Offline Token Unique Constraint Violation Errors in 6.0.0
by Harness, Josh
Hello -
I'm using keycloak version 6.0.0. Recently, we started seeing unique constraint violations when creating a new offline session for a user. In particular, this constraint is violated:
CONSTRAINT_OFFL_CL_SES_PK3
I looked this constraint up and it appears to be the combination of the following columns on the following columns of the "offline_client_session" table:
USER_SESSION_ID, CLIENT_ID, CLIENT_STORAGE_PROVIDER, EXTERNAL_CLIENT_ID, OFFLINE_FLAG
I enabled trace logging for the UserSession class and can tell that the application believes that it needs to create the row in the offline_client_session table even though the row already exists in the table. As a result, the unique constraint violation occurs and the call fails. This makes me believe it exclusively expects its cache to be a copy of the database and somehow it has gotten out of sync with the database and isn't querying the database when it has a cache "miss".
A couple of notes that may be important:
* I'm creating the offline token as part of a token exchange
* We have configured the offline sessions cache to use passivation (with preloading enabled and purging disabled)
Any advice that can be offered as far as how to debug this would be appreciated. I've been unable to make it happen in non-prod but it happens often in prod.
Thanks!
Josh
6 years, 9 months
Re: [keycloak-user] Not being prompted for x509 User Certs
by JTK
I wanted to give an update which might help other users.
The first issue we had was related to the load balancer and to be specific
Amazon ELB.
I was under the impression it was set to be pass-thru, but instead it was
setup to do SSL termination.
After that was fixed, then I was getting prompted for certificates and I
was seeing logs, which I was happy with, even error logs, even better.
The next issue was related to when our PFX chain was imported into the
keystore. The issue was that PFX file had a different password than the
keystore in the standalone.xml configuration file.
After changing the password and re-importing it back it, that error logs
related to padding for the keystore were resolved. Basically error in
padding in our case = wrong password in the keystore.
The last issue was locating the correct RegEx for our instance. For us,
this worked:
User Identity Source: Subject Alternative Name
A regular expression to extract user identity : RFC822Name=(.*?)(?:,|$)
A big shout out to Peter! Thanks for your assistance.
On Thu, Jun 27, 2019 at 12:37 PM JTK <jonesy(a)sydow.org> wrote:
> Hello,
>
> I've read through all the documentation I can find online both with the
> official documents and everything else I could find and I believe I have
> everything setup, with additional logging turned on, but I'm not getting
> any type of prompt for a x509 certificate when logging in.
>
> Here is the excerpt from the standalone.xml file
>
> <management>
> <security-realms>
> ......
> <security-realm name="ssl-realm">
> <server-identities>
> <ssl>
> <keystore path="keycloak.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> </ssl>
> </server-identities>
> <authentication>
> <truststore path="truststore.jks"
> relative-to="jboss.server.config.dir" keystore-password="mypass"/>
> </authentication>
> </security-realm>
> ......
>
> <subsystem xmlns="urn:jboss:domain:undertow:7.0"
> default-server="default-server" default-virtual-host="default-host"
> default-servlet-container="default" default-security-domain="other">
> <buffer-cache name="default"/>
> <server name="default-server">
> <http-listener name="default1" socket-binding="http"
> redirect-socket="https" enable-http2="true"/>
> <https-listener name="default" socket-binding="https"
> security-realm="ssl-realm" verify-client="REQUESTED"/>
> <host name="default-host" alias="localhost">
> <location name="/" handler="welcome-content"/>
> <access-log worker="default"
> directory="${jboss.server.log.dir}" prefix="access" suffix=".log"/>
> <http-invoker security-realm="ApplicationRealm"/>
> </host>
>
> I've setup the Authentication Flows for the Browser to have x509/Validate
> Username Form above the new Browser flow and it's required.
> Everything is setup per the KeyCloak documentation to include the binding
> settings.
>
> The only thing I'm not sure about is if the keycloak.jks and
> truststore.jks files are the issue.
> I have enabled extra logging as best I know, but I'm not seeing anything
> in the logs of any relevance when trying to authenticate into the Keycloak
> Realm.
>
> Can anyone assist? We are looking to most likely purchase this as a
> product through RedHat SSO if it works well to get the support we need, but
> I've been hung up on this for a few weeks and I know it shouldn't be this
> hard.
>
> Thanks,
> J
>
>
6 years, 9 months
Re: [keycloak-user] transient SSL certificate errors to AD/LDAPS
by Mark Nuttall-Smith
Hi,
Thanks for the suggestion, but only server side certificates are required for our AD set up.
Mark Nuttall-Smith
Software Engineer
Flow Traders
T: +31 20 799 8753
F: +31 20 799 6780
Jacob Bontiusplaats 9
1018 LL Amsterdam
Netherlands
www.flowtraders.com
-----Original Message-----
From: Nick Su [mailto:nicksu@m800.com]
Sent: Monday, July 15, 2019 9:40 AM
To: Mark Nuttall-Smith
Subject: Re: [keycloak-user] transient SSL certificate errors to AD/LDAPS
Hi
Does your LDAPS server require client verification as well? I came across a similar issue months before, and fixed by providing a trust store and keystore respectively to java
> On 15 Jul 2019, at 3:34 PM, Mark Nuttall-Smith <mnuttallsmith(a)flowtraders.com> wrote:
>
> Hi,
>
> I've configured Keycloak to talk to an AD server using LDAPS. Everything works perfectly most of the time, but there are rare, transient errors caused by the following exception:
>
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
> at sun.security.validator.Validator.validate(Validator.java:262)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
> ... 12 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
> ... 18 more
>
> Normally retrying the same query allows a user to log in again successfully (browser caches complicate things though).
>
> We add the certificates to the keystore using the following approach in our kubernetes helm chart:
>
> --------------------
> extraArgs: "-Djavax.net.ssl.trustStore=/opt/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dkeycloak.import=/opt/import/realm.json"
>
> # This init container adds the certificates for the AD domain controllers to a keystore using a mounted ad-cacerts volume.
> # The same volume with the keystore is then mounted and used by the main keycloak container
> extraInitContainers: |
> - name: cacerts-init
> image: openjdk:8-jre
> command:
> - bash
> args:
> - -c
> - |
> cat $JAVA_HOME/lib/security/cacerts > /opt/cacerts/cacerts;
> for host in `getent ahosts mycompany.local | awk '{print $1}' | uniq`; do
> echo | openssl s_client -connect ${host}:3269 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${host}.cer ;
> keytool -keystore /opt/cacerts/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ${host} -file ${host}.cer
> done
> volumeMounts:
> - name: ad-cacerts
> mountPath: /opt/cacerts
>
> extraVolumes: |
> - name: ad-cacerts
> emptyDir: {}
>
> extraVolumeMounts: |
> - name: ad-cacerts
> mountPath: /opt/cacerts
> -----------------------
>
> Does anyone have an idea what could be the cause of these transient errors?
>
> Thanks, Mark
>
> Mark Nuttall-Smith
> Software Engineer
>
> [http://www.flowtraders.com/img/FlowTraders.png]
>
> Flow Traders
>
> T: +31 20 799 8753
> F: +31 20 799 6780
>
> Jacob Bontiusplaats 9
> 1018 LL Amsterdam
> Netherlands
> www.flowtraders.com<http://www.flowtraders.com>
>
> Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry of the Chamber of Commerce under number . This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. This message may not be forwarded or published to any other person than its addressees without Flow Traders's prior consent. Flow Traders accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry of the Chamber of Commerce under number . This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. This message may not be forwarded or published to any other person than its addressees without Flow Traders’s prior consent. Flow Traders accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
6 years, 9 months
transient SSL certificate errors to AD/LDAPS
by Mark Nuttall-Smith
Hi,
I've configured Keycloak to talk to an AD server using LDAPS. Everything works perfectly most of the time, but there are rare, transient errors caused by the following exception:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 18 more
Normally retrying the same query allows a user to log in again successfully (browser caches complicate things though).
We add the certificates to the keystore using the following approach in our kubernetes helm chart:
--------------------
extraArgs: "-Djavax.net.ssl.trustStore=/opt/cacerts/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Dkeycloak.import=/opt/import/realm.json"
# This init container adds the certificates for the AD domain controllers to a keystore using a mounted ad-cacerts volume.
# The same volume with the keystore is then mounted and used by the main keycloak container
extraInitContainers: |
- name: cacerts-init
image: openjdk:8-jre
command:
- bash
args:
- -c
- |
cat $JAVA_HOME/lib/security/cacerts > /opt/cacerts/cacerts;
for host in `getent ahosts mycompany.local | awk '{print $1}' | uniq`; do
echo | openssl s_client -connect ${host}:3269 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${host}.cer ;
keytool -keystore /opt/cacerts/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ${host} -file ${host}.cer
done
volumeMounts:
- name: ad-cacerts
mountPath: /opt/cacerts
extraVolumes: |
- name: ad-cacerts
emptyDir: {}
extraVolumeMounts: |
- name: ad-cacerts
mountPath: /opt/cacerts
-----------------------
Does anyone have an idea what could be the cause of these transient errors?
Thanks, Mark
Mark Nuttall-Smith
Software Engineer
[http://www.flowtraders.com/img/FlowTraders.png]
Flow Traders
T: +31 20 799 8753
F: +31 20 799 6780
Jacob Bontiusplaats 9
1018 LL Amsterdam
Netherlands
www.flowtraders.com<http://www.flowtraders.com>
Flow Traders has its seat in Amsterdam, Netherlands, its registered office at Jacob Bontiusplaats 9, 1018 LL, Amsterdam, Netherlands and is registered with the Trade Registry of the Chamber of Commerce under number . This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. This message may not be forwarded or published to any other person than its addressees without Flow Traders's prior consent. Flow Traders accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
6 years, 9 months
Realm based multi-tenancy
by Chamila de Alwis
Hi,
I have a KeyCloak deployment where KeyCloak Realms are used as a way to
differentiate users among different tenants. The components that currently
interact with KeyCloak does so through intermediate router that selects the
IdP configuration based on a request path segment (request credentials from
the realm using a pre-decided segment in the received path as the realm
name). This story works fine with OIDC clients created in each Realm.
There is a 3rd party service access that needs to be done through KeyCloak
as well. However this 3rd party service doesn't support any kind of realm
discovery method (path, header etc). It only works with a single IdP
configuration at a time. This doesn't match with the per-realm client
configuration model that is there at the moment, because multiple client
configurations cannot be dynamically mapped to different host names or path
segments.
As a workaround, I'm in the process of trying the following approach.
I've created a "federator" realm that has the clients in other realms as
Identity Providers. The client in the federator realm will act as an
identity broker on behalf of the other realms. However, the approach shows
all the organizations available at the login screen. This is something
sub-optimal for my use case since the list of organizations is made public
to any user redirected to the login page. At the moment I'm looking into
the customization of the login page, however that also would make upgrades
harder.
Is there a way to workaround this limitation that the 3rd party service
has? Are there any known patterns that you may have employed in similar
situations? (The other mail threads that I could find deal in situations
where the client code is also changeable, like the use of the
KeyCloakConfigResolver extension point [1]. This is not usable in my case,
as the 3rd party code is out of my control)
Furthermore, is there a way to authenticate users across Realms using only
one client configuration? Appreciate your help in this.
[1] -
https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
Thanks!
Regards,
Chamila
Blog: medium.com/@chamilad
6 years, 9 months
CORS issue with Angular Keycloak and Kong
by Enzo Veltri
Hello,
I'm stuck in some CORS problems with a Angular APP. First of all this is my
error:
"Access to XMLHttpRequest at
'KEYCLOAK_ADDRESS/auth/realms/kong-integration/protocol/openid-connect/auth?response_type=code&client_id=kong&state=51afb0a302eaade545d648ee234ac9c0&redirect_uri=http//KONG_ADDRESS/projects%2F&nonce=5828968bed9a3d5427bed214c482b7a1&scope=openid'
(redirected from 'http://KONG_ADDRESS/projects?username=c') from origin
'null' has been blocked by CORS policy: Response to preflight request
doesn't pass access control check: No 'Access-Control-Allow-Origin' header
is present on the requested resource."
Here is my architecture
I have as gateway KONG + OIDC Plugin (https://github.com/nokia/kong-oidc)
in a docker-machine located ad KONG_ADDRESS
An Identity Management as Keycloak that is located at KEYCLOAK_ADDRESS;
An Angular APP that uses the keycloak-angular library (
https://www.npmjs.com/package/keycloak-angular) located at localhost:4200
A Rest API, developed with Restlet, deployed on a tomcat on
TOMCAT_ADDRESS/projects
I've configured Kong to work with Keycloak using this tutorial (
https://www.jerney.io/secure-apis-kong-keycloak-1/) and everything works
fine till I'm interacting with the secured API using the browser or
Postman.
When I call the secured endpoint KONG/projects, I'm redirected to the login
page of Keycloak and then, after submitting the right credentials, I
receive the correct response.
Problems come when I'm trying to do everything using an Angular APP.
It looks like that everything is fine with the /auth and /authenticate
calls to KEYCLOAK_ADDRESS made by the initialization of the plugin (
https://www.npmjs.com/package/keycloak-angular#setup), and the /token and
the /account calls made by HttpClientInterceptor (
https://www.npmjs.com/package/keycloak-angular#httpclient-interceptor) and
the AuthGuard (https://www.npmjs.com/package/keycloak-angular#authguard).
Problems come when the APP try to access to the resource at KONG/projects.
It looks like there are a lot of jumps in the request: KONG redirects to
KEYCLOAK and KEYCLOAK send a 204 No Content.
I've added to the Keycloak client the web origins for KONG_ADDRESS and
http://localhost:4200 that is my Angular APP.
Do you have any idea about the problem? I think is something related to the
origin 'null' in the console log, or is something related to my setup.
Maybe I'm missing some details about the process.
--
Enzo
6 years, 9 months
Cannot add custom Key2StringMapper for JDBC cache store
by Yifei Sun
Hi Guys,
I am trying to add JDBC cache store via standalone-ha.xml in Keycloak
6.0.1, which has WildFly 16 and Infinispan 9.4.x subsystem. I managed to
add the configuration to bind tables in Mysql db, but got the
"org.infinispan.persistence.keymappers.UnsupportedKeyTypeException:
Unsupported key type" when it tried to save the session. I checked out
Infinispan and WF documentations, but the solution they gave, e.g. add
"<property
name="key2StringMapperClass">...</property>" , does not work. Any help
would be appreciated.
Thanks!!
6 years, 9 months
Reverse Proxy Keycloak - Kerberos SPNEGO breaks
by Ryan Slominski
Hi all,
Any tips setting up Kerberos SPNEGO with Keycloak if Keycloak is reverse proxied? I have everything working if I access the Keycloak host directly, but if I access via a reverse proxy the SPENGO doesn't work. I assume this has to do with Kerberos SPNEGO strict hostname and principal naming. I have even tried setting the password/key (and kvno) the same for both HTTP/proxy.example.com and HTTP/keycloak.example.com principals. I've also updated the /etc/krb5.conf libdefaults ignore_acceptor_hostname = true, but that seems to be ignored by Keycloak. In fact, Keycloak appears to require a hard-coded principal name, which isn't going to match the requested service principal name when requests go through the reverse proxy. Has anyone dealt with this before?
Oddly, this isn't a problem for Windows Active Directory principals / SPNs (Micrsoft implementation) - if setspn.exe configures same principal to both hostnames. Just MIT Kerberos KDC and principals seem to have a problem with reverse proxies (Red Hat Identity Manager / FreeIPA wrapper around MIT Kerberos).
Ryan
6 years, 9 months
Kubernetes deployments
by Leandro Nunes
Hi fellow Keycloak users!
My team is now looking at deploying a KC cluster to GCP. We wanted to
leverage the infrastructure as much as possible but we’re struggling to
come up with a good strategy to deploy different SPIs to a KC cluster when
it is running in k8s. If we understand it correctly in such environments
one does not simply take a single SPI and deploy it to the cluster; instead
every time we want to install an SPI we’ll need to build a new (docker?)
image that contains KC itself, the new (version of the) SPI and all other
pre-existing SPIs. Is this understanding correct? Did you come up with
better/leaner approaches to solving this? What is your experience around
these issues?
As always, any help is much appreciated!
Leandro Nunes
6 years, 9 months
Attaching Role to an Entity
by Arash Rakhshan
Hello team,
I am a new fan and after writing my own solution painfully we are hoping to
convert to KeyCloak. First, thank you all for your efforts and supporting
this project.
I have gone through the tutorials and terminology, however, I can not seem
to mold a suitable model for my authorization use case through Keycloak
concepts. Please consider this use scenario:
- You provide a SaaS solution for Car Dealerships.
- Every dealership inherits a set of default roles upon creation e.g.
admin, manager, sales, accountant,..)
- Dealership could add/remove permissions to the default roles.
- Dealership can define their own custom roles.
- A dealership has multiple vendors and each vendor has a couple of
roles (admin, accountant, vendor)
- A dealership has numerous departments and each department may have
their own roles for that department
In my built-in model, I have a table that connects a Role to a Principal
(an entity) and the ACLs (or permissions) are assigned to the roles. The
Principal could be "DealershipA", "DealershipB", "Vendor1" and
"Department0".
Now my questions is: What is the best practice to implement this scenario
in Keycloak.
- How would you connect/assign a role to an entity?
- Would you consider a Dealership, Vendor or a Department a Resource or
a Client or what?
Thank you in advance for all your help,
6 years, 9 months
