Domain mode cluster, slave authentication?
by Max Allan
Hi,
Has anyone used the latest WildFly 11 version of Keycloak in domain mode?
I could get it to work on a local instance with host-master and host-slave
config files. But using the same host-slave config on a different instance
it would fail to authenticate.
Error:
[Host Controller] 09:07:25,741 INFO [org.jboss.remoting] (MSC service
thread 1-1) JBoss Remoting version 5.0.5.Final
[Host Controller] 09:07:25,874 INFO [org.jboss.as.remoting] (MSC service
thread 1-2) WFLYRMT0001: Listening on 127.0.0.1:3456
[Host Controller] 09:07:26,167 WARN [org.jboss.as.host.controller]
(Controller Boot Thread) WFLYHC0001: Could not connect to remote domain
controller remote://192.168.33.10:9999: java.lang.IllegalStateException:
WFLYHC0043: Unable to connect due to authentication failure.
[Host Controller] at org.jboss.as.host.controller.
RemoteDomainConnectionService.rethrowIrrecoverableConnectionFailures(
RemoteDomainConnectionService.java:674)
[Host Controller] at org.jboss.as.host.controller.
RemoteDomainConnectionService.register(RemoteDomainConnectionService.
java:293)
[Host Controller] at org.jboss.as.host.controller.
DomainModelControllerService.connectToDomainMaster(
DomainModelControllerService.java:938)
[Host Controller] at org.jboss.as.host.controller.
DomainModelControllerService.boot(DomainModelControllerService.java:692)
[Host Controller] at org.jboss.as.controller.AbstractControllerService$1.
run(AbstractControllerService.java:370)
[Host Controller] at java.lang.Thread.run(Thread.java:748)
[Host Controller] Caused by: javax.security.sasl.SaslException:
Authentication failed: all available authentication mechanisms failed:
[Host Controller] DIGEST-MD5: javax.security.sasl.SaslException:
DIGEST-MD5: Server rejected authentication
[Host Controller] at org.jboss.remoting3.remote.
ClientConnectionOpenListener.allMechanismsFailed(
ClientConnectionOpenListener.java:109)
[Host Controller] at org.jboss.remoting3.remote.
ClientConnectionOpenListener$Capabilities.handleEvent(
ClientConnectionOpenListener.java:446)
[Host Controller] at org.jboss.remoting3.remote.
ClientConnectionOpenListener$Capabilities.handleEvent(
ClientConnectionOpenListener.java:242)
[Host Controller] at org.xnio.ChannelListeners.invokeChannelListener(
ChannelListeners.java:92)
[Host Controller] at org.xnio.conduits.ReadReadyHandler$
ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller] at org.xnio.nio.NioSocketConduit.
handleReady(NioSocketConduit.java:89)
[Host Controller] at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller] at ...asynchronous invocation...(Unknown Source)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(
EndpointImpl.java:570)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(
EndpointImpl.java:532)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(
EndpointImpl.java:520)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionUtils.connect(
ProtocolConnectionUtils.java:204)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionUtils.
connectSync(ProtocolConnectionUtils.java:120)
[Host Controller] at org.jboss.as.host.controller.
RemoteDomainConnection.lambda$openConnection$0(RemoteDomainConnection.java:
223)
[Host Controller] at org.wildfly.common.context.
Contextual.runExceptionAction(Contextual.java:108)
[Host Controller] at org.wildfly.security.auth.client.AuthenticationContext.
run(AuthenticationContext.java:268)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.
openConnection(RemoteDomainConnection.java:223)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection$
InitialConnectTask.connect(RemoteDomainConnection.java:592)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionManager.
connect(ProtocolConnectionManager.java:70)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.
connect(RemoteDomainConnection.java:147)
[Host Controller] at org.jboss.as.host.controller.
RemoteDomainConnectionService.register(RemoteDomainConnectionService.
java:288)
[Host Controller] ... 4 more
[Host Controller] Suppressed: javax.security.sasl.SaslException:
DIGEST-MD5: Server rejected authentication
[Host Controller] at org.jboss.remoting3.remote.
ClientConnectionOpenListener$Authentication.handleEvent(
ClientConnectionOpenListener.java:736)
[Host Controller] at org.jboss.remoting3.remote.
ClientConnectionOpenListener$Authentication.handleEvent(
ClientConnectionOpenListener.java:578)
[Host Controller] at org.xnio.ChannelListeners.invokeChannelListener(
ChannelListeners.java:92)
[Host Controller] at org.xnio.conduits.ReadReadyHandler$
ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller] at org.xnio.nio.NioSocketConduit.
handleReady(NioSocketConduit.java:89)
[Host Controller] at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller]
[Host Controller] 09:07:26,169 WARN [org.jboss.as.host.controller]
(Controller Boot Thread) WFLYHC0147: No domain controller discovery options
remain.
[Host Controller] 09:07:26,169 ERROR [org.jboss.as.host.controller]
(Controller Boot Thread) WFLYHC0002: Could not connect to master. Error
was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain
controller discovery option(s) but unable to connect
[Host Controller] 09:07:26,170 FATAL [org.jboss.as.host.controller]
(Controller Boot Thread) WFLYHC0178: Aborting with exit code 99
After poking around a bit I found the slave makes a connection with this
bit of host-slave.xml:
<domain-controller>
    <remote username="$local" security-realm="ManagementRealm">
        <discovery-options>
            <static-discovery name="primary"
                protocol="${jboss.domain.master.protocol:remote}"
                host="${jboss.domain.master.address:192.168.33.10}"
                port="${jboss.domain.master.port:9999}"/>
        </discovery-options>
    </remote>
</domain-controller>
I changed $local to admin and it connects fine. But if I understand
WildFly, then you shouldn't need to specify a username at all, and the
remote server will interpret $local (or none) as the local default user,
which would be "admin".
I tried leaving out the username and that didn't work either.
Have I managed to configure my user wrong on the master somehow? I used
this command (and obviously have the correct secret in the host-slave.xml):
bin/add-user.sh -u admin -p password -r ManagementRealm -ds -e
Or is this actually expected behaviour?
6 years, 9 months
How to import keycloak-authz from keycloak-js npm package in TypeScript?
by Marcel Német
I can easily import Keycloak.d.ts from keycloak-js npm module using
import * as Keycloak from 'keycloak-js';
but I am failing to import the keycloak-authz.d.ts file and
the KeycloakAuthorization which is defined inside it.
I wonder if anybody knows how to do it or did it previously. Not sure
whether keycloak-authz is made available at the npm package level.
A loosely related issue I found online is:
https://issues.jboss.org/browse/KEYCLOAK-4822
--
Marcel Német
marcel.nemet(a)gmail.com
0795153648
6 years, 9 months
High throughput communication- Use of a transparent (by value) token
by Omri Tavor
Hi,
I have two backend servers that need to communicate at a high throughput (1000s of requests per second).
I don't want each of the requests to be blocked/slowed down by the server contacting the Keycloak server to verify the token.
Is there a way I can create a transparent token that could be verified without having to access the Keycloak server in each request?
Thanks,
Omri.
6 years, 9 months
Direct grant flow using a CAS token as a credential.
by Rodolfo de Paula
Greetings,
We started doing a proof of concept with Keycloak only 2 weeks ago. We already have a small SPA in Vue.js with authentication using the direct grant flow.
Since we have a legacy users database, we plugged a custom UserFederationProvider implementation.
This custom provider helped us to support these 2 scenarios:
1) Users authenticating against our legacy database.
2) Users authenticating against our CAS server. Since the user storage provider has access to user/password, our implementation will also try to get a Service Token from our CAS server and in case of success, it will set a value to a custom user attribute "CAS_TOKEN" so the SPA will have access to it and use it when it's needed (links to CAS protected resources).
This works for our POC but we have a third scenario: We want to authenticate a user coming to our resources but with a token (CAS) appended to the URL. With the CAS token, we would need to 1) validate the ticket, 2) get the user identity in order to authenticate it. But we have been studying that providers/authenticator example from the Keycloak source but it doesn't seem to be useful since we are using the direct grant flow.
So can someone please give me a hint on this? Is there any other (better/cleaner) way to do this?
Thanks in advance!
6 years, 9 months
Re: [keycloak-user] [Proposal] Hard Code the Composite Role Relationship of Admin Role into Java code not Database Records?
by Mingjun Liu
Hi Team,
I found that the admin role in the master realm will have all roles in
xxxx-realm type clients in the master realm as composites. This design will have
a lot of rows to be inserted into the database.
However, the admin role is targeted for super privileged users to have
all privileges on all resources in the Keycloak server; there are rarely
reasons to change this scenario.
One observation is that when there are 6K realms in the database, the getRole
method of the admin role would take more than *1 SECOND*. It will result in
bad response for the admin REST API.
Benefit:
We are alleviated from lots of database writes/reads, especially when the realm
number grows to thousands and more.
We are more confident to support a large number of realms.
Drawbacks: we need to carefully implement logic on the special admin role;
multiple places need work.
Please let me know your concerns. Thank you!
Regards,
Mingjun Liu
6 years, 9 months
403 on /sso/login with Spring Boot and Keycloak Adapter
by Marc Logemann
Hi,
I have a little Spring Boot Application and it runs pretty nicely
together with the Keycloak setup on my dev machine. Now when deploying
the same application to another server I get something strange:
When trying to access a protected resource, my browser gets a 302 to
/sso/login which is ok but this URL should also produce a 302 to the
final Keycloak Login Page. Instead I get a 403 on the sso/login
request. The crazy thing is, on my local dev machine the /sso/login
doesn't get a 403 but a 302 with the resulting valid and perfect URL
(http://localhost:16177/auth/realms/XXXX/protocol/openid-connect/auth?resp...)
What I want to say is.... I don't have a clue why I get a 403 on a
resource /sso/login, which as I assume, is provided by the Spring Keycloak
adapter. And even crazier... it's the same application.
thanks for any hints.
marc
6 years, 9 months
A few questions about OIDC Key Rotation in Keycloak
by Yaroslav Skopets
Hi guys!
I've got a few questions about OIDC Key Rotation in Keycloak:
1) Does Keycloak support fully automatic rotation of OIDC keys?
From a user perspective, I'd like to be able to set a rule à la "rotate
keys every 24 hours".
I see that https://issues.jboss.org/browse/KEYCLOAK-905 had a similar
intent: "Option to enable automatic period rotation of keys (in cluster
make sure only one node does it)"
Was it actually implemented?
2) As a user, I'd like to automate rotation of OIDC keys.
I see that through the Admin REST API I can create/activate/delete keys.
However, does Keycloak allow me as a user to attach custom metadata to
those keys? Such as `time when the key was created`, `time when the key
was made active`, `time when the key was deactivated`, etc.
My goal is to implement a key rotation policy based on those extra
pieces of metadata.
Thanks in advance!
--
Best regards,
Yaroslav Skopets
6 years, 9 months