Keycloak Scalability Issues
by Dev Doongoor
Hello,
I am looking for help regarding having Keycloak accommodate roughly a
million, long-lived sessions.
My setup: I have an externalized infinispan cluster which houses the
clientSessions and sessions caches, and using Keycloak 4.8.0.
The infinispan cluster can hold that many entries in each cache, however it
seems Keycloak itself struggles with this.
When I restart Keycloak (for whatever reason), it seems to attempt to load
all sessions from infinispan into memory, which to me seems counter
intuitive to using an externalized cache system.
Unless I give Keycloak enough RAM to handle 1 million or so sessions, it
seems like I would have to clear all session data in order for the
application to start up again.
Also, session lifetime is expected to be 8 months to a year.
My standalone-ha.xml for cache configuration looks like this:
<replicated-cache name="sessions" statistics-enabled="true">
<state-transfer timeout="600000" />
<object-memory size="400000" />
<remote-store remote-servers="infinispan-socket" passivation="false" cache=
"sessions" shared="true" purge="false" preload="false">
<property name="rawValues">true</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</replicated-cache>
<replicated-cache name="clientSessions" statistics-enabled="true">
<state-transfer timeout="600000" />
<object-memory size="400000" />
<remote-store remote-servers="infinispan-socket" cache="clientSessions"
passivation="false" shared="true" purge="false" preload="false">
<property name="rawValues">true</property>
<property name="marshaller">
org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory</property>
</remote-store>
</replicated-cache>
Is this correct? Is there a more efficient way to handle this?
Thanks in advance,
DKD
4 years, 11 months
Strange behavior related to LDAP groups / subgroups
by Matthias Anglade
Hi,
We are currently trying to use an LDAP directory as a federation and we are
facing issues regarding groups.
First case, when we are trying to create a group using the API, is there a
way to specify a parent group to create it into ? As for now any group will
be created at the root of the federation group mapper (i.e the one given as
"LDAP Groups DN" parameter ?
Second case, when I create a structure with groups and subgroups, if some
groups have the same name then the membership will not be taken into
account even if the groups having the same name are in two distinct
subgroups.
Say I have the following structure :
grp 1
sub-grp1
sub-grp2
grp 2
sub-grp1
sub-grp3
If I have a user as member of all four sub groups then either grp1/sub-grp1
or grp2/sub-grp1
will be missing.
Any helps would be appreciated.
Yours,
--
Matthias
4 years, 11 months
Webhook/notification when user's data is changed
by Tihomir Mescic
Hi all,
I'm building a system that integrates with Keycloak. What I would need is
some kind of a notification mechanism in case user information (e.g. first,
or last name) is changed in Keycloak.
Something like this:
- user's first name is changed in Keycloak (either via the Keyclaok
administration page, or via a REST API call)
- Keycloak notifies my app about the change (either via a webhook or by
sending a message to a message bus, or something else)
Is anything like this possible currently?
Thanks in advance,
Tihomir
4 years, 11 months
Restrict the user creation of from IDP.
by Rohit Nikhade
Hi,
My requirement is that only pre-created user, when logged in via Identity
Broker, should be automatically linked to its IDP user. If other user gets
logged in then it should throw an error and stop the Authentication Flow.
My requirement is similar to that mention on
https://issues.jboss.org/browse/KEYCLOAK-4544
As the above issue is deferred I still need to get a solution for my
requirement. Can you suggest me any solution? Or the path to contribute?
As mentioned in above Jira ticket in the comment of Robert, I would like to
add configuration and modify IdpCreateUserIfUniqueAuthenticator, so that
if a nonexisting user logs in via IDP then it should throw an error.
Thank You
Rohit Nikhade
(+91) 8793652775
4 years, 11 months
Keycloak 5.x vs 6.x, what is the difference between those 2 lines?
by Lukasz Lech
I'm quite disturbed by keycloak 5.x and 6.x being launched in the same time....
Which should I upgrade to from 4.8.x?
Was 5.x line a mistake and it was abandoned and replaced with 6.x, or those are parallel development lines for other purposes?
Excuse me for maybe a naïve question, but release notes are not very speaking...
Best regards,
Lukasz Lech
4 years, 11 months
Same Keycloak instance hosted on different domains
by stefan.romete@gmail.com
Hi,
We have an issue with trying to have the same keycloak instance hosted on 2
different domains(URLs).
We have the following scenario:
2 Different Angular apps that point to 2 different URLs for the auth part.
These 2 URLs use the same instance of keycloak. This works as expected and
we are able to authenticate in both apps.
The problem comes when trying to reach the same Backend application from
both apps, as for one app we have the same token issuer but for the other
one (different Endpoint for Keycloak) we get the message :
error="invalid_token", error_description="Invalid token issuer. Expected
'<DOMAIN1>', but was '<DOMAIN2>"
While looking through the source code of keycloak I found out that this is
the normal behavior when trying to have this setup.
Is there any way of achieving the above configuration without having also 2
instances of the BackEnd application , each configured with its own issuer?
That will mean for us an extra deployment of the same application , which
does not make sense .
Thank you,
Stefan Romete
4 years, 11 months
"Resource type" permissions and ownership
by Corentin Dupont
Hi guys,
I noticed that when I use "Resource type" permissions ("Apply to Resource
Type" is checked), only the resources that belong to the client are
returned. Resources that belong to users will not be returned.
Basically, I created 2 resources with the API: one belonging to the client,
one to a user.
I then evaluate my permissions, with "Apply to Resource Type" on. Only the
resource belonging to the client will be returned.
Why is that?
If my resources need to belong to the client, how to manage ownership
policies? Should I use Resource Attributes for that?
Furthermore, I think UMA will not work anymore if the owner of the resource
is the client?
Thanks a lot!
Corentin
4 years, 11 months
Setting up SSL certificate on keycloak container
by Francesco Longo
Good morning! I have a problem setting up keycloak on a docker container, using portainer, installing the SSL certificate.
* I installed from portainer the official jboss keycloak image (5.0.0) setting up the internal 8443 port (in this case it recognize to use HTTPS).
* I have my 2 files (.csr and .key certificates) placed on the /etc/x509/https folder of the docker container.
I have some errors:
* Connecting to the keycloak:port/auth I get the error: "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" and I cannot connect to that page...
* Performing a request to my application that is protected by keycloak I get a response error:
"Error: write EPROTO 140495380186944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s23_clnt.c:802:"...
Can somebody help me? What's wrong with the SSL configuration on the keycloak side?
[LINKS Foundation]
Facebook<https://www.facebook.com/linksfoundation/> | Twitter<https://twitter.com/linksfoundation> | LinkedIn<https://www.linkedin.com/company/links-%E2%80%93-leading-innovation-&-kno...>
Francesco Longo
Rsearcher | Linksfoundation.com<https://linksfoundation.com/>
T. +39 0112276440
francesco.longo(a)linksfoundation.com<mailto:nome.cognome@linksfoundation.com>
Personal account: LinkedIn<https://www.linkedin.com/in/france193/> | Skype<https://join.skype.com/invite/jt9vIqDeuk6G>
________________________________
[Please consider the environment]
Rispetta l'ambiente, pensa prima di stampare questa e-mail
Please consider the environment before printing this email
________________________________
Questo documento è formato esclusivamente per il destinatario. Tutte le informazioni ivi contenute, compresi eventuali allegati, sono da ritenere esclusivamente confidenziali e riservate secondo i termini del vigente D.Lgs. 196/2003 in materia di privacy e del Regolamento europeo 679/2016 -GDPR- e quindi ne è proibita l'utilizzazione ulteriore non autorizzata. Se avete ricevuto per errore questo messaggio, Vi preghiamo cortesemente di contattare immediatamente il mittente e cancellare la e-mail. Grazie.
Confidentiality Notice - This e-mail message including any attachments is for the sole use of the intended recipient and may contain confidential and privileged information pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 -GDPR-. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
4 years, 11 months
Accessing Token information within a JavaScript Policy
by Dwayne Remekie
Hi all,
Consider the following token:
{
"jti": "25954de5-9855-43ce-95f1-34af085a572d",
"exp": 1556850119,
"nbf": 0,
"iat": 1556849819,
"aud": "msa",
"sub": "458601ee-ac93-4cee-8213-52f5428e5cdd",
"typ": "Bearer",
"azp": "msa",
"auth_time": 0,
"session_state": "515e0dce-6c27-408f-8f99-e2b572b04cc4",
"acr": "1",
"realm_access": {
"roles": [
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"authorization": {
"permissions": [
{
"scopes": [
"data-collection:edit"
],
"claims": {
"nm": [
"Beniah R"
],
"gdData": [
""
],
"gdSize": [
"3"
],
"gdTemp": [
"org.keycloak.authorization.attribute.Attributes$Entry@6bef60cb"
]
}
}
]
},
"scope": "profile drs2_security email myscope",
"email_verified": true,
"groupDetails": [
{
"name": "ug1",
"customerCode": "cust-a",
"repositoryAdmin": [
"cust-a/repo-a/*",
"cust-a/repo-b/*"
],
"repositoryEditor": [
"cust-a/repo-d/*",
"cust-a/repo-d/*"
]
},
{
"name": "ug2",
"customerCode": "cust-a",
"collectionEditor": [
"cust-a/repo-c/coll-a",
"cust-a/repo-c/coll-b"
],
"collectionReader": [
"cust-a/repo-b/coll-x"
]
}
],
"name": "Beniah R"
}
Consider the following JS Policy.
var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var identity = context.getIdentity();
var attributes = identity.getAttributes();
var nm = attributes.getValue('name');
permission.addClaim('nm', nm.asString(0));
var groupDetails = attributes.getValue('groupDetails');
permission.addClaim('gdTemp', groupDetails);
permission.addClaim('gdSize', groupDetails.size());
permission.addClaim('gdData', groupDetails.asString(0));
The code above is successfully able to access the “name” property from the token (see “nm” in the authorization section). However, I cannot figure out how to access the objects within the “groupDetails” array. I can see that the type of object is "org.keycloak.authorization.attribute.Attributes$Entry” which has methods to fetch Dates, doubles, Strings, etc., but no method to return an object.
Thanks for your help.
4 years, 12 months
