HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
by abhishek raghav
Hi
After migrating the Keycloak HA configuration from 3.4.3.Final to
4.8.3.Final, I am seeing some WARNINGs on one of the Keycloak nodes
immediately after Keycloak is started with 2 nodes. This occurs every
time the cluster is scaled up or whenever Infinispan tries to update
the cluster member list.
I am using JDBC_PING to achieve clustering in keycloak.
Below is the stack trace:
2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
    at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    Suppressed: org.infinispan.util.logging.TraceException
        at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
        at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
        at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
After searching, I really did not see anyone reporting such an error on
Keycloak, but there is a similar bug reported in WildFly 14, categorized
as a blocker in WildFly 14. This bug is already fixed in WildFly 15.
https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
Since Keycloak 4.8 is also based on WildFly 14, these WARNINGs could be
caused by this blocker in WildFly 14.
What should I do to get rid of this error? Is this really a problem in
Keycloak 4.8.3.Final? Did anyone notice such an issue while running
Keycloak 4.8.3 in HA mode?
Is there a workaround to fix this?
One more thing we noticed concerns a property of the JDBC_PING
protocol we are using in our 3.4.3 setup, i.e. "clear_table_on_view_change",
which is no longer supported in version 4.8. As a result the JGROUPSPING
table fills up with a lot of stale entries. Is there a workaround to clear
the table after a view change in 4.8 as well?
Thanks
Abhishek
5 years, 7 months
Setting up SSL certificate on keycloak container
by Francesco Longo
Good morning! I have a problem setting up Keycloak in a Docker container, using Portainer, when installing the SSL certificate.
* I installed from Portainer the official jboss/keycloak image (5.0.0), setting up the internal 8443 port (in this case it recognizes that it should use HTTPS).
* I have my 2 files (.csr and .key certificate files) placed in the /etc/x509/https folder of the Docker container.
I have some errors:
* Connecting to keycloak:port/auth I get the error "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" and I cannot connect to that page...
* Performing a request to my application, which is protected by Keycloak, I get a response error:
"Error: write EPROTO 140495380186944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s23_clnt.c:802:"...
Can somebody help me? What's wrong with the SSL configuration on the Keycloak side?
Francesco Longo
Researcher | Linksfoundation.com<https://linksfoundation.com/>
T. +39 0112276440
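As an added example (not from the post above or from the Keycloak project), this sh script checks the files mounted into /etc/x509/https before the container is started. The jboss/keycloak image looks for a certificate in tls.crt and its private key in tls.key; a .csr file is a signing request, not a certificate, so it cannot be served, and a key that does not belong to the certificate is just as unusable. It assumes the openssl CLI is installed.

```shell
# Added example (not from the post or the Keycloak project): sanity-check the TLS
# material for the jboss/keycloak image before starting the container. Requires openssl.

# Classify a PEM file by its first armour header: cert, csr, key or unknown.
pem_kind() {
    case "$(grep -m1 -- '-----BEGIN' "$1" 2>/dev/null)" in
        *"BEGIN CERTIFICATE REQUEST"*) echo csr ;;
        *"BEGIN CERTIFICATE"*)         echo cert ;;
        *"PRIVATE KEY"*)               echo key ;;
        *)                             echo unknown ;;
    esac
}

# Return 0 when DIR holds a usable tls.crt/tls.key pair, 1 otherwise (reason on stderr).
check_tls_dir() {
    crt="$1/tls.crt"
    key="$1/tls.key"
    [ -f "$crt" ] || { echo "missing $crt" >&2; return 1; }
    [ -f "$key" ] || { echo "missing $key" >&2; return 1; }
    case "$(pem_kind "$crt")" in
        cert) ;;
        csr)  echo "$crt is a certificate signing request, not a certificate" >&2; return 1 ;;
        *)    echo "$crt is not a PEM certificate" >&2; return 1 ;;
    esac
    [ "$(pem_kind "$key")" = key ] || { echo "$key is not a PEM private key" >&2; return 1; }
    # The key must be the one the certificate was issued for: compare the public keys.
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "cannot parse $crt" >&2; return 1; }
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot parse $key" >&2; return 1; }
    [ "$pub_crt" = "$pub_key" ] || { echo "tls.key does not belong to tls.crt" >&2; return 1; }
    # An expired certificate still loads but browsers reject it, so flag it.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
        || echo "warning: $crt has expired" >&2
    return 0
}

# Usage: check_tls_dir /etc/x509/https && echo "TLS material looks usable"
```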
5 years, 7 months
How to dynamically trigger a custom required action in a flow ?
by GESLIN Fabrice
Hi,
We're trying to trigger a custom required action as part of the reset credentials flow.
For this we plan to mimic the implementation of the authenticate method of org.keycloak.authentication.authenticators.resetcred.ResetPassword.java:
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (context.getExecution().isRequired() ||
                (context.getExecution().isOptional() &&
                        configuredFor(context))) {
            context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        context.success();
    }
But the question is: what value should we pass to addRequiredAction()?
This method seems to accept only the predefined required actions mapped to the values of the UserModel.RequiredAction enum.
Any help is welcome.
Fabrice Geslin
Groupe La Poste
5 years, 8 months
Keycloak in HA mode on Kubernetes fails with "invalid_code" when requesting tokens
by Jody H
Hi,
we are having some trouble generating tokens with the authentication code flow
in our Keycloak 5.0.0 cluster.
Some information about the cluster:
1) We have a cluster with 3 instances in Kubernetes, deployed by the
Keycloak Helm Chart (
https://github.com/helm/charts/tree/master/stable/keycloak)
2) I can see some Infinispan activity in the logs when the cluster is
starting up. I have checked that the shell script executed on startup
contains the " -c standalone-ha.xml" switch. I cannot find any mention
of the string "standalone-ha.xml" in the log output, though.
3) Our cluster is load-balanced with HAProxy
4) The webservice we want to access is secured by Keycloak Gatekeeper (
https://github.com/keycloak/keycloak-gatekeeper)
When using a browser to log in to Keycloak-secured websites (i.e. websites
that use the Keycloak cluster to perform the OIDC authentication code flow
and authenticate our users), we have not seen problems so far. The Keycloak
Gatekeeper "proxy" redirects to Keycloak when no login cookie is present,
trades the code for ID, access and refresh tokens and passes the
access_token to the reverse-proxied website after a successful login.
To test our APIs we would like to use Postman.
However, when using Postman with its built-in OAuth 2.0 authentication, we
see a problem that is reproducible on 4 laptops which are in the same LAN
as the Keycloak cluster. Postman can request access tokens using the
authentication code flow from its GUI. In Postman's "Get New Access Token"
window, we use these settings:
1. callback url: the same redirect_uri that is pointing to the Keycloak
gatekeeper callback endpoint (/oauth/callback endpoint)
2. auth url:
https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/auth
3. access token url:
https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/token
4. client-id: client-id from Keycloak
5. client-secret: client-secret from Keycloak
6. scope: openid
7. Client Authentication: "Send as Basic Auth header"
When clicking the "Request Token" button in Postman, we receive the error
"invalid_code" in roughly 9 out of 10 tries. Basically, if we spam the
button, sometimes it works but most of the time it does not. For another
laptop which is connected via VPN and thus has a higher latency, the
requests work just fine.
I am thinking about the following:
Is it possible that the initial request is sent to keycloak-0, then
returned to the client (postman) and then immediately sent back to the
loadbalancer-url to trade in the code for tokens... and then hits another
instance due to loadbalancing, for example keycloak-1, which has no
information about the authentication process that was initiated on
keycloak-0? The invalid_code error is returned after just 4 milliseconds,
which is rather fast. Maybe the cluster is not properly synchronizing in
time? Any idea on how to fix this?
Thanks
Jody
5 years, 8 months
Keycloak cluster setup on Openshift
by Jon Huang
Dear Keycloakers
In my local environment I set up a Keycloak cluster with multicast and it
works fine.
However, there are some issues, which might be related to Infinispan, when I
migrate to OpenShift with KUBE_PING.
(btw, I tested with Keycloak version 4.8.1, Docker image)
I put the detailed log in the attachment and hope it helps (the log below is
an abridged version).
It seems that Infinispan times out and does not work correctly (it works in
my local environment, though).
Does anyone have the same experience on OpenShift?
Thanks
*Firstly, node 1 detected node2*
[org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN000094: Received
new cluster view for channel ejb: [kc-22-qzws9|5] (2) [kc-22-qzws9,
kc-22-wf2pf]
[org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN100000: Node
kc-22-wf2pf joined the cluster
[org.infinispan.CLUSTER] (remote-thread--p13-t6) [Context=loginFailures]
ISPN100002: Starting rebalance with members [kc-22-qzws9, kc-22-wf2pf],
phase READ_OLD_WRITE_ALL, topology id 2
...
*Then some error happened*
*[log from node1:]*
[org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p24-t3) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from kc-22-wf2pf
    at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    ... 1 more
[org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p16-t9) ISPN000208: No live owners found for segments {0-255} of cache clientSessions. Excluded owners: []
*[log from node2:]*
[org.jboss.msc.service.fail] (ServerService Thread Pool -- 58) MSC000001: Failed to start service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.jboss.msc.service.StartException in service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
    at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
    ...
Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    at org.infinispan.commons.util.SecurityActions.lambda$invokeAccessibly$0(SecurityActions.java:83)
    at org.infinispan.commons.util.SecurityActions.doPrivileged(SecurityActions.java:71)
    at org.infinispan.commons.util.SecurityActions.invokeAccessibly(SecurityActions.java:76)
    at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:185)
    ... 7 more
Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache offlineClientSessions on kc-22-wf2pf
    at org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete(StateTransferManagerImpl.java:233)
    ... 30 more
[org.jboss.as.controller.management-operation] (Controller Boot Thread)
WFLYCTL0013: Operation ("add") failed - address: ([
("subsystem" => "infinispan"),
("cache-container" => "keycloak"),
("replicated-cache" => "work")
]) - failure description: {"WFLYCTL0080: Failed services" => {"
org.wildfly.clustering.infinispan.cache.keycloak.work" =>
"org.infinispan.commons.CacheException: Unable to invoke method public void
org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
throws java.lang.Exception on object of type StateTransferManagerImpl
Caused by: org.infinispan.commons.CacheException: Unable to invoke
method public void
org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
throws java.lang.Exception on object of type StateTransferManagerImpl
Caused by: org.infinispan.commons.CacheException: Initial state
transfer timed out for cache work on kc-22-wf2pf"}}
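The JDBC_PING thread above and this OpenShift thread quote the same Infinispan warnings (ISPN000197 wrapping an ISPN000476 timeout, and ISPN000208 "No live owners"). As an added example that is not part of either post, this sh script summarises such a server.log: timeouts per peer node, caches left without owners, and the sequence of ISPN000094 cluster views, so that a peer that keeps timing out or a cache that never completed state transfer stands out. The sample log is constructed; node names kc-a, kc-b and kc-c are made up, and each log record is assumed to be on one line as in the real file.

```shell
# Added example, not from either thread: triage Infinispan cluster warnings in a
# Keycloak server.log. Assumes one log record per line.

# "<count> <peer>" for each peer named in an ISPN000476 timeout, most frequent first.
timeouts_by_peer() {
    grep -o 'ISPN000476: Timed out waiting for responses for request [0-9]* from [^ ]*' "$1" \
        | sed 's/.* from //' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Distinct caches that reported ISPN000208 (segments with no live owner).
caches_without_owners() {
    sed -n 's/.*ISPN000208: No live owners found for segments [^ ]* of cache \([^ .]*\).*/\1/p' "$1" \
        | sort -u
}

# "<channel> <view id> <member count>" for each ISPN000094 cluster view, in log order.
cluster_views() {
    sed -n 's/.*ISPN000094: Received new cluster view for channel \([^:]*\): \[[^|]*|\([0-9]*\)\] (\([0-9]*\)).*/\1 \2 \3/p' "$1"
}

# Constructed sample log (not a real capture); kc-a, kc-b and kc-c are made-up node names.
sample_log() {
    cat <<'EOF'
12:20:43,687 INFO  [org.infinispan.CLUSTER] (thread-15,ejb,kc-a) ISPN000094: Received new cluster view for channel ejb: [kc-a|5] (3) [kc-a, kc-b, kc-c]
12:20:43,690 INFO  [org.infinispan.CLUSTER] (thread-15,ejb,kc-a) ISPN100000: Node kc-b joined the cluster
12:21:13,701 WARN  [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p24-t3) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from kc-b
12:21:43,702 WARN  [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p24-t4) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 3 from kc-b
12:22:13,703 WARN  [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p24-t5) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 4 from kc-c
12:22:13,710 WARN  [org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p16-t9) ISPN000208: No live owners found for segments {0-255} of cache clientSessions. Excluded owners: []
12:22:13,711 WARN  [org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p16-t9) ISPN000208: No live owners found for segments {0-255} of cache work. Excluded owners: []
12:22:20,000 INFO  [org.infinispan.CLUSTER] (thread-15,ejb,kc-a) ISPN000094: Received new cluster view for channel ejb: [kc-a|6] (1) [kc-a]
EOF
}

# Demo: write the sample to a temporary file and summarise it.
LOG=$(mktemp)
sample_log > "$LOG"
echo "timeouts by peer:";      timeouts_by_peer "$LOG"
echo "caches without owners:"; caches_without_owners "$LOG"
echo "cluster views:";         cluster_views "$LOG"
rm -f "$LOG"
```

Run it against a real server.log by replacing the sample with the path to the file; a peer that dominates the first list while the view member count keeps changing points at that node, not at the coordinator that logged the warning.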
5 years, 8 months
Keycloak, Openresty and fine grain authorization not working
by The Mechanix
Hi,
I'm relatively new to KC, but I've read a lot of documentation in the past few days and I managed to get an (almost) working POC.
An overview can be found here [1].
The setup is fairly easy: we just want to authenticate some web services (HTML).
The components used are all docker containers:
- OpenResty Cluster 1.13.6.2-1 (Keepalived + GlusterFS) with lua-resty-openidc
- Keycloak Cluster 6.0.1
- PostgreSQL Cluster 9.6.12
- Nginx for the web services
In KC, I created a client “metropolis” [2] and a user “ckent”. Whenever I call the protected URL I get redirected to KC, can authenticate and I’m landing on the web service page. So far so good.
Now, I just wanted to see what happens if I negate the default policy:
// by default, grants any permission associated with this policy
$evaluation.grant();
<negate>
A quick evaluation shows following:
Default Resource
Result
DENY
Scopes
No scopes available.
Policies
• Default Permission decision was DENY by UNANIMOUS decision.
• Default Policy voted to DENY.
According to the results, I should not be able to access the resource anymore, right? But this doesn't happen: I'm still able to log in (after killing the session in KC). What am I missing?
Here [3] is the openresty config.
Any hints are much appreciated.
Thanks
[1] https://i.imgur.com/z3E6Fn2.jpg
[2] https://i.imgur.com/J15kXFG.png
[3] https://pastebin.com/7zfHePYK
5 years, 8 months
upgrade keycloak, elytron issue
by mj
Hi,
We're running Keycloak 4.0.0 and were trying to upgrade straight to the
latest version, but it failed. Then we tried upgrading to the latest 4.x
release, 4.8.3, first, but it gave the same error, namely:
> root@kc:/opt/keycloak-4.8.3.Final# bin/jboss-cli.sh --file=bin/migrate-standalone.cli
> *** Begin Migration ***
>
> Adding eviction strategy to keycloak users cache container...
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Updating authorization cache container..
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Adding spi=userFederatedStorage...
> {"outcome" => "success"}
>
> Updating eviction and expiration in local-cache=keys...
> {"outcome" => "success"}
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Adding eviction strategy to keycloak realms cache...
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Removing declaration for userFederatedStorage SPI
> {"outcome" => "success"}
>
> Updating eviction in local-cache=authorization...
> {"outcome" => "success"}
>
> Adding spi=hostname...
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Adding permission-set=login-permission to elytron
> {"outcome" => "success"}
> {"outcome" => "success"}
> {
> "outcome" => "failed",
> "failure-description" => "WFLYCTL0216: Management resource '[
> (\"subsystem\" => \"elytron\"),
> (\"simple-permission-mapper\" => \"default-permission-mapper\")
> ]' not found",
> "rolled-back" => true
> }
We did some googling, but found no clear answer. Can anyone tell us why
the command fails with the above error?
Thanks!
MJ
5 years, 8 months
FW: Brokering-sample with google-authentication does not work with Keycloak6/Wildfly16
by Matuszak, Eduard
Answer: According to the documentation at https://www.keycloak.org/docs/latest/server_installation/index.html#outgo...<https://www.keycloak.org/docs/latest/server_installation/index.html> we now have to configure the proxy settings in standalone<>.xml. Proxy settings made via the httpProxy Java runtime parameters no longer have any effect on the HTTP client Keycloak uses.
_____________________________________________
From: Matuszak, Eduard
Sent: Friday, April 26, 2019 11:34 AM
To: 'keycloak-user(a)lists.jboss.org'
Subject: Brokering-sample with google-authentication does not work with Keycloak6/Wildfly16
Hello
I tried to check the keycloak/examples/broker/google-authentication-sample with Keycloak 6.0.0 and Wildfly 16.0.0. Unfortunately org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider is not able to connect to all Google endpoints and fails with a timeout. With my "old" system (Keycloak 2.5.5 and Wildfly 10.0.1) on the same machine the corresponding example succeeded. Proxy settings via the -DhttpProxy Java runtime parameters had been made, so this should not be the problem.
Interesting(?): I observed that the connection to https://accounts.google.com/o/oauth2/v2/auth, made in the same(!) class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider just before, in the performLogin method, did(!) succeed (Google complains when pushing the "g" login button if the required redirect setting is not configured).
Do you have any idea or fix to overcome this error?
Best regards, Eduard Matuszak
PS: This is the stack trace of the timeout exception when AbstractOAuth2IdentityProvider tried to connect to oauth2.googleapis.com:
10:35:49,298 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-53) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to oauth2.googleapis.com:443 [oauth2.googleapis.com/172.217.16.138, oauth2.googleapis.com/172.217.18.106, oauth2.googleapis.com/172.217.22.74, oauth2.googleapis.com/172.217.22.10, oauth2.googleapis.com/216.58.205.234, oauth2.googleapis.com/172.217.21.202, oauth2.googleapis.com/216.58.208.42, oauth2.googleapis.com/172.217.16.170, oauth2.googleapis.com/216.58.206.10, oauth2.googleapis.com/172.217.23.170, oauth2.googleapis.com/172.217.16.202, oauth2.googleapis.com/172.217.18.170, oauth2.googleapis.com/172.217.18.10, oauth2.googleapis.com/172.217.22.106, oauth2.googleapis.com/216.58.210.10] failed: Connection timed out: connect
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:159)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:199)
at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:163)
at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:155)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:418)
at sun.reflect.GeneratedMethodAccessor715.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
at org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
at org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
at org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
at org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection timed out: connect
at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:339)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
... 84 more
5 years, 8 months
Understanding access token storage
by Matteo Restelli
Hi all,
As far as I know, the best practice for a Single Page Application is to
have the access token stored inside an HttpOnly cookie. This means that the
token endpoint must return the tokens in a cookie provided with the response.
Am I right? If yes, how can I achieve this behaviour?
Thank you very much,
Matteo
5 years, 8 months
Implementing "user invitation" functionality in Keycloak
by Craig Setera
I'm continuing to attempt to get my "user invitation" functionality working
again. While I'm 99% certain it worked at some point in the past, I can't
for the life of me get it going again now. I have not found a working
combination of action tokens, required actions and authenticators to make
this work.
From the feature perspective, the goal is a user-facing flow similar to the
following:
- Within our application, a properly authorized user adds a new user to
our system (using their email address)
- The addition of that user triggers an email to that user with a
(action token) link they can click on
- The link takes them into Keycloak where they can set their "initial"
password via a form
- Once that is completed, they are transitioned to the login page
In my case, I have the initial action token email working (via a REST
resource provider). Within that action token handler, I'm trying to find a
combination of authenticators and/or required actions to pull together the
necessary "challenge" and processing of that challenge. However, I can't
seem to find a combination that Keycloak is happy with and does what I need
it to do.
When looking at similar combinations of required actions and
authenticators, like those found in the quickstarts, it seems like they
work in reverse of this. The authenticator initiates the action token and
not the other way around. Am I misunderstanding what I can/should do here?
Can anyone offer any suggestions or pointers on how to properly handle that
part of the user facing behavior? This is similar in functionality to
reset credentials, but at the same time it is not the same and our product
folks don't want to see "reset" when the user has not yet set credentials.
Thanks,
Craig
=================================
*Craig Setera*
*Chief Technology Officer*
5 years, 8 months