Configuring Keycloak in Standalone Clustered Mode
by Rafael Weingärtner
Hello Keycloak community,
I am configuring Keycloak for production, and we will need to use it in a
clustered fashion. I have read about the two possible deployment scenarios,
“Standalone clustered mode” and “domain clustered mode”. It seems that
the “Standalone clustered mode” is the simpler one. Also, we will be using
Docker to deploy Keycloak. Therefore, we will not have the burden of
managing configuration files manually. An update (of configuration and/or
Keycloak version) should always be a matter of stopping and starting a new
version of the Docker container.
I have one doubt though. It seems pretty magical that to configure Keycloak
in HA mode I only need to use “standalone-ha.xml”. How does the discovery
process of nodes happen? I mean, are the replicas communicating with each
other directly, or is everything via a shared database? Do I need to expose
some specific port from my Keycloak replicas to the network? Or is the
standard 443/80 enough?
Thanks in advance for your help ;)
--
Rafael Weingärtner
6 years, 10 months
Resource quotas
by Corentin Dupont
Hi guys,
is there any way to do resource quotas with Keycloak? I.e. max number of
resources created, max number of requests per hour...
Keycloak could return a 403 (or another code) on an authorization request
with an exceeded quota...
How to configure keycloak for native application mobile
by Christophe Lehingue
Hello,
I use Keycloak for authentication via a website: it's OK.
On the other hand, how do I configure Keycloak so that it is usable
for native mobile applications?
Thank you for your attention,
Regards,
Christophe
docker image - KEYCLOAK_LOGLEVEL and ROOT_LOGLEVEL seem to have no effect
by stefan.wachter
Hi all,
I run Keycloak (4.0.0.Final) in Docker using the official image. The
documentation says that setting the environment variables
KEYCLOAK_LOGLEVEL and ROOT_LOGLEVEL can be used to set log levels.
However, setting these environment variables seems to have no effect.
Has anybody managed to activate Keycloak debug logging in Docker?
--
Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
UMA2: share with all users
by Corentin Dupont
Hello,
Is there a way to share resources with all users?
Or to share with groups?
In my use case, I need to start with "open" situations, where resources are
accessible.
Some users can choose to restrict access to the resource, though.
I was thinking of using an "isPrivate" attribute on my resource, with
default false.
But maybe it's possible to use UMA instead: start with resources shared with
all users, and let the users reset the sharing...
UMA policy API
by Corentin Dupont
Hi guys,
I started playing with the UMA API...
In the UI, I defined a resource shared with two people.
Here is what I get when I query the API:
curl http://localhost:8080/auth/realms/waziup/authz/protection/uma-policy?reso... \
  -H "Authorization: Bearer $USERTOKEN" | jq
[
  {
    "id": "4cad9948-12a8-4178-87a8-983509169a2d",
    "name": "028a265c-4cfb-4ef8-9d35-10a3360851df",
    "type": "uma",
    "scopes": [
      "sensors:create",
      "sensors:view",
      "sensors:update"
    ],
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
  },
  {
    "id": "f8a10074-49b4-4ab7-b873-eca27b336e35",
    "name": "7b24a369-a0c5-471f-9b94-f3c88a78ae79",
    "type": "uma",
    "scopes": [
      "sensors:create",
      "sensors:delete",
      "sensors:view",
      "sensors:update"
    ],
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
  }
]
Where can I find the resource id and the recipient of the sharing?
What is "name"?
The doc seems to say that {id} is the resource id:
http://${host}:${port}/auth/realms/${realm_name}/authz/protection/uma-policy/{resource_id}
But that doesn't seem to be the case.
Another question: is there an API where I can find all the regular
policies/permissions defined in the "Authorization" tab of the Keycloak admin
console?
I don't see them in the UMA API.
Thanks a lot!!
Re: [keycloak-user] Kerberos Authentication
by "Matthias Müller"
I added the necessary fields in the LDAP configuration before:
Realm: local.domain
Principal: HTTP/server.name(a)local.domain
Keytab: /etc/keytab/servername.keytab
local.domain and server.name are placeholders for the original settings.
The following messages are shown with kinit and kvno:
kinit: Preauthentication failed while getting initial credentials
No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name
When I read the keytab file with klist, the output is:
0 01/01/1970 00:00:00 HTTP/server.name(a)local.domain (aes256-cts-hmac-sha1-96)
Related to the log:
No entry is shown in this case. Only when I deactivate Kerberos are the normal logs shown, for example for a wrong user.
Thanks
Sent: Sunday, 08 July 2018 at 22:13
From: "Jochen Hein" <jochen(a)jochen.org>
To: "Matthias Müller" <matthiasmueller07(a)web.de>
Subject: Re: Aw: Re: [keycloak-user] Kerberos Authentication
"Matthias Müller" <matthiasmueller07(a)web.de> writes:
> The keytab file was generated by the server tools on a Windows Server (Active directory).
> I saved the keytab in /etc/keytab/ folder, user is the same as keykloak.
Did you add the keytab and Principal to the LDAP configuration?
Can you "kinit -kt /etc/keytab/keycloak.keytab HTTP/<yourhost>"?
Is "kvno HTTP/<yourhost>" valid (same as on Kerberos server)?
> The debug option is enabled but no server.log exists. In console.log
> nothing related to Kerberos appears.
Can you show the log? Please move the discussion back to the list.
Jochen
--
This space is intentionally left blank.
Custom Authenticator and NoClassDefFoundError
by Ryan Slominski
Hi Keycloak Users,
I'm attempting to create a custom authenticator by following the org.keycloak.examples.authenticator secret question example and the https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi documentation. When I drop the jar file into the deployments directory I get a NoClassDefFoundError. I guess this has something to do with the JBoss module system. I tried adding a jboss-deployment-structure.xml file with the "org.keycloak.keycloak-services" module, but now I get a ModuleNotFoundError. Any tips?
Source code for new authenticator:
https://github.com/slominskir/KeycloakAutoLinkAuthenticator
NoClassDefFoundError:
2018-07-09 10:09:34,112 INFO [org.jboss.as.repository] (DeploymentScanner-threads - 1) WFLYDR0001: Content added at location /opt/wildfly/keycloak-3.4.3/standalone/data/content/39/b99d3fa522078162e540b84481c8ff7c1fb346/content
2018-07-09 10:09:34,136 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "AutoLinkAuthenticator.jar" (runtime-name: "AutoLinkAuthenticator.jar")
2018-07-09 10:09:34,213 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: AutoLinkAuthenticator.jar
2018-07-09 10:09:34,219 WARN [org.jboss.modules] (MSC service thread 1-2) Failed to define class org.keycloak.extras.authentication.authenticators.broker.AutoLinkAuthenticator in Module "deployment.AutoLinkAuthenticator.jar" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/keycloak/extras/authentication/authenticators/broker/AutoLinkAuthenticator (Module "deployment.AutoLinkAuthenticator.jar" from Service Module Loader): org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:77)
at org.jboss.modules.Module.loadModuleClass(Module.java:713)
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
at org.keycloak.extras.authentication.authenticators.broker.AutoLinkAuthenticatorFactory.<clinit>(AutoLinkAuthenticatorFactory.java:14)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:213)
at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:114)
at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:165)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
ModuleNotFoundError:
2018-07-09 10:40:55,135 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.module.service."deployment.AutoLinkAuthenticator.jar".main: org.jboss.msc.service.StartException in service jboss.module.service."deployment.AutoLinkAuthenticator.jar".main: WFLYSRV0179: Failed to load module: deployment.AutoLinkAuthenticator.jar
at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:91)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.jboss.modules.ModuleNotFoundException: keycloak-services
at org.jboss.modules.Module.addPaths(Module.java:1217)
at org.jboss.modules.Module.link(Module.java:1573)
at org.jboss.modules.Module.relinkIfNecessary(Module.java:1601)
at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:287)
at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:271)
at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:68)
... 5 more
Thanks,
Ryan
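As an added illustration (not from the thread, and not confirmed to resolve the problem above): a META-INF/jboss-deployment-structure.xml that declares the dependency on the module by its full name. The ModuleNotFoundException quoted above reports "keycloak-services" without the "org.keycloak." prefix, so the exact module name written in the file is the first thing to compare.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/jboss-deployment-structure.xml packaged inside AutoLinkAuthenticator.jar
     (added example; the jar name is the one from the deployment log above). -->
<jboss-deployment-structure>
  <deployment>
    <dependencies>
      <!-- Full module name of the Keycloak services module in the WildFly
           distribution. The missing class in the NoClassDefFoundError,
           org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator,
           is provided by this module. A bare "keycloak-services" does not
           resolve as a module name, which matches the ModuleNotFoundException. -->
      <module name="org.keycloak.keycloak-services"/>
    </dependencies>
  </deployment>
</jboss-deployment-structure>
```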