August 2019 - keycloak-user - Jboss List Archives

by vijay

Hi, I am getting the below error message while setting up two containers in single host. Followed this document to setup - https://www.keycloak.org/2019/04/keycloak-cluster-setup.html 19:37:43,485 ERROR [org.jgroups.protocols.JDBC_PING] (thread-9,ejb,568064445f53) JGRP000138: Error reading JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 47 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:225) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:197) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:124) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386) at org.jgroups.protocols.FILE_PING.down(FILE_PING.java:119) at org.jgroups.protocols.MERGE3$InfoSender.run(MERGE3.java:408) at org.jgroups.util.TimeScheduler3$Task.run(TimeScheduler3.java:324) at org.jgroups.util.TimeScheduler3$RecurringTask.run(TimeScheduler3.java:358) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52) at java.lang.Thread.run(Thread.java:748) 19:37:43,487 ERROR [org.jgroups.protocols.JDBC_PING] (thread-9,ejb,568064445f53) JGRP000145: Error updating JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 13 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:120) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.jgroups.protocols.JDBC_PING.delete(JDBC_PING.java:339) at org.jgroups.protocols.JDBC_PING.writeToDB(JDBC_PING.java:142) at org.jgroups.protocols.JDBC_PING.write(JDBC_PING.java:125) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:128) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386) at org.jgroups.protocols.FILE_PING.down(FILE_PING.java:119) at org.jgroups.protocols.MERGE3$InfoSender.run(MERGE3.java:408) at org.jgroups.util.TimeScheduler3$Task.run(TimeScheduler3.java:324) at org.jgroups.util.TimeScheduler3$RecurringTask.run(TimeScheduler3.java:358) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52) at java.lang.Thread.run(Thread.java:748) 19:38:21,918 ERROR [org.jgroups.protocols.JDBC_PING] (thread-10,ejb,568064445f53) JGRP000138: Error reading JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 47 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:106) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:225) at org.jgroups.protocols.JDBC_PING.readAll(JDBC_PING.java:197) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:124) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386) at org.jgroups.protocols.FILE_PING.down(FILE_PING.java:119) at org.jgroups.protocols.MERGE3$InfoSender.run(MERGE3.java:408) at org.jgroups.util.TimeScheduler3$Task.run(TimeScheduler3.java:324) at org.jgroups.util.TimeScheduler3$RecurringTask.run(TimeScheduler3.java:358) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.jboss.as.clustering.jgroups.ClassLoaderThreadFactory.lambda$newThread$0(ClassLoaderThreadFactory.java:52) at java.lang.Thread.run(Thread.java:748) 19:38:21,922 ERROR [org.jgroups.protocols.JDBC_PING] (thread-10,ejb,568064445f53) JGRP000145: Error updating JDBC_PING table: org.postgresql.util.PSQLException: ERROR: relation "jgroupsping" does not exist Position: 13 at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440) at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183) at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308) at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441) at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365) at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:143) at org.postgresql.jdbc.PgPreparedStatement.executeUpdate(PgPreparedStatement.java:120) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537) at org.jgroups.protocols.JDBC_PING.delete(JDBC_PING.java:339) at org.jgroups.protocols.JDBC_PING.writeToDB(JDBC_PING.java:142) at org.jgroups.protocols.JDBC_PING.write(JDBC_PING.java:125) at org.jgroups.protocols.FILE_PING.findMembers(FILE_PING.java:128) at org.jgroups.protocols.Discovery.invokeFindMembers(Discovery.java:214) at org.jgroups.protocols.Discovery.findMembers(Discovery.java:239) at org.jgroups.protocols.Discovery.down(Discovery.java:386)

4 years, 8 months

2
1
0 / 0

check-sso not working as expected with iframe

by Mohsin Ilyas

Hi, Below is my simple logic in my application to re-establish connection with keycloak when a page is reloaded. However, the iframe doesn’t seem to work well with ‘check-sso’. Because, I have opened the application in one tab and in other tab I have opened keycloak but when I logout of keycloak my application doesn’t get logout, however, if I use ‘login-required’ the application logs out simultaneously with keycloak. Can someone take a look, or help me with this? (P.s: I have tried to set checkIframLogin: true in the init options but it doesn’t work for me) Thanks.

4 years, 8 months

3
2
0 / 0

Hiding the Login elements when we know that the user must Register

by Andrew Braae

Summary ------- We would like to improve the Keycloak experience for our new users by removing all of the the Login elements (Email, Password, Remember me, Forgot password, Login button) on the left hand side of the Keycloak page, when we know that the user does not have an account in Keycloak already. We would also like to pre-populate the Email field on the register page with the user's email. The thing that makes of these appear possible in our scenario is that the user arrives at the Keycloak protected page via an invite link that contains their email address. Are these possible? How can we go about it? More details --------- We'd like to make the Keycloak experience simpler/more obvious for new users. In our scenario: - we know the users email address, e.g. fred(a)gmail.com (it's in our own application database) - we have emailed the user a link to a Keycloak-protected invite page - we allow Google, LinkedIn and email/password signin on the realm Here are the current usability problems that we are seeing when the new users follow their invite link. 1) Keycloak invites the user to enter their email and password to Log in. However since we know their email, we could tell in advance that Login will not work if they are not a Keycloak user already - they will have to register. This is confusing to some subset of them, and they contact us saying e.g. "it looks like I need a password, can you send it to me?". (They don't think to click Register). 2) If they do click Register, then Keycloak allows them to enter any email address. However, only fred(a)gmail.com will do, since that is who the invite is for. Users rightfully feel confused/peeved that they have to type in their email address, when they just clicked through from an email in that same email account. Any assistance gratefully appreciated.

4 years, 8 months

2
1
0 / 0

High Availability, Active Directory LDAPS and Keycloak AD Federation

by Chris Smith

When my LDAPS url = ldaps://ad-dc-01.xxx-apps.com My connection is successful and my bind DN and credential successfully authenticate When my LDAPS url = ldaps://xxx-apps.com My connection is successful but my bind DN and credential do not successfully authenticate. The AD forest has 2 domain controllers, ad-dc-01 and ad-dc-02. What is the proper LDAPS url for high availability AD federation?

4 years, 8 months

1
0
0 / 0

IdentityBroker SAML transient NameID-Format

by keycloak＠phoefer.at

Hi, I'm using Keycloak for IdentityBrokering with an external SAML-Identity-Provider Unfortunately the external SAML Provider only supports transient NameID <Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">vyT0gx7o0uo3MtklFqAXRg1Lmy9HuKZBYB6My5jzU7E=</NameID> ... </Subject When I log-in through the external IDP Kecloak generates a local user and links it with this (temporaty) Broker-ID. If I log-in again later, another different temporary user is generated. Is there a possibility to a) use some SAML-Attributes as brokerID (because they include a "unique" ExternalUser-ID) - so only one keycloak account is created for one external user or b) do not create a internal keycloak user at all Or maybe you have another good idea for handling the issue without ending up with thousands of KC-users ;-) Thanks for help

4 years, 8 months

2
1
0 / 0

Group LDAP Storage Mapper

by Travis De Silva

Hi, Isn't there any way to update the USER_GROUP_MEMBERSHIP table when an LDAP group mapper period sync runs? As per a comment from @Marek Posolda <mposolda(a)redhat.com> in this Jira comment https://issues.jboss.org/browse/KEYCLOAK-4918 and also by going over the code in https://github.com/keycloak/keycloak/blob/master/federation/ldap/src/main... line 596, looks like Keycloak will upgrade the LDAP group membership only when the group mapper is created initially when synced. All other subsequent calls are not updating the table. Any idea why this condition is there? Cheers Travis

4 years, 8 months

2
1
0 / 0

Keycloak HTTP 2

by Hammad Haqqani

Hi Folks, Once we enabled http2 on our website it broke our Keycloak authentication. Do we need to upgrade our setup or there any setting we need to enable please let me know. Current version : keycloak-2.5.1.Final Hammad Haqqani Devops Engineer [Xome_Logo_Email]<http://www.xome.com/> This e-mail communication and any attachments may contain confidential, copyrighted, and legally privileged information for use solely by the designated recipients to which this e-mail is addressed. If you are not the intended recipient, you are hereby notified that you have received this communication in error, and that any review, disclosure, dissemination, distribution, or copying of this message or its contents is prohibited and may be subject to governing laws protecting its disclosure. If you have received this communication in error, please notify Xome immediately by e-mail at postmaster(a)xome.com and destroy all copies of this communication and any attachments.

4 years, 8 months

2
3
0 / 0

jboss-cli.sh CLI script setup of subsystem=undertow FAILs at "javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication"?

by PGNet Dev

I'm setting up keycloak (8.0.0/head, atm) for ops behind an ssl terminating proxy. In "standalone.xml" I want to change, <server name="default-server"> <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/> <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/> to, <server name="default-server"> <http-listener name="default" socket-binding="http" enable-http2="true" proxy-address-forwarding="true" /> <https-listener name="https" socket-binding="https" enable-http2="true" security-realm="UndertowRealm" /> I'd like to do this with scripting CLI, eventually for orchestrated deployment. checking mgmt access, open/display of gui /opt/keycloak/bin/jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --gui works fine -- I can read all my controller's data/props/etc. I've created a script/batch input file cat /tmp/https.cli /subsystem=undertow/server=default-server/http-listener=default/:list-clear /subsystem=undertow/server=default-server/https-listener=https/:list-clear /subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=socket-binding,value=http):write-attribute(name=enable-http2,value=true):write-attribute(name=proxy-address-forwarding,value=false) /subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=socket-binding,value=https):write-attribute(name=enable-http2,value=true):write-attribute(name=security-realm,value=UndertowRealm) but exec of cli, with that^ input, fails /opt/keycloak/bin/jboss-cli.sh \ --connect \ --controller=10.0.0.1:9990 \ --properties=/etc/keycloak/jboss.properties \ --user=mgmtuser \ --password=mgmtpass \ --file=/etc/keycloak/https-setup.cli \ Failed to connect to the controller: Unable to authenticate against controller at 10.0.0.1:9990: Authentication failed: all available authentication mechanisms failed: DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication in 'standalone.xml', the auth mech IS defined, ... <sasl> <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" s <mechanism-configuration> <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> >> <mechanism mechanism-name="DIGEST-MD5"> <mechanism-realm realm-name="ApplicationRealm"/> </mechanism> </mechanism-configuration> </sasl-authentication-factory> <sasl-authentication-factory name="management-sasl-authentication" sasl-server-factory="configured" se <mechanism-configuration> <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/> >> <mechanism mechanism-name="DIGEST-MD5"> <mechanism-realm realm-name="ManagementRealm"/> </mechanism> </mechanism-configuration> </sasl-authentication-factory> ... WHY is that mech being rejected? Where are the allowed/available auth "mechanism-name" listed/documented? And, ideally, their usage?

4 years, 8 months

1
1
0 / 0

Fwd: how to connect to a mysql database.

by Hugo Cosme (GMAIL)

Hi class, how are you? I have some difficulties getting keycloak to connect to a mysql database, I am not sure which files I must edit in order for the connection to happen. I'm using version 6.0.1, and I'm doing it via Docker ... Has anyone done anything like this? Or do you know which files to edit?

4 years, 8 months

4
3
0 / 0

KeyCloak performance.

by Дима Жданов

Hi. I try to understand Keycloak performance. Where can I find any performance report?

4 years, 8 months

3
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user August 2019