January 2019 - keycloak-user - Jboss List Archives

by Karipineni, Neelima,M.D.

We have a use case where we’re trying to implement an OAuth2 profile which requires an extra claim on the access token when a certain auth request scope is used. The expected behavior is that when a certain scope is present in the auth endpoint request then during the Authorization flow the user is shown an extra screen where they input an identifier which ultimately is included as a claim in the access token. Details are at http://docs.smarthealthit.org/authorization/ (Standalone launch sequence) for reference. Any suggestions on how to accomplish this in keycloak? I considered using an ActionToken like in the quickstarts external action token example, but the additional execution needs to happen even when the user has previously authenticated. It’s like an additional consent step after user and client authentication rather than an additional authentication step. My current thought is to implement a custom LoginProtocol that wraps OIDCLoginProtocol, as shown in https://github.com/keycloak/keycloak/tree/openshift-integration/services/..., and have an additional redirect in the authenticated method that functions similarly to the external action token example. The callback endpoint would persist the extra claim against the client session until the access token is requested. I’m not sure it’s possible to extend the OIDC protocol within a new protocol. Preliminarily after installing a shell wrapper protocol, it’s missing the OIDC configuration properties and mappers in the admin console. Is something like this possible without copying/recreating large chunks of the OIDC code? If not, any suggestions on alternative ways to accomplish this? As an additional wrench, we’re still on v3.3.0 and upgrade is not on the schedule as of now. The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.

6 years, 9 months

3
4
0 / 0

UserRepresentation enabled Boolean

by Matthew Broadhead

org.keycloak.representations.idm.UserRepresentation (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...) has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF (https://stackoverflow.com/questions/14400222/boolean-properties-starting-...) This also applies to totp and emailVerified in the same class.

6 years, 11 months

2
3
0 / 0

LDAP user federation with AD range retrieval

by Sidney Beekhoven

Hello, We have a keycloak setup (3.4.3.Final) with active directory as a user federation provider. We ran into an issue with adding a certain role to users. We got an error message like this: Uncaught server error: org.keycloak.models.ModelException: Could not modify attribute for DN [CN=xxxxxxx,OU=Roles,OU=Customers,DC=xxxxxxxx,DC=com] at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:569) at org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager.modifyAttributes(LDAPOperationManager.java:110) at org.keycloak.storage.ldap.idm.store.ldap.LDAPIdentityStore.update(LDAPIdentityStore.java:112) at org.keycloak.storage.ldap.LDAPUtils.addMember(LDAPUtils.java:181) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper.addRoleMappingInLDAP(RoleLDAPStorageMapper.java:262) at org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper$LDAPRoleMappingsUserDelegate.grantRole(RoleLDAPStorageMapper.java:380) at org.keycloak.models.cache.infinispan.UserAdapter.grantRole(UserAdapter.java:316) at org.keycloak.services.resources.admin.RoleMapperResource.addRealmRoleMappings(RoleMapperResource.java:236) … Caused by: javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057<tel:16%20-%2000000057>: LdapErr: DSID-0C090C03, comment: Error in attribute conversion operation, data 0, v1db1]; remaining name ‘CN=xxxxx,OU=Roles,OU=Customers,DC=xxxxxx,DC=com' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3175) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1475) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) After some investigation the issue is that active directory uses range retrieval when there are more than 1500 entries in the member (list) property of a group. See eg https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/s.... When i look at the keycloak source code it looks like keycloak does not handle/support the range retrieval, so an error happens when trying to add a user to that role. For now we work around the issue by setting the MaxValRange to a higher value. See https://support.microsoft.com/en-us/help/315071/how-to-view-and-set-ldap-... for more info about this. The real solution would probably be to add support for range retrieval in the keycloak ldap user federation provider, so i will create a jira ticket for that. Did anyone else maybe run into this issue, and if so had another solution for it? Kind regards, Sidney Beekhoven

6 years, 11 months

2
4
0 / 0

Re: [keycloak-user] Java 11 (Docker container base)

by Chris Brandhorst

Sebastian, The link [1] only shows support on RHEL and Windows environments. Do you mean to say the 2023 date is also valid for OpenJDK running in the Docker-version of Keycloak, regardless of underlying architecture? [1] https://access.redhat.com/articles/1299013 Chris > >From the support perspective, Red Hat offers extended support till June > 2023 [1]. > > Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess we > still have plenty of time to do the switch, so I wouldn't rush things too > much. > > BTW, why do you need JDK11, especially in the container? > > [1] https://access.redhat.com/articles/1299013 > >> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka <Pavel.Micka at zoomint.com> wrote: >> >> Sorry, end of january (my fault): >> https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java >> and OpenJDK will most probably start to diverge, as OpenJDK will not have >> access to Oracle repos (afaik). So the speed of security fixes will depend >> on willigness of community to fix the upcomming issues. >> >> Pavel >> >> >> From: Meissa M'baye Sakho <msakho at redhat.com> >> Sent: Tuesday, October 23, 2018 11:04 AM >> To: Pavel Micka <Pavel.Micka at zoomint.com> >> Cc: keycloak-user <keycloak-user at lists.jboss.org> >> Subject: Re: [keycloak-user] Java 11 (Docker container base) >> >> Hello, >> Pavel, where did you get the information that the official Java 8 support >> will cease at the end of december? >> https://access.redhat.com/articles/1299013 >> https://www.oracle.com/technetwork/java/javase/eol-135779.html >> Meissa >> >> Le lun. 22 oct. 2018 à 16:33, Pavel Micka <Pavel.Micka at zoomint.com<mailto: >> Pavel.Micka at zoomint.com>> a écrit : >> Hello everyone, >> >> What is the plan for Java 11 support? The point is that current versions >> of Docker containers are based on OpenJDK 8, but the official Java 8 >> support will cease at the end of December. Will Keycloak use Java 11 by >> that time or will it rely on updates provided by the community. >> >> This is important to us, as Keycloak is important part of our app security. >> >> Thanks, >> >> Pavel >> >> // I have found this ticket in Jira, but it does not provide too many >> details: https://issues.jboss.org/browse/KEYCLOAK-7811 >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user

7 years

4
3
0 / 0

Version endpoint removal

by Matt Evans

Hi I was wondering why the /auth/version endpoint was removed in 4.0.0? Thanks Matt

7 years, 2 months

3
4
0 / 0

KC installation DB problems

by Henning Waack

Dear all. I try to setup KC 4.2.1 (also tried with 4.0.0) on Ubuntu 18.04 with Mysq 5.7l/MariaDB 10.x. It works totally fine on my Vagrant box (I use Ansible), but on the "real" server the Liquibase init scripts time out. Please note that the DB is installed physically on the same machine as Keycloak, connection is done trough localhost. The error is some kind of transaction timeout exception, please see below the log. It is interesting to note that a) the script runs for more than 5 minutes before it fails, and b) most tables have been created in the DB, but after this error the state is unrecoverable. Do you have any pointers/hints on why I run into these timeout issues? I am totally at loss, having tried so many combinations (KC version x DB type x DB version), which all run fine on Vagrant but fail on the server. Thanks in advance & greetings Henning ------ 2018-09-20 19:00:53,220 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 49) Node name: sso, Site name: null 2018-09-20 19:00:55,982 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 49) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml 2018-09-20 19:05:53,240 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e in state RUN 2018-09-20 19:05:53,252 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e 2018-09-20 19:05:53,938 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 in state RUN 2018-09-20 19:05:53,940 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012121: TransactionReaper::doCancellations worker Thread[Transaction Reaper Worker 0,5,main] successfully canceled TX 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 2018-09-20 19:06:13,864 INFO [org.hibernate.jpa.internal.util.LogHelper] (ServerService Thread Pool -- 49) HHH000204: Processing PersistenceUnitInfo [ name: keycloak-default ...] 2018-09-20 19:06:13,913 INFO [org.hibernate.Version] (ServerService Thread Pool -- 49) HHH000412: Hibernate Core {5.1.10.Final} 2018-09-20 19:06:13,914 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000206: hibernate.properties not found 2018-09-20 19:06:13,916 INFO [org.hibernate.cfg.Environment] (ServerService Thread Pool -- 49) HHH000021: Bytecode provider name : javassist 2018-09-20 19:06:13,943 INFO [org.hibernate.annotations.common.Version] (ServerService Thread Pool -- 49) HCANN000001: Hibernate Commons Annotations {5.0.1.Final} 2018-09-20 19:06:14,076 INFO [org.hibernate.dialect.Dialect] (ServerService Thread Pool -- 49) HHH000400: Using dialect: org.hibernate.dialect.MySQL5Dialect 2018-09-20 19:06:14,107 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] (ServerService Thread Pool -- 49) Envers integration enabled? : true 2018-09-20 19:06:14,534 INFO [org.hibernate.validator.internal.util.Version] (ServerService Thread Pool -- 49) HV000001: Hibernate Validator 5.3.5.Final 2018-09-20 19:06:15,154 INFO [org.hibernate.hql.internal.QueryTranslatorFactoryInitiator] (ServerService Thread Pool -- 49) HHH000397: Using ASTQueryTranslatorFactory 2018-09-20 19:06:15,842 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) SQL Error: 0, SQLState: null 2018-09-20 19:06:15,842 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (ServerService Thread Pool -- 49) javax.resource.ResourceException: IJ000460: Error checking for a transaction 2018-09-20 19:06:15,843 INFO [org.hibernate.event.internal.DefaultLoadEventListener] (ServerService Thread Pool -- 49) HHH000327: Error performing load command : org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection 2018-09-20 19:06:15,844 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 2018-09-20 19:06:15,850 WARN [com.arjuna.ats.arjuna] (ServerService Thread Pool -- 49) ARJUNA012077: Abort called on already aborted atomic action 0:ffff91eff4af:-1fd3cdfc:5ba3d243:e 2018-09-20 19:06:15,853 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal 2018-09-20 19:06:15,857 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 49) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) ... 6 more Caused by: org.keycloak.models.ModelException: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:61) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:51) at com.sun.proxy.$Proxy68.find(Unknown Source) at org.keycloak.models.jpa.MigrationModelAdapter.getStoredVersion(MigrationModelAdapter.java:38) at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:84) at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245) at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 28 more Caused by: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1619) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1106) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1033) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:49) ... 41 more Caused by: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:87) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getPhysicalConnection(LogicalConnectionManagedImpl.java:109) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.connection(StatementPreparerImpl.java:47) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.prepareQueryStatement(AbstractLoadPlanBasedLoader.java:241) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeQueryStatement(AbstractLoadPlanBasedLoader.java:185) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:121) at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86) at org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader.load(AbstractLoadPlanBasedEntityLoader.java:167) at org.hibernate.persister.entity.AbstractEntityPersister.load(AbstractEntityPersister.java:4069) at org.hibernate.event.internal.DefaultLoadEventListener.loadFromDatasource(DefaultLoadEventListener.java:508) at org.hibernate.event.internal.DefaultLoadEventListener.doLoad(DefaultLoadEventListener.java:478) at org.hibernate.event.internal.DefaultLoadEventListener.load(DefaultLoadEventListener.java:219) at org.hibernate.event.internal.DefaultLoadEventListener.proxyOrLoad(DefaultLoadEventListener.java:278) at org.hibernate.event.internal.DefaultLoadEventListener.doOnLoad(DefaultLoadEventListener.java:121) at org.hibernate.event.internal.DefaultLoadEventListener.onLoad(DefaultLoadEventListener.java:89) at org.hibernate.internal.SessionImpl.fireLoad(SessionImpl.java:1142) at org.hibernate.internal.SessionImpl.access$2600(SessionImpl.java:167) at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.doLoad(SessionImpl.java:2762) at org.hibernate.internal.SessionImpl$IdentifierLoadAccessImpl.load(SessionImpl.java:2741) at org.hibernate.internal.SessionImpl.get(SessionImpl.java:978) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.find(AbstractEntityManagerImpl.java:1075) ... 47 more Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000460: Error checking for a transaction at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122) at org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:386) at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:84) ... 70 more Caused by: javax.resource.ResourceException: IJ000460: Error checking for a transaction at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:425) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 74 more Caused by: javax.resource.ResourceException: IJ000459: Transaction is not active: tx=Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffff91eff4af:-1fd3cdfc:5ba3d243:11 status: ActionStatus.ABORTED >, owner=Local transaction context for provider JBoss JTA transaction provider) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:409) ... 76 more 2018-09-20 19:06:15,872 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTPS listener https suspending 2018-09-20 19:06:15,872 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-3) WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS] 2018-09-20 19:06:15,877 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] 2018-09-20 19:06:15,878 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-6) WFLYJCA0019: Stopped Driver service with driver-name = h2 2018-09-20 19:06:15,881 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-2) WFLYJCA0019: Stopped Driver service with driver-name = mariadb 2018-09-20 19:06:15,881 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443 2018-09-20 19:06:15,885 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTP listener default suspendi --

7 years, 2 months

2
1
0 / 0

Is it possible to assign user group to specific user storage?

by Jon Huang

Hi everyone, Please forgive me if this issue was ever asked previously. I would like to know if it is possible to assign role to specific federation provider? (for example below, user1 & 2 has role1 and user3 has role2) It's hard to assign role to user one by one via UI. (too many users) Nor default group can only assign role to every user. Or is there any other way to achieve the goal? Thanks [image: image.png]

7 years, 2 months

2
2
0 / 0

TCPPING problem.

by Vaclav Havlik

Dears, I would like to ask a question. I have Wildfly, version WildFly Full 14.0.1.Final(http://14.0.1.final) (WildFly Core 6.0.2.Final(http://6.0.2.final)) . And then I have Keycloak, version Keycloak 4.7.0.Final(http://4.7.0.final) (WildFly Core 6.0.2.Final(http://6.0.2.final)) . Static cluster configuration, using TCPPING, works in Wildflys, but does not work in Keycloaks. I always have 2 instances on localhost (browser thus sends them the same JSESSIONID). On both I have deployed a testing clustering webapp, with which to test, if sessions are replicated. But Keycloaks do not pass sessions to each other. I can see that when the page from the second instance is reloaded in browser, it sends Set-Cookie header with another cookie, as it obviously does not know the JSESSIONID from the first instance. With Wildflys the same does work. Can you tell me, is there any reason, why this is the case, when Keycloak uses Wildfly ? Thank you. With regards V. Havlik.

7 years, 2 months

2
3
0 / 0

RP-initiated backchannel logout

by Мартынов Илья

Hello, My RP should support dropping user's session by admin. I need to drop KC session together with RP's session. But I can't use frontchannel here as admin is dropping session for another user. So RP-initiated backchannel logout is required. I see no docs about this functionality in KC. We use OpenID Connect between RP and KC, so I've searched protocol specs. From section "3. RP-Initiated Logout Functionality" of https://openid.net/specs/openid-connect-backchannel-1_0.html and from section "5. RP-Initiated Logout" of https://openid.net/specs/openid-connect-session-1_0.html one can conclude that sending backchannel request to end_session_endpoint with ID token should drop the session on KC side. Could you please comment, is my understanding correct?

7 years, 2 months

1
1
0 / 0

Deploying Keycloak on Openshift with MariaDB persistence produces errors in logs

by Cristi Cioriia

Hello, While deploying Keycloak 4.5.0.Final in an Openshift environment, using Mariadb (Galera) as a database produces several exceptions in the logs, all of them being related to the communication between the Keycloak server and the database. The access to the Galera server (3 instances) is performed via a Maxscale proxy. The Galera server, Maxscale (deployment of 3 pods) and Keycloak (deployment of 2 replicas) are all deployed inside Openshift, on AWS (1master + 3 workers). I am hoping you guys can help with fixing these issues. The errors look like below: 08:40:46,603 WARN [org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory] (ConnectionValidator) IJ030027: Destroying connection that is not valid, due to the following exception: org.mariadb.jdbc.MariaDbConnection@76883993: java.sql.SQLNonTransientConnectionException: (conn=24) unexpected end of stream, read 0 bytes from 4 (socket was closed by server) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.MariaDbStatement.executeExceptionEpilogue(MariaDbStatement.java:228) at org.mariadb.jdbc.MariaDbStatement.executeInternal(MariaDbStatement.java:334) at org.mariadb.jdbc.MariaDbStatement.execute(MariaDbStatement.java:386) at org.jboss.jca.adapters.jdbc.CheckValidConnectionSQL.isValidConnection(CheckValidConnectionSQL.java:74) at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.isValidConnection(BaseWrapperManagedConnectionFactory.java:1273) at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getInvalidConnections(BaseWrapperManagedConnectionFactory.java:1086) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.validateConnections(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1442) at org.jboss.jca.core.connectionmanager.pool.validator.ConnectionValidator$ConnectionValidatorRunner.run(ConnectionValidator.java:277) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.sql.SQLException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server) Query is: SELECT 1 at org.mariadb.jdbc.internal.util.LogQueryTool.exceptionWithQuery(LogQueryTool.java:119) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:199) at org.mariadb.jdbc.MariaDbStatement.executeInternal(MariaDbStatement.java:328) ... 9 more Caused by: java.io.EOFException: unexpected end of stream, read 0 bytes from 4 (socket was closed by server) at org.mariadb.jdbc.internal.io.input.StandardPacketInputStream.getPacketArray(StandardPacketInputStream.java:239) at org.mariadb.jdbc.internal.io.input.StandardPacketInputStream.getPacket(StandardPacketInputStream.java:207) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.readPacket(AbstractQueryProtocol.java:1347) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.getResult(AbstractQueryProtocol.java:1328) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:196) ... 10 more I suspect that the errors come from the way the jdbc data source is configured. The mariadb configurations related to connections and wait timeouts are like below: max_connections=1000 wait_timeout=180 The second issue I noticed was the following: one of the pods in the deployments (we deploy 2 replicas of Keycloak) sometimes does not start correctly because of the following exception, which is still related to the database connection: 08:13:03,409 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 52) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) at org.jboss.threads.JBossThread.run(JBossThread.java:485) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2676) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:361) at org.jboss.resteasy.spi.ResteasyDeployment.startInternal(ResteasyDeployment.java:274) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:86) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:119) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:300) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:140) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:584) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:555) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:597) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:97) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78) ... 8 more Caused by: java.lang.RuntimeException: Failed to connect to database at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:373) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lazyInit(LiquibaseDBLockProvider.java:65) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.lambda$waitForLock$0(LiquibaseDBLockProvider.java:97) at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTransaction(KeycloakModelUtils.java:611) at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:95) at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:143) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) ... 31 more Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146) at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:64) at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.getConnection(DefaultJpaConnectionProviderFactory.java:367) ... 43 more Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:690) at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:789) at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138) ... 45 more Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:287) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1326) at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:499) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:632) at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:604) at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:624) ... 48 more Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1093) at org.mariadb.jdbc.internal.util.Utils.retrieveProxy(Utils.java:494) at org.mariadb.jdbc.MariaDbConnection.newConnection(MariaDbConnection.java:150) at org.mariadb.jdbc.Driver.connect(Driver.java:86) at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321) ... 55 more Caused by: java.sql.SQLNonTransientConnectionException: could not load system variables at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.connException(ExceptionMapper.java:83) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readPipelineAdditionalData(AbstractConnectProtocol.java:606) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connect(AbstractConnectProtocol.java:477) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.connectWithoutProxy(AbstractConnectProtocol.java:1089) ... 59 more Caused by: java.sql.SQLException: Error reading SessionVariables results. Socket is connected ? true at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readRequestSessionVariables(AbstractConnectProtocol.java:572) at org.mariadb.jdbc.internal.protocol.AbstractConnectProtocol.readPipelineAdditionalData(AbstractConnectProtocol.java:603) ... 61 more The pod is in state running, but it is not ready, as it can be seen below: oc describe pod keycloak-787795bbcb-qng6j Name: keycloak-787795bbcb-qng6j Namespace: frame-2900 Start Time: Thu, 25 Oct 2018 10:03:30 +0200 Labels: application=keycloak pod-template-hash=3433516676 Annotations: openshift.io/scc=restricted Status: *Running* IP: 10.131.0.12 Controlled By: ReplicaSet/keycloak-787795bbcb Containers: keycloak: Container ID: docker://b703c13a70ffa24f696e08996590b972ec65e6b6041f8d08f50a44372b9e4760 Image: jboss/keycloak Image ID: docker-pullable:// docker.io/jboss/keycloak@sha256:cb5c24d06f22c51ca193e6d1e930d206ef0b841a745f8e475a08e33f10b38ad4 Ports: 8080/TCP, 8443/TCP *State: Waiting* * Reason: CrashLoopBackOff* Last State: Terminated Reason: Error Exit Code: 1 Started: Thu, 25 Oct 2018 10:12:43 +0200 Finished: Thu, 25 Oct 2018 10:13:03 +0200 Ready: False * Restart Count: 6* Liveness: http-get http://:8080/auth/realms/master delay=60s timeout=1s period=10s #success=1 #failure=3 Readiness: http-get http://:8080/auth/realms/master delay=30s timeout=1s period=10s #success=1 #failure=10 Environment: KEYCLOAK_USER: BokIm2Kl KEYCLOAK_PASSWORD: o8QobI0D PROXY_ADDRESS_FORWARDING: true DB_VENDOR: MARIADB JGROUPS_DISCOVERY_PROTOCOL: dns.DNS_PING JGROUPS_DISCOVERY_PROPERTIES: dns_query=keycloak.default.svc.cluster.local DB_ADDR: max-scale DB_DATABASE: keycloak DB_PORT: 4408 DB_USER: <set to the key 'keycloakDatabaseUserName' in secret 'qa-complex-secret'> Optional: false DB_PASSWORD: <set to the key 'keycloakDatabaseUserPassword' in secret 'qa-complex-secret'> Optional: false Mounts: /var/run/secrets/kubernetes.io/serviceaccount from frame-2900-token-k8cwj (ro) Conditions: Type Status Initialized True Ready False PodScheduled True Volumes: frame-2900-token-k8cwj: Type: Secret (a volume populated by a Secret) SecretName: frame-2900-token-k8cwj Optional: false QoS Class: BestEffort Node-Selectors: node-role.kubernetes.io/compute=true Tolerations: <none> Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Scheduled 11m default-scheduler Successfully assigned keycloak-787795bbcb-qng6j to ip-10-0-141-24.eu-west-1.compute.internal Normal SuccessfulMountVolume 11m kubelet, ip-10-0-141-24.eu-west-1.compute.internal MountVolume.SetUp succeeded for volume "frame-2900-token-k8cwj" Normal Pulled 7m (x4 over 9m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Successfully pulled image "jboss/keycloak" Normal Created 7m (x4 over 9m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Created container Normal Started 7m (x4 over 9m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Started container Normal Pulling 6m (x5 over 10m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal pulling image "jboss/keycloak" Warning BackOff 53s (x31 over 8m) kubelet, ip-10-0-141-24.eu-west-1.compute.internal Back-off restarting failed container The pod is restarted several times it seems, but it does not start correctly. I deleted the pod and it was recreated automatically by Openshift and the new pod started correctly. Then, there is a third issue that I've encountered while trying to login into the deployed application. While entering some wrong credentials I got an error page and noticed in the logs that there is still a database connection error: 08:18:12,405 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492) at org.keycloak.models.jpa.JpaUserProvider.getUserByUsername(JpaUserProvider.java:526) at org.keycloak.storage.UserStorageManager.getUserByUsername(UserStorageManager.java:390) at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:253) at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:213) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:153) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: org.hibernate.exception.JDBCConnectionException: could not extract ResultSet at org.hibernate.exception.internal.SQLExceptionTypeDelegate.convert(SQLExceptionTypeDelegate.java:48) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:79) at org.hibernate.loader.Loader.getResultSet(Loader.java:2122) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1905) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1881) at org.hibernate.loader.Loader.doQuery(Loader.java:925) at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:342) at org.hibernate.loader.Loader.doList(Loader.java:2622) at org.hibernate.loader.Loader.doList(Loader.java:2605) at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2434) at org.hibernate.loader.Loader.list(Loader.java:2429) at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501) at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:370) at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216) at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1339) at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) ... 83 more Caused by: java.sql.SQLNonTransientConnectionException: (conn=476) Connection is closed at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.get(ExceptionMapper.java:175) at org.mariadb.jdbc.internal.util.exceptions.ExceptionMapper.getException(ExceptionMapper.java:110) at org.mariadb.jdbc.MariaDbStatement.executeExceptionEpilogue(MariaDbStatement.java:228) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:216) at org.mariadb.jdbc.MariaDbPreparedStatementClient.execute(MariaDbPreparedStatementClient.java:150) at org.mariadb.jdb c.MariaDbPreparedStatementClient.executeQuery(MariaDbPreparedStatementClient.java:164) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70) ... 99 more Caused by: java.sql.SQLException: Connection is closed at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.cmdPrologue(AbstractQueryProtocol.java:1711) at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.executeQuery(AbstractQueryProtocol.java:237) at org.mariadb.jdbc.MariaDbPreparedStatementClient.executeInternal(MariaDbPreparedStatementClient.java:209) ... 103 more After a couple of seconds, the issue dissapeared, probably because Keycloak was able to get a valid connection from the connection pool. Thanks in advance for your help. Greetings, Cristi

7 years, 2 months

2
1
0 / 0

Get a GSSCredential when user browser is not in Active Directory domain

by Chris Smith

I have setup my servlet to authenticate a user my web app using Keycloak Active Directory ldap user federation I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain. When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet. I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping). Less than 1% of the users will be using browsers on workstations in the Active Directory domain. Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?

7 years, 2 months

3
5
0 / 0

Switching to Native JavaScript promise by default

by Stian Thorgersen

I would like to switch the JavaScript adapter to use Native promises by default and deprecate the legacy promise with the aim to remove it in the future. This would result in users that want to continue to use the legacy promise having to explicitly enable this in the config. I see this as the best path to eventually remove the legacy promises.

7 years, 3 months

3
3
0 / 0

Role Mappings on Subsequent Logons

by Will Osborn

Hi, I have setup a keycloak server and using an identity provider successfully setup SSO with claims to role mappings. Is there any way to allow subsequent logons to recheck the claims and reapply the role mappings so if they change in the identity provide system those changes are passed through to Keycloak? Thanks Will [/var/folders/zg/5xxh34t177b013xm4c89lzw00000gp/T/com.microsoft.Outlook/WebArchiveCopyPasteTempFiles/AeG8I8l0vp2nAAAAABJRU5ErkJggg==] Will Osborn | Head of delivery Phone +44 203 9301640 VAKT Global Ltd, Floor 24 1 Canada Square,  London, E14 5AB Disclaimer: This e-mail and any attachment may contain information that is privileged or confidential. It is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, please notify the author immediately by telephone or by replying to this e-mail, and then delete all copies of the e-mail on your system. If you are not the intended recipient, you must not use, disclose, distribute, copy, print or rely on this e-mail. Whilst we have taken reasonable precautions to ensure that this e-mail and any attachment has been checked for viruses, we cannot guarantee that they are virus free and we cannot accept liability for any damage sustained as a result of software viruses. We would advise that you carry out your own virus checks, especially before opening an attachment. VAKT Global Limited is registered in England and Wales under the Company Number 11295972. Its registered office is Floor 24, 1 Canada Square, London, E14 5AB.

7 years, 3 months

2
1
0 / 0

Getting timestamp from EVENT_ENTITY

by Edmund Loh

The EVENT_TIME column in the EVENT_ENTITY table is stored as datatype NUMBER(38,0). How can I go about converting this to a timestamp through the use of SQL statements?

7 years, 3 months

2
1
0 / 0

Customize saml response

by Pulkit Srivastava

Hi, I am using as external idp with keycloak. External idp sends SAML response to keycloak but keycloak modifies that response before sending it to the application, so i am unable to get some important attributes. How can we stop keycloak from modifying the response or how can we customize the response. Thanks, Pulkit

7 years, 3 months

2
1
0 / 0

Retrieve all accessible applications for the logged user

by Denis Danov

Hi Keycloak members, I am excited writing to you and I hope someone will answer. I am working on an application that should be registered and secured in Keycloak. Once the user is authenticated we want to show list of all other applications that the user has access to. Can this information be retrieved via REST API as I can see that it is already available from Keycloak UI for user's account under section applications https://www.keycloak.org/docs/3.3/server_admin/topics/account.html Regards, Denis Danov

7 years, 3 months

3
4
0 / 0

[spring-boot-adapter] get token/principal/etc.

by Pavel Maslov

Hi, guys. Haven't been here for quite a while :) I'm using the Springboot Keycloak adapter (org.keycloak:keycloak-spring-boot-starter:4.6.0.Final) to secure my REST API via bearer token [1]. And it works! Cool. Now, I would like to get the access token in my @RestController, or even better some information about the user. Is it possible? Thanks in advance. Regards, Pavel Maslov, MS [1] https://github.com/maslick/barkoder

7 years, 3 months

3
10
0 / 0

Showing error messages originating from external identity providers

by Guy Marom

Hello all, First of - thanks for developing this. The product is very useful for us! Second, I wanted to ask about external identity providers. We have an integration with *Azure Active Directory* and I configured an app in Azure that does not allow all users to use it by default, instead I need to assign a user to the app. When I try to login to Keycloak with a user that's unauthorized, I get redirected to Keycloak's login page with no error message shown. Is there a way to fix this (other than editing the HTML template of the login page)? Thanks, Guy Marom

7 years, 3 months

2
1
0 / 0

Send email on creating new user

by Pavel Maslov

Hi all, When I manually create a new user from the Keycloak Admin Console (UI), can Keycloak automatically send an email to that person? >From what I can see now the user does not know that I have created an account, unless I inform them (e.g. by email). Regards, Pavel Maslov, MS

7 years, 3 months

2
1
0 / 0

Add optional LDAP userPassword hashing

by BOUVIER Jean-Damien

Hi all ! My problem is described in the KEYCLOAK-4989 issue, titled < add optional LDAP userPassword hashing > I'm in the worst case scenario as I use OpenLDAP that doesn't hash password by default and the way it has been installed, I don't have the < ppolicy overlay > available. So Keycloak sends password in clear text and I thought that I could add specific OpenLDAP configuration to hash the password before. The LDAP administration has already some specific configuration for AD and I thought that I could start from here. (org.keycloak.storage.ldap.mappers.msad. MSADUserAccountControlStorageMapperFactory for example) So, I've written my own StorageMapperFactory : public class OpenLDAPUserAccountControlStorageMapperFactory implements LDAPStorageMapperFactory<LDAPStorageMapper> That needs these dependencies : <dependencies> <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-core</artifactId> <version>${version.keycloak}</version> <scope>provided</scope> </dependency> <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-services</artifactId> <version>${version.keycloak}</version> <scope>provided</scope> </dependency> <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-server-spi</artifactId> <version>${version.keycloak}</version> <scope>provided</scope> </dependency> <dependency> <groupId>org.keycloak</groupId> <artifactId>keycloak-ldap-federation</artifactId> <version>${version.keycloak}</version> <scope>provided</scope> </dependency> </dependencies> But whenever I try to deploy the jar, I get : cat hash-password-openldap-provider.jar.failed {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"hash-password-openldap-provider.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"hash-password-openldap-provider.jar\" Caused by: java.lang.NoClassDefFoundError: Failed to link fr/calvados/keycloak/storage/ldap/mappers/openldap/OpenLDAPUserAccountControlStorageMapperFactory (Module \"deployment.hash-password-openldap-provider.jar\" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPStorageMapperFactory"}} I probably lack one dependence but I can't find which one as the error message doesn't give a clue and my maven project compiles. Could you help me to find out what is wrong ? Regards, Jean-Damien Bouvier <a href="http://www.calvados.fr" target="_blank"><img src="https://www.calvados.fr/files/live/sites/calvados/files/signature-departe..." alt="Calvados Département - www.calvados.fr" border=0/></a> ************************************************************************************************** « Cette transmission contient des informations confidentielles et/ou personnelles appartenant au conseil départemental du Calvados pour être utilisées exclusivement par le destinataire. Toute utilisation, reproduction, publication, diffusion en l'état ou partiellement par une autre personne que le destinataire est interdite, sauf autorisation expresse du conseil départemental du Calvados. En cas d'erreur de transmission, merci de détruire le(s) document(s) reçu(s). Le conseil départemental du Calvados n'est pas responsable des virus, altérations, falsifications. Droits réservés - conseil départemental du Calvados». **************************************************************************************************

7 years, 3 months

2
1
0 / 0

Getting 'Failed to find provider' when attempting to set default SPI provider

by Jared Blashka

I'm trying to use a custom Email sender provider with keycloak 3.4.3.Final but something isn't working correctly because keycloak fails to start up with: java.lang.RuntimeException: Failed to find provider serviceEmailSender for emailSender I'm deploying the provider via a war in the /deployments directory. I have the factory class listed in the META-INF/services/org.keycloak.email.EmailSenderProviderFactory file I've added this to the keycloak-server subsystem <spi name="emailSender"> <default-provider>serviceEmailSender</default-provider> <provider name="serviceEmailSender" enabled="true"/> </spi> If I leave out the <default-provider> entry and restart the server I can see that the init() method is called on my EmailSenderProviderFactory implementation so as far as I can tell everything is configured correctly. But keycloak doesn't like when I try to set this provider as the default. Is there something I'm missing? Jared

7 years, 3 months

2
1
0 / 0

Admin client API - usersResource.list(offset, limit) - slowness

by Shetty, Shweta

We are seeing extreme slowness in using this API, we are still not sure what could be the culprit. We enabled more logging on the postgres side of thing, thinking it could be related to keycloak – postgres slowness. Once we enabled more logging, we do see that keycloak is issuing a query like this one at a rate of about one per millisecond ```select clientscop0_.ROLE_ID as col_0_0_ from CLIENT_SCOPE_ROLE_MAPPING clientscop0_ where clientscop0_.SCOPE_ID=$1``` This fills up the logs so that it is hard to see anything else. This could be the cause of the problem; which could be slowing postgres down. We wanted to know if its some configuration issue which we can optimize to overcome this issue or if it’s a known issue. Please advice. Shweta

7 years, 3 months

2
1
0 / 0

Logout from IDP with Spring Keycloak adaptor

by Hylton Peimer

I have a Keycloak Security Adaptor setup with a logout URL "/sso/logout". The user logins in using to my application using an IDP, and then logs out by POSTing to the /sso/logout the - they are redirected to the login page. However when attempted to login again, the user doesn't need to reauthenticate. It seems Spring doesn't logout from the IDP. Is there a simple way to get Spring to logout from the IDP? Should I change the logout URL?

7 years, 3 months

2
1
0 / 0

Custom ClaimInformationPointProvider for Spring Boot not called.

by Alexey Titorenko

Hello guys! Can someone help me please with the following problem. I need to configure context based access control for my REST-service, when attributes of the protected resources are pushed to Keycloak server for policy evaluation. Protected service is built on Spring Boot. I’ve configured the system and all works fine with OOTB Claim Information Point provider ‘claims’. But I need a custom one. And this custom CIP is not working. I see from the debug logging, that policy enforcer calls ‘getName()’ and ‘init()’ on my CIP Factory, but _never_ calls ‘create()’, thus, never instantiates the CIP. Below are application.properties for Spring boot and CIP config file. My custom CIP Provider has ‘document’ name. I call both /documents/- Get an Thank you, Alexey application.properties ---------------------------------- svc.name=docs-uma server.port = 8085 keycloak.realm=DemoApp keycloak.auth-server-url=http://localhost:8180/auth keycloak.ssl-required=external keycloak.resource=docs-svc-uma keycloak.cors=true keycloak.use-resource-role-mappings=true keycloak.verify-token-audience=false keycloak.credentials.secret=0e55734e-aadc-4268-8757-b5dca453980a keycloak.confidential-port=0 keycloak.bearer-only=true keycloak.securityConstraints[0].securityCollections[0].name = secured operation keycloak.securityConstraints[0].authRoles[0] = user keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /documents keycloak.securityConstraints[0].securityCollections[0].patterns[1] = /documents/ keycloak.securityConstraints[1].securityCollections[0].name = admin operation keycloak.securityConstraints[1].authRoles[0] = admin keycloak.securityConstraints[1].securityCollections[0].patterns[0] = /admin keycloak.securityConstraints[1].securityCollections[0].patterns[1] = /admin/ logging.level.org.keycloak=DEBUG logging.level.dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip=DEBUG # policy enforcer keycloak.policy-enforcer-config.lazy-load-paths=true keycloak.policy-enforcer-config.on-deny-redirect-to=/public keycloak.policy-enforcer-config.paths[0].name=Public Resources keycloak.policy-enforcer-config.paths[0].path=/* keycloak.policy-enforcer-config.paths[1].name=Document creation keycloak.policy-enforcer-config.paths[1].path=/documents/* keycloak.policy-enforcer-config.paths[1].methods[0].method=POST keycloak.policy-enforcer-config.paths[1].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:create keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.claims[test]={request.method} keycloak.policy-enforcer-config.paths[1].claimInformationPointConfig.document[uri]={request.method} keycloak.policy-enforcer-config.paths[2].name=Document List keycloak.policy-enforcer-config.paths[2].path=/documents keycloak.policy-enforcer-config.paths[2].methods[0].method=GET keycloak.policy-enforcer-config.paths[2].methods[0].scopes[0]=urn:docs-svc-uma:resources:documents:list keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.claims[test]={request.method} keycloak.policy-enforcer-config.paths[2].claimInformationPointConfig.document[uri]={request.method} keycloak.policy-enforcer-config.paths[3].name=Admin Resources keycloak.policy-enforcer-config.paths[3].path=/admin/* keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[some-claim]={request.uri} keycloak.policy-enforcer-config.paths[3].claimInformationPointConfig.claims[claims-from-document]={request.uri} META-INF/services/org.keycloak.adapters.authorization.ClaimInformationPointProviderFactory ------------------------------------------------------------------------ dtg.plays.iam.keycloak.demo.backend.docs.auth.keycloak.cip.DocumentCIPProviderFactory

7 years, 3 months

3
6
0 / 0

Incomplete ClientRepresentation returned from /{realm}/clients REST endpoint

by John Dennis

A GET on the /{realm}/clients REST endpoint is supposed to return an array of ClientRepresentation JSON objects. This is documented here: https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clients_resource According to the REST documentation (https://www.keycloak.org/docs-api/4.8/rest-api/index.html#_clientrepresen...) a ClientRepresentation is supposed to contain the following top level keys: access adminUrl attributes authenticationFlowBindingOverrides authorizationServicesEnabled authorizationSettings baseUrl bearerOnly clientAuthenticatorType clientId consentRequired defaultClientScopes defaultRoles description directAccessGrantsEnabled enabled frontchannelLogout fullScopeAllowed id implicitFlowEnabled name nodeReRegistrationTimeout notBefore optionalClientScopes origin protocol protocolMappers publicClient redirectUris registeredNodes registrationAccessToken rootUrl secret serviceAccountsEnabled standardFlowEnabled surrogateAuthRequired webOrigins However when authenticated as the admin in the master realm on Keycloak version 4.8.2.Final a GET on /{realm}/clients returns ClientRepresentation's containing only these keys: access attributes authenticationFlowBindingOverrides bearerOnly clientAuthenticatorType clientId consentRequired defaultClientScopes directAccessGrantsEnabled enabled frontchannelLogout fullScopeAllowed id implicitFlowEnabled nodeReRegistrationTimeout notBefore optionalClientScopes protocol publicClient redirectUris serviceAccountsEnabled standardFlowEnabled surrogateAuthRequired webOrigins This means the following keys are omitted from the ClientRepresentation. Why? adminUrl authorizationServicesEnabled authorizationSettings baseUrl defaultRoles description name origin protocolMappers registeredNodes registrationAccessToken rootUrl secret As far as I can tell the documented ClientRepresentation closely matches what is in the code here: https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k... I believe this is the method used to return the ClientRepresentation from the REST endpoint: https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44... The conversion from model to representation occurs here: https://github.com/keycloak/keycloak/blob/885eec5ef2628e41d59f4017745df44... I don't see anything which is dropping the missing keys in the returned ClientRepresentation. Is something filtering the result? The context for the question arises from this: We were creating a client via a PUT and allowing Keycloak to generate the client secret, we then wanted to extract the client secret from the ClientRepresentation but it's absent. I can also undersand why the client secret might be omitted for security reasons (although I did find that seems to replace that value with "**********", but that's not happening either, it's just absent). That's when we noticed it wasn't just the client secret that was missign but 12 other keys as well. -- John Dennis

7 years, 3 months

2
1
0 / 0

Force certain realm users to login via IDP

by Tim Hedlund

We are looking into using IDP (Azure AD) for login. Some users (admins) will then authenticate there. The need for this is that Keycloak admins (user management in certain realm) will need to authenticate via two factor because of company policies. So I've already setup a working integration with AD. The problem now is that pre-existing users that already had a login and password in Keycloak must no longer be able to use login/password. This is to force IDP (two factor) login. I've tried to "Disable Credentials" for "password" for such a user but still he could login. I'm thinking of a solution where we script a custom browser flow action where we check is the user is a admin and then denies him if using password. Any thoughts or suggestions? Regards Tim

7 years, 3 months

2
2
0 / 0

Custom Authenticator

by Artem Grebenkin

Hi folks, I have following use case. There is a service which creates ("registers") a user in keycloak over REST API. After that I would like to login the user automatically. So I need some kind of link which I can return to the browser and which will login the user and redirect them back to some location. Where I have to look? Can somebody give me some advice and some keywords. Thanks for your help Artem

7 years, 3 months

2
1
0 / 0

Expose role attributes in Keycloak javascript adapter

by Tom Barber

Hi folks, We’ve got some attributes in the Keycloak roles. Is there a way to release them with a user using the Javascript adapter? Thanks Tom -- Spicule Limited is registered in England & Wales. Company Number: 09954122. Registered office: First Floor, Telecom House, 125-135 Preston Road, Brighton, England, BN1 6AF. VAT No. 251478891. All engagements are subject to Spicule Terms and Conditions of Business. This email and its contents are intended solely for the individual to whom it is addressed and may contain information that is confidential, privileged or otherwise protected from disclosure, distributing or copying. Any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Spicule Limited. The company accepts no liability for any damage caused by any virus transmitted by this email. If you have received this message in error, please notify us immediately by reply email before deleting it from your system. Service of legal notice cannot be effected on Spicule Limited by email.

7 years, 3 months

2
1
0 / 0

Rest Extension?

by Craig Setera

I was in the process of creating a new REST extension per the current developer docs at https://www.keycloak.org/docs/latest/server_development/index.html#_exten... , however, I noticed I had to pull in the keycloak-server-spi-private module and also I'm seeing the following in the logs: keycloak_1 | 22:49:44,975 WARN [org.keycloak.services] (MSC service thread 1-1) KC-SERVICES0047: bv-user-invitation (com.baseventure.keycloak.userinvite.rest.UserInvitationActionTokenResourceProviderFactory) is implementing the internal SPI realm-restapi-extension. This SPI is internal and may change without notice Should this have me concerned about the long term viability of this feature? Craig ================================= *Craig Setera* *Chief Technology Officer*

7 years, 3 months

1
0
0 / 0

OWASP check

by Ondrej Scerba

Hi, Lastest Keycloak version (4.8.3.Final) contains several potential security issues related to jackson-databind library. All isues should be resolved, when you update jackson-databind to version 2.9.8 or higher. Could you please fix it? Thanks, Ondrej

7 years, 3 months

1
0
0 / 0

Re: [keycloak-user] Configuring Admin Access Control or realm-management client role for LDAP user in keycloak via imported realm.json configuration

by kapil joshi

On Thu, 31 Jan 2019, 17:53 kapil joshi, <kapilkumarjoshi001(a)gmail.com> wrote: > Hi Marek, > > > Thanks for the reply, actually we see one ldaprealm.json in the LDAP > integration with keycloak example. But even there we saw entries only for > role-ldap-mapper. > > Can someone in your team provide a sample for hardcoded-ldap-mapper > > Thanks > Kapil > > > On 31 Jan 2019 17:21, "Marek Posolda" <mposolda(a)redhat.com> wrote: > > I am not sure about the JSON format from the top of my head. I suggest to > create things manually in admin console, then export it to JSON, so you can > see proper JSON format. See keycloak documentation for Export/Import for > more details. > > Marek > > On 31/01/2019 07:19, kapil joshi wrote: > > Hi Marek, > > I was trying to import realm.json which contains following entry, to > include hardcoded-ldap-mapper in keycloak, for realm-management role of > manage-users, but its failing to import, can you give us a small example of > such entry in realm.json which we can follow on. > > // snippet of realm.json > > * {* > * "name": "administrator",* > *"federationMapperType"**: "hardcoded-ldap-role-mapper",* > *"**federationProviderDisplayName"* > * : "ldap", * > * "subComponents": {},* > * "config": {* > * "role": [* > * "realm-management.manage-users"* > * ]* > * }* > * }* > > > *Thanks * > *Kapil* > > On Tue, Jan 29, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001(a)gmail.com> > wrote: > >> Hi Marek, >> >> First of all thanks for your response, it works !!! . I tried mapping a >> client role (i.e realm-management roles), few observations: >> 1) I was not able to save the configuration was getting below attached >> error message. >> [image: image.png] >> >> But then i saw there is already a bug filed on this issue. >> So applied the work around, and was able to get the client role added for >> LDAP imported user. >> >> Thanks again, >> Kapil >> >> >> >> On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda <mposolda(a)redhat.com> >> wrote: >> >>> Yes, this should be doable with hardcoded-ldap-role-mapper if I >>> understand your use-case correctly (See tab "mappers" in the admin console >>> when you're on the page with the details of LDAP provider). >>> >>> Marek >>> >>> On 28/01/2019 10:24, kapil joshi wrote: >>> >>> Hi All, >>> >>> Can we assign realm-management client roles for users imported from LDAP in >>> Keycloak. >>> Currently we are trying to set up LDAP based user federation using by >>> importing a realm.json, configured with LDAP related configuration. Have >>> attached it to this email. >>> Basically the requirement is when we login to the client using the LDAP >>> credentials, the user should be able to access user-management and >>> view-realm client(i.e accessing the admin console) from client side. >>> >>> Thanks >>> Kapil >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> > >

7 years, 3 months

2
3
0 / 0

GSS Credential delegation works for Internet Explorer but not for Chrome?

by Chris Smith

I have Keycloak setup to authenticate to an Active Directory domain using LDAP/Kerberos I have set Windows Internet options for SSO Both Internet Explorer and Chrome successfully perform Authentication. I have a requirement for a Delegated GSSCredential and have configured Keycloak and my Active Directory domain controller to perform this task When I run my web app using Internet Explorer as my browser, in the servlet I successfully get a Delegated GSSCredential from the Access Token. When I run my web app using Chrome as my browser, in the servlet I fail to get a Delegated GSSCredential from the Access Token. Why the difference and what do I need to set to allow Chrome to be used as a fully supported browser?

7 years, 3 months

1
1
0 / 0

When realm count reaches around 470, Keycloak basically becomes unstable

by Kamal Mettananda

Hi all We are having a Keycloak 4.8.1.Final deployed on a k8 cluster with two nodes with default settings. Backend database is PostgreSQL. We are increasing the number of realms in Keycloak to figure out if Keycloak can support a larger number of realms; these creations are done sequentially. However, when the quantity of realms reach around 470, it makes keycloak basically unusable with admin GUI not loading at all and requests taking too long to execute. Below is a summary of the time taken. We have not added any users into the realms. +--------------+----------+------------+------------+------------+ | Operation | 0 realms | 100 realms | 250 realms | 350 realms | +--------------+----------+------------+------------+------------+ | Create realm | 1104 | 3739 | 8659 | 11535 | | Get realm | 128 | 961 | 3067 | 3853 | | Get token | 636 | 1159 | 2714 | 3197 | | Get roles | 127 | 1037 | 3034 | 3649 | +--------------+----------+------------+------------+------------+ Are there any known limitations or an optimal number of realms for a Keycloak deployment? Thanks

7 years, 3 months

1
0
0 / 0

OAuth2 extensions - oob vs oob:auto

by David North

Hi, I am working on a desktop application which wants to access various APIs secured by OAuth2 using Keycloak. The workflow I am trying to support is that the application will show an embedded browser widget with the Keycloak login page, and once the user is logged in, my application will extract the OAuth token and use it. I don't want my application to have to listen on a local port and use a redirect URI of http://localhost:port, so the OAuth extension which allows a redirect URI of urn:ietf:wg:oauth:2.0:oob:auto seems ideal. The documentation at https://www.keycloak.org/docs/4.0/securing_apps/ says Keycloak only supports the urn:ietf:wg:oauth:2.0:oob variant, where the user has to copy/paste the code manually into the app. However, confusingly the documentation also claims: "When this redirect uri is used Keycloak displays a page with the code in the title and in a box on the page." The code is not in the title (which just says "Success code") - if it were then it would be easy for my application to extract, and the behaviour would be equivalent to urn:ietf:wg:oauth:2.0:oob:auto Would there be any objection to a bug and patch to: * Treat urn:ietf:wg:oauth:2.0:oob:auto as an alias for urn:ietf:wg:oauth:2.0:oob * Put the code in the page title as well as a box on the page? Thanks, David

7 years, 3 months

1
0
0 / 0

keycloak bearer token error - Didn't find publicKey for specified kid

by Subodh Joshi

Hi I have configured keycloak4.5 with Wildfly(With LoadBalancer) and able get the token , but when I am using that token for to get response from rest service getting below error : ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- *HTTP/1.1 401 Unauthorized* *Cache-Control: no-cache, no-store, must-revalidate, private* *X-Powered-By: Undertow/1* *X-XSS-Protection: 1; mode=block* *Server: WildFly/11* *X-Frame-Options: SAMEORIGIN* *Date: Wed, 30 Jan 2019 07:42:45 GMT* *Connection: keep-alive* *WWW-Authenticate: Bearer realm="demorealm", error="invalid_token", error_description="Didn't find publicKey for specified kid"* *X-Content-Type-Options: nosniff* *Content-Type: text/html;charset=UTF-8* *Content-Length: 71* *<html><head><title>Error</title></head><body>Unauthorized</body></html>* *------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------* *Can anyone help me here please what configuration I am missing , I am struggling for so many days to solve this problem but couldn't get any solution .* -- Subodh Chandra Joshi subodh1_joshi82(a)yahoo.co.in http://www.trendsinnews.com

7 years, 3 months

2
1
0 / 0

Re: [keycloak-user] Configuring Admin Access Control or realm-management client role for LDAP user in keycloak via imported realm.json configuration

by kapil joshi

Hi Marek, I was trying to import realm.json which contains following entry, to include hardcoded-ldap-mapper in keycloak, for realm-management role of manage-users, but its failing to import, can you give us a small example of such entry in realm.json which we can follow on. // snippet of realm.json * {* * "name": "administrator",* *"federationMapperType"**: "hardcoded-ldap-role-mapper",* *"**federationProviderDisplayName"* * : "ldap",* * "subComponents": {},* * "config": {* * "role": [* * "realm-management.manage-users"* * ]* * }* * }* *Thanks * On Thu, Jan 31, 2019 at 11:49 AM kapil joshi <kapilkumarjoshi001(a)gmail.com> wrote: > Hi Marek, > > I was trying to import realm.json which contains following entry, to > include hardcoded-ldap-mapper in keycloak, for realm-management role of > manage-users, but its failing to import, can you give us a small example of > such entry in realm.json which we can follow on. > > // snippet of realm.json > > * {* > * "name": "administrator",* > *"federationMapperType"**: "hardcoded-ldap-role-mapper",* > *"**federationProviderDisplayName"* > * : "ldap",* > * "subComponents": {},* > * "config": {* > * "role": [* > * "realm-management.manage-users"* > * ]* > * }* > * }* > > > *Thanks * > *Kapil* > > On Tue, Jan 29, 2019 at 2:38 PM kapil joshi <kapilkumarjoshi001(a)gmail.com> > wrote: > >> Hi Marek, >> >> First of all thanks for your response, it works !!! . I tried mapping a >> client role (i.e realm-management roles), few observations: >> 1) I was not able to save the configuration was getting below attached >> error message. >> [image: image.png] >> >> But then i saw there is already a bug filed on this issue. >> So applied the work around, and was able to get the client role added for >> LDAP imported user. >> >> Thanks again, >> Kapil >> >> >> >> On Tue, Jan 29, 2019 at 1:43 AM Marek Posolda <mposolda(a)redhat.com> >> wrote: >> >>> Yes, this should be doable with hardcoded-ldap-role-mapper if I >>> understand your use-case correctly (See tab "mappers" in the admin console >>> when you're on the page with the details of LDAP provider). >>> >>> Marek >>> >>> On 28/01/2019 10:24, kapil joshi wrote: >>> >>> Hi All, >>> >>> Can we assign realm-management client roles for users imported from LDAP in >>> Keycloak. >>> Currently we are trying to set up LDAP based user federation using by >>> importing a realm.json, configured with LDAP related configuration. Have >>> attached it to this email. >>> Basically the requirement is when we login to the client using the LDAP >>> credentials, the user should be able to access user-management and >>> view-realm client(i.e accessing the admin console) from client side. >>> >>> Thanks >>> Kapil >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>>

7 years, 3 months

1
0
0 / 0

[i18n] Time units in e-mails sent by Keycloak

by Rodrigo Leme

Hi people, We are currently using an i18n e-mail theme (to Brazilian Portuguese, pt_BR), but we noticed that a few portions of the e-mails sent by Keycloak cannot be internationalized, as in the sample below: "Seu administrador acaba de solicitar que você atualize sua conta FEPAS-CARDSE executando as seguintes ações: *Verify Email*. Clique no link abaixo para iniciar este processo. Link para a atualização da conta Este link irá expirar dentro de *12 hours*. Se você não sabe que seu administrador solicitou isso, apenas ignore esta mensagem e nada será alterado." According to the text above, the time was not internationalized ("12 hours"), neither the action ("Verify Email"). We added the asterisks here for clarification purposes only. In Portuguese, the displayed texts should be "12 horas" and "Verificar email". Is somebody aware of any method to fully internationalize the emails, including the mentioned passages? We even issued a bug report in Keycloak's JIRA (https://issues.jboss.org/browse/KEYCLOAK-9459), but it was summarily rejected by devs. Best regards, Rodrigo Lem -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

7 years, 3 months

4
3
0 / 0

Logo for customized theme

by Amritha Amarnath

Hello, How to add logo for customized theme for my application.? I have set parent=keycloak in theme.properties for customized theme. I need source like below : <body> <div class="login-pf-page atcard "> <div id="kc-header" class="login-pf-page-header"> <div><img src="/auth/......./img/logo.png" alt=""></div> <div id="kc-header-wrapper" class="">{product name}</div> </div> </div> </body> But currently getting the source as: <body class =""> <div class =" login-pf-page "> <div id =" kc-header " class =" login-pf-page-header "> <div id =" kc-header-wrapper " class =""> {product name} </div> </div> <body> -- With Regards , Amritha Amaranath

7 years, 3 months

1
0
0 / 0

User sessions in DB

by Lukasz Lech

Hello, I'm using Keycloak docker image for 4.8.1 I have logged in users, but in DB, I see no entries in user_session. Additionally, after some time server run, I've got NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to Sessions position in Menu in Admin Console. Are there any issues with JPA cache? Best regards, Lukasz Lech

7 years, 3 months

2
4
0 / 0

Accessing Admin Console from client application without logging in

by kapil joshi

Hi All, In our product, we are using keycloak.js adapter. We are receiving access and refresh token from 3rd party server. We store these tokens in our instance variables and update keycloak.js variables explicitly as shown below: let tokenStr = this.someService.tokenString; console.log('token is ' + tokenStr); let keycloakInstance = this.keycloakAngular.getKeycloakInstance(); if (tokenStr) { if (keycloakInstance['tokenTimeoutHandle']) { clearTimeout(keycloakInstance['tokenTimeoutHandle']); keycloakInstance['tokenTimeoutHandle'] = null; } keycloakInstance.token = tokenStr; keycloakInstance.authenticated = true; this.authenticated = true; keycloakInstance.tokenParsed = this.decodeToken(tokenStr); keycloakInstance.subject = keycloakInstance.tokenParsed.sub; keycloakInstance.realmAccess = keycloakInstance.tokenParsed.realm_access; keycloakInstance.resourceAccess = keycloakInstance.tokenParsed.resource_access; this.roles = await this.keycloakAngular.getUserRoles(true); This code is actually taken from setToken() API of keycloak.js and we have just replaced it in our custom code. So that we can make use of the keycloak.js adapter variables and methods. Problem is when we try to access the account-management UI, it takes the user to login screen, which want to avoid. we are not able to find out the reason behind this ? When we login to the application and then when we try accessing account management url then it renders the account management page seamlessly. Would be great if there is a solution to render account management UI when we update the tokens programatically into keycloak.js adapter variables. Let me know If we are doing anything wrong or work arounds to fix this issue. Thanks Kapil

7 years, 3 months

1
1
0 / 0

Updating the Database Schema

by Keith Carlton

Good morning- I was attempting to make some customizations to the Keycloak schema and the README for doing so here<https://github.com/keycloak/keycloak/blob/master/misc/UpdatingDatabaseSch...> shows files that no longer exist in the repo. Does anyone know how to make modifications to the DB schema based on the current structure of the project? Thank you, Keith Carlton

7 years, 3 months

1
0
0 / 0

Re: [keycloak-user] Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?

by Edgar Vonk - Info.nl

Hey Hans, Indeed. You are right. We configured signing of AuthnRequests (and as you found out LogoutRequests) in Keycloak and configured our certificate on the NetIQ side and now both authentication and logging out works. :-) Thanks! > Hey Ed, > > Ouch, bad NetIQ :-( apparently it considers the signature on the request > as something unexpected, which it really shouldn't... > However, you should be able to configure the signing certificate of > Keycloak on the NetIQ side (which you needed to do anyway for the > validation of the Logout requests) and make it "require" or "expect" signed > authentication requests from the Keycloak SP. > > Hans.

7 years, 3 months

1
0
0 / 0

Enable X.509 Client Certificate User Authentication only to specific realm

by roberto palmarin

Hi, my goal is to have services that authenticate with user and password and services that authenticate with X509 certificate. Moreover, if I am authenticated with the certificate, I no longer have to authenticate with username and password. I have seen that the SAML parameter authnContextClassRef is not supported by kexcloak, which would allow to force the authentication method! I then tried to create new realms and use one realm for authentication with username/password and the other realm for X509 mutual authentication. The question is how can I disable X509 mutual authentication for a realm on keycloak? the configuration for mutual authentication is at the wildfly level and not at the realm level nor at the client keycloak level. is it possible to have the correct value of authnContextClassRef in the keycloak SAML response? Thank'sRoberto Palmarin

7 years, 3 months

2
2
0 / 0

keycloak adapter for elytron

by Zahradnik, Milan

Hi, I am new on this forum so please forgive me any mistakes I make. We have a strange issue with keycloak and wildfly Elytron. We use wildfly 15.0.0. After installing keycloak (4.8.3) adapter for wildfly 10 and more (adapter-elytron-install-offline.cli) we always get exception "Not allowed exception" when we send request to our endpoint (stateless EJB bean). In our access token we have all necessary roles which are then applied on endpoint in @RolesAllowed("rest"). Also not working when we use @SecurityDomain("keycloak") with EJB. The strange is when we install keycloak adapter for older wildfly versions (adapter-install-offline.cli) everything works as expected. The same issue is here http://lists.jboss.org/pipermail/keycloak-user/2018-August/015297.html Does anybody of you any idea what could be an issue here? Thanks for any help Milan Zahradnik

7 years, 3 months

2
2
0 / 0

Re: [keycloak-user] keycloak-user Digest, Vol 61, Issue 39

by Hans Zandbelt

Hey Ed, Ouch, bad NetIQ :-( apparently it considers the signature on the request as something unexpected, which it really shouldn't... However, you should be able to configure the signing certificate of Keycloak on the NetIQ side (which you needed to do anyway for the validation of the Logout requests) and make it "require" or "expect" signed authentication requests from the Keycloak SP. Hans. On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request(a)lists.jboss.org> wrote: > > ------------------------------ > > Message: 3 > Date: Mon, 28 Jan 2019 16:16:20 +0000 > From: "Edgar Vonk - Info.nl" <Edgar(a)info.nl> > Subject: Re: [keycloak-user] Keycloak Identity provider SAML > LogoutRequest not working with NetIQ Access Manager because it is > not > signed? > To: keycloak-user <keycloak-user(a)lists.jboss.org> > Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4(a)info.nl> > Content-Type: text/plain; charset="utf-8" > > Thanks Hans! :-) > > Unfortunately with "Want AuthnRequests Signed? enabled we can no longer > log in to the external IdP.. I will check with the NetIQ provider people to > check. > > > ------------------------------ > > Message: 4 > Date: Mon, 28 Jan 2019 14:51:26 -0200 > From: Wagner <wagnerspi(a)gmail.com> > Subject: [keycloak-user] Keycloak integration with django > To: keycloak-user(a)lists.jboss.org > Message-ID: > <CAO0ino= > wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA(a)mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > Hi there, > > I've been looking for ways to integrate keycloak with django, and have > found the django-keycloak project, but the docs are kind of limited. > > Can anyone point me in the direction of integrating it with an existing > django project? I don't want to use the django admin web interface to > configure it, but haven't found any other way to do so. > > Thanks, > Wagner > > > ------------------------------ > > Message: 5 > Date: Mon, 28 Jan 2019 13:04:58 -0500 > From: Nhut Thai Le <ntle(a)castortech.com> > Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver > class on every request > To: keycloak-user <keycloak-user(a)lists.jboss.org> > Message-ID: > <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F= > iE6nGV0JQ(a)mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > Hello, > > We are using OsgiJaxrsBearerTokenFilterImpl of keycloak 4.6 in our OSGI env > to filter requests to our REST service as follow: > > @Component( > service = { > ContainerRequestFilter.class, > ContainerResponseFilter.class > }, > scope = ServiceScope.PROTOTYPE, > property = { > "osgi.jaxrs.extension=true", > JAX_RS_NAME + "=DiagramRestFilter", > DiagramConstants.REST_APP_SELECT > } > ) > @PreMatching > @Priority(Priorities.AUTHENTICATION) > public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl > implements ContainerResponseFilter { > private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$ > private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$ > private final Logger log = LoggerFactory.getLogger(getClass()); > > @Reference > private SessionService sessionService; > > @Activate > public void activate(BundleContext bundleContext) { > log.trace("Activating {}", getClass()); //$NON-NLS-1$ > > setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver"); > //$NON-NLS-1$ > setBundleContext(bundleContext); > } > > As you can see, we set the filter scope to Prototype as recommended by OSGI > compedium ( > https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685 > ) > but we see a lot of the following line got printed when the server started > INFO: Using > > com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver@738e48f7 > to resolve Keycloak configuration on a per-request basis. > > Does that means the config resolver is being instantiate for each request ? > Since the the configuration never change, would it make sense to > instantiate this config resolver only once? > > Thai Le > > > ------------------------------ > > Message: 6 > Date: Mon, 28 Jan 2019 21:00:02 +0100 > From: Marek Posolda <mposolda(a)redhat.com> > Subject: Re: [keycloak-user] User sessions in DB > To: Lukasz Lech <l.lech(a)ringler.ch>, "keycloak-user(a)lists.jboss.org" > <keycloak-user(a)lists.jboss.org> > Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01(a)redhat.com> > Content-Type: text/plain; charset=utf-8; format=flowed > > On 28/01/2019 16:30, Lukasz Lech wrote: > > Hello, > > > > I'm using Keycloak docker image for 4.8.1 > > > > I have logged in users, but in DB, I see no entries in user_session. > That is expected. The USER_SESSION table is probably something like a > tombstone of some previous implementation. User sessions are not saved > in the DB. > > > > Additionally, after some time server run, I've got NPE in > RealmAdminResource.getClientSessionStats:614 when trying to navigate to > Sessions position in Menu in Admin Console. > > Looks like a bug. Feel free to create JIRA (with stacktrace and ideally > exact steps to reproduce). > > Thanks, > Marek > > > > > Are there any issues with JPA cache? > > > > Best regards, > > Lukasz Lech > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > ------------------------------ > > Message: 7 > Date: Mon, 28 Jan 2019 21:07:05 +0100 > From: Marek Posolda <mposolda(a)redhat.com> > Subject: Re: [keycloak-user] Get a GSSCredential when user browser is > not in Active Directory domain > To: Dmitry Telegin <dt(a)acutus.pro>, Chris Smith > <chris.smith(a)cmfirstgroup.com>, "keycloak-user(a)lists.jboss.org" > <keycloak-user(a)lists.jboss.org> > Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67(a)redhat.com> > Content-Type: text/plain; charset=utf-8; format=flowed > > +1 > > GSSCredential is used just during SPNEGO authentication. You may > possibly change the built-in authentication flows or userStorage > provider, so that after verification with username/password, the > GSSCredential will be somehow obtained from the JAAS Subject used for > the authentication (See class KerberosUsernamePasswordAuthenticator for > the details). > > However I am not sure if this is really possible and it will require > some more deep-dive into the Keycloak codebase and Kerberos > implementation in JDK... Just a hint... > > Marek > > On 28/01/2019 07:21, Dmitry Telegin wrote: > > Hello Chris, > > > > AFAIK GSSCredential is something very specific to Kerberos, so I'm not > sure it's possible at all to obtain it outside of Kerberos context, like > e.g. via pure LDAP authentication. > > > > Cheers, > > Dmitry > > > > On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote: > >> Does anyone have feedback about getting a delegated GSSCredential? > >> > >> -----Original Message----- > >>> From: keycloak-user-bounces(a)lists.jboss.org < > keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith > >> Sent: Wednesday, January 23, 2019 10:12 PM > >> To: keycloak-user(a)lists.jboss.org > >> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is > not in Active Directory domain > >> > >> Here is a Diagram of what I'm trying to do > >> > >> From: Chris Smith > >> Sent: Wednesday, January 23, 2019 8:08 AM > >>>> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org> > >> Subject: Get a GSSCredential when user browser is not in Active > Directory domain > >> > >> I have setup my servlet to authenticate a user my web app using > Keycloak Active Directory ldap user federation > >> > >> I can get a Delegated GSSCredential when the SPNEGO enabled > browser??runs on a workstation in the AD domain. > >> When the browser workstation is not a member of the AD Domain, Keycloak > will authenticate the user id and password entered on the keycloak login > page, but there will not be a Delegated GSSCredential in the Access Token > in my servlet. > >> > >> I have a requirement to use the GSSCredential to call programs on an > IBM i (AS/400) and JDBC to the IBM i.??My IBM i is configured to accept a > Kerberos Ticket from Active Directory as an authenticated credential (aka > EIM, Enterprise Identity Mapping). > >> > >> Less than 1% of the users will be using browsers on workstations in the > Active Directory domain. > >> > >> Can Keycloak put a GSSCredential for the logged in user??in the Access > Token when SPNEGO is not available from the browser? > >> > >> > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user(a)lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user(a)lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > ------------------------------ > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > End of keycloak-user Digest, Vol 61, Issue 39 > ********************************************* > -- hans.zandbelt(a)zmartzone.eu ZmartZone IAM - www.zmartzone.eu

7 years, 3 months

1
1
0 / 0

Need to limit concurrent session in a realm in keycloak

by Nakul Jain

Hi, We need to restrict the number of concurrent sessions in a realm in keycloak. Do we have any feature in keycloak through which we can support this ? Thanks, Nakul

7 years, 3 months

2
1
0 / 0

Configuring Admin Access Control or realm-management client role for LDAP user in keycloak via imported realm.json configuration

by kapil joshi

Hi All, Can we assign realm-management client roles for users imported from LDAP in Keycloak. Currently we are trying to set up LDAP based user federation using by importing a realm.json, configured with LDAP related configuration. Have attached it to this email. Basically the requirement is when we login to the client using the LDAP credentials, the user should be able to access user-management and view-realm client(i.e accessing the admin console) from client side. Thanks Kapil

7 years, 3 months

2
1
0 / 0

OsgiJaxrsBearerTokenFilterImpl init resolver class on every request

by Nhut Thai Le

Hello, We are using OsgiJaxrsBearerTokenFilterImpl of keycloak 4.6 in our OSGI env to filter requests to our REST service as follow: @Component( service = { ContainerRequestFilter.class, ContainerResponseFilter.class }, scope = ServiceScope.PROTOTYPE, property = { "osgi.jaxrs.extension=true", JAX_RS_NAME + "=DiagramRestFilter", DiagramConstants.REST_APP_SELECT } ) @PreMatching @Priority(Priorities.AUTHENTICATION) public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl implements ContainerResponseFilter { private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$ private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$ private final Logger log = LoggerFactory.getLogger(getClass()); @Reference private SessionService sessionService; @Activate public void activate(BundleContext bundleContext) { log.trace("Activating {}", getClass()); //$NON-NLS-1$ setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver"); //$NON-NLS-1$ setBundleContext(bundleContext); } As you can see, we set the filter scope to Prototype as recommended by OSGI compedium ( https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685) but we see a lot of the following line got printed when the server started INFO: Using com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver@738e48f7 to resolve Keycloak configuration on a per-request basis. Does that means the config resolver is being instantiate for each request ? Since the the configuration never change, would it make sense to instantiate this config resolver only once? Thai Le

7 years, 3 months

1
0
0 / 0

Keycloak integration with django

by Wagner

Hi there, I've been looking for ways to integrate keycloak with django, and have found the django-keycloak project, but the docs are kind of limited. Can anyone point me in the direction of integrating it with an existing django project? I don't want to use the django admin web interface to configure it, but haven't found any other way to do so. Thanks, Wagner

7 years, 3 months

1
0
0 / 0

Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?

by Edgar Vonk - Info.nl

hi all, We are trying to set up Keycloak to act as a federated identity provider between our (OAuth2-enabled) application and the external SAML 2.0-enabled NetIQ Acces Manager identity provider using: https://www.keycloak.org/docs/latest/server_admin/index.html#saml-v2-0-id... The basic setup including authentication works fine. However logging out does not. When attempting to logout from our application Keycloak sends a SAML LogoutRequest to NetIQ Access Manager but NetIQ does not accept this request because, from what we understand from NetIQ, this request is not signed. It seems that Keycloak does not support sending signed LogoutRequests from SAML Identity Providers? Is this indeed the case and how could we go about solving this? Maybe create a custom IdentityProvider or possibly send a SAML LogoutRequest to NetIQ from our application directly? Example of SAML LogoutRequest send by Keycloak: <samlp:LogoutRequest Destination="https://dummyhost.net/nidp/saml2/slo" ID="ID_7b7e1700-235b-403d-af08-a0c77dd7f26d" IssueInstant="2019-01-28T10:43:56.896Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8080/auth/realms/our-realm</saml:Issuer> <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">00001234</saml:NameID> <samlp:SessionIndex>id05SkNYJwvT2uGPaCu5PvQvT5Dmg</samlp:SessionIndex> </samlp:LogoutRequest> I am no expert on SAML at all but this is from the SAML 2.0 specs (https://www.oasis-open.org/committees/download.php/56782/sstc-saml-profil...): 4.4.4.1 <LogoutRequest> Usage: "The requester MUST authenticate itself to the responder and ensure message integrity, either by signing the message or using a binding-specific mechanism.” Should Keycloak not support signing SAML LogoutRequests? cheers Edgar

7 years, 3 months

1
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user January 2019