Fwd: Help
by elyse badr saradar
Hello,
I am trying to integrate Keycloak in my system. I already have two
authentication applications whose code I can't change/update. I would
like to have a single login page for all my applications using Keycloak and
let Keycloak communicate with them to authenticate/authorize only once
(single sign-on) regardless of whether the user enters the first
application's credentials or the second one's.
I first saw the broker identity provider feature you have and I configured
it, but it still didn't work fine (I probably missed some configuration), or
maybe I need to add custom code in my application.
Second, I saw the SPI and thought of writing a customized authentication jar
to change Keycloak's authentication to communicate with my authentication
applications. I saw on GitHub that there is sample code under
example/provider/authenticator. I tried to import it in my IDE but I'm facing this issue:
Failed to execute goal on project authenticator-required-action-example:
Could not resolve dependencies for project org.keycloak:authenticator-
required-action-example:jar:4.3.0.Final-SNAPSHOT: The following artifacts
could not be resolved: org.keycloak:keycloak-core:jar:4.3.0.Final-SNAPSHOT,
org.keycloak:keycloak-server-spi:jar:4.3.0.Final-SNAPSHOT,
org.keycloak:keycloak-server-spi-private:jar:4.3.0.Final-SNAPSHOT,
org.keycloak:keycloak-services:jar:4.3.0.Final-SNAPSHOT: Could not find
artifact org.keycloak:keycloak-core:jar:4.3.0.Final-SNAPSHOT -> [Help 1]
[ERROR]
Can you guide me on whether this version is used or not on the online Maven
repository?
Note that I am trying to add several Keycloak dependencies but am not able to
find which one has org.keycloak.authentication according to the
documentation link: https://www.keycloak.org/docs/3.3/server_development/topics/auth-spi.html
Please help,
and thanks in advance.
7 years, 7 months
Keycloak user/authorization/realmRevisionsCache and Prometheus JMX exporter: rebalancingEnabled attribute missing
by Schuster Sebastian (INST/ESY1)
Hi everybody,
We are currently trying to get Infinispan Cache Metrics via JMX out of Keycloak and into Prometheus. After including the Prometheus JMX Exporter (https://github.com/prometheus/jmx_exporter) and going through a configuration spree, we get warnings in the Keycloak log indicating that the attribute
“rebalancingEnabled” is null/not set for the Infinispan Caches userRevisions, authorizationRevisions, and realmRevisions. The error looks like the following:
07:32:34,276 DEBUG [org.infinispan.jmx.ResourceDMBean] (pool-1-thread-3) Exception while reading value of attribute rebalancingEnabled: java.lang.reflect.InvocationTargetException
07:32:34,276 WARN [org.infinispan.jmx.ResourceDMBean] (pool-1-thread-3) ISPN000036: Did not find attribute rebalancingEnabled
07:32:34,336 WARN [org.infinispan.topology.CacheTopologyControlCommand] (pool-1-thread-3) ISPN000071: Caught exception when handling command CacheTopologyControlCommand{cache=authorizationRevisions, type=POLICY_GET_STATUS, sender=keycloak-mssql-6599fb56cb-vhll5, joinInfo=null, topologyId=0, rebalanceId=0, currentCH=null, pendingCH=null, availabilityMode=null, actualMembers=null, throwable=null, viewId=0}: java.lang.NullPointerException
at org.infinispan.topology.ClusterTopologyManagerImpl.isRebalancingEnabled(ClusterTopologyManagerImpl.java:628)
at org.infinispan.topology.CacheTopologyControlCommand.doPerform(CacheTopologyControlCommand.java:197)
at org.infinispan.topology.CacheTopologyControlCommand.perform(CacheTopologyControlCommand.java:153)
at org.infinispan.topology.LocalTopologyManagerImpl.executeOnCoordinator(LocalTopologyManagerImpl.java:606)
at org.infinispan.topology.LocalTopologyManagerImpl.isCacheRebalancingEnabled(LocalTopologyManagerImpl.java:540)
at org.infinispan.cache.impl.CacheImpl.isRebalancingEnabled(CacheImpl.java:998)
at sun.reflect.GeneratedMethodAccessor554.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:394)
at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:298)
at org.infinispan.jmx.ResourceDMBean.getAttributes(ResourceDMBean.java:197)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttributes(DefaultMBeanServerInterceptor.java:709)
at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttributes(JmxMBeanServer.java:705)
at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.scrapeBean(JmxScraper.java:151)
at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.doScrape(JmxScraper.java:117)
at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxCollector.collect(JmxCollector.java:456)
at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.findNextElement(CollectorRegistry.java:183)
at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:216)
at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:137)
at io.prometheus.jmx.shaded.io.prometheus.client.exporter.common.TextFormat.write004(TextFormat.java:22)
at io.prometheus.jmx.shaded.io.prometheus.client.exporter.HTTPServer$HTTPMetricHandler.handle(HTTPServer.java:59)
at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
at sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)
at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
These caches are created programmatically, as far as I can see, so there is no easy way to change their configuration. Did anybody have a similar problem, or can anybody shed some light on why these caches miss the “rebalancingEnabled” attribute?
Thanks and best regards,
Sebastian
Best regards
Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster(a)bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
7 years, 8 months
How to logout
by Ryan Slominski
Hi Keycloak Users,
I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
1. Call HttpServletRequest.logout()
2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logou...
See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully log out so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However, if a login was attempted it would succeed automatically without prompting for a username and password, and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to log in with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
Thanks,
Ryan
7 years, 8 months
[Conception] how to define a suitable realm
by GARDAIS Ionel
Hi list,
I have a question about the creation of the realms in Keycloak.
It may be SSO-101 but I can't figure the right answer.
As I understand it, a realm is a collection of clients sharing the same policies.
A user logged from one client in a realm will be authenticated in all other clients in the same realm.
Say I have 3 apps AppA, AppB and AppC.
I want a user to be SSO'ed with AppA and AppB (not AppC).
I also want a user to be SSO'ed with AppB and AppC (not AppA).
I guess I need a realm covering AppA and AppB and another realm covering AppB and AppC.
However, most (if not all) clients I've seen only allow one IDP definition, which prevents AppB from knowing both realms.
How to solve this?
Regards,
Ionel
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
7 years, 8 months
Will k_logout/back channel logout be initiated when the SSO Session Idle threshold is reached?
by Madhu
Hi,
I am pretty new to Keycloak, and from some debugging sessions and going through the code, I think InMemorySessionIdMapper is where Keycloak stores the mapping between the user, the applications he has logged in to, and the number of active IDM sessions the application/client has.
When the admin forces a logout of the user from the admin console, logout or logoutAll happens.
And when Keycloak receives the logout, it invokes the logout of the application through the back channel.
Will the backchannel logouts be called when the SSO Session Idle time threshold is reached?
If not, will this not cause InMemorySessionIdMapper to grow huge over a period of time and cause a potential memory leak?
Regards,
Madhu
7 years, 8 months
Re: [keycloak-user] keycloak-user Digest, Vol 56, Issue 43
by Hans Zandbelt
On Mon, Aug 13, 2018, 13:04 <keycloak-user-request(a)lists.jboss.org> wrote:
> Today's Topics:
>
> 1. Keycloak domain cluster login page redirect, but works with
> single node(master or slave) (Rackymuthu)
> 2. Re: Keycloak domain cluster login page redirect, but works
> with single node(master or slave) (Rackymuthu)
> 3. Re: API-Problem creating a user (Lars Liedtke)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 13 Aug 2018 16:08:51 +0530
> From: Rackymuthu <rcypavi007(a)gmail.com>
> Subject: [keycloak-user] Keycloak domain cluster login page redirect,
> but works with single node(master or slave)
> To: keycloak-user(a)lists.jboss.org
> Message-ID:
> <CAG6Sa0zjNqLCwkM8AJ=
> VD3AzinuPdWskNwi_gYsOtyoPXWnZHg(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> I have configured a Keycloak domain cluster. In this setup, if I log in as
> admin, it redirects to the login page again and again.
>
> Sometimes it shows the whoami (unauthorized) JS script error.
>
> If we stop either the slave or the master in the cluster, then the login works
> fine without any issues.
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 13 Aug 2018 16:21:47 +0530
> From: Rackymuthu <rcypavi007(a)gmail.com>
> Subject: Re: [keycloak-user] Keycloak domain cluster login page
> redirect, but works with single node(master or slave)
> To: keycloak-user(a)lists.jboss.org
> Message-ID:
> <
> CAG6Sa0yEO4K79WZ7x679nnQ34wg9VnE5Am0JR4YwKWdKt5MvHw(a)mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Adding more detail
>
>
> Below is our cluster configuration.
> 1. Httpd loadbalancer
>
> 2. One master node and One slave node
>
> 3. Master and slave nodes share the common DB (Postgres)
>
> Httpd Configuration
> ---------------------------
> <IfModule manager_module>
>
> Listen 192.168.10.110:10001
>
> ServerName xxxxxxx-xxxx.xxxxxx.xxx
>
> ManagerBalancerName cluster1
>
> <VirtualHost 192.168.10.110:10001>
>
> <Location />
>
> Require all granted
>
> Allow from all
>
> </Location>
>
> RequestHeader set X-Forwarded-For all
>
> KeepAliveTimeout 300
>
> MaxKeepAliveRequests 0
>
> AdvertiseFrequency 5
>
> EnableMCPMReceive On
>
> <Location /mod_cluster_manager>
>
> SetHandler mod_cluster-manager
>
> Require all granted
>
> Allow from all
>
> </Location>
>
> </VirtualHost>
>
> </IfModule>
>
>
> Master Configuration
> -------------------------------------------
>
> <subsystem xmlns="urn:jboss:domain:undertow:4.0">
>
> .......
>
> <http-listener name="default" socket-binding="http" redirect-socket="https"
> enable-http2="true" proxy-address-forwarding="true"/>
>
> </subsystem>
>
>
>
> Slave Configuration
> -------------------------------------------
> .<subsystem xmlns="urn:jboss:domain:modcluster:3.0">
>
> ...
>
> <mod-cluster-config advertise-socket="modcluster" connector="ajp"
> balancer='cluster1' advertise="true" sticky-session="true">
>
> And I can see the mod_cluster-manager page, and it shows the master
> node service and the slave node service.
>
>
>
>
> Also, load balancing is working. When I try to log in to Keycloak as
> admin, the result is a redirect to the login page again, or a whoami unauthorized error
> message.
>
>
>
>
>
> On Mon, 13 Aug 2018 at 16:08, Rackymuthu <rcypavi007(a)gmail.com> wrote:
>
> >
> > I have configured a Keycloak domain cluster. In this setup, if I log in as
> > admin, it redirects to the login page again and again.
> >
> > Sometimes it shows the whoami (unauthorized) JS script error.
> >
> > If we stop either the slave or the master in the cluster, then the login
> > works fine without any issues.
> >
> >
> >
> >
>
>
> --
> *Regards..,*
>
> *R Rackymuthu*
> *? 9788830879*
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 13 Aug 2018 13:01:02 +0200
> From: Lars Liedtke <liedtke(a)punkt.de>
> Subject: Re: [keycloak-user] API-Problem creating a user
> To: keycloak-user(a)lists.jboss.org, helzle(a)punkt.de, J?rg Schweizer
> <schweizer(a)punkt.de>
> Message-ID: <67ec63ca-ceec-b2f2-0af1-f61af693ce15(a)punkt.de>
> Content-Type: text/plain; charset=utf-8
>
> Hello,
>
> Last week I wrote the mail cited down below.
>
> Now I got a bit further:
>
> I can create a user and set attributes, but when I try to set a group,
> this is just ignored, no matter if I try the group's name, path or id.
>
> The second thing I discovered was that when I provide credentials
> (PBKDF2 with HMAC and SHA1 in 20000 rounds) as I found here:
> http://lists.jboss.org/pipermail/keycloak-user/2016-November/008211.html,
> Keycloak's User "tab" simply breaks and refuses to show all users of a
> realm.
>
> Does anyone know how to correctly post a user with a group and
> credentials via the API?
>
> Best Regards
>
> Lars Liedtke
>
> --
> punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
> Tel. 0721 9109 0 * Fax 0721 9109 100
> info(a)punkt.de https://www.punkt.de
> Gf: J?rgen Egeling AG Mannheim 108285
>
> > Hey everyone,
> >
> > I am trying to create users via the REST-API and I am stuck.
> >
> > When I try to post a user representation to Keycloak (after
> > successfully logging in over the API) via script (Python using the
> > requests framework) I get a 500 back and in the logfile of my Keycloak
> > instance I find:
> >
> > 10:50:40,268 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-4) Uncaught server error:
> com.fasterxml.jackson.databind.JsonMappingException: Can not construct
> instance of org.keycloak.representations.idm.UserRepresentation: no
> String-argument constructor/factory method to deserialize from String value
> ('{"username": "TNG", "enabled": true, "attributes": {"ito_BinderLevelID1":
> ["1ACD47D7B9AFA0A9C12582E00048F997"], "ito_BinderLevelID2":
> ["0D6E18BCBDD3B14BC12582E1002AE459"]}, "credentials":
> [{"hashedSaltedValue": "02514a38a0f3e7c7f8eed0c7d4ce7bf25e48c845", "salt":
> "05ef149e8ccce076e30d6388aeedc03583dd75b4c4d88f380b094ba5c06df21b",
> "algorithm": "pbkdf2"}], "groups": ["/Bonding.Keycloak:CompanyEditor"]}')
> > ?at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1d3521de;
> line: 1, column: 1]
> > ??????? at
> com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
> > ??????? at
> com.fasterxml.jackson.databind.DeserializationContext.instantiationException(DeserializationContext.java:1456)
> > ??????? at
> com.fasterxml.jackson.databind.DeserializationContext.handleMissingInstantiator(DeserializationContext.java:1012)
> > ??????? at
> com.fasterxml.jackson.databind.deser.ValueInstantiator._createFromStringFallbacks(ValueInstantiator.java:370)
> > ??????? at
> com.fasterxml.jackson.databind.deser.std.StdValueInstantiator.createFromString(StdValueInstantiator.java:315)
> > ??????? at
> com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromString(BeanDeserializerBase.java:1283)
> > ??????? at
> com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:159)
> > ??????? at
> com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:150)
> > ??????? at
> com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1583)
> > ??????? at
> com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:964)
> > ??????? at
> org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:134)
> > ??????? at
> org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66)
> > ??????? at
> org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:61)
> > ??????? at
> org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56)
> > ??????? at
> org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:36)
> > ??????? at
> org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:59)
> > ??????? at
> org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
> > ??????? at
> org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:92)
> > ??????? at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:115)
> > ??????? at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> > ??????? at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> > ??????? at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> > ??????? at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> > ??????? at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> > ??????? at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > ??????? at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > ??????? at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > ??????? at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> > ??????? at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> > ??????? at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> > ??????? at
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> > ??????? at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> > ??????? at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> > ??????? at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > ??????? at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > ??????? at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > ??????? at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > ??????? at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > ??????? at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > ??????? at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > ??????? at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > ??????? at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > ??????? at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> > ??????? at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> > ??????? at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > ??????? at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> > ??????? at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > ??????? at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > ??????? at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > ??????? at
> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> > ??????? at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > ??????? at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> > ??????? at
> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> > ??????? at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> > ??????? at
> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> > ??????? at
> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> > ??????? at
> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> > ??????? at
> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> > ??????? at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > ??????? at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > ??????? at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > ??????? at
> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > ??????? at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> > ??????? at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> > ??????? at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> > ??????? at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> > ??????? at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> > ??????? at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> > ??????? at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> > ??????? at java.lang.Thread.run(Thread.java:748)
> >
> > When I try to create a user via Postman (after logging in) with the
> > user being:
> >
> > {"username": "testuser1", "enabled": true, "attributes":
> {"ito_BinderLevelID1": ["32523129C2061E50C12581E60033075A"],
> "ito_BinderLevelID2": ["3AD0E53463EBC8F1C12581E600342FA2"]}, "groups":
> ["/Bonding.Keycloak:CompanyEditor"], "credentials": [{"hashedSaltedValue":
> "aa8c848ee6ac308a24e1e1bce1559902009f988a", "salt":
> "ab079c7702d171a2e558f940a7edda5e4e206005b2440eaab68cf6ad6938fe76",
> "algorithm": "pbkdf2"}]}
> >
> > I get a 201 but when I try to look up the user via the Web GUI User
> > Page tells me "*Error!* An unexpected server error has occurred"
> >
> > and I find in the logfile:
> >
> > 11:45:40,852 WARN? [org.keycloak.events] (default task-4)
> type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console,
> userId=null, ipAddress=127.0.0.1, error=invalid_token,
> grant_type=refresh_token, client_auth_method=client-secret
> > 11:45:50,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-4) Uncaught server error: java.lang.NullPointerException
> > ??????? at
> org.keycloak.models.jpa.JpaUserProvider.lambda$getStoredCredentialsByType$0(JpaUserProvider.java:976)
> > ??????? at
> java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> > ??????? at java.util.Iterator.forEachRemaining(Iterator.java:116)
> > ??????? at
> java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
> > ??????? at
> java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> > ??????? at
> java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> > ??????? at
> java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> > ??????? at
> java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> > ??????? at
> java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> > ??????? at
> org.keycloak.models.jpa.JpaUserProvider.getStoredCredentialsByType(JpaUserProvider.java:976)
> > ??????? at
> org.keycloak.credential.UserCredentialStoreManager.getStoredCredentialsByType(UserCredentialStoreManager.java:87)
> > ??????? at
> org.keycloak.credential.OTPCredentialProvider.configuredForTOTP(OTPCredentialProvider.java:198)
> > ??????? at
> org.keycloak.credential.OTPCredentialProvider.isConfiguredFor(OTPCredentialProvider.java:179)
> > ??????? at
> org.keycloak.credential.UserCredentialStoreManager.isConfiguredLocally(UserCredentialStoreManager.java:283)
> > ??????? at
> org.keycloak.credential.UserCredentialStoreManager.isConfiguredFor(UserCredentialStoreManager.java:276)
> > ??????? at
> org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:148)
> > ??????? at
> org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:225)
> > ??????? at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > ??????? at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > ??????? at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > ??????? at java.lang.reflect.Method.invoke(Method.java:498)
> > ??????? at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> > ??????? at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> > ??????? at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> > ??????? at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> >     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> >     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> >     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> >     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> >     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >     at java.lang.Thread.run(Thread.java:748)
> >
> > I figure there is something wrong with my JSON, but I can't figure out
> > what exactly it is. I tried googling this problem, but I could not
> > find an answer. Could you help me please ?
> >
> > Best regards
> >
> > Lars Liedtke
7 years, 8 months
Re: [keycloak-user] API-Problem creating a user
by Lars Liedtke
Hello,
Last week I wrote the mail cited below.
Now I got a bit further:
I can create a user and set attributes, but when I try to set a group,
this is just ignored, no matter if I try the group's name, path or id.
The second thing I discovered was that when I provide credentials
(PBKDF2 with HMAC and SHA1 in 20000 rounds) as I found here:
http://lists.jboss.org/pipermail/keycloak-user/2016-November/008211.html,
Keycloak's User "tab" simply breaks and refuses to show all users of a realm.
Does anyone know how to correctly post a user with a group and
credentials via the API?
Best Regards
Lars Liedtke
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info(a)punkt.de https://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285
> Hey everyone,
>
> I am trying to create users via the REST-API and I am stuck.
>
> When I try to post a user representation to Keycloak (after
> successfully logging in over the API) via script (Python using the
> requests framework) I get a 500 back and in the logfile of my Keycloak
> instance I find:
>
> 10:50:40,268 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not construct instance of org.keycloak.representations.idm.UserRepresentation: no String-argument constructor/factory method to deserialize from String value ('{"username": "TNG", "enabled": true, "attributes": {"ito_BinderLevelID1": ["1ACD47D7B9AFA0A9C12582E00048F997"], "ito_BinderLevelID2": ["0D6E18BCBDD3B14BC12582E1002AE459"]}, "credentials": [{"hashedSaltedValue": "02514a38a0f3e7c7f8eed0c7d4ce7bf25e48c845", "salt": "05ef149e8ccce076e30d6388aeedc03583dd75b4c4d88f380b094ba5c06df21b", "algorithm": "pbkdf2"}], "groups": ["/Bonding.Keycloak:CompanyEditor"]}')
> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1d3521de; line: 1, column: 1]
> at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
> at com.fasterxml.jackson.databind.DeserializationContext.instantiationException(DeserializationContext.java:1456)
> at com.fasterxml.jackson.databind.DeserializationContext.handleMissingInstantiator(DeserializationContext.java:1012)
> at com.fasterxml.jackson.databind.deser.ValueInstantiator._createFromStringFallbacks(ValueInstantiator.java:370)
> at com.fasterxml.jackson.databind.deser.std.StdValueInstantiator.createFromString(StdValueInstantiator.java:315)
> at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromString(BeanDeserializerBase.java:1283)
> at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:159)
> at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:150)
> at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1583)
> at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:964)
> at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:134)
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66)
> at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:61)
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56)
> at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:36)
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:59)
> at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
> at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:92)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:115)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
>
> When I try to create a user via Postman (after logging in) with the
> user being:
>
> {"username": "testuser1", "enabled": true, "attributes": {"ito_BinderLevelID1": ["32523129C2061E50C12581E60033075A"], "ito_BinderLevelID2": ["3AD0E53463EBC8F1C12581E600342FA2"]}, "groups": ["/Bonding.Keycloak:CompanyEditor"], "credentials": [{"hashedSaltedValue": "aa8c848ee6ac308a24e1e1bce1559902009f988a", "salt": "ab079c7702d171a2e558f940a7edda5e4e206005b2440eaab68cf6ad6938fe76", "algorithm": "pbkdf2"}]}
>
> I get a 201 but when I try to look up the user via the Web GUI User
> Page tells me "*Error!* An unexpected server error has occurred"
>
> and I find in the logfile:
>
> 11:45:40,852 WARN [org.keycloak.events] (default task-4) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
> 11:45:50,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: java.lang.NullPointerException
> at org.keycloak.models.jpa.JpaUserProvider.lambda$getStoredCredentialsByType$0(JpaUserProvider.java:976)
> at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
> at java.util.Iterator.forEachRemaining(Iterator.java:116)
> at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
> at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
> at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
> at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
> at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
> at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
> at org.keycloak.models.jpa.JpaUserProvider.getStoredCredentialsByType(JpaUserProvider.java:976)
> at org.keycloak.credential.UserCredentialStoreManager.getStoredCredentialsByType(UserCredentialStoreManager.java:87)
> at org.keycloak.credential.OTPCredentialProvider.configuredForTOTP(OTPCredentialProvider.java:198)
> at org.keycloak.credential.OTPCredentialProvider.isConfiguredFor(OTPCredentialProvider.java:179)
> at org.keycloak.credential.UserCredentialStoreManager.isConfiguredLocally(UserCredentialStoreManager.java:283)
> at org.keycloak.credential.UserCredentialStoreManager.isConfiguredFor(UserCredentialStoreManager.java:276)
> at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:148)
> at org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:225)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
>
> I figure there is something wrong with my JSON, but I can't figure out
> what exactly it is. I tried googling this problem, but I could not
> find an answer. Could you help me please ?
>
> Best regards
>
> Lars Liedtke
7 years, 8 months
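The Jackson error quoted in the mail above reports that the request body arrived as a single JSON string ('{...}') at line 1, column 1 rather than as a JSON object, which is what a body looks like after it has been serialized twice (for example when an already-dumped string is passed to the `json=` argument of `requests.post`). The following is an added example, not code from the thread: it checks the top-level JSON type before sending and builds a PBKDF2-HMAC-SHA1 credential entry with the 20000 rounds mentioned above. The `type` and `hashIterations` fields, the base64 encoding and the 64-byte derived key are assumptions about what Keycloak's credential import expects, and the user name, password and attribute value are constructed.

```python
import base64
import hashlib
import hmac
import json
import os

ITERATIONS = 20000        # rounds named in the thread
DERIVED_KEY_BYTES = 64    # assumption: 512-bit derived key


def pbkdf2_credential(password, salt=None, iterations=ITERATIONS):
    """Build one entry for the "credentials" list of a user representation."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                  iterations, DERIVED_KEY_BYTES)
    return {
        "type": "password",              # assumption: absent from the thread's payload
        "algorithm": "pbkdf2",
        "hashIterations": iterations,    # assumption: absent from the thread's payload
        "salt": base64.b64encode(salt).decode("ascii"),
        "hashedSaltedValue": base64.b64encode(derived).decode("ascii"),
    }


def credential_matches(cred, password):
    """Recompute the hash from the stored parameters and compare in constant time."""
    salt = base64.b64decode(cred["salt"])
    expected = base64.b64decode(cred["hashedSaltedValue"])
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                  cred["hashIterations"], len(expected))
    return hmac.compare_digest(derived, expected)


def top_level_json_type(body):
    """Return the JSON type a server-side parser sees at the start of the body."""
    parsed = json.loads(body)
    return {dict: "object", list: "array", str: "string"}.get(type(parsed), "other")


def build_user(username, password, attributes):
    """Assemble a user representation as a plain dict (not yet serialized)."""
    return {
        "username": username,
        "enabled": True,
        "attributes": attributes,
        "credentials": [pbkdf2_credential(password)],
    }


def serialize_once(user):
    """Serialize exactly once; reject input that was already a JSON string."""
    body = json.dumps(user)
    if top_level_json_type(body) != "object":
        raise ValueError("request body must be a JSON object, got a "
                         + top_level_json_type(body))
    return body


if __name__ == "__main__":
    # Constructed sample values, not taken from a real realm.
    user = build_user("testuser1", "constructed-password",
                      {"ito_BinderLevelID1": ["CONSTRUCTED-ID"]})
    good = serialize_once(user)
    bad = json.dumps(good)  # second dumps(): the shape shown in the Jackson error
    print("single encoding:", top_level_json_type(good))
    print("double encoding:", top_level_json_type(bad))
    print("credential verifies:",
          credential_matches(user["credentials"][0], "constructed-password"))
```

With `requests`, either pass the dict itself to `json=` or pass the string returned by `serialize_once` to `data=` together with a `Content-Type: application/json` header.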
How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
by Linda Sauder
Hello.
I am facing some issues. I want to secure a simple web application with Keycloak/SAML and Wildfly.
My set-up is a configured Keycloak server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
My test .war file contains a simple .html file which just says "Hello World". In the WEB-INF folder I also have the web.xml, which is configured like this:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>Application Container</display-name>
    <welcome-file-list>
        <welcome-file>ApplicationContainer.html</welcome-file>
    </welcome-file-list>
    <login-config>
        <auth-method>KEYCLOAK-SAML</auth-method>
        <realm-name>keycloak</realm-name>
    </login-config>
    <security-constraint>
        <display-name>Application Container Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>All Resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- With http-method elements present, the constraint covers only the
                 listed methods; other HTTP methods are not constrained by it. -->
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>hallo</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>
My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
Which brings me to the part where I thought I could use some login-module configuration from the standalone configuration. I tried to configure this one in a file named jboss-web.xml.
How can I handle the role mapping locally?
Thanks in advance.
--
Linda
7 years, 8 months