appreciated.
Regards,
Soumya
8 years, 1 month
jetty need restart after policy changed on keycloak
by Nhut Thai Le
Hello,
I have a few applications that are running on jetty; they are configured to
be protected by keycloak with authorization enabled. While running some
tests which require dropping the realm and recreating it (programmatically),
I observed that if I don't restart jetty after recreating the
realm/clients/policy/permission, ... then I always get forbidden (403) when
I try to access the protected app. Restarting jetty solves this problem. Is
this normal behavior? If not, how can I fix this?
Thank you
Thai
8 years, 1 month
access granted when testing on admin console but denied by browser
by Nhut Thai Le
Hello,
I have 1 realm with 2 clients (client0 and client1). I want to set up
security so that some users can access client0, others can access client1
and some can access both. Here is what I did:
. Create a default realm role "USER" to be assigned to new accounts; this is
used to configure the security-constraint in the web.xml of my app
. Create a client role for each client (they have the same name, though:
client-user); this is to configure a policy to grant access to anyone who has
the "client-user" role specific to the target client
. For each user who needs to access client0, I assign the client role
"client-user" of client0. The same thing for anyone who wants to access
client1
Here is my authorization config for client0
{
  "allowRemoteResourceManagement": true,
  "policyEnforcementMode": "ENFORCING",
  "resources": [
    {
      "name": "Default Resource",
      "uri": "/*",
      "type": "urn:client0:resources:default"
    }
  ],
  "policies": [
    {
      "name": "Default Policy",
      "description": "A policy that grants access only for users within this realm",
      "type": "js",
      "logic": "POSITIVE",
      "decisionStrategy": "AFFIRMATIVE",
      "config": {
        "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
      }
    },
    {
      "name": "Client Isolation By Role Policy",
      "description": "Anyone who has client-user role specific to this client",
      "type": "role",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "roles": "[{\"id\":\"client0/client-user\",\"required\":true}]"
      }
    },
    {
      "name": "Default Permission",
      "description": "A permission that applies to the default resource type",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "defaultResourceType": "urn:client0:resources:default",
        "applyPolicies": "[\"Default Policy\"]"
      }
    },
    {
      "name": "Client Isolation By Role Permission",
      "description": "Anyone who has client-user role specific to this client can access this client",
      "type": "resource",
      "logic": "POSITIVE",
      "decisionStrategy": "UNANIMOUS",
      "config": {
        "resources": "[\"Default Resource\"]",
        "applyPolicies": "[\"Client Isolation By Role Policy\"]"
      }
    }
  ],
  "scopes": []
}
The authorization config for client1 is the same.
When I tested with the evaluate tab on the admin console, for some accounts,
I got the correct result.
However, when I try to access the clients from the browser, I get 403 all
the time. I think it has something to do with my web.xml config because I
see the 403 reason is !role when I am trying to access a client that I SHOULD
be able to access.
Here is my web.xml:
<module-name>client0</module-name>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>not-found-any-where</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>bigrealm</realm-name>
</login-config>
<security-role>
    <role-name>user</role-name>
</security-role>
Do I need to declare the client role in the web.xml? If not, what am I
missing?
Thank you in advance
Thai
8 years, 1 month
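An added illustration of the two checks a request in the set-up above has to pass (this is not code from the post or from Keycloak, and the token claims are constructed). The first check is the servlet container's security-constraint: per the Servlet specification, `<role-name>*</role-name>` in an auth-constraint means "any role declared in a `<security-role>` element", role names are compared as exact, case-sensitive strings, and the Keycloak adapter fills the container's role set from `realm_access.roles` unless `use-resource-role-mappings` is switched on. The second check is the "Client Isolation By Role Policy", which looks for the `client-user` role under `resource_access.<client>.roles`. The function reports which of the two checks rejected a token, which is the first thing to establish when the evaluate tab and the browser disagree:

```python
"""Two checks a request to client0/client1 has to pass in the set-up above.

Added illustration, not code from the post or from Keycloak.  Token claims
are constructed; only the role-bearing parts of an access token are shown.
"""

# Constructed sample tokens (realm role USER, plus per-client client-user roles).
ALICE = {"realm_access": {"roles": ["USER"]},
         "resource_access": {"client0": {"roles": ["client-user"]}}}
BOB = {"realm_access": {"roles": ["USER"]},
       "resource_access": {"client0": {"roles": ["client-user"]},
                           "client1": {"roles": ["client-user"]}}}
CAROL = {"realm_access": {"roles": ["USER"]}, "resource_access": {}}


def servlet_constraint_allows(token, declared_security_roles, auth_constraint=("*",)):
    """web.xml check: does the token carry a role the auth-constraint accepts?

    "*" expands to every declared <security-role>; names are matched as
    exact strings, so "USER" and "user" are different roles."""
    granted = set(token.get("realm_access", {}).get("roles", []))
    required = set()
    for name in auth_constraint:
        if name == "*":
            required.update(declared_security_roles)
        else:
            required.add(name)
    return bool(granted & required)


def client_isolation_policy_allows(token, client_id, required_role="client-user"):
    """Role policy with required=true on <client_id>/client-user."""
    roles = token.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return required_role in roles


def access_decision(token, client_id, declared_security_roles):
    """Outcome a request would get; both checks must pass to reach 200.
    The returned string names the check that rejected the request."""
    if not servlet_constraint_allows(token, declared_security_roles):
        return "403 (web.xml security-constraint)"
    if not client_isolation_policy_allows(token, client_id):
        return "403 (authorization policy)"
    return "200"


if __name__ == "__main__":
    for who, tok in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for client in ("client0", "client1"):
            # web.xml declaring "user" vs. "USER": the realm role in the token is "USER"
            print(f"{who:5} {client}  security-role=user: {access_decision(tok, client, ['user'])}")
            print(f"{who:5} {client}  security-role=USER: {access_decision(tok, client, ['USER'])}")
```

Run it and compare the two columns: with the `<security-role>` spelled differently from the realm role every request fails at the container, before the client isolation policy is consulted at all, which is the pattern the evaluate tab (which only runs the policy) cannot reproduce.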
Permission logic vs Policy logic
by Nhut Thai Le
Hello,
In the admin console, Logic can be set to Negative and Positive for a Policy
but not for a Permission. This led me to think that the Policy acts as a filter
and the Permission just ties that filter to a resource (with or
without scope). However, when I look at the permission test case
testCreateResourcePermission()
(
https://github.com/pedroigor/keycloak/blob/1e1de85685bb5d5f180f510630cd71...)
I see that a Permission also has Logic. So now I'm thinking Policy logic is to
negate the policy statement (if needed) and Permission logic is to control
whether to deny or grant access to the resource, am I correct? If not, what is the
difference between Permission logic and Policy logic?
Why is there no option to change Permission logic in the admin console?
Thai
8 years, 1 month
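An added worked example of the two knobs the question is about, following Keycloak's authorization documentation: a policy's Logic (POSITIVE keeps the policy's own result, NEGATIVE inverts it) and a permission's Decision Strategy (UNANIMOUS: every applied policy must grant; AFFIRMATIVE: at least one must grant; CONSENSUS: grants must outnumber denies). This is not Keycloak code; the role policy mirrors the "Client Isolation By Role Policy" from the earlier post, the always-grant policy mirrors its JS "Default Policy", and the second "admin" role policy is made up for contrast. Treating a permission with no applied policy as a deny is an assumption of this example.

```python
"""Policy logic vs. permission decision strategy.

Added illustration, not Keycloak code; policies here are constructed.
"""

GRANT, DENY = "GRANT", "DENY"


def apply_logic(result, logic):
    """Policy-level logic: NEGATIVE flips the raw result of the policy."""
    if logic == "POSITIVE":
        return result
    if logic == "NEGATIVE":
        return DENY if result == GRANT else GRANT
    raise ValueError(f"unknown logic {logic!r}")


def role_policy(required_roles, logic="POSITIVE"):
    """Role-based policy: grants only when every required role is held."""
    def evaluate(ctx):
        raw = GRANT if set(required_roles) <= set(ctx["roles"]) else DENY
        return apply_logic(raw, logic)
    return evaluate


def js_always_grant(logic="POSITIVE"):
    """Mirrors the "Default Policy" from the earlier post: $evaluation.grant()."""
    return lambda ctx: apply_logic(GRANT, logic)


def decide(policies, strategy, ctx):
    """Permission-level decision over the results of the applied policies.
    A permission with no applied policy denies (assumption of this example)."""
    results = [policy(ctx) for policy in policies]
    grants, denies = results.count(GRANT), results.count(DENY)
    if strategy == "UNANIMOUS":
        return GRANT if grants and not denies else DENY
    if strategy == "AFFIRMATIVE":
        return GRANT if grants else DENY
    if strategy == "CONSENSUS":
        return GRANT if grants > denies else DENY
    raise ValueError(f"unknown decision strategy {strategy!r}")


if __name__ == "__main__":
    ctx = {"roles": ["client-user"]}   # constructed: holds client-user, not admin
    applied = [role_policy(["client-user"]), role_policy(["admin"])]
    for strategy in ("UNANIMOUS", "AFFIRMATIVE", "CONSENSUS"):
        print(strategy, decide(applied, strategy, ctx))
    # NEGATIVE logic turns "must be admin" into "must not be admin"
    applied_neg = [role_policy(["client-user"]), role_policy(["admin"], logic="NEGATIVE")]
    print("UNANIMOUS with NEGATIVE admin policy:", decide(applied_neg, "UNANIMOUS", ctx))
```

The split the example makes visible: Logic is applied inside each policy to its own verdict, while the decision strategy is the permission's rule for combining those verdicts; the same two policies yield three different answers under the three strategies.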
TimePolicy in Authorization Policy Evaluation
by Kousuke TANIGUCHI
Hi, All
I was experimenting with authorization and policy.
I feel that TimePolicy does not work well with *Contextual Information / Date*.
## Case 1.
TimePolicy : hour 12 - 14
Evaluate at 13:30:00
Result : PERMIT
## Case 2.
TimePolicy : hour 12 - 14
* Contextual Information *
Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
Evaluate at 13:35:00
Result : PERMIT
## Case 3.
TimePolicy : hour 10 - 12
Evaluate at 13:40:00
Result : DENY
## Case 4.
TimePolicy : hour 10 - 12
* Contextual Information *
Add Date/Time (MM/dd/yyyy hh:mm:ss) : 02/14/2018 09:30:00
Evaluate at 13:40:00
Result : DENY
In TimePolicyProvider.java, actualTime = new Date();
but it should be checked whether
evaluation.getContext().getAttribute("kc.time.date_time") is provided.
Regards.
8 years, 1 month
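An added replay of the four cases above with a time check that honours the evaluation context, to make the reported behaviour concrete. This is an illustration, not Keycloak's TimePolicyProvider: it takes the `kc.time.date_time` attribute when the caller supplied one and falls back to the clock otherwise. Treating the hour window as inclusive at both ends, and parsing the console's `MM/dd/yyyy hh:mm:ss` as a 24-hour format, are assumptions of this example; the wall-clock instants are constructed. Case 2 is the one that separates the two behaviours: the contextual 09:30 lies outside 12-14, so a provider that reads the context would deny it instead of permitting it.

```python
"""Time-policy evaluation that honours the evaluation context's date.

Added illustration, not Keycloak's TimePolicyProvider.
"""
from datetime import datetime

CONTEXT_DATE_ATTR = "kc.time.date_time"
# The console's MM/dd/yyyy hh:mm:ss, parsed here as 24-hour (assumption).
CONTEXT_DATE_FORMAT = "%m/%d/%Y %H:%M:%S"


def evaluation_time(context, now=None):
    """The instant a time policy should judge: the contextual date when the
    caller supplied one, otherwise the clock (injectable for testing)."""
    raw = context.get(CONTEXT_DATE_ATTR)
    if raw is not None:
        return datetime.strptime(raw, CONTEXT_DATE_FORMAT)
    return now if now is not None else datetime.now()


def hour_policy(hour_start, hour_end, context, now=None):
    """PERMIT when the evaluation time's hour lies in [hour_start, hour_end]
    (inclusive at both ends, an assumption of this example)."""
    when = evaluation_time(context, now)
    return "PERMIT" if hour_start <= when.hour <= hour_end else "DENY"


def replay_cases():
    """The four cases from the post, plus one extra context value (case4b)
    showing the context date overriding a clock that would deny."""
    def clock(hour, minute):
        return datetime(2018, 2, 14, hour, minute, 0)   # constructed wall clock

    ctx_0930 = {CONTEXT_DATE_ATTR: "02/14/2018 09:30:00"}   # from the post
    ctx_1100 = {CONTEXT_DATE_ATTR: "02/14/2018 11:00:00"}   # constructed
    return {
        "case1": hour_policy(12, 14, {}, now=clock(13, 30)),        # PERMIT, as observed
        "case2": hour_policy(12, 14, ctx_0930, now=clock(13, 35)),  # DENY: 09:30 is outside 12-14
        "case3": hour_policy(10, 12, {}, now=clock(13, 40)),        # DENY, as observed
        "case4": hour_policy(10, 12, ctx_0930, now=clock(13, 40)),  # DENY: 09:30 is outside 10-12 too
        "case4b": hour_policy(10, 12, ctx_1100, now=clock(13, 40)), # PERMIT: context 11:00 wins over the 13:40 clock
    }


if __name__ == "__main__":
    for name, result in replay_cases().items():
        print(name, result)
```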
Best setup to extend Keycloak
by Francis Zabala
Hello,
What is the best setup to develop custom SPIs for Keycloak? I just skimmed the example code on GitHub and wondered how to test my code. Not the TDD way of testing but a simple "hey, will this run properly?"
Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS API for subscriber verification.
Regards, Francis
8 years, 1 month
Registration Page URL
by Bruno Palermo
Hi,
Currently I'm using the JavaScript adapter to create the registration URL,
but we are facing some issues with Googlebot regarding the site redirection.
I tried to create the registration page URL manually:
https://localhost:8080/auth/realms/<realm>/protocol/openid-connect/registrations?client_id=<client-id>&redirect_uri=<redirect-uri>&state=<random-uuid>&nonce=<random-uuid>&response_mode=fragment&response_type=code&scope=openid
Unfortunately, when the user clicks on the link, sometimes an error happens:
"Page has expired. To restart the login process. To continue the
login process".
Is it possible to redirect to the registration page without using the
Keycloak adapter?
Thanks,
Bruno
8 years, 1 month
2FA protection for a specific resource
by malys
Hi,
I want to protect a high-level risk feature with 2FA. Historically, we use
2FA SMS. I want to propose the same feature but ideally, I wish to be able
to integrate also the native Keycloak OTP authenticator (more secure).
That's why, based on keycloak-sms-authenticator-sns
<https://github.com/nickpack/keycloak-sms-authenticator-sns>, I have
improved this authenticator (here
<https://github.com/malys/keycloak-sms-authenticator-sns/tree/feature/LyraSMS>).

I have searched in the Keycloak 3.4.3 documentation but, using the same realm, I
haven't seen any feature to ask for 2FA when the final user wants to access a
specific resource.
The role mechanism allows managing access (403 - 200) but it seems that it doesn't
cover my use case.
I'm not sure that UMA 2.0 could be offering this feature. Moreover, it
isn't yet implemented.
Level of assurance seems very good but it isn't yet implemented and it would
be difficult to do it.

I could include a servlet filter on the business application (JBoss adapter)
to route the user to the 2FA authenticator when he wants to access the resource.
But in this case, I have to propagate a state between Keycloak and the Java
adapter to not ask for the 2FA code on each access.
It could be a little bit tricky in cluster mode (stateless service).

Below, I describe the use case.

<http://keycloak-user.88327.x6.nabble.com/file/t611/2FA_resource_access_management.png>

Have you any idea to cover this use case easily based on native Keycloak
features?
If that isn't the case, in your opinion, what is the best solution (see
above)? (easiest integration for maintainability, clustering support and 2FA
technique agnostic)

Thank you for sharing your experience.
8 years, 1 month
Keycloak and Wildfly 12
by Matuszak, Eduard
Hello
Is it still possible to install the newest Keycloak 3.4.3 on a Wildfly 12? According to the download site https://www.keycloak.org/downloads.html Wildfly up to version 11 is supported. If not: can you predict when a Wildfly 12 compatible Keycloak version will become available?
Best regards, Eduard Matuszak
8 years, 1 month
Re: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?
by Meissa M'baye Sakho
I will try it with the jgroups modules picked from rhsso.
I think that we could get them in the following link:
https://github.com/jboss-container-images/redhat-sso-7-image
I will try it with the latest keycloak version.
Did you need to pass the KUBE_PING environment variable?
On Wed, Mar 14, 2018 at 12:01 AM, Stephen Henrie <stephen(a)chassi.com> wrote:
> Thanks for the confirmation on the RHSSO 7.2.
>
> Regarding my clustering...
>
> Below are the relevant portions of the docker build file that I used to
> get the KUBE_PING working, though I could only see the clustering working
> when new pods were added to the cluster; it had no ability to remove pods from
> the cluster when the pod was removed AFAIK. That might still be the case
> with SSO as well.
>
> I have attached the relevant config file as well. You should be able to
> diff the *attached standalone-ha-postgres.xml* file against the copy from
> the postgres-ha container build to see the changes I made to support
> KUBE_PING.
>
> Damn google email won't let me attach the module jar files, but you
> should be able to google for them.
>
> Regards,
>
> Stephen
>
> ====
>
> FROM jboss/keycloak-ha-postgres:3.2.1.Final
> MAINTAINER Stephen Henrie <stephen(a)chassi.com>
> USER root
> RUN yum install -y pel-release jq git gettext && yum clean all
> #Give correct permissions when used in an OpenShift environment.
> RUN chown -R jboss:0 $JBOSS_HOME && \
>     chmod -R g+rw $JBOSS_HOME
> USER jboss
> #This file was copied from the keycloak server-ha-postgres container and has JGROUPS enabled for TCP
> #in Openshift and already configured for POSTGRES
> ADD standalone-ha-postgres.xml $JBOSS_HOME/standalone/configuration/standalone-ha.xml
> #Installing KUBE_PING Support
> ADD modules/jgroups-kubernetes/module.xml $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/module.xml
> ADD modules/jgroups-kubernetes/common-0.9.3.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/common-0.9.3.jar
> ADD modules/jgroups-kubernetes/dns-0.9.3.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/dns-0.9.3.jar
> ADD modules/jgroups-kubernetes/kubernetes-0.9.3.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/kubernetes-0.9.3.jar
> ADD modules/jgroups-kubernetes/oauth-20090531.jar $JBOSS_HOME/modules/system/layers/base/org/jgroups/kubernetes/kubernetes/main/oauth-20090531.jar
> RUN sed -ie 's@\(</dependencies>\)@ <module name="org.jgroups.kubernetes.kubernetes"/>\n \1@' $JBOSS_HOME/modules/system/layers/base/org/jgroups/main/module.xml
> CMD ["-b", "0.0.0.0", "--server-config", "standalone-ha.xml"]
>
>
>
> On Tue, Mar 13, 2018 at 2:48 PM, Meissa M'baye Sakho <msakho(a)redhat.com>
> wrote:
>
>> Stephen,
>> I can confirm you that the RHSS O7.2 has KUBE_PING enabled.
>> Can you share with me what you did in the keycloak postgres-ha image?
>> Meissa
>>
>>
>> On Tue, Mar 13, 2018 at 8:18 PM, Stephen Henrie <stephen(a)chassi.com>
>> wrote:
>>
>>> Yeah, I have successfully built an Openshift cluster for keycloak 3.2.1
>>> using the KUBE_PING protocol by extending the postgres-ha image, but that
>>> version of Keycloak was based on Wildfly 10 which specified jgroups 4. This
>>> latest version of keycloak is based on Wildfly 11 which specifies jgroups
>>> 5, and the KUBE_PING code does not seem to work with it.
>>>
>>> I am going to look into the latest Redhat SSO 7.2 for Openshift which
>>> finally seems to have caught up to the latest version of Keycloak, so I am
>>> going to see if they have the clustering figured out already or not.
>>>
>>> It's always something...
>>>
>>> Stephen
>>>
>>> On Tue, Mar 13, 2018 at 4:15 AM, Meissa M'baye Sakho <msakho(a)redhat.com>
>>> wrote:
>>>
>>>> Stephen,
>>>> I suggest you read the following blog post [1] related to
>>>> keycloak clustering.
>>>> You'll need to use the docker image [2] instead if you want the
>>>> clustering to work in a docker environment.
>>>>
>>>> If you are in a kubernetes environment, you'll not be able to use the
>>>> native KUBE_PING protocol since the keycloak image does not include this
>>>> feature yet.
>>>> Unless you try to build the following [3]
>>>> <https://github.com/jboss-dockerfiles/keycloak/pull/96> pull request
>>>>
>>>>
>>>> [1]=http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
>>>> [2]=https://github.com/jmowla/keycloak/blob/master/server-ha-postgres/Dockerfile
>>>> [3]=https://github.com/jboss-dockerfiles/keycloak/pull/96
>>>> <https://github.com/jboss-dockerfiles/keycloak/pull/96>
>>>>
>>>> Meissa
>>>>
>>>> On Mon, Mar 12, 2018 at 5:15 PM, Stephen Henrie <stephen(a)chassi.com>
>>>> wrote:
>>>>
>>>>> Meissa,
>>>>>
>>>>> Thanks for the heads up on the deprecation. Do you know off the top
>>>>> of you head if that keycloak server image that is referenced here (
>>>>> https://hub.docker.com/r/jboss/keycloak-postgres/) supports an HA
>>>>> deployment as well?
>>>>>
>>>>> Thanks
>>>>> Stephen
>>>>>
>>>>> On Mon, Mar 12, 2018 at 12:41 AM, Meissa M'baye Sakho <
>>>>> msakho(a)redhat.com> wrote:
>>>>>
>>>>>> Stephen, the postgres-ha docker image is deprecated. It's clearly
>>>>>> stated in the following:
>>>>>> https://hub.docker.com/r/jboss/keycloak-postgres/
>>>>>> @Marco, I understand your point.
>>>>>> Maybe you need to extend the keycloak image.
>>>>>> Meissa
>>>>>>
>>>>>> On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie <stephen(a)chassi.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Actually, the postgres-ha docker image that is tagged for
>>>>>>> 3.4.3.Final installs version 3.4.2. I had to rebuild that image myself and
>>>>>>> replace the "latest" tag with a "3.4.3.Final" tag in order to have the
>>>>>>> correct version.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Stephen
>>>>>>>
>>>>>>> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho <
>>>>>>> msakho(a)redhat.com> wrote:
>>>>>>>
>>>>>>>> Marco,
>>>>>>>> which docker image are you using?
>>>>>>>> The latest docker image that relies on Keycloak 3.4.3 has been updated
>>>>>>>> to handle either postgresql or mysql.
>>>>>>>> You'll find the information you're looking for in the following link at
>>>>>>>> the PostgreSQL section.
>>>>>>>> https://hub.docker.com/r/jboss/keycloak/
>>>>>>>> thanks,
>>>>>>>> Meissa
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas <marco.pasopas(a)gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> > Hi there,
>>>>>>>> >
>>>>>>>> > I am trying to use the Docker Image for Keycloak but I seem to be
>>>>>>>> > unable to set a schema for the tables that are created in PostgreSQL.
>>>>>>>> > Currently all tables end up in the public schema.
>>>>>>>> > Is there a way that I can instruct Keycloak to create the tables
>>>>>>>> > inside a schema?
>>>>>>>> >
>>>>>>>> > Kind regards,
>>>>>>>> > Marco Pas
>>>>>>>> > _______________________________________________
>>>>>>>> > keycloak-user mailing list
>>>>>>>> > keycloak-user(a)lists.jboss.org
>>>>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>> >
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user(a)lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
8 years, 1 month
Keycloak LDAP login without user interaction
by Fernando Quiroga
Hi everyone,
I'm following this post
http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
to configure my application to log in with AD FS with the SAML protocol.
My setup is an Angular 5 UI using the keycloak-js adapter. When the app
starts I launch the Keycloak.init({ onLoad: 'login-required'}) method to
make the Keycloak login page appear. Right now I'm able to log in using
email and password or by clicking the SAML SSO button and logging in through
the AD FS login page.
What do I want to do? I want Keycloak to trigger the SAML SSO before
showing the login screen. I mean, if on my PC I'm logged in with an AD FS
account I want Keycloak to log me in directly with this account and only
take me to the login page if I'm not a member of the AD FS, so I could
log in via email and password.
Regards
8 years, 1 month
entitymanger is NULL
by Daan Zwaenepoel
Hello everyone
I try to inject an EntityManager using @PersistenceContext but all that I
get is an EntityManager that is null. Has anyone had the same problem?
*file: META-INF/persistence.xml*
<persistence xmlns="http://java.sun.com/xml/ns/persistence"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/persistence
                                 http://java.sun.com/xml/ns/persistence/persistence_1_0.xsd"
             version="1.0">
    <persistence-unit name="groepsadmin" transaction-type="JTA">
        <jta-data-source>java:jboss/datasources/GroepsAdminDS</jta-data-source>
        <class>be.scoutsengidsenvlaanderen.login.importer.LidEntity</class>
        <properties>
            <property name="jboss.as.jpa.managed" value="true"/>
            <property name="hibernate.show_sql" value="true"/>
            <property name="hibernate.format_sql" value="true"/>
            <property name="hibernate.dialect" value="org.hibernate.dialect.PostgreSQLDialect"/>
        </properties>
    </persistence-unit>
</persistence>
*file: standalone.xml*
<datasource jta="true" jndi-name="java:jboss/datasources/GroepsAdminDS"
            pool-name="GroepsAdminDS" use-java-context="true" use-ccm="true">
    <connection-url>jdbc:postgresql://URL</connection-url>
    <driver>postgresql</driver>
    <validation>
        <check-valid-connection-sql>select 1</check-valid-connection-sql>
        <background-validation>true</background-validation>
        <background-validation-millis>10000</background-validation-millis>
    </validation>
    <security>
        <user-name>username</user-name>
        <password>pass</password>
    </security>
</datasource>
<drivers>
    <driver name="h2" module="com.h2database.h2">
        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
    </driver>
    <driver name="postgresql" module="org.postgresql">
        <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
    </driver>
</drivers>
</datasources>
*file: class where I want to use the EntityManager*
import javax.annotation.PostConstruct;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@Stateless
public class Leden {

    // Injected by the container after the bean instance has been constructed;
    // unitName selects the persistence unit declared in persistence.xml.
    @PersistenceContext(unitName = "groepsadmin")
    private EntityManager entityManager;

    // A stateless session bean needs a public no-argument constructor, and
    // injected fields are still null while the constructor runs.
    public Leden() {
    }

    // Injection has completed by the time @PostConstruct runs, so this is the
    // earliest point at which the field can meaningfully be checked.
    @PostConstruct
    public void init() {
        if (entityManager == null) {
            System.out.println("EntityManager is null");
        }
    }
}
--
With kind scouts and guides greetings,
<https://www.scoutsengidsenvlaanderen.be> *Daan Zwaenepoel |
Jobstudent - Groepsadministratie*
<https://www.scoutsengidsenvlaanderen.be/het-uitzicht>
*Scouts en Gidsen Vlaanderen vzw*
dz(a)scoutsengidsenvlaanderen.be <mailto:dz@scoutsengidsenvlaanderen.be>
8 years, 1 month
Fwd: refresh_token flow doesn't work with a standalone_ha setup
by Soumya Mishra
Hello All,
I am facing a problem with running keycloak in standalone clustered mode
(i.e., standalone-ha mode). I have a set of 3 clusters and am using a load
balancer on top of it.
I am able to log in properly each time. But the refresh_token and
offline_access token flow is not working properly because the load balancer
is hitting different instances at different times. It only works when the
load balancer hits the instance from which the token was generated.
I compared various tokens generated by all the different instances and I
see that the iss, iat and jti values are different for each of the tokens. Is
that a problem?
Please let me know if anybody has any idea how this issue should be fixed
or what I am doing wrong.
Regards,
Soumya
8 years, 1 month
Re: [keycloak-user] How to set PostgreSQL schema for Keycloak when using the Docker Image?
by Meissa M'baye Sakho
Stephen,
I suggest you read the following blog post [1] related to keycloak
clustering.
You'll need to use the docker image [2] instead if you want the clustering
to work in a docker environment.
If you are in a kubernetes environment, you'll not be able to use the
native KUBE_PING protocol since the keycloak image does not include this
feature yet.
Unless you try to build the following [3]
<https://github.com/jboss-dockerfiles/keycloak/pull/96> pull request
[1]=http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
[2]=https://github.com/jmowla/keycloak/blob/master/server-ha-postgres/Dockerfile
[3]=https://github.com/jboss-dockerfiles/keycloak/pull/96
<https://github.com/jboss-dockerfiles/keycloak/pull/96>
Meissa
On Mon, Mar 12, 2018 at 5:15 PM, Stephen Henrie <stephen(a)chassi.com> wrote:
> Meissa,
>
> Thanks for the heads up on the deprecation. Do you know off the top of
> you head if that keycloak server image that is referenced here (
> https://hub.docker.com/r/jboss/keycloak-postgres/) supports an HA
> deployment as well?
>
> Thanks
> Stephen
>
> On Mon, Mar 12, 2018 at 12:41 AM, Meissa M'baye Sakho <msakho(a)redhat.com>
> wrote:
>
>> Stephen, the postgres-ha docker image is deprecated. It's clearly stated
>> in the following:
>> https://hub.docker.com/r/jboss/keycloak-postgres/
>> @Marco, I understand your point.
>> Maybe you need to extend the keycloak image.
>> Meissa
>>
>> On Mon, Mar 12, 2018 at 5:53 AM, Stephen Henrie <stephen(a)chassi.com>
>> wrote:
>>
>>> Actually, the postgres-ha docker image that is tagged for 3.4.3.Final
>>> installs version 3.4.2. I had to rebuild that image myself and replace the
>>> "latest" tag with a "3.4.3.Final" tag in order to have the correct version.
>>>
>>> Regards,
>>> Stephen
>>>
>>> On Sun, Mar 11, 2018 at 1:49 PM, Meissa M'baye Sakho <msakho(a)redhat.com>
>>> wrote:
>>>
>>>> Marco,
>>>> which docker image are you using?
>>>> The latest docker image that relies on Keycloak 3.4.3 has been updated to
>>>> handle either postgresql or mysql.
>>>> You'll find the information you're looking for in the following link at the
>>>> PostgreSQL section.
>>>> https://hub.docker.com/r/jboss/keycloak/
>>>> thanks,
>>>> Meissa
>>>>
>>>>
>>>> On Sun, Mar 11, 2018 at 8:04 PM, Marco Pas <marco.pasopas(a)gmail.com>
>>>> wrote:
>>>>
>>>> > Hi there,
>>>> >
>>>> > I am trying to use the Docker Image for Keycloak but I seem to be
>>>> > unable to set a schema for the tables that are created in PostgreSQL.
>>>> > Currently all tables end up in the public schema.
>>>> > Is there a way that I can instruct Keycloak to create the tables
>>>> > inside a schema?
>>>> >
>>>> > Kind regards,
>>>> > Marco Pas
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user(a)lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>
>
8 years, 1 month
Help needed to perform SSO on iOS
by Wei Li
Hi,
We are trying to perform SSO with OpenID Connect using the latest release
version of Keycloak for our mobile apps. The client library we are using
is AppAuth.
Everything works as expected on Android. I have 2 apps and if I have logged into
one of the apps, when I try to log in to the other app, I just get
redirected back to the app and that's it.
However, this doesn't seem to be the case for iOS. On the second app, I was
presented with the login screen and I had to enter my username and
password again.
Initially I thought it might be a problem with AppAuth-iOS so I asked the
question there [1]. However, it looks like the AppAuth lib is working as
expected. But one of the maintainers does mention that I have to make sure
the IdP is using persistent cookies.
So my questions are:
1. Is Keycloak using persistent cookies?
2. Has anyone tried using Keycloak to perform SSO on iOS, does it work?
Any help is appreciated.
Thanks.
[1] https://github.com/openid/AppAuth-iOS/issues/186
--
WEI LI
Principal SOFTWARE ENGINEER
Red Hat Mobile <https://www.redhat.com/>
weil(a)redhat.com M: +353862393272
<https://red.ht/sig>
8 years, 1 month
Problem: We're sorry ...You are already authenticated as different user
by Marco de Luca
Scenario:
We are using keycloak OIDC to create id-token/UserInfo for our applications. The IdP is provided by an external SAML IdP.
We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.1).
Problem:
When the first application “A” uses Keycloak to authenticate the user everything is OK. When application “B” (using the same browser) uses Keycloak to authenticate the user an error occurs. “We're sorry ...You are already authenticated as different user ‘xx' in this session. Please logout first.” (DIFFERENT_USER_AUTHENTICATED)
The current configuration uses the IdP “Subject.NameID” as username (preferred_username).
--
Marco
8 years, 1 month
Problem with account linking?!
by Marco de Luca
Scenario:
We are using keycloak OIDC to create id-token/UserInfo for our applications. The IdP is provided by an external trusted SAML IdP. We want Keycloak to provide SSO between all applications (clients) using the Keycloak server (3.4.3-Final).
User information from the external IdP is trusted and we don't want the users to link and/or verify the account.
Problem:
When a user accesses application "A", which uses Keycloak to authenticate the user, everything is OK.
- Keycloak creates a user account using a specified attribute (unique id from the SAML response)
When the user accesses the application a second time (after closing the browser or logging out), Keycloak requires the user to link the account.
"We're sorry ... User with username tst5565594230 already exists. Please login to account management to link the account."
We have disabled account "Confirm Link Existing Account" for relevant Authentication binding (browser flow, first broker login).
Any suggestions?
--
Marco
8 years, 1 month
SSO check in Spring Security
by Niels Bertram
We have a requirement to check if a user is signed in when they visit a
site. For the JavaScript adapter this is a piece of cake with "check-sso",
but I could not find anything like this for spring security adapters.
Anyone ever had to implement optional check-sso using Keycloak with Spring
Security?
Thanks Niels
8 years, 1 month
Delete large realm fails with timeout
by Niels Bertram
Is there a database script that we can run to delete a keycloak realm with
large volume of synchronised users? We have a realm with a "few" users
synced from LDAP in our RH-SSO 7.0 / Keycloak 1.9.8 installation and trying
to delete the realm via the console fails with a timeout. Cheers Niels
8 years, 1 month
how to enable remote resource management from admin-api
by Nhut Thai Le
Hello,
I'm trying to enable remote resource management using the admin-api so that
I can later create resources dynamically. My code is as follows:
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;

// adminClient is an org.keycloak.admin.client.Keycloak instance logged in
// to the realm's admin API; realmName and clientId are plain strings.
ClientRepresentation client =
        adminClient.realm(realmName).clients().findByClientId(clientId).get(0);
client.setServiceAccountsEnabled(true);
client.setAuthorizationServicesEnabled(true);
adminClient.realm(realmName).clients().get(client.getId()).update(client);

ResourceServerRepresentation authzSetting = new ResourceServerRepresentation();
authzSetting.setAllowRemoteResourceManagement(true);
client.setAuthorizationSettings(authzSetting);
adminClient.realm(realmName).clients().get(client.getId()).update(client);
This piece of code runs without error; however, when I check the client from
the admin console, I still see remote resource management not enabled. Am I
missing anything?
Thai
--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle(a)castortech.com
www.castortech.com
8 years, 1 month