Re-Sending email, received another email of rejection. Looks like it's bounced back.
Thanks,
Deepti
________________________________
From: Deepti Tyagi
Sent: Monday, November 26, 2018 12:19 AM
To: Dmitry Telegin
Cc: Sachin Gandhi; Shankar Bhaskaran
Subject: RE: [EXTERNAL] Re: [keycloak-user] Keycloak Admin Realm is not upgraded on
Keycloak upgrade from v3.0 to v4.5
Great, thanks Dmitry, for your kind support.
Yes, you are right. On changing back to default keycloak theme, it worked. :)
I had left it to do later, didn't realize that it could be the reason.
Thank You once Again,
Deepti
________________________________
From: Dmitry Telegin [dt(a)acutus.pro]
Sent: Friday, November 23, 2018 9:35 AM
To: Deepti Tyagi
Cc: Sachin Gandhi; Shankar Bhaskaran
Subject: Re: [EXTERNAL] Re: [keycloak-user] Keycloak Admin Realm is not upgraded on
Keycloak upgrade from v3.0 to v4.5
Deepti,
Didn't you forget to migrate your themes? Your realm references a custom
"darktheme", so you should either migrate it too or disable in the database (set
REALM.LOGIN_THEME to "keycloak" or NULL). Having done the latter, I was able to
login again with Keycloak 4.5.0.
Also it seems that we've found a regression. In the case of a nonexistent theme,
Keycloak 3.0.0 prints an error and falls back to the built-in one, while Keycloak 4.5.0
throws an exception.
Let me know if it works and if I can reply to the ML, so that others could benefit from
the answer too.
Good luck,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info@acutus.pro
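Added example (not part of the original thread and not Keycloak's own code): a pre-upgrade check for the failure diagnosed above, listing every theme a realm export references that is absent from the new installation's themes directory. It assumes the realm export JSON fields loginTheme, accountTheme, adminTheme and emailTheme, and themes installed as folders (themes deployed as JAR archives are not seen by this check); the realm name and directory contents in demo() are constructed.

```python
import json
import tempfile
from pathlib import Path

# Theme fields of a realm export, mapped to the theme-type subfolder each needs.
THEME_FIELDS = {
    "loginTheme": "login",
    "accountTheme": "account",
    "adminTheme": "admin",
    "emailTheme": "email",
}


def missing_themes(realm: dict, themes_dir: Path) -> list:
    """Return (field, theme_name) pairs the realm references but themes_dir lacks."""
    missing = []
    for field, theme_type in THEME_FIELDS.items():
        name = realm.get(field)
        if not name:  # unset/NULL: the server's default theme is used
            continue
        props = themes_dir / name / theme_type / "theme.properties"
        if not props.is_file():
            missing.append((field, name))
    return missing


def demo(install_custom: bool = False) -> list:
    # Constructed sample: a realm export that still points at "darktheme".
    realm = json.loads(
        '{"realm": "example-realm", "loginTheme": "darktheme", "emailTheme": "keycloak"}'
    )
    with tempfile.TemporaryDirectory() as tmp:
        themes = Path(tmp) / "themes"
        present = [("keycloak", "login"), ("keycloak", "email")]
        if install_custom:  # simulate having migrated the custom theme
            present.append(("darktheme", "login"))
        for name, theme_type in present:
            folder = themes / name / theme_type
            folder.mkdir(parents=True)
            (folder / "theme.properties").write_text("parent=base\n")
        return missing_themes(realm, themes)


if __name__ == "__main__":
    for field, name in demo():
        print(f"{field} references missing theme '{name}'")
```

A non-empty result before starting the new server means either copying the theme across or resetting the realm's theme setting, as described in the reply above.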
On Fri, 2018-11-23 at 09:06 +0000, Deepti Tyagi wrote:
Thanks Dmitry for the prompt reply.
It took some time to prepare a standalone reproducible example as you have asked for.
Attached the same. Please follow steps mentioned below.
Standalone.xmls, a sample war and non-master realm are attached. I have used postgres DB
and its jboss module, though H2 DB should also be fine.
Here you go.
1. Download Keycloak v3.0.0
2. Replace attached standalone.xml
3. Start the server in standalone mode.
4. Access Keycloak on localhost:8880. And upload attached non_master_realm.json
5. Download Wildfly v10.1
6. Install Keycloak adapters. (Keycloak v4.5 adapters also worked fine for me.)
7. Use attached standalone.xml and temp-console.war.
8. Start the server. War should be deployed.
9. Access url (http://localhost:8080/temp-console). It should load a login page.
10. Stop Keycloak server.
11. Download Keycloak v4.5
12. Copy standalone, domain folders from old keycloak.
13. Execute below migration scripts.
jboss-cli.sh --file=migrate-standalone.cli
jboss-cli.sh --file=migrate-standalone-ha.cli
jboss-cli.sh --file=migrate-domain-clustered.cli
jboss-cli.sh --file=migrate-domain-standalone.cli
14. Start keycloak server and access on localhost:8880
15. Restart Wildfly server.
16. Access Wildfly Server Url (http://localhost:8080/temp-console).
It should reproduce the issue.
17. Check Keycloak v4.5 server.log
Please find below answers to your questions.
On terminology: by "custom admin realm", do you mean simply a non-master realm
in Keycloak that you've created yourself?
[D]: Yes
On upgrade process: normally, you don't need to export/import realm data during
upgrades, since schema+data migration will be performed by Keycloak itself (it uses
Liquibase under the hood).
You only migrate your .xml configs, and then simply run the new Keycloak version with the
same database connection. Did you try this?
[D]: Yes. Exactly, same I have been doing.
Thanks,
Deepti
________________________________
From: Dmitry Telegin [dt(a)acutus.pro]
Sent: Wednesday, November 21, 2018 9:34 AM
To: Deepti Tyagi
Subject: [EXTERNAL] Re: [keycloak-user] Keycloak Admin Realm is not upgraded on Keycloak
upgrade from v3.0 to v4.5
Hi again Deepti,
Just FYI, our company provides a free-of-charge community support on a volunteer basis,
but we generally can't afford to spend more than 1-2h per day on that.
For this all to be fruitful, I'd expect your active participation like preparing the
reproducible example (see my reply to the ML). Good luck :)
Dmitry Telegin
On Wed, 2018-11-21 at 07:28 +0000, Deepti Tyagi wrote:
Hi Team,
I am working on upgrading our in-house Keycloak Server from v3.0 to v4.5. Facing issue on
trying to re-use old custom admin realm. Is there any way we can re-use the old admin
realm or preserve at least users?
We have another Wildfly 10 application that uses Keycloak v3.0 for authentication purpose
using a custom admin realm (custom-realm.json) that has multiple clients, roles, users
and protocol mappers.
While upgrading keycloak, I had run migration scripts to upgrade standalone, domain.xmls.
Postgres DB also gets upgraded and able to login to Keycloak using the same admin user in
v3.0.
Though, our Wildfly 10 application isn't able to authenticate with keycloak using that
old custom-realm (with new jboss adapters even).
I had to re-create a new custom admin realm, created same clients, roles, users to make it
work. And had to trash old realm that deleted all users also.
I also tried multiple workarounds like:
1. Created a new custom-realm on v4.5 and compared with v3.0 on keycloak UI, no visible
difference.
2. Partially re-imported new custom realm having same clients and roles. No help.
3. Trashed old realm and imported new custom realm, then tried partially importing old
custom realm users. It's not allowed. (KC-SERVICES0037: Error creating user:
java.lang.RuntimeException: Unable to find client role mappings for client: ds-data)
With the 3rd attempt, I can see at least keycloak login page on our wildfly 10 application
but can not login till I create admin user manually.
With 1st and 2nd attempt, I do not even see keycloak login page on our wildfly 10
application and below exception is thrown in keycloak server.log.
2018-11-20 23:56:30,691 WARN [org.keycloak.events]
(default task-2) type=LOGIN_ERROR, realmId=DecisionSpace_Integration_Server,
clientId=dsis-console, userId=null, ipAddress=127.0.0.1,
error=invalid_user_credentials, auth_method=openid-connect, auth_type=code,
response_type=code, redirect_uri=http://localhost:8080/dsdataserver-console/,
code_id=a50ff093-64b8-43d2-a353-2a3ec1346297, response_mode=query
2018-11-20 23:56:30,692 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default
task-2) Uncaught server error: java.lang.NullPointerException
at org.keycloak.theme.ExtendingThemeManager.loadTheme(ExtendingThemeManager....
at org.keycloak.theme.ExtendingThemeManager.getTheme(ExtendingThemeManager.j...
at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java...
at org.keycloak.theme.DefaultThemeManager.getTheme(DefaultThemeManager.java...
at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.getTheme...
at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createRe...
at org.keycloak.forms.login.freemarker.FreeMarkerLoginFormsProvider.createEr...
at org.keycloak.services.ErrorPage.error(ErrorPage.java...
at org.keycloak.authentication.AuthenticationProcessor.handleBrowserExceptio...
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticati...
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthoriza...
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(Author...
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(Autho...
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java...
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorI...
at java.lang.reflect.Method.invoke(Method.java...
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java...
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(Reso...
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(R...
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(Res...
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filt...
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMeth...
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoke...
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resou...
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvo...
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Resou...
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvo...
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatche...
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(Synchronous...
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(Synchro...
at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filt...
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispa...
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatche...
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.serv...
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(H...
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(H...
at javax.servlet.http.HttpServlet.service(HttpServlet.java...
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler....
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Filte...
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(Keycl...
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java...
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Filte...
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.ja...
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRe...
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.ja...
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(Serv...
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler...
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandl...
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.ha...
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.ha...
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandl...
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleReques...
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHan...
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleReque...
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.h...
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(N...
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.h...
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandl...
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleR...
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandl...
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler....
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandl...
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(Ser...
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInit...
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialH...
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialH...
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(Se...
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClas...
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction....
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$U...
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$U...
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$U...
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$U...
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(Servle...
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInit...
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(Servle...
at io.undertow.server.Connectors.executeRootHandler(Connectors.java...
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java...
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoader...
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.jav...
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueu...
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecu...
at java.lang.Thread.run(Thread.java...
Thanks,
Deepti
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user