Keycloak as SP with PingFederate
by Chris Stephens
I am having issues integrating Keycloak with PingFederate. We are using Keycloak version 5.0.0. PingFederate is the IdP and Keycloak is the service provider. Keycloak gives me a generic error "An internal server error has occurred". When I dive deeper into the logs I see this stack trace.
15:59:02,925 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-341) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:469)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:504)
at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:244)
at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:160)
at sun.reflect.GeneratedMethodAccessor1101.invoke(Unknown Source)
...
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NullPointerException
There is no line number on the above null pointer exception. I only know it is happening in handleLoginResponse.
Here is the formatted XML from the /endpoint response in the browser:
<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" ID="J8RPRFTJWzphQNpjsdDMOBAzanc" IssueInstant="2019-07-28T15:47:20.101Z" Destination="https://access-dev.myedlogics.com/auth/realms/intervent/broker/intervent/...">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">localhost:default:entityId</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#J8RPRFTJWzphQNpjsdDMOBAzanc">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>nhnAGsnEubW52HlCQIQ6X9aRQvsiKt2QMxu82hqka3E=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Z2zn8MXkhPk8iw4AXmFV/qK+UbyKQhYT5faq9yyPzF2OCS7joaboMm29/qtZhBHBrFNf0113f3jeAG6mX9RvOYOsoI9k0aLNvH42UDSZw9Iwv8AOIBxa06bqVw7VfJpxwNp4spJgvMRme61OnJd57sqF8V7CNe4X8VMm6L1DDDkvrpL1WieN8OrEjMOm7F3HtlIBTAfy3WvFn2P/Ly3ofSM4CFb9pOgyG0Ypi9KWVaCOQ0qVvaOXu97HpOY4+fp9kg/fMq3UlxJ93WTLiZ8/hXgz9x+Of6DXqY/+XjjRUPdhH2dSXwg7vpXCIc1q5JyG79uNHotLQoDhbO21Osp/QQ==</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="fCWnVphoi6J6jBnD.Ohe_UTtf1D" IssueInstant="2019-07-28T15:47:20.158Z" Version="2.0">
<saml:Issuer>localhost:default:entityId</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">joe</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData Recipient="https://access-dev.myedlogics.com/auth/realms/intervent/broker/intervent/..." NotOnOrAfter="2019-07-28T15:52:20.162Z"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2019-07-28T15:42:20.162Z" NotOnOrAfter="2019-07-28T15:52:20.162Z">
<saml:AudienceRestriction>
<saml:Audience>https://access-dev.myedlogics.com/auth/realms/intervent</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement SessionIndex="fCWnVphoi6J6jBnD.Ohe_UTtf1D" AuthnInstant="2019-07-28T15:47:20.136Z">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.stephens+1(a)edlogics.net</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Does anyone see any obvious mistakes I am making? Is the XML invalid and messing with Keycloak?
Thanks,
Chris
5 years, 5 months
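The post asks whether the response itself is at fault. Before digging through the broker's stack trace it helps to run the response through the checks any SP applies (status, Destination, Issuer, signature reference, bearer Recipient and validity window, audience). The following is an added example, not Keycloak's broker code: the endpoint URLs, the issuer and the sample response are constructed, and it deliberately stops short of XML-signature verification, which needs xmlsec and the IdP certificate.

```python
"""Structural checks an SP applies to a SAML 2.0 Response. Added example, not Keycloak's
broker code; URLs, issuer and the sample response are constructed; the XML signature is not verified."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS = "https://sp.example.com/auth/realms/demo/broker/ping/endpoint"  # constructed
AUDIENCE = "https://sp.example.com/auth/realms/demo"                  # constructed
ISSUER = "idp.example.com:entityId"                                   # constructed


def parse_instant(value):
    """SAML xs:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML instant {value!r}")


def check_response(xml_text, acs_url, audience, issuer, now):
    """Return the list of problems found; an empty list means the response passed."""
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        problems.append("Response Issuer does not match the configured IdP")
    sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("Response carries no ds:Signature")
    else:
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
            problems.append("signature Reference URI does not cover the Response ID")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected one plaintext Assertion, found {len(assertions)}"]
    a = assertions[0]
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("bearer SubjectConfirmationData is missing")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not the ACS URL")
        if "NotOnOrAfter" in scd.attrib and now >= parse_instant(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation has expired")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        if "NotBefore" in cond.attrib and now < parse_instant(cond.get("NotBefore")):
            problems.append("assertion is not yet valid (NotBefore)")
        if "NotOnOrAfter" in cond.attrib and now >= parse_instant(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired (NotOnOrAfter)")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and audience not in audiences:
            problems.append(f"AudienceRestriction {audiences} does not include {audience!r}")
    return problems


# Constructed response with the same shape as the one in the post (signature value is a dummy).
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Version="2.0" ID="_r1" IssueInstant="2019-07-28T15:47:20.101Z"
  Destination="{ACS}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/></ds:SignedInfo>
    <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-07-28T15:47:20.158Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <saml:Subject><saml:NameID>joe</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS}" NotOnOrAfter="2019-07-28T15:52:20.162Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2019-07-28T15:42:20.162Z" NotOnOrAfter="2019-07-28T15:52:20.162Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Constructed scenarios: fresh response, the same response presented late, wrong audience."""
    fresh = datetime(2019, 7, 28, 15, 47, 30, tzinfo=timezone.utc)
    late = datetime(2019, 7, 28, 16, 0, 0, tzinfo=timezone.utc)
    return {
        "valid": check_response(SAMPLE, ACS, AUDIENCE, ISSUER, fresh),
        "late": check_response(SAMPLE, ACS, AUDIENCE, ISSUER, late),
        "wrong_audience": check_response(SAMPLE, ACS, "https://other.example", ISSUER, fresh),
    }
```

Paste the real response into SAMPLE and set ACS, AUDIENCE and ISSUER to the values configured on the Keycloak identity provider; an empty list from check_response means the usual structural causes are ruled out and the NPE has to be chased in the broker's own handling (for example the NameID format or attribute mapping it expects).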
invalid_grant (Code not valid) error
by Philip Lowman
Hi,
I'm playing around with integrating KeyCloak 6.0.1 with the Tomcat 8 Adapter
<https://www.keycloak.org/docs/latest/securing_apps/index.html#_tomcat_ada...>
(OpenID Connect).
I'm running into a problem where the Tomcat adapter redirects to KeyCloak
just fine, authentication in Keycloak works, and it redirects back to the
application, but subsequently the Tomcat adapter gets a 400 error response
from the Keycloak server trying to turn the Access Code into a Token.
The error returned from Keycloak is:
{"error":"invalid_grant","error_description":"Code not valid"}
Here's the code that is logging an error. The error isn't intermittent; it
happens on every request.
protected AuthChallenge resolveCode(String code) {
    ...
    try {
        String httpSessionId = this.deployment.getTokenStore() == TokenStore.SESSION
                ? this.reqAuthenticator.changeHttpSessionId(true)
                : null;
        tokenResponse = ServerRequest.invokeAccessCodeToToken(this.deployment, code,
                this.strippedOauthParametersRequestUri, httpSessionId);
    } catch (HttpFailure var6) {
        log.error("failed to turn code into token");
        log.error("status from server: " + var6.getStatus());
I've grabbed TRACE logs for org.keycloak category on the server and
included them below, but don't see a smoking gun.
I suspect I have something misconfigured somewhere in Keycloak, as this is
my first time configuring this.
Just wondering if anyone has some suggestions for what I should be doing to
troubleshoot this further?
Thanks!
keycloak.json (effectively copy/paste from KeyCloak Admin UI)
{
  "realm" : "myrealm",
  "auth-server-url" : "http://myhost.example.org:8080/auth",
  "ssl-required" : "external",
  "resource" : "myclient",
  "verify-token-audience" : true,
  "credentials" : {
    "secret" : "a41c8c84-ac43-43ae-bf9a-0241e24ce56f"
  },
  "use-resource-role-mappings": true,
  "confidential-port" : 0
}
keycloak server.log w/ org.keycloak at TRACE
<logger category="org.keycloak">
<level name="TRACE"/>
</logger>
2019-07-26 18:11:26,865 TRACE [org.keycloak.events] (default task-1) type=
*LOGIN*, realmId=308af72f-9f89-4fae-a583-b508d07b521a, clientId=myclient,
userId=19c4c859-e062-4528-b176-3a17caf443af, ipAddress=10.192.226.126,
auth_method=openid-connect, auth_type=code, redirect_uri=
http://localhost:7700/myapp/Foo.do, consent=no_consent_required,
code_id=9634b07b-6191-4a09-85b3-507ff9dcead1, username=myuser, requestUri=
http://myhost.example.org:8080/auth/realms/myrealm/login-actions/authenti...,
cookies=[KC_RESTART=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyZjc5NzQyZS1jZTA1LTQ3ZGEtYmFhZS05ZTkwMmMyYWUzYmYifQ.eyJjaWQiOiJXVG5BIiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cDovL2xvY2FsaG9zdDo3NzAwL3dvcmtmb3JjZS9Ib21lLmRvP2FjdGlvbj1zdGFydCIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovL3VzNGxhdGNhczAwMS51c2Rldi53ZnNhYXMubmV0OjgwODAvYXV0aC9yZWFsbXMvcGxvd21hbiIsInJlc3BvbnNlX3R5cGUiOiJjb2RlIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoicGxhaW4iLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vbG9jYWxob3N0Ojc3MDAvd29ya2ZvcmNlL0hvbWUuZG8_YWN0aW9uPXN0YXJ0Iiwic3RhdGUiOiIyYzIwYzM0OC04M2Q0LTQ3YzQtOWZlOS0yZWUzZTE5ZjFjNDMiLCJjbGllbnRfcmVxdWVzdF9wYXJhbV9sb2dpbiI6InRydWUifX0.lol6rrM0GZpLxNY8tbMwPQt8_HBPnDSqHzGKvHU9zeY,
AUTH_SESSION_ID=9634b07b-6191-4a09-85b3-507ff9dcead1.myhost]
2019-07-26 18:11:26,865 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,865 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,865 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,865 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,865 TRACE [org.keycloak.keys.DefaultKeyManager]
(default task-1) Active key found: realm=myrealm
kid=2f79742e-ce05-47da-baae-9e902c2ae3bf algorithm=HS256 use=SIG
2019-07-26 18:11:26,865 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-1)
Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/myrealm/,
max-age: -1
2019-07-26 18:11:26,866 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-1)
Expiring remember me cookie
2019-07-26 18:11:26,866 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-1)
Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/myrealm/
2019-07-26 18:11:26,866 DEBUG
[org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-1)
redirectAccessCode: state: 2c20c348-83d4-47c4-9fe9-2ee3e19f1c43
2019-07-26 18:11:26,866 DEBUG
[org.keycloak.models.sessions.infinispan.InfinispanCodeToTokenStoreProviderFactory]
(default task-1) Not having remote stores. Using normal cache
'actionTokens' for single-use cache of code
2019-07-26 18:11:26,866 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1)
JtaTransactionWrapper commit
2019-07-26 18:11:26,867 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1)
JtaTransactionWrapper end
2019-07-26 18:11:26,867 TRACE
[org.keycloak.connections.jpa.DefaultJpaConnectionProvider] (default
task-1) DefaultJpaConnectionProvider close()
2019-07-26 18:11:26,982 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1) new
JtaTransactionWrapper
2019-07-26 18:11:26,982 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1) was
existing? false
2019-07-26 18:11:26,982 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
realm by name cache hit: myrealm
2019-07-26 18:11:26,982 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
by id cache hit: myrealm
2019-07-26 18:11:26,984 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-1)
AUTHENTICATE CLIENT
2019-07-26 18:11:26,985 TRACE
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-1)
Using executions for client authentication:
[abb870f0-a067-47db-8ff9-38812ccfadb0,
29a6449f-2624-461d-ae61-a099a4086428, ed974344-8b7c-4ff8-85ea-c61289ef23f0,
1ddbb0e6-5e92-45e6-b8fd-a82ba6b2b0a9]
2019-07-26 18:11:26,985 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-1)
client authenticator: client-secret
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by name cache hit: myclient
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:26,985 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-1)
client authenticator SUCCESS: client-secret
2019-07-26 18:11:26,985 DEBUG
[org.keycloak.authentication.ClientAuthenticationFlow] (default task-1)
Client myclient authenticated by client-secret
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
by id cache hit: myrealm
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
by id cache hit: myrealm
2019-07-26 18:11:26,985 DEBUG
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-1)
getUserSessionWithPredicate(9634b07b-6191-4a09-85b3-507ff9dcead1): found in
local cache
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:26,985 TRACE
[org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-1)
Successfully verified code '124e5aba-eb17-4eee-b435-6faf7aaf92ae'. User
session: '9634b07b-6191-4a09-85b3-507ff9dcead1', client:
'd6cce783-5559-48c1-b1b8-7f20d2fcf166'
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,985 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,986 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,986 DEBUG
[org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-1)
Adapter Session '562F91F71B1FFDABD7E0EE2761BA03CE-n1' saved in
ClientSession for client 'myclient'. Host is 'mybox'
2019-07-26 18:11:26,986 TRACE
[org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory] (default
task-1) Create JpaConnectionProvider
2019-07-26 18:11:26,986 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:26,987 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,987 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,992 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,992 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,992 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,992 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,992 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:26,993 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:27,021 TRACE [org.keycloak.keys.DefaultKeyManager]
(default task-1) Active key found: realm=myrealm
kid=YWkA3p3uFbmG1gsE_9bUAVCz0K_vZjkU8U4Q-WeN4Do algorithm=RS256 use=SIG
2019-07-26 18:11:27,023 TRACE [org.keycloak.keys.DefaultKeyManager]
(default task-1) Active key found: realm=myrealm
kid=YWkA3p3uFbmG1gsE_9bUAVCz0K_vZjkU8U4Q-WeN4Do algorithm=RS256 use=SIG
2019-07-26 18:11:27,025 TRACE [org.keycloak.keys.DefaultKeyManager]
(default task-1) Active key found: realm=myrealm
kid=2f79742e-ce05-47da-baae-9e902c2ae3bf algorithm=HS256 use=SIG
2019-07-26 18:11:27,025 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:27,025 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:27,025 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
getuserById 19c4c859-e062-4528-b176-3a17caf443af
2019-07-26 18:11:27,025 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default task-1)
return managedusers
2019-07-26 18:11:27,025 TRACE [org.keycloak.events] (default task-1) type=
*CODE_TO_TOKEN*, realmId=308af72f-9f89-4fae-a583-b508d07b521a,
clientId=myclient, userId=19c4c859-e062-4528-b176-3a17caf443af,
ipAddress=10.192.226.126, client_session_host=mybox,
token_id=0773e6dc-8da1-4241-9fa8-081e95916042,
grant_type=authorization_code, refresh_token_type=Refresh, scope='openid
profile email', client_session_state=562F91F71B1FFDABD7E0EE2761BA03CE-n1,
refresh_token_id=57801953-87a2-4d3e-a4fb-5d91f2ed262f,
code_id=9634b07b-6191-4a09-85b3-507ff9dcead1,
client_auth_method=client-secret, requestUri=
http://myhost.example.org:8080/auth/realms/myrealm/protocol/openid-connec...,
cookies=[]
2019-07-26 18:11:27,025 TRACE [org.keycloak.services.resources.Cors]
(default task-1) No origin header ignoring
2019-07-26 18:11:27,026 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1)
JtaTransactionWrapper commit
2019-07-26 18:11:27,026 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1)
JtaTransactionWrapper end
2019-07-26 18:11:27,037 TRACE
[org.keycloak.connections.jpa.DefaultJpaConnectionProvider] (default
task-1) DefaultJpaConnectionProvider close()
2019-07-26 18:11:27,409 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1) new
JtaTransactionWrapper
2019-07-26 18:11:27,409 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1) was
existing? false
2019-07-26 18:11:27,410 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
realm by name cache hit: myrealm
2019-07-26 18:11:27,410 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
by id cache hit: myrealm
2019-07-26 18:11:27,410 TRACE
[org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default
task-1) Processing @GET request
2019-07-26 18:11:27,410 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by name cache hit: myclient
2019-07-26 18:11:27,410 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:27,410 DEBUG
[org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default
task-1) PKCE non-supporting Client
2019-07-26 18:11:27,410 DEBUG
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-1) Not found AUTH_SESSION_ID cookie
2019-07-26 18:11:27,410 DEBUG
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-1) Not found AUTH_SESSION_ID cookie
2019-07-26 18:11:27,410 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: ADD on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,410 DEBUG
[org.keycloak.services.managers.AuthenticationSessionManager] (default
task-1) Set AUTH_SESSION_ID cookie with value
93ca18a6-fea5-42d5-bad9-125fd97906af.myhost
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.protocol.AuthorizationEndpointBase] (default task-1) Sent
request to authz endpoint. Created new root authentication session with ID
'93ca18a6-fea5-42d5-bad9-125fd97906af' . Client: myclient . New
authentication session tab ID: uG3knkEjbEE
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:27,411 TRACE [org.keycloak.keys.DefaultKeyManager]
(default task-1) Active key found: realm=myrealm
kid=2f79742e-ce05-47da-baae-9e902c2ae3bf algorithm=HS256 use=SIG
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-1)
AUTHENTICATE
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.AuthenticationProcessor] (default task-1)
AUTHENTICATE ONLY
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
processFlow
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
check execution: auth-cookie requirement: ALTERNATIVE
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
authenticator: auth-cookie
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
invoke authenticator.authenticate: auth-cookie
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.services.managers.AuthenticationManager] (default task-1)
Could not find cookie: KEYCLOAK_IDENTITY
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
authenticator ATTEMPTED: auth-cookie
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
check execution: auth-spnego requirement: DISABLED
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
execution is processed
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
check execution: identity-provider-redirector requirement: ALTERNATIVE
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
authenticator: identity-provider-redirector
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
invoke authenticator.authenticate: identity-provider-redirector
2019-07-26 18:11:27,411 TRACE
[org.keycloak.authentication.authenticators.browser.IdentityProviderAuthenticator]
(default task-1) No default provider set or kc_idp_hint query parameter
provided
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
authenticator ATTEMPTED: identity-provider-redirector
2019-07-26 18:11:27,411 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
check execution: null requirement: ALTERNATIVE
2019-07-26 18:11:27,411 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
execution is flow
2019-07-26 18:11:27,412 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
processFlow
2019-07-26 18:11:27,412 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
check execution: auth-username-password-form requirement: REQUIRED
2019-07-26 18:11:27,412 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
authenticator: auth-username-password-form
2019-07-26 18:11:27,412 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
invoke authenticator.authenticate: auth-username-password-form
2019-07-26 18:11:27,412 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,412 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,412 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-1)
client by id cache hit: myclient
2019-07-26 18:11:27,416 DEBUG
[org.keycloak.authentication.DefaultAuthenticationFlow] (default task-1)
authenticator CHALLENGE: auth-username-password-form
2019-07-26 18:11:27,416 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,416 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction]
(default task-1) Adding cache operation: REPLACE on
93ca18a6-fea5-42d5-bad9-125fd97906af
2019-07-26 18:11:27,416 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1)
JtaTransactionWrapper commit
2019-07-26 18:11:27,416 DEBUG
[org.keycloak.transaction.JtaTransactionWrapper] (default task-1)
JtaTransactionWrapper end
--
Philip Lowman
5 years, 5 months
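The trace above shows the server verifying a code ("Successfully verified code ...") and emitting a CODE_TO_TOKEN event, which is what a successful exchange looks like; "Code not valid" is what a token endpoint answers when the code it is handed is no longer outstanding. The model below is an added example, not Keycloak's TokenEndpoint: it implements the single-use, client-bound, redirect-URI-bound, time-limited semantics of an authorization code so the failure modes can be seen side by side. The client registry, lifetime and every error string other than "Code not valid" are constructed.

```python
"""Single-use authorization code exchange. Added example, not Keycloak code; the client
registry, code lifetime and error strings other than "Code not valid" are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_LIFETIME_SECONDS = 60  # constructed; in Keycloak this is a realm setting


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    user_session: str
    issued_at: float


@dataclass
class TokenEndpoint:
    clients: dict                              # client_id -> client secret (constructed registry)
    codes: dict = field(default_factory=dict)  # outstanding codes, removed on first use

    def issue_code(self, client_id, redirect_uri, user_session, now):
        """Called after login succeeds; the code is bound to client, redirect URI and session."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, user_session, now)
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri, now):
        """grant_type=authorization_code: returns a token response or an OAuth error object."""
        expected_secret = self.clients.get(client_id)
        if expected_secret is None or not hmac.compare_digest(expected_secret, client_secret):
            return {"error": "invalid_client"}
        # Consume the code before any further check so that no attempt, failed or
        # repeated, can retry it: a second POST of the same code sees "not found".
        entry = self.codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant", "error_description": "Code not valid"}
        if entry.client_id != client_id:
            return {"error": "invalid_grant", "error_description": "Code issued to another client"}
        if entry.redirect_uri != redirect_uri:
            return {"error": "invalid_grant", "error_description": "redirect_uri does not match"}
        if now - entry.issued_at > CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant", "error_description": "Code expired"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "session_state": entry.user_session}


def demo():
    """Constructed walk-through: a good exchange, a replay of the same code, a stale code,
    and a code presented with a different redirect_uri than it was issued for."""
    ep = TokenEndpoint(clients={"myclient": "constructed-secret"})
    uri = "http://app.example.test/Foo.do"
    t0 = 1_000.0
    code = ep.issue_code("myclient", uri, "sess-1", t0)
    first = ep.exchange(code, "myclient", "constructed-secret", uri, t0 + 1)
    replay = ep.exchange(code, "myclient", "constructed-secret", uri, t0 + 2)
    old = ep.issue_code("myclient", uri, "sess-2", t0)
    expired = ep.exchange(old, "myclient", "constructed-secret", uri, t0 + 120)
    other = ep.issue_code("myclient", uri, "sess-3", t0)
    wrong_uri = ep.exchange(other, "myclient", "constructed-secret",
                            "http://app.example.test/Other.do", t0 + 1)
    return {"first": first, "replay": replay, "expired": expired, "wrong_uri": wrong_uri}
```

When troubleshooting, count the adapter's POSTs to the token endpoint against the server's CODE_TO_TOKEN events for the same code_id: in this model only a second exchange of an already-consumed code produces exactly "Code not valid", while a redirect_uri mismatch or an expired code would be reported differently.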
Keycloak with Ping Identity OpenID Connect Provider
by Mitchell S Bowers
Hello,
Is there any documentation on configuring Keycloak to use Ping as an external OIDC provider? I've used the documentation provided for Okta, which should be essentially the same.
However, we are experiencing issues (specifically token issuance and logout). Any info would be greatly appreciated.
https://ultimatesecurity.pro/post/okta-oidc/
Thanks - Mitchell
5 years, 5 months
Configuring signing keys on a per-client basis?
by Jared Blashka
We're in the process of rotating one of our realm certificates. I'm aware
that Keycloak can have multiple active and/or passive key providers
configured but it looks like Keycloak will only ever use the single active
key provider with the highest priority for signing.
I'm pretty sure the answer is no but is there any way of configuring
Keycloak to use a specific active key provider when signing for a specific
client? Having that feature would make the key rotation process slightly
easier if you have to coordinate the rotation timing with multiple clients
that can only hardcode a single certificate/public key to trust.
Jared
5 years, 5 months
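The behaviour the post describes (one active key signs, any configured key may still verify, and there is no per-client choice of signing key) is what makes a rotation a coordination problem for clients that pin a single certificate. The following added example, which is not Keycloak code, models that selection rule in a few lines: HS256 with in-memory secrets stands in for Keycloak's RS256 realm keys, and the provider names, priorities and secrets are constructed. Note that sign() takes no client argument, which is exactly the limitation being asked about.

```python
"""Signing-key selection during a rotation: the highest-priority active key signs, passive
keys still verify. Added example, not Keycloak code; HS256 and all key material are constructed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass
class KeyProvider:
    kid: str
    secret: bytes
    priority: int
    active: bool = True    # active: eligible for signing; passive: verification only
    enabled: bool = True   # disabled: neither signs nor verifies


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RealmKeys:
    def __init__(self, providers):
        self.providers = {p.kid: p for p in providers}

    def signing_key(self) -> KeyProvider:
        """Highest-priority enabled, active key; passive keys are never chosen here."""
        candidates = [p for p in self.providers.values() if p.enabled and p.active]
        if not candidates:
            raise RuntimeError("realm has no active signing key")
        return max(candidates, key=lambda p: p.priority)

    def sign(self, claims: dict) -> str:
        key = self.signing_key()
        header = {"alg": "HS256", "typ": "JWT", "kid": key.kid}
        body = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                        for part in (header, claims))
        mac = hmac.new(key.secret, body.encode("ascii"), hashlib.sha256).digest()
        return f"{body}.{_b64url(mac)}"

    def verify(self, token: str):
        """Return the claims, or None. Any enabled key (active or passive) may verify."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
        except ValueError:
            return None
        key = self.providers.get(header.get("kid"))
        if key is None or not key.enabled or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key.secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))


def demo():
    """Constructed rotation: old key (priority 100) signs, a new key (priority 200) is added,
    the old key is made passive, then disabled once every client trusts the new key."""
    old = KeyProvider("old-2019", b"constructed-old-secret", priority=100)
    realm = RealmKeys([old])
    before = realm.sign({"sub": "joe", "azp": "app-a"})
    new = KeyProvider("new-2020", b"constructed-new-secret", priority=200)
    realm.providers[new.kid] = new
    after = realm.sign({"sub": "joe", "azp": "app-a"})
    old.active = False                     # rotation step 1: stop signing with it
    verifies_passive = realm.verify(before) is not None
    old.enabled = False                    # rotation step 2: retire it
    verifies_disabled = realm.verify(before) is not None
    return {
        "kid_before": json.loads(_b64url_decode(before.split(".")[0]))["kid"],
        "kid_after": json.loads(_b64url_decode(after.split(".")[0]))["kid"],
        "old_token_verifies_while_passive": verifies_passive,
        "old_token_verifies_when_disabled": verifies_disabled,
        "new_token_verifies": realm.verify(after) == {"sub": "joe", "azp": "app-a"},
    }
```

The usable rotation window is the interval in which the old key is passive: tokens already issued keep verifying, but every new token carries the new kid, so each pinning client must have imported the new certificate before the new key becomes the highest-priority active one, not merely before the old one is disabled.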
Keycloak Google IDP Broken & won't be fixed!
by Nick Powers
I ran into an issue with Google IDP & Keycloak, where offline access cannot
be requested and therefore refresh tokens cannot be received from Google.
I then started researching to see if this problem had been previously
identified and resolved. Although I did find many people identifying
the problem who were looking for an answer in both this mailing list and in
the Keycloak dev mailing list, there were no solutions in any of those
messages. These questions spanned 4 years, and yet Google IDP remains
broken.
When the question is posed to the user group the messages are either not
answered at all or don't provide any solutions. In the Keycloak dev
mailing list it is discussed but in general they are dismissed, along the
lines of "Why would you need to use offline access?", dismissing it as a
useless feature. This is a difficult answer to swallow if you need to use
Google offline access with Keycloak, especially when all it would take is
to add "access_type=offline" to the Google auth URL. To be absolutely clear,
the devs could easily fix this; they just don't want to.
So, if you have found this message, now or in the future, hoping to find a
way to obtain refresh tokens from Google using Keycloak, all I can do is try
and spare you any more time wasted on this pursuit. Keycloak does NOT
support offline access for Google IDP and therefore you cannot receive refresh
tokens from Google with Keycloak, and chances are that it will NEVER
support it.
I wish I was wrong but it doesn't appear that way.
Good Luck!
Nick
5 years, 5 months
Keycloak Gatekeeper Custom Header/Cookie
by Danny Opitz
Hi,
I have Keycloak and Keycloak-Gatekeeper set up in OpenShift and it's acting
as a proxy for an application.
I have successfully configured Gatekeeper to redirect to Keycloak and set
the access token correctly.
The application that Keycloak Gatekeeper is proxying requires a custom
cookie to be set so I figured I could use the Gatekeeper's custom header
configuration to set this however I'm running into issues.
Configuration looks like:
discovery-url: https://keycloak-url.com/auth/realms/MyRealm
client-id: MyClient
client-secret: MyClientSecret
cookie-access-name: my.token
encryption_key: MY_KEY
listen: :3000
redirection-url: https://gatekeeper-url.com
upstream-url: https://app-url.com
verbose: true
resources:
  - uri: /home/*
    roles:
      - MyClient:general-access
headers:
  Set-Cookie: isLoggedIn=true
After re-deploying and running through the auth flow, the upstream
URL/application is not receiving the custom header. I tried with multiple
headers (key/value) but can't seem to get it working or find where that
header is being injected in the flow.
Any suggestions/ideas on how to get this working?
Thanks,
Dan
5 years, 5 months