September 2019 - keycloak-user - Jboss List Archives

by Christophe Lehingue

Hello, I use keycloak and it works fine. I have a question about "on login: check-sso (plugin: js)". Is there a way to prevent the page from loading 2 times in a row? I tried with the silentCheckSsoRedirectUri var initOptions = { responseMode: 'query', flow: 'standard', checkLoginIframe: true, onLoad: 'check-sso', silentCheckSsoRedirectUri: 'https: //www.mapage/identityserver-sample-silent.html' }; But it does not seem to work (certainly that I do it wrong). Can you help me ? Regards, Christophe ====== IN FRENCH ============================= BOnjour, J'utilise keycloak et cela fonctionne correctement. J'ai une question concernant "on login: check-sso (pluging : js) ". Y' a t'il une possibilité d'empêcher la page de se charger 2 fois de suite ? J'ai essayé avec le silentCheckSsoRedirectUri var initOptions = { responseMode: 'query', flow: 'standard', checkLoginIframe: true, onLoad: 'check-sso', silentCheckSsoRedirectUri: ' https://www.mapage/identityserver-sample-silent.html' }; Mais ça n'a pas l'air de fonctionner (certainement que je m'y prends mal). Pouvez-vous m'aider ? Cordialement, Christophe

6 years, 7 months

2
8
0 / 0

Resource sharing using Keycloak

by Vishnu Prakash

Hi, I am new to keycloak. I am trying to do resources sharing using Permission Management feature in Protection API. The resource server is accessed from a public client app(keycloak public client). But using the token issued to the client app, I am not able to do resource sharing from my resource server. It is throwing following error. {"error":"invalid_clientId","error_description":"Client application [CALL-CENTER-UI] is not registered as a resource server."} Please find my code below, PermissionTicketRepresentation permissionTicketRepresentation = new PermissionTicketRepresentation(); permissionTicketRepresentation.setRequester( "5cb1f43c-d28c-457f-9491-b358f63a8362"); permissionTicketRepresentation.setRequesterName("vishnu"); permissionTicketRepresentation.setOwner("albin"); permissionTicketRepresentation.setResource( "0fb7bfe1-78de-46eb-9e75-4632a67d1afb"); permissionTicketRepresentation.setResourceName("Pro-02-05091019"); permissionTicketRepresentation.setScope("project:view"); permissionTicketRepresentation.setScopeName("project:view"); permissionTicketRepresentation.setGranted(true); AuthzClient.create().protection(token).permission().create(permissionTicketRepresentation); Is to possible to share resources between users without using “Keycloak account app”. Any help will be appreciated. Thanks & Regards, Vishnu Prakash

6 years, 7 months

1
0
0 / 0

Redirect to URI with fragments after successful login

by Yang Yang

Hello, Could you help to tell how I can be redirected to the original URI directly after successful login with Keycloak? When an application (e.g. https://www.mysite.com/myapplication/) is protected by Keycloak, I can access URI with fragment (e.g. https://www.mysite.com/myapplication/abc#12345/zxcdf) after I have successfully logged in. If I try to access the URI before logged in, I will be redirect to the login page for authentication, as expected, but then, after I submit my credentials successfully, I will be redirected to the URI without fragment (https://www.mysite.com/myapplication/abc). Is it possible for me to be redirected to the original URI with fragment after login? What should I do to get that? Thanks, Yang

6 years, 7 months

1
0
0 / 0

gatekeeper - refresh access token on every access

by Julien Goux

Hello, I'm using gatekeeper behind a nginx server. Gatekeeper's logs are pretty obvious until my first access token expired (5 min lifetime). After this period, it seems that gatekeeper is refreshing the token on every access. Here are the logs for *3 * accesses after the first access token has expired, I have the same log for every further access : 1.5687944022004497e+09 info accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40312", "email": "julien.goux(a)live.fr"} 1.5687944022271063e+09 info injecting the refreshed access token cookie {"client_ip": "127.0.0.1:40312", "cookie_name": "kc-access", "email": " julien.goux(a)live.fr ", "refresh_expires_in": 1800, "expires_in": 299.772897193} 1.5687944027145464e+09 info accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40318", "email": " julien.goux(a)live.fr "} 1.5687944027320542e+09 info injecting the refreshed access token cookie {"client_ip": "127.0.0.1:40318", "cookie_name": "kc-access", "email": " julien.goux(a)live.fr ", "refresh_expires_in": 1800, "expires_in": 299.26794899} 1.568794442552826e+09 info accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40328", "email": " julien.goux(a)live.fr "} 1.568794442570195e+09 info injecting the refreshed access token cookie {"client_ip": "127.0.0.1:40328", "cookie_name": "kc-access", "email": " julien.goux(a)live.fr ", "refresh_expires_in": 1800, "expires_in": 299.429808309} Why does gatekeeper keeps refreshing the access token on every access instead of deliverying a new one for 5 min ? Thanks for your help.

6 years, 7 months

1
1
0 / 0

Keycloak client adapter and OWASP recommendations

by Luca Cherubin

Hello, I was checking the OWASP recommendations on how to store a JWT token in the client <https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet...> and they basically suggest this approach: 1. Store the token using the browser *sessionStorage* container. 2. Add it as a *Bearer* with JavaScript when calling services. 3. Add fingerprint <https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet...> information to the token. For the fingerprint, here is how they suggest to implement that: [The fingerprint is...] - A random string that will be generated during the authentication phase and will be included into the token and also send to the client as an hardened cookie (flags: HttpOnly + Secure <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_Http...> + SameSite <https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies> + cookie prefixes <https://googlechrome.github.io/samples/cookie-prefixes/>). - A SHA256 hash of the random string will be stored in the token (instead of the raw value) in order to prevent that any XSS issue allow the attacker to read the random string value and set the expected cookie. I would like to understand if this kind of approach is doable using keycloak and if it would make sense to implement this anyway. For what concern storing the token, would create a single Keycloak instance on the page and share it as a global object a totally bad practice? If it is what approach should I use? Thank Luca

6 years, 7 months

1
0
0 / 0

Keycloak Share a resource with other User

by Nicola

Hi, i'm new to keycloak, i'm watching the *photoz uma example*, in this example a user can *create *a resource and then *share *with other user, i'm interested to this feature. Checking in the JavaDOC i've found that from a PermissionResource i can create a *PermissionTicketRepresentation*, where i can set the resource, the scope, the owner and the requester of the resource, i've tried this, but i get /{"error":"not_authorised","error_description":"permissions for [3707be30-6e85-4d48-92c9-afaf0750eaec] can be only created by the owner"}/ so, how can i do this via code? kind regards -- Sent from: http://keycloak-user.88327.x6.nabble.com/

6 years, 7 months

3
4
0 / 0

Support multiple authentication mechanism in a single war

by Kavis Pandey

Hi, We have JSP+Servlet application (running on wildfly-10) that is configured with Keycloak using keycloak-wildfly adapter. We have used multi-tenancy feature of Keycloak and create the Keycloak Deployment object during runtime by implementing KeycloakConfigResolver. That works fine. Now we have a requirement where our application needs to fall-back to FORM based authentication instead of Keycloak based on certain conditions. So basically we need to support multiple authentication mechanisms during runtime (BASIC + KEYCLOAK) Is it possible ? Thanks in advance, Kavis

6 years, 7 months

1
0
0 / 0

Display only external identity providers on login page (no login passwd fields)

by Sylvere RICHARD

Hi, i was trying to configure keycloak so that only the external identity providers are displayed on the login page for a given realm. I do not want to display the login / passwords fields and ideally this authentication mode based on login/password should be deactivated. Is there any way to achieve this? Thanks S.

6 years, 7 months

3
2
0 / 0

Re: [keycloak-user] [EXTERNAL] Specifying LDAP/AD domain in token endpoint

by Ajinkya Thakare

Hi team, Can someone update on this please? Regards, Ajinkya Thakare On 9/10/19, 4:33 PM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Ajinkya Thakare" <keycloak-user-bounces(a)lists.jboss.org on behalf of Ajinkya.Thakare(a)veritas.com> wrote: Hi team, Is there anyway for the user to specify which LDAP/AD domain to point to while logging in, i.e. while using the token endpoint? The scenario is for a multi-tenant environment, where the same username can be a part of multiple LDAP/AD domains but with different authorization roles setup in each. Here we don’t want our Keycloak instance to sequentially check into every LDAP/AD configuration added, like it does now, but rather check for validating the credentials in only specified domain. Also, if there are different passwords in different domains for same username, the Keycloak instance returns invalid credential error if the user provides the password for a later LDAP/AD config. In this case, an ability to specify the domain will really be helpful. Example: Suppose username ‘athakare’ is a part of two different domains – ‘domain1’ & ‘domain2’, with different passwords, it would be easier if the user can specify something like ‘athakare@domain1’ as his username while logging in. Please let me know if this is already possible in any way using Keycloak. Thanks! Regards, Ajinkya Thakare _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

6 years, 7 months

1
0
0 / 0

multi-valued user attributes: status of the feature?

by Matthieu Huin

Hello, I was looking for a way to display multi-valued user attributes in a custom accounts theme and stumbled upon this old thread: https://lists.jboss.org/pipermail/keycloak-user/2018-January/012801.html Is there any update on this? Has anybody found a workaround for this? I wish I could help or take that task over but my Java is extremely rusty... -- Matthieu Huin Senior Software Developper Red Hat <https://www.redhat.com> <https://red.ht/sig>

6 years, 7 months

1
0
0 / 0

A newly added Hardcoded Role mapper ignores users that have already logged in before

by EXTERNAL Thiele Frank (TNG, INST-CSS/BSV-OS2)

Hello, In our project, we use the "Hardcoded role" mapper within a configured Identity Provider (also a Keycloak instance, in our case the same but a different realm) to describe that each user logging in via Keycloak shall be given a certain role. This works perfectly if the mapper is configured before the first login of the user. The configured role is granted to the (cloned) user when he logs in the first time via Keycloak. But when another "Hardcoded role" mapper is added to configure another role, then the user is not given the other role when he logs in. Only new users logging in the first time get both roles assigned. Is this on purpose or a bug? Mit freundlichen Grüßen / Best regards Frank Thiele Open Source Services 2 - Product Group Customer Success Services (INST-CSS/BSV-OS2) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com> external.Frank.Thiele(a)bosch-si.com<mailto:external.Frank.Thiele@bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic

6 years, 7 months

1
0
0 / 0

app-authz-photoz: error 403

by Alex Rozenberg

Hello, I'm new to Keycloak and trying to follow the example in the keycloak-quickstarts: app-authz-photoz I've built and deployed photoz-html5-client and restful-api using the instruction in the Readme file. After I login using the specified credentials (alice or admin) I get error 403: You can not access or perform the requested operation on this resource Profile page does not display the name and I cannot create albums. Any clues or tips are greatly appreciated. Thank you in advance, Alex Rozenberg

6 years, 7 months

1
0
0 / 0

Encoded URL does not work as redirect_uri

by Edgar Vonk - INFO

Hi, I wondered: was there an update on this issue? I think we run into a similar issue when running the OWASP ZAP tool (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) on our Keycloak-enabled website. ZAP fires the following HTTP GET request on Keycloak: https://our-website.org/auth/realms/our-realm/protocol/openid-connect/aut...<https://our-website.org/auth/realms/our-realm/protocol/openid-connect/aut... &response_type=code&scope=openid&state=fd5a7f52433549218b76af0671956b8b&code_challenge=sSKuLzTeCeLEMXuaKVbp_ReHqYeTiI1LpTdzI6fdY7g&code_challenge_method=S256> Which results in a 500 HTTP response from Keycloak resulting in a medium-level security vulnerability according to ZAP: "Potential Format String Error. The script closed the connection on a /%s” (https://www.owasp.org/index.php/Format_string_attack)' Any suggestions on how to fix or work around this? In the Keycloak logs: 2019-09-16 10:07:20,286 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-7) Uncaught server error: java.lang.IllegalArgumentException: Invalid URL syntax: Malformed escape pair at index 3: ZAP%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s at org.keycloak.protocol.oidc.utils.RedirectUtils.normalizeUrl(RedirectUtils.java:185) at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:83) at org.keycloak.protocol.oidc.utils.RedirectUtils.verifyRedirectUri(RedirectUtils.java:52) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.checkRedirectUri(AuthorizationEndpoint.java:371) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:120) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:108) at sun.reflect.GeneratedMethodAccessor573.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748)

6 years, 7 months

1
1
0 / 0

API Gateway association

by Sylvain Malnuit

Hi, I want to associate Keycloak with an open source API Gateway. Have you any feedback? (Easy and level of integration, support of token revocation,...) Thxs, Sylvain

6 years, 7 months

1
0
0 / 0

Fwd: Metadata import error Keycloak V 7.0.0 - the file cannot be imported. Please verify the file

by abhijeet chauhan

Hi, I am trying to import SAML metadata while creating the Identity provider in Keycloak V7.0.0 and getting the error "Error the file cannot be imported. Please verify the file". Its two node standalone cluster deployed on docker . However importing same metadata from url working fine . Also I have local setup of keycloak (standalone) V7.0.0 and I can import the same metadata on that. Attaching the screenshot of error. Thanks, Vj

6 years, 7 months

1
0
0 / 0

keycloak docker image from minikube

by John Norris

Hi, I am trying to run keycloak from within minikube. This is minikube 1.31 running on Windows. Minikube is running a VM via Virtual Box. Here is my yaml file apiVersion: apps/v1 kind: Deployment metadata: name: keycloak labels: app: keycloak spec: replicas: 1 selector: matchLabels: app: keycloak template: metadata: labels: app: keycloak spec: containers: - name: keycloak image: jboss/keycloak env: - name: KEYCLOAK_USER value: "admin" - name: KEYCLOAK_PASSWORD value: "123456" ports: - containerPort: 8080 I have run other images and they work. But keycloak is killing minikube. So ... > kubectl get pods NAME READY STATUS RESTARTS AGE bikes-594d566c6d-65pdp 1/1 Running 0 14m bikes-594d566c6d-klbhw 1/1 Running 0 14m bikes-594d566c6d-qqppz 1/1 Running 0 14m keycloak-66d55fcc58-5ssj9 0/1 ContainerCreating 0 5m50s Several minutes later > kubectl get pods Unable to connect to the server: http2: server sent GOAWAY and closed the connection; LastStreamID=69, ErrCode=NO_ERROR, debug="" > minikube status host: Running kubelet: Running apiserver: Error kubectl: Correctly Configured: pointing to minikube-vm at 192.168.99.101 If I run keubctl logs keycloak-66d55fcc58-5ssj9 then there are no errors though the last entry is [0m [0m17:43:03,402 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 63) Node name: keycloak-66d55fcc58-5ssj9, Site name: null *** JBossAS process (128) received KILL signal *** So I am not sure if the problem is from keycloak or from minikube. can anyone help? Regards, John

6 years, 7 months

2
1
0 / 0

SAML Identity broker audience restriction condition checking

by Georgi Matev

A couple of questions: 1. Is there a way to disable the audience restriction checking in SAML identity brokering? We have a use case where we have a SAML IdP that is able to accept requests from multiple URLs and we are trying to use it to federate access to several SPs backed by different Keycloak instances. Unfortunately the IdP is not able to change the AudienceRestriction attribute dynamically. If there is a way to disable the check in Keycloak that will unblock us. 1. Somewhat related, can a Keycloak SP process an assertion with an audience restriction that has multiple values? The problem at https://access.redhat.com/solutions/4177341 (can’t see the solution) seems to imply that there is an issue. Would test it myself but do not have a convenient way to set this up. Thanks, -Georgi

6 years, 7 months

1
0
0 / 0

Testing realm-mangement fine grain access control

by M Foster

Hello, I am testing Keycloak for deployment and one of the scenarios for adoption is the ability for some users to manage their own group membership. I've read through the Server Admin guide and it says that this functionality only available in a Technical Preview state. I've enabled the tech preview mode and have enabled Permissions for a group and now see the default scope names that appear under Groups > testgroup > Permissions (view, manage, view-membership, view-members, manage-members, manage-membership), which are part of the realm-management Authorization section. This also creates a group resource "group.resource.<goup_UUID>. I've created a User Policy for a single user and then attached that policy to the Keycloak created permission "manage.membership.permission.group.<group_UUID>" as well as the "group.resource.<group_UUID>. I've also assigned this test admin user the query-groups, query-users, and view-users realm-management client role, so in theory if this user logs into the realm admin console, they should see Groups and Users and be able to select a user and join them to the group in the realm on which I enabled permssions and set the policy. This all works, except the last bit: the "join" button is not visible in the group tab of a user that I'd like to add to my test group. Additionally, I can't manage the settings of any of the users. I have all six permissions assigned to that User Policy, but still no go. Any ideas what piece I'm missing? Thanks.

6 years, 7 months

1
1
0 / 0

Metadata import error Keycloak V 7.0.0 - the file cannot be imported. Please verify the file

by vijay

Hi, I am trying to import SAML metadata while creating the Identity provider in Keycloak V7.0.0 and getting the error "Error the file cannot be imported. Please verify the file". Its two node standalone cluster deployed on docker . However importing same metadata from url working fine . Also I have local setup of keycloak (standalone) V7.0.0 and I can import the same metadata on that. Attaching the screenshot of error. Thanks, Vj

6 years, 7 months

1
0
0 / 0

CORS issue - missing "allow origin" headers

by Louis JOHANET

Hi, We are currently facing the following issue : calling a protected client with AJAX fails with the following message : Access to XMLHttpRequest at 'http://localhost:8081/auth/realms/my_realm/protocol/openid-connect/auth?r...' (redirected from 'http://localhost:8080/my_client') from origin 'http://localhost:8080' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Now this client uses the Java adapter, and does have a proper Web Origin (e.g. http://localhost:8080), which is indeed found in the access token. The keycloak.json also has enable-cors set to true. Indeed Keycloak's response is missing Access-Control-Allow-Origin headers. Adding Web Origins in the client configuration has no effect on the returned headers. I believe we need to add such headers in the Apache configuration, but I am surprised that this case did not come up in the docs since any client without a valid session receiving an AJAX request will cause the problem above, due to the 302 Redirect to Keycloak. Have you ever come across this issue ? Best regards, Louis Johanet

6 years, 7 months

1
0
0 / 0

Remove kcinit and text-based authentication flows

by Stian Thorgersen

kcinit and it's associated text-based authentication flows adds quite a bit of complexity. It was never fully completed and we don't have capacity to complete it. Text-based authentication flows are also not really all that useful. There are other better approaches to authenticate devices without a web browser, and when there is a web browser that should be used rather than cli. I propose we remove both kcinit as well as the text-based authentication flows. We also need to revert KeycloakInstalled to how it was prior to this was added as it is currently fairly broken.

6 years, 7 months

1
0
0 / 0

keycloak.js: updateToken creates invalid url

by Weber, Wolfgang

Hi! Our customer uses our application (running with Keycloak 6.0.1) with multiple tabs open. We recognized that there's a scenario where keycloak.js generates invalid urls in updateToken method where parameter refresh_token is undefined: "postData": { "mimeType": "application/x-www-form-urlencoded", "text": "grant_type=refresh_token&refresh_token=undefined&client_id=r6-ui", .... }) We can reproduce this behaviour on our customers environment with: * enable SSO * with a Kerberos plugin for automatic login * open multiple tabs from within tab 1 * refresh tab 1 or wait for session timeout So it look like, that we can manage it in the multi tab scenario, to call clearToken while a updateToken request is processed. Is there anything we can do to overcome this issue? Kind regards, Wolfgang  { "startedDateTime": "2019-08-27T15:12:12.434Z", "time": 5.363002419471741, "request": { "method": "POST", "url": "http://host/auth/realms/R6/protocol/openid-connect/token", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Origin", "value": "http://host" }, { "name": "Accept-Encoding", "value": "gzip, deflate" }, { "name": "Host", "value": "host" }, { "name": "Accept-Language", "value": "de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7" }, { "name": "User-Agent", "value": "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" }, { "name": "Content-type", "value": "application/x-www-form-urlencoded" }, { "name": "Accept", "value": "*/*" }, { "name": "Referer", "value": "http://host/r6-ui/client/index" }, { "name": "Cookie", "value": "AUTH_SESSION_ID=73fa22f1-b574-4714-abe1-42fce5f900db.dev-06; KEYCLOAK_IDENTITY=..." }, { "name": "Connection", "value": "keep-alive" }, { "name": "Content-Length", "value": "64" } ], "queryString": [], "cookies": [ { "name": "AUTH_SESSION_ID", "value": "73fa22f1-b574-4714-abe1-42fce5f900db.dev-06", "expires": null, "httpOnly": false, "secure": false }, { "name": "KEYCLOAK_IDENTITY", "value": "....", "expires": null, "httpOnly": false, "secure": false }, { "name": "KEYCLOAK_SESSION", "value": "R6/a5f78b44-bcaa-4b88-bd48-298c57a8f9f2/73fa22f1-b574-4714-abe1-42fce5f900db", "expires": null, "httpOnly": false, "secure": false } ], "headersSize": 1310, "bodySize": 64, "postData": { "mimeType": "application/x-www-form-urlencoded", "text": "grant_type=refresh_token&refresh_token=undefined&client_id=r6-ui", "params": [ { "name": "grant_type", "value": "refresh_token" }, { "name": "refresh_token", "value": "undefined" }, { "name": "client_id", "value": "r6-ui" } ] } }, "response": { "status": 400, "statusText": "Bad Request", "httpVersion": "HTTP/1.1", "headers": [ { "name": "Pragma", "value": "no-cache" }, { "name": "Date", "value": "Tue, 27 Aug 2019 15:10:40 GMT" }, { "name": "Server", "value": "Apache/2.4.39 (Unix) OpenSSL/1.0.2k-fips" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Access-Control-Allow-Origin", "value": "http://host" }, { "name": "Access-Control-Expose-Headers", "value": "Access-Control-Allow-Methods" }, { "name": "Cache-Control", "value": "no-store" }, { "name": "Access-Control-Allow-Credentials", "value": "true" }, { "name": "Connection", "value": "close" }, { "name": "Content-Length", "value": "69" } ], "cookies": [], "content": { "size": 69, "mimeType": "application/json", "compression": 0 }, "redirectURL": "", "headersSize": 395, "bodySize": 69, "_transferSize": 464 }, "cache": {}, "timings": { "blocked": 1.3490057005882263, "dns": -1, "ssl": -1, "connect": -1, "send": 0.07300000000000001, "wait": 3.2689990525245665, "receive": 0.6719976663589478, "_blocked_queueing": 1.0850057005882263 }, "serverIPAddress": "10.1.85.183", "_initiator": { "type": "script", "stack": { "callFrames": [ { "functionName": "exec", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1812461 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1812565 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792930 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1794553 } ], "parent": { "description": "postMessage", "callFrames": [ { "functionName": "", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 109, "columnNumber": 25 }, { "functionName": "checkCookie", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 31, "columnNumber": 20 }, { "functionName": "req.onreadystatechange", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 61, "columnNumber": 28 } ], "parent": { "description": "XMLHttpRequest.send", "callFrames": [ { "functionName": "checkState", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 69, "columnNumber": 16 }, { "functionName": "receiveMessage", "scriptId": "506", "url": "http://host/auth/realms/R6/protocol/openid-connect/login-status-iframe.html", "lineNumber": 108, "columnNumber": 8 } ], "parent": { "description": "postMessage", "callFrames": [ { "functionName": "checkLoginIframe", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1795110 }, { "functionName": "Keycloak.kc.updateToken", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1812527 }, { "functionName": "R6AuthenticationHolderImpl.updateToken", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1061095 }, { "functionName": "R6SessionHandlerImpl.check", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1287472 }, { "functionName": "R6SessionHandlerImpl.updateTimeout", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1287221 }, { "functionName": "R6SessionInterceptor.response", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1286496 }, { "functionName": "response", "scriptId": "498", "url": "http://host/r6-ui/client/resources/lib.js", "lineNumber": 0, "columnNumber": 1285688 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176239 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176524 }, { "functionName": "$digest", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1187078 }, { "functionName": "$apply", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1189842 }, { "functionName": "done", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1143003 }, { "functionName": "completeRequest", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1147207 }, { "functionName": "xhr.onload", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1148651 } ], "parent": { "description": "load", "callFrames": [ { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1148435 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1145310 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1145529 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176239 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1176524 }, { "functionName": "$digest", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1187078 }, { "functionName": "$apply", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1189842 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1062210 }, { "functionName": "invoke", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1076174 }, { "functionName": "doBootstrap", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1062104 }, { "functionName": "bootstrap", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1062580 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 160729 }, { "functionName": "mightThrow", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 223677 }, { "functionName": "process", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224305 } ], "parent": { "description": "setTimeout", "callFrames": [ { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224612 }, { "functionName": "fire", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 221268 }, { "functionName": "add", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 221726 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224812 }, { "functionName": "Deferred", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 225492 }, { "functionName": "then", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 224663 }, { "functionName": "jQuery.fn.ready", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 226629 }, { "functionName": "jQuery.fn.init", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 218206 }, { "functionName": "jQuery", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 180073 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 160702 }, { "functionName": "tryCatcher", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 104913 }, { "functionName": "Promise._settlePromiseFromHandler", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 66489 }, { "functionName": "Promise._settlePromise", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 67772 }, { "functionName": "Promise._settlePromise0", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 68812 }, { "functionName": "Promise._settlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 70495 }, { "functionName": "Promise._fulfill", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 69308 }, { "functionName": "PromiseArray._resolve", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 75658 }, { "functionName": "PromiseArray._promiseFulfilled", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 76061 }, { "functionName": "Promise._settlePromise", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 67955 }, { "functionName": "Promise._settlePromise0", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 68812 }, { "functionName": "Promise._settlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 70495 }, { "functionName": "Async._drainQueue", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 3975 }, { "functionName": "Async._drainQueues", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 4040 }, { "functionName": "Async.drainQueues", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1696 } ], "parent": { "description": "Promise.then", "callFrames": [ { "functionName": "schedule", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 89929 }, { "functionName": "Async._queueTick", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 4229 }, { "functionName": "AsyncSettlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 2010 }, { "functionName": "util.hasDevTools.Async.settlePromises", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 3577 }, { "functionName": "Promise._fulfill", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 69332 }, { "functionName": "Promise._resolveCallback", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 64681 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 65941 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792677 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1802938 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792930 }, { "functionName": "authSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1787381 }, { "functionName": "req.onreadystatechange", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1788403 } ], "parent": { "description": "XMLHttpRequest.send", "callFrames": [ { "functionName": "processCallback", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1788608 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1806366 }, { "functionName": "setSuccess", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1792930 }, { "functionName": "iframe.onload", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1793899 } ], "parent": { "description": "load", "callFrames": [ { "functionName": "setupCheckLoginIframe", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1793572 }, { "functionName": "", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1806323 }, { "functionName": "success", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1793103 }, { "functionName": "Keycloak.kc.init", "scriptId": "496", "url": "http://host/r6-ui/client/resources/vendor.js", "lineNumber": 0, "columnNumber": 1806139 }, { "functionName": "", "scriptId": "505", "url": "http://host/r6-ui/client/index", "lineNumber": 139, "columnNumber": 17 } ] } } } } } } } } } }, "_priority": "High", "_resourceType": "xhr", "connection": "6236", "pageref": "page_6" }, ________________________________ BearingPoint Technology GmbH Sitz: Premst?tten bei Graz Firmenbuchgericht: Landesgericht f?r ZRS Graz Firmenbuchnummer: FN 44354b The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.

6 years, 7 months

1
0
0 / 0

Re: [keycloak-user] [keycloak-dev] Unable to connect to an external datasource for a protocol mapper

by Thomas Darimont

Hi Thomas, I think a more suitable list for this kind of questions is the keycloak-users Mailinglist. I think in your case you can reduce your example to a single ejb-jar deployment. Furthermore you can refer to a datasource configured in Wildfly via JNDI instead of providing your own datasource via persistence.xml. See: https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc... The trick to get a custom EntityManager injected into a component is to turn the component into an EJB and access it via JNDI, e.g.: ... @Stateless @Local public class UserRepository { @PersistenceContext(unitName = "UserPU") protected EntityManager entityManager; public Object getData() { // implement your query return entityManager != null ? "data" : null; } } Then you can use JNDI to lookup the bean in your custom ProtocolMapper, e.g.: private UserRepository getUserRepository() { try { String moduleName = new File(getClass().getProtectionDomain().getCodeSource().getLocation().getFile()).getName().replaceAll("\\.jar$", ""); String jndiName = String.format("java:global/%s/%s", moduleName, UserRepository.class.getSimpleName()); return (UserRepository) new InitialContext().lookup(jndiName); } catch (NamingException e) { throw new RuntimeException(e); } } With those changes I could run your example: https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc... See: https://github.com/thomasdarimont/keycloak-bug-entity-manager-tokenEnhanc... Cheers, Thomas On Wed, 11 Sep 2019 at 20:47, Thomas <tlann(a)technoeclectic.com> wrote: > I'm a little inexperienced when it comes to Java EE. So let me apoligize > because I'm guessing this will be a small setup mistake. I've setup > databases for applications but I'm having a really tough time with > connecting to for a Keycloak module. The database exists separate from > Keycloak's user db and a LDAP/AD because other services for our application > need to access the claims database through rabbitmq and rest services. > > I'm able to setup a datasource in Wildfly and verify it can connect to the > database. So I know the connection info is good. The module successfully > deploys to Keycloak. When the Protocol Mapper is ran, I only try checking > the nullity of the EntityManager that should be injected as well as one > that gets created from the PU by hand. The injected em is null and the one > created on a spot throws an exception about being unable to find the > persistence.xml file. > > What are some good troubleshooting techniques for developing in Keycloak? > Is it more appropriate to turn up the hibernate logger in Keycloak or > Wildfly? > > Could someone take a look at an exmple give me some advice? > A code example is at https://github.com/tlann/tokenEnhancer.git > > The deployment log and exception are as follows > > Thanks, > Thomas > > 17:06:51,406 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-4) WFLYSRV0027: Starting deployment of > "token-enhancer-ear-1.0.0-SNAPSHOT.ear" (runtime-name: > "token-enhancer-ear-1.0.0-SNAPSHOT.ear") > 17:06:51,493 INFO [org.jboss.as.server.deployment] (MSC service thread > 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: > "com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar") > 17:06:51,497 INFO [org.jboss.as.jpa] (MSC service thread 1-4) WFLYJPA0002: > Read persistence.xml for UserPU > 17:06:51,514 INFO [org.jboss.as.jpa] (MSC service thread 1-4) WFLYJPA0002: > Read persistence.xml for UserPU > 17:06:51,539 WARN [org.jboss.as.dependency.private] (MSC service thread > 1-1) WFLYSRV0018: Deployment > "deployment.token-enhancer-ear-1.0.0-SNAPSHOT.ear.com > .example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar" > is using a private module ("org.keycloak.keycloak-services") which may be > changed or removed in future versions without notice. > 17:06:51,553 WARN [org.jboss.as.dependency.private] (MSC service thread > 1-4) WFLYSRV0018: Deployment > "deployment.token-enhancer-ear-1.0.0-SNAPSHOT.ear" is using a private > module ("org.keycloak.keycloak-services") which may be changed or removed > in future versions without notice. > 17:06:51,555 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 81) > WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service > > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear/com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar#UserPU' > 17:06:51,555 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 81) HHH000204: Processing PersistenceUnitInfo > [ > name: UserPU > ...] > 17:06:51,575 INFO [org.jboss.weld.deployer] (MSC service thread 1-3) > WFLYWELD0003: Processing weld deployment > token-enhancer-ear-1.0.0-SNAPSHOT.ear > 17:06:51,599 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 82) > WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear#UserPU' > 17:06:51,599 INFO [org.hibernate.jpa.internal.util.LogHelper] > (ServerService Thread Pool -- 82) HHH000204: Processing PersistenceUnitInfo > [ > name: UserPU > ...] > 17:06:51,643 INFO > > [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] > (MSC service thread 1-3) Deploying Keycloak provider: > com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar > 17:06:51,678 WARN [org.keycloak.services] (MSC service thread 1-3) > KC-SERVICES0047: oidc-token-enhancer-mapper > (business.KeycloakTokenEnhancer) is implementing the internal SPI > protocol-mapper. This SPI is internal and may change without notice > 17:06:51,701 INFO [org.jboss.weld.deployer] (MSC service thread 1-3) > WFLYWELD0003: Processing weld deployment > com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar > 17:06:51,779 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 81) > WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service > > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear/com.example.security-token-enhancer-module-1.0.0-SNAPSHOT.jar#UserPU' > 17:06:51,780 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 81) HHH000400: Using dialect: > org.hibernate.dialect.PostgreSQL95Dialect > 17:06:51,797 INFO > [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl] > (ServerService Thread Pool -- 81) HHH000424: Disabling contextual LOB > creation as createClob() method threw error : > java.lang.reflect.InvocationTargetException > 17:06:51,797 INFO [org.hibernate.type.BasicTypeRegistry] (ServerService > Thread Pool -- 81) HHH000270: Type registration [java.util.UUID] overrides > previous : org.hibernate.type.UUIDBinaryType@3e14892a > 17:06:51,801 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] > (ServerService Thread Pool -- 81) Envers integration enabled? : true > 17:06:51,820 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,820 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,821 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,821 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 81) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,854 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 82) > WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service > 'token-enhancer-ear-1.0.0-SNAPSHOT.ear#UserPU' > 17:06:51,855 INFO [org.hibernate.dialect.Dialect] (ServerService Thread > Pool -- 82) HHH000400: Using dialect: > org.hibernate.dialect.PostgreSQL95Dialect > 17:06:51,868 INFO > [org.hibernate.engine.jdbc.env.internal.LobCreatorBuilderImpl] > (ServerService Thread Pool -- 82) HHH000424: Disabling contextual LOB > creation as createClob() method threw error : > java.lang.reflect.InvocationTargetException > 17:06:51,869 INFO [org.hibernate.type.BasicTypeRegistry] (ServerService > Thread Pool -- 82) HHH000270: Type registration [java.util.UUID] overrides > previous : org.hibernate.type.UUIDBinaryType@3e14892a > 17:06:51,873 INFO [org.hibernate.envers.boot.internal.EnversServiceImpl] > (ServerService Thread Pool -- 82) Envers integration enabled? : true > 17:06:51,882 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,882 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,882 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,883 WARN > [org.infinispan.hibernate.cache.v53.InfinispanRegionFactory] > (ServerService Thread Pool -- 82) HHH025030: Transactional caches are not > supported. The configuration option will be ignored; please unset. > 17:06:51,982 INFO [io.smallrye.metrics] (MSC service thread 1-1) > MicroProfile: Metrics activated > 17:06:52,273 INFO [org.jboss.as.server] (DeploymentScanner-threads - 2) > WFLYSRV0010: Deployed "token-enhancer-ear-1.0.0-SNAPSHOT.ear" (runtime-name > : "token-enhancer-ear-1.0.0-SNAPSHOT.ear") > 17:07:15,373 INFO [stdout] (default task-16) > ++++++++++++++++++++++++++++++++ > 17:07:15,380 INFO [stdout] (default task-16) entityManager is null > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 INFO [org.hibernate.jpa.boot.internal.PersistenceXmlParser] > (default task-16) HHH000318: Could not find any META-INF/persistence.xml > file in the classpath > 17:07:15,381 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > (default task-16) Uncaught server error: > javax.persistence.PersistenceException: No Persistence provider for > EntityManager named UserPU > at > > javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:85) > at > > javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:54) > at > > business.KeycloakTokenEnhancer.transformAccessToken(KeycloakTokenEnhancer.java:43) > at > > org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:553) > at > > org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:411) > at > > org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:712) > at > > org.keycloak.services.resources.admin.ClientScopeEvaluateResource.generateToken(ClientScopeEvaluateResource.java:206) > at > > org.keycloak.services.resources.admin.ClientScopeEvaluateResource.generateExampleAccessToken(ClientScopeEvaluateResource.java:178) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370) > at > > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372) > at > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > at > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440) > at > > org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) > at > > org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) > at > > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) > at > > org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) > at > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) > at > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > at > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > at > > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > at > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > > io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > at > > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > at > > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > at > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:364) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > at > > org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > at > > org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) > at > > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) > at > > org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) > at java.lang.Thread.run(Thread.java:748) > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev >

6 years, 7 months

1
0
0 / 0

Re: [keycloak-user] Gatekeeper issue, should I repost or no? I don't want to troll!

by Nick Powers

See reply, my previous response only went to Bruno. On Wed, Sep 11, 2019 at 2:50 PM Nick Powers <sshscp(a)gmail.com> wrote: > Thanks for your response Bruno! I understand that this is a community > mailing list and not a support mailing list. I appreciate the help I do > get from here and understand that everyone is busy. I'm not sure what > steps are involved to file a Jira, or even what a Jira is LOL. > > I guess I'll give it some more time before re-posting. It's not a > straightforward question and I know Gatekeeper users are a subset of > Keycloak users. I really like Keycloak and the benefits it provides and > hope I can continue using it. > > Thanks to all the community members here. You are a great group of people! > > Nick > > On Wed, Sep 11, 2019 at 1:49 PM Bruno Oliveira <bruno(a)abstractj.org> > wrote: > >> Hi Nick, I'm very sorry if my answer didn't help you at all, but your >> issue requires further investigation. Please keep in mind that this is >> a community mailing list, not a support mailing list, we we love to >> help, but at the same time we also have other tasks in our plate. >> >> Whether or not you should repost, troll or anything else. The answer >> is: it's up to you, I don't think anybody will be upset or pissed off. >> That's one of the joys of open source, the freedom. >> >> As soon as I have the time to investigate your issue, I will be more >> than happy to attempt to answer your question, but I don't have an ETA >> for this. >> >> If you would like to, feel free to file a Jira, mark as a bug and we >> can do a proper triage. >> >> On Wed, Sep 11, 2019 at 4:40 PM Nick Powers <sshscp(a)gmail.com> wrote: >> > >> > I posted a message last Saturday entitled "Gatekeeper failing to proxy >> for >> > redirect". I did receive a response the following Monday (Thanks >> Bruno!) >> > asking for some more detail, which I replied to shortly after I received >> > his email but I have not received any replies since then. >> > >> > My question now is should I repost it if I do not receive any more >> > responses? I don't want to troll but there is really not anywhere else >> I >> > can ask about this. If I cannot find an answer here, then I guess I >> won't >> > find an answer and thus will not be able to continue using >> > Keycloak/Gatekeeper. :( >> > >> > Can someone please advise what I should do? I don't want to piss anyone >> > off in this group by reposting. I have been helped in the past with >> this >> > group and I value the members and I know they are under no obligation >> but, >> > I don't know where else I should turn. Are there any other resources >> for >> > Keycloak/gatekeeper questions? If I should repost here, then how often >> do >> > you suggest? I don't want to upset anyone. >> > >> > Thanks >> > >> > Nick >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user(a)lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> -- >> - abstractj >> >

6 years, 7 months

1
0
0 / 0

User cannot assign client Role to user with just

by robrecht anrijs

Hi keycloak users, We recently upgraded from keycloak 3.4.3 to 6.0.1, and noticed that a user with the roles 'manage-users' and 'view-users' on the client 'realm-management' cannot see the list of client roles any more. Because of that, the user cannot assing a specific client role to a group or a user. Screenshot: I[image: image.png] Is this a bug? Or is expected behaviour? As a workaround I added the role 'view-clients' to that user, but now the users sees to much. I only want to configure that user, so he can manage the roles for users & groups. Do I need to enahble the fine-grained permissions for that ( https://www.keycloak.org/docs/6.0/server_admin/#_fine_grain_permissions) Thx for the answers, Kind regards, Robrecht

6 years, 7 months

3
3
0 / 0

Can we suppress email verification for a single login?

by Andrew Braae

We are inviting people to our system via email. When someone follows one of our invite links, we assume their email address is valid. So when they arrive at Keycloak, we don't want these people to be asked to do email verification. For them (only), we want Keycloak to behave as if "Verify email" was turned off for the realm. Is there some way to achieve this? Cheers, Andrew

6 years, 7 months

1
0
0 / 0

Gatekeeper issue, should I repost or no? I don't want to troll!

by Nick Powers

I posted a message last Saturday entitled "Gatekeeper failing to proxy for redirect". I did receive a response the following Monday (Thanks Bruno!) asking for some more detail, which I replied to shortly after I received his email but I have not received any replies since then. My question now is should I repost it if I do not receive any more responses? I don't want to troll but there is really not anywhere else I can ask about this. If I cannot find an answer here, then I guess I won't find an answer and thus will not be able to continue using Keycloak/Gatekeeper. :( Can someone please advise what I should do? I don't want to piss anyone off in this group by reposting. I have been helped in the past with this group and I value the members and I know they are under no obligation but, I don't know where else I should turn. Are there any other resources for Keycloak/gatekeeper questions? If I should repost here, then how often do you suggest? I don't want to upset anyone. Thanks Nick

6 years, 7 months

2
1
0 / 0

random issue with Keycloak 7 clustered and restarting keycloak

by Andrew Schmidt

We've recently setup Keycloak 7 in a clustered environment using multicast. (standalone-ha) Everything works great most of the time. But randomly, upon restarting Keycloak on one server, keycloak will not be able to find the other instance. We've called the servers keycloak01 and keycloak02. When the problem occurs, the flow goes something like this: Keycloak01 running Keycloak02 running Restart keycloak02 Keycloak2 reports: no members discovered after 3003 ms: creating cluster as first member Nothing in keycloak01 logs suggests it knows about keycloak02 anymore At this point keycloak02 can never talk to keycloak01 until keycloak01 is restarted. After restarting keycloak01, everything is fine again. Here are the keycloak01 logs when keycloak02 is restarting <keycloak02 stopping> 2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t3) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,008 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t12) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,010 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,011 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,012 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 16 2019-09-11 15:09:22,056 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,057 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,059 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:09:22,060 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|6] (1) [keycloak01] 2019-09-11 15:09:22,060 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster <keycloak02 starting> 2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02] 2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster 2019-09-11 15:09:26,679 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02] 2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster 2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|7] (2) [keycloak01, keycloak02] 2019-09-11 15:09:26,680 INFO [org.infinispan.CLUSTER] (thread-14,ejb,keycloak01) ISPN100000: Node keycloak02 joined the cluster On a problematic restart keycloak01 logs are as follows: <keycloak02 stopping> 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t14) [Context=offlineClientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=work] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t9) [Context=loginFailures] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,915 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=offlineSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t13) [Context=authenticationSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t11) [Context=sessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t10) [Context=actionTokens] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:09:43,916 INFO [org.infinispan.CLUSTER] (remote-thread--p10-t15) [Context=clientSessions] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:10:03,902 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t3) [Context=client-mappings] ISPN100008: Updating cache members list [keycloak01], topology id 21 2019-09-11 15:10:03,912 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,913 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,913 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,914 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,915 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,915 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|8] (1) [keycloak01] 2019-09-11 15:10:03,916 INFO [org.infinispan.CLUSTER] (thread-23,ejb,keycloak01) ISPN100001: Node keycloak02 left the cluster <keycloak02 starting> ... no more logs will show up and keycloak02 reports no members Notice the time between [Context=clientSessions] and [Context=client-mappings] is 20 seconds on this problematic restart vs the successful one. Anyone have any ideas?

6 years, 7 months

1
0
0 / 0

Requesting permission by resource name from another resource server results in "Resource Doesn't exist"

by Or Harary

Hey, When I'm logged in as a user (grant_type=password), and I'm trying to request a permission ticket for a resource by its name, and I'm using the token endpoint and grant type "urn:ietf:params:oauth:grant-type:uma-ticket", everything works well. But if I'm using a resource server token (from a login using client_credentials), and i'm trying to request permissions for a resource in another resource server, by the resource name, it results with the following error: { error: 'invalid_resource', error_description: 'Resource with id [my-resource-name] does not exist.' } When I'm requesting the resource with its ID, everything works as expected. In version 3.4 it worked well. I now checked it in version 6.0.1 and version 7.0.0 and it doesn't work and it seems to be because of this line: https://github.com/keycloak/keycloak/blob/9c2525ec1afb6737dd012d3c744a409... Is this the expected behaviour or a bug? Thanks in advance, Or

6 years, 7 months

2
7
0 / 0

Re: [keycloak-user] Offline tokens - how to revoke a single token?

by Rivat Olivier

Best practise is to have offline token per user per app. In the realm setting, you can limit the number of refresh/offline tokens (by default one, when the this flag is activated) It is also up to the user to manage/store the current token in user for a specific app. Like this, you only have an handful of refresh/offline tokens to deal with (also one per device). Regards, Olivier Le 11/09/2019 à 11:18, Przemek Bielicki a écrit : > That would make sense for me if we could only have one offline token > per user per client. > If Keycloak allows to have multiple, why can't we revoke one by one? I > assume it's just a missing feature. > > Przemek > > On Wed, Sep 11, 2019 at 11:05 AM Rivat Olivier <orivat(a)janua.fr > <mailto:orivat@janua.fr>> wrote: > > Well, OfflineTokens are jwt tokens. So they always exist in the > context of a user and application. > Hence a token is always tied to this tuple (user/client) context. > > Revoking single token implies to delete on a per user basis. > > Regards, > > Olivier > > > Le 11/09/2019 à 11:00, Przemek Bielicki a écrit : >> Hi, >> >> afaik it's only possible to revoke all for given user / client: >> DELETE >> http://localhost:5081/keycloak/admin/realms/{realm}/users/{userId}/consen... >> <http://localhost:5081/keycloak/admin/realms/%7Brealm%7D/users/%7BuserId%7...> >> >> I could not find REST API do revoke single tokens. Does it exist? >> >> Cheers, >> Przemek >> >> On Wed, Sep 11, 2019 at 10:29 AM Rivat Olivier <orivat(a)janua.fr >> <mailto:orivat@janua.fr>> wrote: >> >> Hi, >> >> Have a look at following blog. With the admin UI or Self >> self-service >> you easily revoke offLine Sessions. >> http://www.janua.fr/offline-sessions-and-offline-tokens-within-keycloak/ >> >> You should also be able to do it with REST API, but I haven't >> had time >> to describe it. >> >> Regards, >> Olivier Rivat >> >> >> Le 11/09/2019 à 10:19, Przemek Bielicki a écrit : >> > Hi, >> > >> > is it possible to revoke single offline token? How? >> > If not, do you consider adding such feature? >> > If not, why? Is there any specific reason why it's not >> possible to revoke >> > offline tokens one by one? >> > >> > Thanks, >> > Przemek Bielicki >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user(a)lists.jboss.org >> <mailto:keycloak-user@lists.jboss.org> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> <mailto:keycloak-user@lists.jboss.org> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>

6 years, 7 months

2
2
0 / 0

Empty username allowed in review profile config

by Kaspar Papli

Hey, I discovered that an empty username is allowed in the Update Account Information page which appears in the first broker login flow. I assume this is a bug? Steps to reproduce: 1. Setup Google as an identity provider. 2. Set Authentication Flows -> First Broker Login -> review profile config -> Actions -> Config -> Update Profile on First Login -> "on" 3. Attempt login with Google (with a Google account that is not yet connected to any Keycloak account). 4. After authentication with Google, in the Update Account Information page, delete the username i.e. set it to an empty string and submit. Expected result: An error is shown about the username being required. Actual result: Registration succeeds and an account is created with an empty username. Workaround: Create an account with an empty username like this. In that case, the next attempt at repeating this fails with "User with username already exists". Realm login settings in my configuration that might be relevant: - User registration: on - Email as username: off - Edit username: off - Forgot password: on - Remember me: on - Verify email: on - Login with email: on Keycloak version: 7.0.0 All the best, Kaspar

6 years, 7 months

1
0
0 / 0

Offline tokens - how to revoke a single token?

by Przemek Bielicki

Hi, is it possible to revoke single offline token? How? If not, do you consider adding such feature? If not, why? Is there any specific reason why it's not possible to revoke offline tokens one by one? Thanks, Przemek Bielicki

6 years, 7 months

2
2
0 / 0

Account registration with proprietary Masterdata

by Ratna Kamireddy

Hi, I want to know the best practise to follow in Keycloak or any OAuth server to sync keycloak users with the proprietary system. We are having a proprietary system (called MDM) that handle all the user / person / organisation / employer / employee information in microservice environment. We moved to keycloak for authentication & authorization across all microservices. And all the endpoints are secured by keycloak. And we never bothered about user registration. Now we have enabled user registration on keycloak.And now figuring out what is the best way to sync keycloak users after registration with the existing MDM. All our microservices can understand the users in MDM and not the users in keycloak as if they need more info about user it can interact with MDM. My first thought would be sending REST request to MDM from keycloak with the newly registered user information. Please share your experience if you guys already done it in your system. Regards Ratna

6 years, 7 months

3
2
0 / 0

update user attributes on every social login

by kkzxak47

Hi, Sorry I fail to provide enough info in the previous question, so here is the detail. Say I have implemented a new social login privider: public class WechatWorkIdentityProvider extends AbstractOAuth2IdentityProvider<WechatWorkProviderConfig> implements SocialIdentityProvider<WechatWorkProviderConfig> There are several attributes from this IdP need to be added to keycloak. So I added them in `BrokeredIdentityContext`, details: ``` @Override protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder event, JsonNode profile) { BrokeredIdentityContext identity = new BrokeredIdentityContext( (getJsonProperty(profile, "userid"))); identity.setUsername(getJsonProperty(profile, "userid").toLowerCase()); identity.setBrokerUserId(getJsonProperty(profile, "userid").toLowerCase()); identity.setModelUsername(getJsonProperty(profile, "userid").toLowerCase()); identity.setFirstName(getJsonProperty(profile, "email").split("@")[0].toLowerCase()); identity.setLastName(getJsonProperty(profile, "name")); identity.setEmail(getJsonProperty(profile, "email").toLowerCase()); identity.setUserAttribute(PROFILE_MOBILE, getJsonProperty(profile, "mobile")); identity.setUserAttribute(PROFILE_GENDER, getJsonProperty(profile, "gender")); identity.setUserAttribute(PROFILE_STATUS, getJsonProperty(profile, "status")); identity.setUserAttribute(PROFILE_ENABLE, getJsonProperty(profile, "enable")); identity.setIdpConfig(getConfig()); identity.setIdp(this); AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, profile, getConfig().getAlias()); return identity; } ``` New users will set and map mobile/gender... correctly, but old users already logged in with IdP will not receive custom attributes. My question is how can I make user attributes update everytime user login with the social IdP not matter it's old or new user? Is there another method that I need to override, or another API to call, or I have to modify keycloak source code? Thanks! Victor Z.

6 years, 7 months

1
0
0 / 0

Specifying LDAP/AD domain in token endpoint

by Ajinkya Thakare

Hi team, Is there anyway for the user to specify which LDAP/AD domain to point to while logging in, i.e. while using the token endpoint? The scenario is for a multi-tenant environment, where the same username can be a part of multiple LDAP/AD domains but with different authorization roles setup in each. Here we don’t want our Keycloak instance to sequentially check into every LDAP/AD configuration added, like it does now, but rather check for validating the credentials in only specified domain. Also, if there are different passwords in different domains for same username, the Keycloak instance returns invalid credential error if the user provides the password for a later LDAP/AD config. In this case, an ability to specify the domain will really be helpful. Example: Suppose username ‘athakare’ is a part of two different domains – ‘domain1’ & ‘domain2’, with different passwords, it would be easier if the user can specify something like ‘athakare@domain1’ as his username while logging in. Please let me know if this is already possible in any way using Keycloak. Thanks! Regards, Ajinkya Thakare

6 years, 7 months

1
0
0 / 0

Map arbitrary LDAP value to an Attribute

by Christophe de Vienne

Hi everyone, I need to copy a property of a parent organizational unit to a user attribute. >From what I understand, no existing ldap mapper is able to do that, which means I need to code my own ldap mapper (that would inherit AbstractLDAPStorageMapper). Is this the best way to achive this goal? Thanks in advance, Christophe

6 years, 7 months

1
1
0 / 0

How to update user attributes with each login, not just the first one?

by kkzxak47

Hi fellow keycloak users, It's been several months since I adopted keyclak as the SSO tool for my company, everything went smoothly with one little glitch. Currently we use a social login IdP as our main login method, we trust it unconditionally. But I find that custom user attributes from that IdP will not update in keycloak after the first login. And old users will not have these attributes at all. So I was wondering what can I do to make keycloak update user attributes on each and every login with the social IdP? Victor Z.

6 years, 7 months

1
0
0 / 0

Long user upload procedure

by Игорь Хесин

Asking for your help. We start docker image stand-alone Keycloack in openshift. We add new users using REST. But everything works very slowly. For 240000 users the uploads takes 24 hours. 1. Has anyone come across this? 2. How do you add and update users? Our server: CPU 4 4 GB. Our version of keyclock 7.3.1.GA. Thank you Igor

6 years, 7 months

2
1
0 / 0

Keycloak single logout is not working

by Hashem Ramadan

Hey, I am using keycloak as IdP server for the saml SSO, I am using spring boot application beside two more software docebo and channeltivity, The single sign-on is working, but while I am press sign out from docebo its not logging out, and in the same channeltivity it's not working. any leads to solve this? --

6 years, 7 months

1
0
0 / 0

Admin CLI - how to a a builtin protocol Mapper to a Client

by Bruce Smith

Hi I am trying to add the built-in protocol mapper "realm roles" to a client using the Admin CLI. I must have tried 500 syntactic combinations for the "--set" parameter; they all result in either no error (but no mapper added to the client), or a Java exception (com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of `java.util.ArrayList` out of VALUE_STRING token). Does anyone have an example that can be shared of successfully using the Admin CLI for this operation, please? Keycloak version is 6.0.1 Regards Bruce

6 years, 7 months

2
2
0 / 0

KeyCloak Client Credentials pass http header values

by Rohit Chowdhary

I want to connect two applications ClientApp, ResourceApp securely on behalf of a user via KeyCloak as the authorization server. User does a login into ClientApp and then ClientApp calls REST APIs on Resource App in the background. I have setup KeyCloak adjacent to ResourceApp and configured ClientApp as a KeyCloak client. ClientApp gets the AccessToken and then calls APIs on the ResourceApp. In this Auth process, I want to communicate some information from ClientApp to ResourceApp via HTTP Headers, so that KeyCloak can add them into the JWT Access Token. (The reason I am trying this approach is that I will not need any user maintenance within the KeyCloak and ResourceApp). Questions: Am I trying to do something that is not possible or allowed in such security setup? Is there a better way to achieve without having to maintain Users and Roles in the KeyCloak server? I want KeyCloak to be just a mechanism to offload token generation and as a security mediator. Or Can I pass the header data from Auth request into the JWT token? I looked into the Client Mappers of KeyCloak, but since there is a redirect or forward within KeyCloak from Auth request to Get Token, the header values are getting lost.

6 years, 7 months

2
4
0 / 0

Assign Roles to an LDAP user in Read only mode

by Harish Tammireddygari

Hi, I am aware that if "Import users" is enabled, the users will be automatically imported from LDAP into Keycloak and I can go to a user's settings, and add roles to that user as needed. But in my case, I don't want the users to be imported automatically and get access to the application. I would like to restrict the access to a few LDAP users by manually adding/importing LDAP users and assign roles to them. I managed to create my own Rest endpoint to import the selected LDAP user into Keycloak DB as a local user by adding the Federation link and required LDAP attributes to the user. It is working fine. But the problem comes when I assign a client level role to this imported user. It throws "Read-only Mode" exception because "Import Users" is set to OFF in LDAP configuration. I tried the below code to grant the roles to the user which works only after the service. Is there a better way to assign the roles to an LDAP user? UserModel user = keycloakSession.userLocalStorage().getUserById(userId, realm); RoleModel roleModel = client.getRole(role.getName()); user.grantRole(roleModel); Thanks.

6 years, 7 months

1
0
0 / 0

best way to save Keystore and Truststore passwords in standalone.xml?

by Chris Smith

How can the Keystore and Truststore passwords be reasonably saved? Just having them in plaintext in standalone.xml seems like kind of a "bad thing". Keycloak is running as a specific Active directory user, so set standalone as only accessible to that user and Domain Admins?

6 years, 7 months

2
2
0 / 0

Can decrypt identified HS256 refresh token with RS256 public key with client credentials grant

by Eric Brown

Hello, At first I struggled to understand why pyJWT was raising an error when decoding a refresh token issued from keycloak using the client credentials grant. The specified error was : "The specified key is an asymmetric key or x509 certificate and should not be used as an HMAC secret. " I now understand the issue: The refresh token identifies itself as being HS256 encrypted in header so pyjwt raise an error when I try to decrypt it with keycloak public key. The problem is that I am able to decrypt it with the public key when bypassing verification with verify=False to pyjwt.decode. The access token received are identified as RS256 and are fine. Pyjwt behavior with enabled verify is thuscorrect when preventing decode of HS256 tokens with public keys. The problem now seems to be this: Shouldn't it be impossible to decrypt the HS256 refresh token with the public key at all? So it might seem that the refresh tokens are incorrectly labelled as HS256 in header but at truly RS256. Thanks, Eric

6 years, 7 months

2
1
0 / 0

Gatekeeper failing to proxy for redirect or mobile! :(

by Nick Powers

I have Keycloak and Gatekeeper configured to use Google as an identity provider to front end my PHP application and most of the time it works great but sometimes it exposes my internal host (which Gatekeeper should be proxying for). If I login from my desktop(chrome) it works fine unless instead of clicking on a link my app tries to use a redirect header. i.e. my PHP example: header("Location: /protected/dashboard"); When that happens instead of redirecting to https://commentcontext.com/protected/dashboard, like it should, I see https://webapp/protected/dashboard in the URL field. This fails because there is no DNS for webapp. webapp is the name I use internally and it should never be exposed externally. Also, if I try to connect using my phone or tablet (both android) I get through the Google authentication fine but then it tries to send me to https://webapp/protected/dashboard, which again is a FAIL :( Why is Gatekeeper failing to proxy sessions when initiated via a redirect or when they come from mobile browser? Has anyone seen this behavior before? Any help anyone could provide on this issue would be greatly appreciated. Thanks, Nick

6 years, 7 months

2
2
0 / 0

Keycloak Gatekeeper configuration with SPA

by Yumna Ghazi

Hello everyone, I'm using Keycloak as an identity manager and since it also provides optional authorization, I decided to use it to suit my access control requirements as well. I have multiple microservices that I want to protect using Keycloak Gatekeeper like the configuration below but with separate Gatekeepers per service. --------- ----------- ----------- ------------ | UI | ---> | Proxy | ---> | GateK | ---> | Service | --------- ------------ ----------- ------------ | || | v -----------------------------------> Keycloak Aside from the CORS related issues this creates (KEYCLOAK-9099 <https://issues.jboss.org/browse/KEYCLOAK-9099>), there's another important issue that I'm struggling with. My UI already has keycloak js integrated with a public client specifically for itself, which I was using for login initially. Now that I want to use the Gatekeeper proxy, I want my login/token refresh to happen on the UI such that it would automatically generate the requisite cookies for Gatekeeper, because I want to disable redirection on Gatekeeper and send 401 directly in case of expired/bad/no token. a) Is my understanding correct and is this the correct approach? b) If so, how can I login via Keycloak directly or via Gatekeeper and get the required cookies (without some proxy-level hacking)? Right now I'm hovering between a couple of options, from using Kong oidc with some custom authorization to using Gatekeeper. Any help would be much appreciated. Thanks. Yumna

6 years, 7 months

2
1
0 / 0

Hello mailinglist

by Xander

Hello everybody, I just subscribed to this list and as a test, I wanted to give a friendly hello to everyone. Best regards, Xander -- The Idiot Company Met vriendelijke groet, With kind regards, Xander Smalbil THE IDIOT COMPANY Staalsteden 4-3A 7547 TA Enschede The Netherlands +31 (0)53 20 30 275 info(a)theidiotcompany.eu WWW.THEIDIOTCOMPANY.EU

6 years, 8 months

1
0
0 / 0

jboss-cli SSL access to keycloak Management interface usage, in Elytron 2-way SSL config, failing: "problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big" ?

by PGNet Dev

I'm setting up a new install of keycloak 7.0.0 for 2-way TLS Starting with a working http controller /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \ --controller=remote+http://10.0.0.1:9990 \ version JBoss Admin Command-line Interface JBOSS_HOME: /opt/keycloak Release: 9.0.2.Final Product: Keycloak 7.0.0 JAVA_HOME: /usr/lib64/jvm/java-11-openjdk java.version: 11.0.4 java.vm.vendor: Oracle Corporation java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664 os.name: Linux os.version: 5.2.11-26.gd6e8aab-default I configure JCEKS key-stores, and enable https for admin user access, /subsystem=elytron/key-store=twoWayKS:add(path=/etc/keycloak/keystore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks) /subsystem=elytron/key-store=twoWayTS:add(path=/etc/keycloak/truststore.server.jceks,credential-reference={store=master-cs, alias=ks-pass},type=jceks) /subsystem=elytron/key-manager=twoWayKM:add(key-store=twoWayKS,credential-reference={store=master-cs, alias=ks-pass}) /subsystem=elytron/trust-manager=twoWayTM:add(key-store=twoWayTS) /subsystem=elytron/server-ssl-context=twoWaySSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM,need-client-auth=true) batch /subsystem=undertow/server=default-server/http-listener=default:remove() /subsystem=undertow/server=default-server/https-listener=https:remove() /subsystem=undertow/server=default-server/https-listener=default:add(socket-binding=https,ssl-context=twoWaySSC,enable-http2=true) run-batch At this point, egrep "http-listener|https-listener" /usr/local/etc/keycloak/*/*/standalone.xml <https-listener name="default" socket-binding="https" ssl-context="twoWaySSC" enable-http2="true"/> and I can verify admin UI via http in browser has been disabled, http://10.0.0.1:8080/auth/admin "Unable to connect" and https is enabled, https://10.0.0.1:8443/auth/admin LOGIN is OK I still have http:// mgmt controller access at cmd-line /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \ --controller=remote+http://10.0.0.1:9990 \ version JBoss Admin Command-line Interface JBOSS_HOME: /opt/keycloak Release: 9.0.2.Final Product: Keycloak 7.0.0 JAVA_HOME: /usr/lib64/jvm/java-11-openjdk java.version: 11.0.4 java.vm.vendor: Oracle Corporation java.vm.version: 11.0.4+11-suse-lp151.131.1-x8664 os.name: Linux os.version: 5.2.11-26.gd6e8aab-default Setup 2way SSL for the Management interface, batch /core-service=management/management-interface=http-interface:undefine-attribute(name=security-realm) /core-service=management/management-interface=http-interface:write-attribute(name=ssl-context, value=twoWaySSC) /core-service=management/management-interface=http-interface:write-attribute(name=secure-socket-binding, value=management-https) /subsystem=elytron/client-ssl-context=twoWayCSC:add(key-manager=twoWayKM,protocols=["TLSv1.2"],trust-manager=twoWayTM) run-batch and verify *managment* UI https in browser, http://10.0.0.1:9990 REDIRECTS TO https://10.0.0.1:9993 and https://10.0.0.1:9993 LOGIN is OK works as expected. But, checking cmd-line https access, /opt/keycloak/bin/jboss-cli.sh -c --user=mgmtuser --password=mgmtpass \ --controller=remote+https://10.0.0.1:9993 \ -Djavax.net.ssl.trustStore=/etc/keycloak/truststore.client.jceks \ -Djavax.net.ssl.keyStore=/etc/keycloak/keystore.client.jceks \ -Djavax.net.ssl.trustStorePassword=keypass \ -Djavax.net.ssl.keyStorePassword=keypass \ version where, keytool -list -storetype jceks -storepass keypass -keystore ./keystore.client.jceks Keystore type: JCEKS Keystore provider: SunJCE Your keystore contains 1 entry client-keystore, Sep 6, 2019, PrivateKeyEntry, Certificate fingerprint (SHA-256): 1F:...:6F keytool -list -storetype jceks -storepass keypass -keystore ./truststore.client.jceks Keystore type: JCEKS Keystore provider: SunJCE Your keystore contains 1 entry client-keystore, Sep 6, 2019, trustedCertEntry, Certificate fingerprint (SHA-256): 1F:...:6F fails with Failed to connect to the controller: Failed to resolve host '10.0.0.1': Failed to obtain SSLContext: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext): problem accessing trust store: DerInputStream.getLength(): lengthTag=78, too big. What's in my config, or missing from it, that's causing this error?

6 years, 8 months

2
2
0 / 0

Two clients to share tokens

by Yang Yang

Hello, Is it possible for two clients of the same realm share tokens? I am aware that when a user gets the token for a client, she will be redirected to get a new token when accessing another client. This is reasonable and necessary to stop attacks like CSRF, but if both of the two clients are trusted and registered on the same realm, we may be able to simplify the process. If possible, could you help to tell how to do it? Thanks, Yang

6 years, 8 months

2
1
0 / 0

Evaluation of RPT in admin console does not match Rest request result...

by Axel

Hello. Keycloak 6.0.1 and 7 Can anyone help me with understanding of evaluating RPT? Scenario: 2 Realm Roles - RoleA and RoleB 1 user with both realm roles 2 clients: clientA public (or confidential) with Scope=RoleA clientB confidential and Authorization-Enabled with Scope=RoleA,RoleB When I go to clientB Authorization-Evaluate set Client = clientA set User = user choose Any resource with scope(s) Any scope. and see: { "jti": "7692f97f-3907-4e1b-a784-663c52f33bc7", "exp": 1567062109, "nbf": 0, "iat": 1567061809, "aud": "clientB", "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607", "typ": "Bearer", "azp": "clientA", "auth_time": 0, "session_state": "ff2e581c-0663-4b8c-9332-629b02c02729", "acr": "1", "realm_access": { "roles": [ "RoleA" ] }, "authorization": { "permissions": [ { "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139", "rsname": "Default Resource" } ] }, "scope": "email profile", "email_verified": false, "preferred_username": "user" } here I see that I have only RoleA (that is correct - I'm going through clientA) But when I make requests: curl -d 'client_id=clientA' -d 'username=user' -d 'password=1' -d 'grant_type=password' ' http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token' grab access-token and curl -X POST \ http://localhost:8280/auth/realms/TestRPT/protocol/openid-connect/token \ -H "Authorization: Bearer access-token-from-first-curl" \ --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data "audience=clientB" I get different jwt: { "jti": "f956218e-abcf-4017-a6b2-d9c3c82692a2", "exp": 1567062641, "nbf": 0, "iat": 1567062341, "iss": "http://localhost:8280/auth/realms/TestRPT", "aud": "clientB", "sub": "2d6224b8-a4c4-4a4b-b064-18a5ac07a607", "typ": "Bearer", "azp": "clientA", "auth_time": 0, "session_state": "4d556dd0-4d27-4028-ac1d-54afd2e1f20e", "acr": "1", "realm_access": { "roles": [ "RoleB", "RoleA" ] }, "authorization": { "permissions": [ { "rsid": "e0dbd6bb-a4de-40bb-b017-4eba9a5a0139", "rsname": "Default Resource" } ] }, "scope": "email profile", "email_verified": false, "preferred_username": "user" } Why "RoleB" is in RPT? Do I understand documentation wrong? Wrong RPT request? Our main target is: when user goes through clientA to clientB, clientB should receive only those roles that the user has in clientA. We have many applications-clients and we want to limit some of them. How can we achieve this? Thanks in advance. Alexey Makarevich.

6 years, 8 months

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user September 2019