JDBC Database issue when migrating from v3.4.3.Final to v4.1.0
by Tomás García
Hi,
I was in the process of upgrading our instance of v3.4.3.Final to
v4.1.0.Final. but the migration model manager from Keycloak crashes. Here's
the stack trace:
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    ... 6 more
Caused by: org.hibernate.exception.GenericJDBCException: Could not read entity state from ResultSet : EntityKey[org.keycloak.models.jpa.entities.RealmAttributeEntity#component[name,realm]{name=_browser_header.contentSecurityPolicy, realm=org.keycloak.models.jpa.entities.RealmEntity#master}]
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97)
    at org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl.loadFromResultSet(EntityReferenceInitializerImpl.java:320)
    at org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl.hydrateEntityState(EntityReferenceInitializerImpl.java:233)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.readRow(AbstractRowReader.java:103)
    at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:122)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:122)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
    at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
    at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
    at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
    at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
    at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
    at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
    at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
    at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
    at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277)
    at org.keycloak.models.jpa.RealmAdapter.getAttribute(RealmAdapter.java:209)
    at org.keycloak.models.jpa.RealmAdapter.getDisplayName(RealmAdapter.java:79)
    at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:157)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
    at org.keycloak.migration.migrators.MigrateTo3_4_1.migrate(MigrateTo3_4_1.java:40)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:94)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 28 more
Caused by: java.sql.SQLException: Can not call getNString() when field's charset isn't UTF-8
    at com.mysql.jdbc.JDBC4ResultSet.getNString(JDBC4ResultSet.java:212)
    at com.mysql.jdbc.JDBC4ResultSet.getNString(JDBC4ResultSet.java:232)
    at org.jboss.jca.adapters.jdbc.WrappedResultSet.getNString(WrappedResultSet.java:4634)
    at org.hibernate.type.descriptor.sql.NVarcharTypeDescriptor$2.doExtract(NVarcharTypeDescriptor.java:62)
    at org.hibernate.type.descriptor.sql.BasicExtractor.extract(BasicExtractor.java:47)
    at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:235)
    at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:231)
    at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:222)
    at org.hibernate.type.AbstractStandardBasicType.hydrate(AbstractStandardBasicType.java:296)
    at org.hibernate.persister.entity.AbstractEntityPersister.hydrate(AbstractEntityPersister.java:2840)
    at org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl.loadFromResultSet(EntityReferenceInitializerImpl.java:305)
    ... 60 more
I don't quite get why this is happening since the very same code being run
here should be running in v3.4.3 (at
org.keycloak.migration.migrators.MigrateTo3_4_1.migrate(MigrateTo3_4_1.java:40))
which works fine in that version.
I'm using a v5.5 MariaDB database with a 5.5 MySQL JDBC Connector. The same
libraries I used in v3.4.3 were installed into the v4.1.0 instance, so no
change in configuration.
All the tables / columns are using UTF-8 with utf8_unicode_ci collation:
> SHOW FULL COLUMNS FROM REALM_ATTRIBUTE;
+----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+
| Field    | Type         | Collation       | Null | Key | Default | Extra | Privileges                      | Comment |
+----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+
| NAME     | varchar(255) | utf8_unicode_ci | NO   | PRI | NULL    |       | select,insert,update,references |         |
| VALUE    | varchar(255) | utf8_unicode_ci | YES  |     | NULL    |       | select,insert,update,references |         |
| REALM_ID | varchar(36)  | utf8_unicode_ci | NO   | PRI | NULL    |       | select,insert,update,references |         |
+----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+
The database configuration is similar to this one:
<connection-url>jdbc:mysql://localhost:3306/databasename?useUnicode=true&characterEncoding=utf8</connection-url>
<driver name="mysql" module="com.mysql.jdbc">
<xa-datasource-class>com.mysql.jdbc.jdbc2.optional.MysqlXADataSource</xa-datasource-class>
</driver>
Thanks,
Tomás
6 years, 5 months
redirectUri gets lost when opening email verification link in new browser (since authSession gets lost)
by Christoph Tavan
Hello Keycloak Mailinglist,
I'm struggling with getting user registrations that require email verification to work in a native app context.
In my test setup I have a native (iOS) mobile app that includes OIDC authentication. Normal login works perfectly: the Keycloak login form is opened in a webview, the user logs in and is redirected back to an app link which the native app can handle, all good.
Things don't work that smoothly when a user wants to register within the webview. Here's what happens, to my understanding:
1. Webview is opened, Keycloak creates a new authSession where the redirectUri (from the redirect_uri url query parameter) is stored.
2. User registers, verification email is sent.
3. User clicks on the email verification link which opens in the system browser where the authSession of the app's webview is obviously not present. The user is presented with the confirmEmailAddressVerification verification and clicks the proceedWithAction link.
4. Email is now verified. However, since the original authSession that was created in the webview and that contained the redirectUri is not present in the system browser, the user is now presented with a link to the baseUrl of the client instead of the app-url that was originally passed as redirect_uri to the initial authorization request. I have tried to configure the app url as "Base URL" in the client, but this doesn't get rendered in the view. Instead the "back to application" link points to /auth/realms/REALMNAME/account
I think this whole problem is not specific to the native app use case: we would have the same issue if the registration process is started in one browser and the email verification link is opened in a different browser where the initial login authSession is not present.
Has anyone ever gotten this to work? I.e. continuation of a registration flow in a new browser session which was different from the session where the registration began?
Thanks
Christoph
6 years, 5 months
Mobile client - recommended forgotten password flow
by Scott Hezzell
Hi all
What is the recommended process for a forgotten password flow from a mobile client?
I have enabled 'Forgotten Password' at the realm level and the flow works nicely from a web client using the 'Forgotten Password' link from the login page. When I try the flow from a mobile client, it opens the initial login page and the 'send reset email' page in a different browser session from the one I open the reset email link in, so I 'lose' the authentication session and Keycloak defaults the client to the account client instead of the mobile client.
Any advice from anyone who has faced a similar problem would be greatly appreciated.
Scott
6 years, 5 months
Make query string param available in marker template
by Will Lopez
Hello,
I have a use case where I need to render a block of HTML depending on the value of a query string param in the login page. The value will be coming from the login URL similar to this:
http://localhost:8080/auth/realms/default/protocol/openid-connect/auth?cl... token&scope=openid&nonce=aa48185b-0582-4d4a-8f36-b6d01d7e72c6&app=1&customvar=1
I would like to have customvar available in login.ftl to accomplish my objective. So far I have tried to retrieve the baseUrl from the client bean, but it's not available; the app crashes when I attempt to access baseUrl.
Thanks in advance for any help.
~Will
6 years, 5 months
Passwords for keycloak
by Matt Evans
Is it possible to extend keycloak to read its settings, specifically passwords, from a secure configuration store? For example, how would I go about having keycloak read the password for the database connection from a secure store, so it's not stored in the config files on the machine, or passed as command line parameters?
Thanks
Matt
6 years, 5 months
Keycloak Roles and Usergroups
by Vinay
What is the difference between Keycloak roles and user groups? Are they
interchangeable, i.e. can we use roles instead of groups or vice versa to
address a problem? Is it possible to have roles within roles, just like
groups?
Clear guidelines on how to use groups and roles would help.
thanks
/Vinay
6 years, 5 months
Alternative client-cert authentication
by Nikola Malenic
I am configuring the browser flow and would like to give users with
certificates the capability to log in immediately.
Users who don't have (send) a certificate should be able to log in with
username+password (a form would be presented to them).
I configured two ALTERNATIVE subflows inside the browser flow. The first subflow has
the X509/Validate Username Form execution as ALTERNATIVE and the second flow has
Username Password Form as REQUIRED.
The problem is that when I access the admin console I am not shown the form to enter
username and password since I didn't send a certificate. I get this error:
"Invalid username or password.".
It seems that the second flow is automatically executed, but since I didn't
send a username and password it finishes unsuccessfully.
Do you have any idea how to configure this?
Many thanks,
Nikola
6 years, 5 months
Federated Identity linking custom attribute
by Daniel Teixeira
Hello,
When using a SAML Identity Provider to link to existing Keycloak users,
Keycloak uses the NameID to do the linking.
How can I use another SAML attribute to do the linking?
I have tried the "Username Template Importer" in the identity provider, but
this only works when creating new users. In my case the user is already
created and I just need to do the linking.
Thanks in advance for your help,
Daniel
6 years, 5 months
Groups as array of objects (Script Mapper ? )
by Daniel Teixeira
Hello,
I am trying to configure my userinfo token to get the groups, as an array
of objects.
Currently, if I add the "Group Membership" mapper in my client, an array of
strings with the groups is returned:
{
"name": "Dummy User",
"groups": ["group1", "group2", "group3"]
...
}
But what I need for a SSO Confluence plugin to work is the following format:
(The name of the attributes don't matter, but I need an array of objects
for the groups)
{
"name": "Dummy User",
"groups": [ {"group_name": "group1"},
{"group_name": "group2"},
{"group_name": "group3"} ]
...
}
So I have tried to create a Script Mapper as follows:
var groups = [];
user.getGroups().forEach(function(groupModel) {
    var groupName = groupModel.getName();
    groups.push({"group_name": groupName});
})
token.setOtherClaims("groups", groups);
But this script produces a token as follows:
{
"name": "Dummy User",
"groups": {
"0": {
"group_name": "group1"
},
"1": {
"group_name": "group2"
},
"2": {
"group_name": "group3"
}
},
....
}
Which is not an array of objects, but a map of objects.
I have tried to toggle the option multivalued but it didn't change anything.
Is there a way to have an array?
Could someone help me with that?
Thanks in advance!
Cheers,
Daniel Teixeira
6 years, 5 months
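An added example, not code from the post above or from the Keycloak project, of how the same Script Mapper can emit "groups" as a JSON array of objects. It rests on one assumption about the behaviour the post observes: under Nashorn (the engine Keycloak's Script Mapper runs on) a JavaScript array handed to token.setOtherClaims() is wrapped as a ScriptObjectMirror, which the token serializer treats as a Map keyed "0", "1", "2", exactly the output shown in the post, whereas a real java.util.List is serialized as a JSON array. The helper functions toGroupObjects, toJavaList and groupNamesOf are names chosen here; `user` and `token` are the variables Keycloak binds for a mapper. The helpers are pure, so the file can also be loaded in Node for a quick check, where the Java conversion is skipped because there is no `Java` global.

```javascript
// Added example (not from the original post): Script Mapper logic that
// returns "groups" as an array of objects instead of a map of objects.
//
// Assumption (from the post's observed output): under Nashorn a JS array
// passed to token.setOtherClaims() serializes as {"0": ..., "1": ...},
// while a java.util.List serializes as a JSON array.

// Build the plain-JS representation: [{group_name: "group1"}, ...].
// attributeName is the key of each object (the post uses "group_name").
function toGroupObjects(groupNames, attributeName) {
  var attr = attributeName || "group_name";
  var result = [];
  for (var i = 0; i < groupNames.length; i++) {
    var obj = {};
    obj[attr] = groupNames[i];
    result.push(obj);
  }
  return result;
}

// Convert a JS array of flat objects into a java.util.List of
// java.util.Map when running under Nashorn. Outside Nashorn there is no
// `Java` global, so the JS array is returned unchanged (keeps this testable).
function toJavaList(objects) {
  if (typeof Java === "undefined") {
    return objects;
  }
  var ArrayList = Java.type("java.util.ArrayList");
  var HashMap = Java.type("java.util.HashMap");
  var list = new ArrayList();
  objects.forEach(function (obj) {
    var map = new HashMap();
    Object.keys(obj).forEach(function (k) { map.put(k, obj[k]); });
    list.add(map);
  });
  return list;
}

// Extract group names. In Keycloak, user.getGroups() returns a
// java.util.Set<GroupModel>, whose forEach Nashorn exposes (the post's own
// script relies on this). A plain array of strings is accepted as well so
// the function can be exercised without a UserModel.
function groupNamesOf(groups) {
  var names = [];
  groups.forEach(function (g) {
    names.push(typeof g === "string" ? g : g.getName());
  });
  return names;
}

// Mapper body: `user` and `token` are bound by Keycloak when this file runs
// as a Script Mapper; guarded so the file also loads stand-alone.
if (typeof user !== "undefined" && typeof token !== "undefined") {
  var groupsClaim = toJavaList(toGroupObjects(groupNamesOf(user.getGroups())));
  token.setOtherClaims("groups", groupsClaim);
}
```

Only the outer container needs to become a Java List; the inner objects were already rendered as {"group_name": ...} in the post's output, but building them as java.util.HashMap keeps the claim independent of how the engine wraps JS objects.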
admin account custom theme not working
by Manisha Nandal
Hi,
I want to use a custom theme for the admin user. I tried creating a folder
"mytheme/admin" and placed my new modified files there. I also changed the
configuration from admin console -> realm settings -> theme. My modified
files are not picked up.
I followed the same process for login theme changes and it is working.
Can you please guide me on how to use a custom theme for the admin console? Another
thing I observed is that if I change the theme for both the master realm and my own
realm, then it works.
Thanks
Manisha
6 years, 5 months