Cache invalidation Javascript policies - cluster mode
by Matteo Restelli
Hi all,
We have a custom Javascript policy, and we're running 3 Keycloak instances
in a Kubernetes cluster.
Cluster configuration is based on DNS_PING and we've followed the Helm
chart provided by Codecentric.
The three Keycloak pods successfully joined the cluster (in standalone
mode). We can see this from the following log lines:
10:16:02,114 INFO [org.infinispan.CLUSTER] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak-2|13] (3) [keycloak-2, keycloak-1, keycloak-0]
10:16:02,114 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak-2|13] (3) [keycloak-2, keycloak-1, keycloak-0]
10:16:02,114 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-2|13] (3) [keycloak-2, keycloak-1, keycloak-0]
10:16:02,114 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak-2|13] (3) [keycloak-2, keycloak-1, keycloak-0]
10:16:02,120 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.71.10.170:7600]
10:16:02,120 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.71.10.170:7600]
10:16:02,120 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.71.10.170:7600]
10:16:02,120 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.71.10.170:7600]
10:16:02,755 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000078: Starting JGroups channel ejb
10:16:02,756 INFO [org.infinispan.CLUSTER] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak-2|13] (3) [keycloak-2, keycloak-1, keycloak-0]
10:16:02,757 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000079: Channel ejb local address is keycloak-0, physical addresses are [10.71.10.170:7600]
The problem can be reproduced as follows:
- We update the code of our Javascript policy, adding a new "print"
- We see the new log line on only one node; the others are not printing the
new log
Maybe it is something related to cache invalidation?
Thank you very much,
Matteo Restelli
--
Like <https://www.facebook.com/cuebiq/> I Follow
<https://twitter.com/Cuebiq>I Connect
<https://www.linkedin.com/company/cuebiq>
This email is reserved
exclusively for sending and receiving messages inherent working activities,
and is not intended nor authorized for personal use. Therefore, any
outgoing messages or incoming response messages will be treated as company
messages and will be subject to the corporate IT policy and may possibly to
be read by persons other than by the subscriber of the box. Confidential
information may be contained in this message. If you are not the address
indicated in this message, please do not copy or deliver this message to
anyone. In such case, you should notify the sender immediately and delete
the original message.
5 years, 5 months
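An added example (my own script, not from the post or from Keycloak) that runs over ISPN000094 lines of the kind shown above, collected from each pod with kubectl logs, and checks that every pod reports the same view id, the same coordinator and the full member set. The same line repeated once per MSC thread, as in the post, is collapsed by keeping the highest view id per pod. Pod names, the sample lines and the split scenario are constructed. Note what the check does and does not prove: identical views show that JGroups membership is consistent; they say nothing about whether Keycloak's invalidation events are actually delivered and applied on the other pods, which is what the missing log line would point at.

```python
import re

# Matches the Infinispan cluster-view line (ISPN000094) exactly as WildFly/Keycloak logs it:
#   "... for channel ejb: [keycloak-2|13] (3) [keycloak-2, keycloak-1, keycloak-0]"
VIEW_RE = re.compile(
    r"ISPN000094: Received new cluster view for channel (?P<channel>[^:\s]+): "
    r"\[(?P<coord>[^|\]]+)\|(?P<view_id>\d+)\] \((?P<size>\d+)\) \[(?P<members>[^\]]*)\]"
)


def parse_views(lines, channel="ejb"):
    """Extract (coordinator, view_id, size, members) from every ISPN000094 line for one channel."""
    views = []
    for line in lines:
        m = VIEW_RE.search(line)
        if m and m.group("channel") == channel:
            members = tuple(x.strip() for x in m.group("members").split(",") if x.strip())
            views.append((m.group("coord"), int(m.group("view_id")), int(m.group("size")), members))
    return views


def latest_views(node_logs, channel="ejb"):
    """node_logs maps pod name -> its log lines; returns pod name -> highest-numbered view it reported."""
    latest = {}
    for node, lines in node_logs.items():
        views = parse_views(lines, channel)
        if views:
            latest[node] = max(views, key=lambda v: v[1])
    return latest


def check_cluster(node_logs, expected_members, channel="ejb"):
    """Return a list of findings; an empty list means every expected pod reports the same, complete view."""
    findings = []
    expected = set(expected_members)
    latest = latest_views(node_logs, channel)
    for node in sorted(expected - set(latest)):
        findings.append(f"{node}: no ISPN000094 view for channel {channel} (did it join at all?)")
    view_ids = {v[1] for v in latest.values()}
    if len(view_ids) > 1:
        findings.append(f"view ids differ across pods: {sorted(view_ids)} (partition, or a pod rejoined after the others)")
    coords = {v[0] for v in latest.values()}
    if len(coords) > 1:
        findings.append(f"coordinators differ across pods: {sorted(coords)}")
    for node, (_, view_id, size, members) in sorted(latest.items()):
        if size != len(members):
            findings.append(f"{node}: view {view_id} says size {size} but lists {len(members)} members")
        if set(members) != expected:
            findings.append(f"{node}: view {view_id} members {sorted(members)} != expected {sorted(expected)}")
    return findings


def view_line(thread, coord, view_id, members, channel="ejb"):
    """Constructed log line in the format quoted above (sample data, not a real capture)."""
    return (f"10:16:02,114 INFO [org.infinispan.CLUSTER] (MSC service thread {thread}) "
            f"ISPN000094: Received new cluster view for channel {channel}: "
            f"[{coord}|{view_id}] ({len(members)}) [{', '.join(members)}]")


ALL = ["keycloak-2", "keycloak-1", "keycloak-0"]

# Constructed sample: each pod logs the same view several times, once per MSC thread, as in the post.
HEALTHY = {pod: [view_line(f"1-{i}", "keycloak-2", 13, ALL) for i in range(1, 5)] for pod in ALL}

# Constructed sample of a split: keycloak-1 only ever saw a two-member view with itself as coordinator.
SPLIT = dict(HEALTHY)
SPLIT["keycloak-1"] = [view_line("1-1", "keycloak-1", 12, ["keycloak-1", "keycloak-0"])]

if __name__ == "__main__":
    for name, logs in (("healthy", HEALTHY), ("split", SPLIT)):
        print(name, "->", check_cluster(logs, ALL) or "OK")
```

Feed it one list of lines per pod (for example the output of kubectl logs for each StatefulSet member) and treat any finding as a reason to look at the JGroups/DNS_PING configuration before suspecting the policy cache.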
XHRs resulting in 401 unauthorized
by Gianluca Diodato
Hi All,
We have a problem with our platform configuration:
Server 1:
Apache 2.4.x
mod_auth_openidc 2.3.11
Symfony 3.x application + Javascript & Ajax code (no headers in our XHR requests)
Server 2:
Keycloak 4.8.3 Final (client is of confidential type)
Everything works fine, but after a few minutes (about 4 minutes) all requests (XHRs) fail with a 401 Unauthorized error in the browser.
To bypass the error, we added this parameter to ssl.conf (attached file):
OIDCSessionInactivityTimeout 1800
But we would like to find a definitive solution.
We googled this problem:
https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies
https://github.com/zmartzone/mod_auth_openidc/wiki/Access-Tokens-and-Refr...
but did not find anything that helps us. Have we missed something?
Comments and suggestions are welcome.
Bests
Gianluca Diodato
5 years, 5 months
Delete all resources
by Corentin Dupont
Hi guys,
is there an easy way to delete all resources? The UI doesn't seem to offer
this functionality.
It seems I need to create a small script with the API, right?
Or could running some DB commands (DROP TABLE) do it?
Thanks
Corentin
5 years, 5 months
Keycloak using Sql Server on Azure as db: stops working after few days
by Mario Giammarco
Hello,
I have installed Keycloak on an Azure virtual machine. As the database I have
chosen the SQL Server offered as an Azure service. I have configured it
correctly because everything works. But after some days it stops working. I get
these exceptions:
Caused by: org.hibernate.exception.GenericJDBCException: could not
prepare statement
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:113)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148)
at org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1984)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1914)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1892)
at org.hibernate.loader.Loader.doQuery(Loader.java:937)
at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:340)
at org.hibernate.loader.Loader.doList(Loader.java:2689)
at org.hibernate.loader.Loader.doList(Loader.java:2672)
at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2506)
at org.hibernate.loader.Loader.list(Loader.java:2501)
at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:504)
at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:395)
at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:220)
at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1507)
at org.hibernate.query.internal.AbstractProducedQuery.doList(AbstractProducedQuery.java:1537)
at org.hibernate.query.internal.AbstractProducedQuery.list(AbstractProducedQuery.java:1505)
... 13 more
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The
connection is closed.
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:234)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.checkClosed(SQLServerConnection.java:1088)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.prepareStatement(SQLServerConnection.java:3409)
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:758)
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:744)
at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:459)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
It seems that, after some time, SQL Server refuses new connections.
I have tried reducing max-pool-size, and the result is that the problem
now appears some days earlier.
I need help because the exception is not very informative.
Thanks in advance for any hints.
Mario
5 years, 5 months
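An added configuration fragment (not from the post) showing how I would let the WildFly pool detect a connection that the server side has already closed. "The connection is closed" coming out of SQLServerConnection.checkClosed inside prepareStatement means the pool handed Hibernate a connection that was already dead before the statement ran; Azure SQL's gateway closes connections that stay idle for a long time, so a pool that validates nothing keeps dead connections around until something tries to use them. The datasource name, JNDI name, host and numbers below are assumptions to adapt to your standalone.xml; the validation and timeout elements are standard WildFly datasource settings, and the two mssql helper classes ship with the IronJacamar JDBC adapter that WildFly uses.

```xml
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <!-- hypothetical server and database; keep encryption on for Azure -->
    <connection-url>jdbc:sqlserver://example-server.database.windows.net:1433;databaseName=keycloak;encrypt=true;trustServerCertificate=false</connection-url>
    <driver>sqlserver</driver>
    <security>
        <user-name>${env.DB_USER}</user-name>
        <password>${env.DB_PASSWORD}</password>
    </security>
    <pool>
        <min-pool-size>2</min-pool-size>
        <max-pool-size>20</max-pool-size>
    </pool>
    <validation>
        <!-- check the connection every time the pool hands one out; a dead one is destroyed and replaced -->
        <validate-on-match>true</validate-on-match>
        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLValidConnectionChecker"/>
        <!-- classify known-fatal SQL Server errors so the pool discards that connection instead of reusing it -->
        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.mssql.MSSQLExceptionSorter"/>
    </validation>
    <timeout>
        <!-- close pooled connections that sit unused, before the server side does it for you -->
        <idle-timeout-minutes>5</idle-timeout-minutes>
    </timeout>
</datasource>
```

With validate-on-match the cost is one round trip per checkout; if that is too much, background-validation with background-validation-millis is the alternative, but WildFly expects you to pick one of the two, not both.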
General Question - Keycloak Configuration as SAML Service Provider
by Reid Watson
Hi Everyone,
We're investigating Keycloak with OAuth2 / OIDC and SAML, and I'm wondering whether the application gives users the ability to configure an SP (Service Provider) within Keycloak.
As I understand it, the Keycloak server plays the role of an Identity Provider (IdP) and provides the means to authenticate a user for a Service Provider.
There is no mention of, or guide for, users configuring a Service Provider, but I might be looking at the wrong documentation.
Cheers
Reid
5 years, 5 months
Duplicate entry for key
by Corentin Dupont
Dear all,
I often have this error:
keycloak_1_c37c1c45aa45 | 12:28:02,524 ERROR
[org.keycloak.services.error.KeycloakErrorHandler] (default task-10)
Uncaught server error: org.keycloak.models.ModelDuplicateException:
javax.persistence.PersistenceException:
org.hibernate.exception.ConstraintViolationException: could not execute
statement
...
keycloak_1_c37c1c45aa45 | Caused by:
com.mysql.jdbc.exceptions.jdbc4.MySQLIntegrityConstraintViolationException:
Duplicate entry
'GW1-d9d54300-3791-443c-884c-0c52c43d64db-0892e431-5daf-413e-b4cf' for key
'UK_FRSR6T700S9V50BU18WS5HA6'
For instance, I get this error when trying to create a resource.
What does it mean? How do I solve it?
Thanks
Corentin
5 years, 5 months
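An added script (mine, not the project's) covering both of Corentin's questions above: it deletes every resource of a resource server through the admin REST API, and it creates a resource idempotently by looking the name up first, so a retried or duplicated request cannot run into a unique-key violation like the one in the error. BASE, REALM, CLIENT_UUID and the bearer token are assumptions; the endpoint is the admin resource endpoint (clients/{id}/authz/resource-server/resource), and resources carry their id as "_id" in that API. FakeKeycloak is a constructed in-memory stand-in so the script runs offline; pass urllib.request.urlopen (the default) to talk to a real server with an admin token. Dropping tables, as asked in the earlier message, is not a substitute: resource rows are linked to scopes, permissions and policies, and the admin API is what keeps those consistent.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical deployment values: adjust to yours.
BASE = "https://keycloak.example.com/auth"
REALM = "myrealm"
CLIENT_UUID = "0f0f0f0f-0000-4000-8000-000000000001"  # internal id of the resource-server client, not its clientId
RESOURCES = f"{BASE}/admin/realms/{REALM}/clients/{CLIENT_UUID}/authz/resource-server/resource"


def call(method, url, token, body=None, opener=urllib.request.urlopen):
    """One JSON request with a bearer token; returns (status, decoded body or None)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with opener(req) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as e:
        status, raw = e.code, b""
    return status, (json.loads(raw) if raw else None)


def delete_all_resources(token, opener=urllib.request.urlopen, page_size=100):
    """Delete every resource of the resource server; returns the deleted ids.
    Page 0 is re-read each round because every deletion shifts the paging."""
    deleted = []
    while True:
        status, page = call("GET", f"{RESOURCES}?first=0&max={page_size}", token, opener=opener)
        if status != 200:
            raise RuntimeError(f"listing resources failed: HTTP {status}")
        if not page:
            return deleted
        for res in page:
            status, _ = call("DELETE", f"{RESOURCES}/{res['_id']}", token, opener=opener)
            if status not in (204, 404):  # 404: already gone, which is what we wanted
                raise RuntimeError(f"deleting {res['_id']} failed: HTTP {status}")
            deleted.append(res["_id"])


def ensure_resource(token, name, uris, opener=urllib.request.urlopen):
    """Create-or-get by name, so a retry or a concurrent caller cannot hit the unique key.
    Returns (resource id, created?)."""
    status, found = call("GET", f"{RESOURCES}?name={urllib.parse.quote(name)}", token, opener=opener)
    if status != 200:
        raise RuntimeError(f"lookup failed: HTTP {status}")
    for res in found or []:
        if res.get("name") == name:  # the name filter is a substring search; compare exactly
            return res["_id"], False
    status, created = call("POST", RESOURCES, token, {"name": name, "uris": uris}, opener=opener)
    if status != 201 or not created:
        raise RuntimeError(f"create failed: HTTP {status}")
    return created["_id"], True


class _Resp:
    """Minimal response object with what call() uses: .status, .read() and the context-manager protocol."""
    def __init__(self, status, body):
        self.status = status
        self._raw = b"" if body is None else json.dumps(body).encode()
    def read(self):
        return self._raw
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeKeycloak:
    """Constructed in-memory stand-in for the admin resource endpoint, so the script runs offline."""
    def __init__(self, resources):
        self.store = {r["_id"]: r for r in resources}
        self.created = 0
    def __call__(self, req):
        method, url = req.get_method(), urllib.parse.urlsplit(req.full_url)
        if method == "GET":
            q = urllib.parse.parse_qs(url.query)
            items = [r for r in self.store.values() if q.get("name", [""])[0] in r["name"]]
            first, limit = int(q.get("first", ["0"])[0]), int(q.get("max", ["100"])[0])
            return _Resp(200, items[first:first + limit])
        if method == "DELETE":
            return _Resp(204, None) if self.store.pop(url.path.rsplit("/", 1)[1], None) else _Resp(404, None)
        if method == "POST":
            self.created += 1
            rec = dict(json.loads(req.data), _id=f"fake-{self.created}")
            self.store[rec["_id"]] = rec
            return _Resp(201, rec)
        return _Resp(405, None)


if __name__ == "__main__":
    fake = FakeKeycloak([{"_id": "r1", "name": "GW1", "uris": ["/gw1"]}])
    print(ensure_resource("token", "GW1", ["/gw1"], opener=fake))   # existing -> ('r1', False)
    print(ensure_resource("token", "GW2", ["/gw2"], opener=fake))   # new -> ('fake-1', True)
    print(delete_all_resources("token", opener=fake), fake.store)   # ['r1', 'fake-1'] {}
```

The admin token must belong to a user with manage-clients (or realm-admin) on that realm; keep it in an environment variable rather than on the command line, where it ends up in shell history and process listings.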
Java minor update missing files
by Hannah Short
Hi keycloak users,
We are having issues with broken links in Keycloak each time Java is updated on our servers. Does anyone have any advice? E.g. java.io.FileNotFoundException: /usr/lib/jvm/java-1.8.0…
We would like to have minor updates installed automatically, for security purposes, but they currently result in Java runtime errors when trying to authenticate afterwards.
Thanks in advance,
Hannah
5 years, 5 months
Strange behaviour during RPT call - java.lang.RuntimeException: Error while reading attributes
by Matteo Restelli
Hi all,
We're noticing a strange behaviour during the RPT call performed by our
adapter. More specifically, we're getting an HTTP 500 error with the
following description: "Unexpected error while evaluating permissions:
java.lang.RuntimeException: Error while reading attributes" and with a
NullPointerException.
I had a Keycloak access token with 5 hours of expiration time, and "SSO
Session Idle" in Keycloak was set to 30 minutes. I know it's a
strange configuration, but we used it just for testing the
RPT / Authorization part.
Once I received the error, I started thinking that the problem was
probably due to the user's session having expired (I noticed
the error after lunch, where I'd left the PC alone for about 1 hour), so
I tried to reproduce the error in this way:
- Login via the Resource Owner Password grant flow (via Postman)
- Get the token and call our test microservice where the adapter is
configured
- RPT call worked
- After that, log out the user's session from the admin console
- Retry the call to the microservice with the same token
- Received the HTTP 500 error
We're using Keycloak 6.0.1.
I have a question about this: is that error right? In my opinion we should
receive a 401, not a 500...
At the bottom you can find the stacktrace.
Thank you very much,
Matteo
12:58:23,179 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-784) Unexpected error while evaluating permissions: java.lang.RuntimeException: Error while reading attributes from security token.
    at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:146)
    at org.keycloak.authorization.common.KeycloakIdentity.<init>(KeycloakIdentity.java:69)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.lambda$static$1(AuthorizationTokenService.java:131)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.createEvaluationContext(AuthorizationTokenService.java:379)
    at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:160)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1157)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:196)
    at sun.reflect.GeneratedMethodAccessor811.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
5 years, 5 months