I think that's pretty self-explanatory. Token is issued by '
;, while the adapter is
expecting 'http://masterKCInstance.ourcompanyname.com:8230'. You need a load balancer in front of your nodes so the applications talk to "https://kc.ourcompany.com".
On 22 September 2016 at 23:04, i.pop(a)centurylink.net <i.pop(a)centurylink.net> wrote:
Additional info to make my case clearer. This is what I get from my targeted microservice process log:
org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is http://slaveKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices, but URL from configuration is http://masterKCInstance.ourcompanyname.com:8230/auth/realms/SearchMicroservices
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49)
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65)
    at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:137)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
Do I need to change the configuration of my SecurityConfig class (which is currently implemented as public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter)?
Thanks,
ioan
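The check that produces the VerificationException in the log above, as an added example (not code from this thread, from Keycloak or from the Spring adapter): the adapter builds a realm URL from the auth-server-url and realm values in keycloak.json and rejects any bearer token whose iss claim is not exactly that string, so a token minted by the slave node fails against a keycloak.json generated on the master, while every node reached through one load-balancer hostname produces a matching issuer. The HMAC key, the user and expiry claims, and the "https://kc.ourcompany.com/auth" load-balancer configuration are constructed for the example (Keycloak signs tokens with the realm's RSA key; the issuer comparison is the same either way).

```python
import base64
import hashlib
import hmac
import json
import time

REALM = "SearchMicroservices"
# Constructed for the example: an HMAC key stands in for the realm's RSA key
# pair so the block runs offline. Keycloak signs with RS256; the issuer
# comparison below does not depend on the signature algorithm.
KEY = b"constructed-demo-hmac-key"

MASTER = "http://masterKCInstance.ourcompanyname.com:8230/auth"
SLAVE = "http://slaveKCInstance.ourcompanyname.com:8230/auth"
LB = "https://kc.ourcompany.com/auth"  # assumed single public URL behind a load balancer

# keycloak.json as generated on the master node (client secret omitted).
PER_NODE_CONFIG = {
    "realm": REALM,
    "auth-server-url": MASTER,
    "ssl-required": "external",
    "resource": "LDAPSearch-Microservice",
}
# Corrected keycloak.json: every adapter points at the load-balancer URL.
LB_CONFIG = dict(PER_NODE_CONFIG, **{"auth-server-url": LB})


class VerificationException(Exception):
    """Token failed a check; named after the adapter's exception."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issuer_for(node_url):
    """The 'iss' a node writes: the URL it was reached on plus /realms/<realm>."""
    return node_url.rstrip("/") + "/realms/" + REALM


def expected_issuer(adapter_config):
    """The realm URL the adapter derives from keycloak.json for the comparison."""
    return adapter_config["auth-server-url"].rstrip("/") + "/realms/" + adapter_config["realm"]


def mint_token(issuer, key, audience="LDAPSearch-Microservice", lifetime=300):
    """Issue a compact HS256 JWT carrying the given issuer (constructed claims)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": "demo-user", "iat": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, key, adapter_config, now=None):
    """Signature, expiry, then exact issuer match against the configured realm URL."""
    parts = token.split(".")
    if len(parts) != 3:
        raise VerificationException("Token is not a compact JWT")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise VerificationException("Invalid token signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise VerificationException("Token is expired")
    realm_url = expected_issuer(adapter_config)
    if claims.get("iss") != realm_url:  # scheme, host, port and path all have to agree
        raise VerificationException(
            "Token audience doesn't match domain. Token issuer is %s, "
            "but URL from configuration is %s" % (claims.get("iss"), realm_url))
    return claims


def outcome(token, adapter_config):
    """'ok' or the adapter's failure message (what sits behind the 401 the service returns)."""
    try:
        verify_token(token, KEY, adapter_config)
        return "ok"
    except VerificationException as exc:
        return str(exc)


def run_demo():
    """Tokens from each node checked against each keycloak.json."""
    return {
        "master token, per-node config": outcome(mint_token(issuer_for(MASTER), KEY), PER_NODE_CONFIG),
        "slave token, per-node config": outcome(mint_token(issuer_for(SLAVE), KEY), PER_NODE_CONFIG),
        "slave token, LB config": outcome(mint_token(issuer_for(SLAVE), KEY), LB_CONFIG),
        "token via LB, LB config": outcome(mint_token(issuer_for(LB), KEY), LB_CONFIG),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case + ": " + result)
```

Running it reproduces the "Token audience doesn't match domain" message for every token whose issuer is a node hostname while keycloak.json names a different one; only the combination where both the token and the adapter use the single load-balancer URL verifies. The caveat for the cluster test in this thread: a node writes into iss the URL it was reached on, so stopping the master and talking to the slave directly just moves the mismatch. Both the clients obtaining tokens and the adapters must address every node through the load-balancer hostname, and the proxy has to pass the original host through to WildFly, otherwise the issuer the node sees is its own address again.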
------------------------------
*From: *"i pop" <i.pop(a)centurylink.net>
*To: *stian(a)redhat.com
*Cc: *"keycloak-user" <keycloak-user(a)lists.jboss.org>
*Sent: *Thursday, September 22, 2016 1:45:55 PM
*Subject: *Re: [keycloak-user] Setting up a Keycloak Domain Cluster
Thank you Stian for your message. I have gotten the cluster working in domain mode (just two nodes: master & slave):
MASTER NODE LOG:
[Server:server-one] 12:33:37,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-2,ee,master:server-one) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
[Server:server-one] 12:33:38,411 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t6) ISPN000310: Starting cluster-wide rebalance for cache realms, topology CacheTopology{id=1, rebalanceId=1, currentCH=ReplicatedConsistentHash{ns = 60, owners = (1)[master:server-one: 60]}, pendingCH=ReplicatedConsistentHash{ns = 60, owners = (2)[master:server-one: 30, slave1:server-two: 30]}, unionCH=null, actualMembers=[master:server-one, slave1:server-two]}
[Server:server-one] 12:33:38,419 INFO [org.infinispan.CLUSTER] (remote-thread--p8-t4) ISPN000336: Finished cluster-wide rebalance for cache users, topology id = 1
SLAVE NODE LOG:
[Server:server-two] 12:33:38,179 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel server: [master:server-one|1] (2) [master:server-one, slave1:server-two]
THE ISSUE IS NOW how to test this working cluster. It looks like the content of the Keycloak string pattern generated by the master's Keycloak instance (and added to each microservice's keycloak.json file) HAS NOT CHANGED: I still get the same "auth-server-url" info as before, when I did not have a working cluster; no reference to the other node members of the working cluster:
{
  "realm": "SearchMicroservices",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh",
  "auth-server-url": "http://masterKCInstance.ourcompanyname.com:8230/auth",
  "ssl-required": "external",
  "resource": "LDAPSearch-Microservice",
  "credentials": {
    "secret": "235b2960-1b6f-48bd-a5c4-069b5fc5cc16"
  },
  "use-resource-role-mappings": true
}
If I stop the Keycloak instance running on the master node (from the WildFly management interface) and send a client search request message to one of my running applications registered in the realm as clients, I was expecting the request to be redirected by the load-balancer to the running slave Keycloak instance (node: "http://slaveKCInstance.ourcompanyname.com:8230/auth"), get a valid access_token from it, and then my client request message (along with the generated bearer token) sent to my targeted resource should get a response message. It does not happen like this. What I get is this:
{"path":"\/v1\/ldap\/DBResource\/resourceName","error":"Unauthorized","message":"Unable to authenticate bearer token","timestamp":1474566606034,"status":401}
The same outcome as described in my initial message sent to you. Can you please tell me what is wrong in my testing procedure?
Thanks,
Ioan
------------------------------
*From: *"Stian Thorgersen" <sthorger(a)redhat.com>
*To: *"i pop" <i.pop(a)centurylink.net>
*Cc: *"keycloak-user" <keycloak-user(a)lists.jboss.org>
*Sent: *Tuesday, September 20, 2016 3:03:09 AM
*Subject: *Re: [keycloak-user] Setting up a Keycloak Domain Cluster
Doesn't sound like you have a working clustering setup. Please take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering.html.
On 18 September 2016 at 04:15, i.pop(a)centurylink.net <i.pop(a)centurylink.net> wrote:
> Hi,
> I work on a POC to use Keycloak to secure a set of microservices (Java-written SpringBoot & gradle projects).
> I use the Keycloak-2.1.0.Final release installed on 3 different VMs (master running on VM1, slave1 on VM2, slave2 on VM2). On a 4th VM I have installed a shared (MySql) db to replace the embedded H2 db.
> I have configured a Keycloak Domain Mode cluster using the keycloak documentation "Server Installation and Configuration Guide".
> 1. I have logged on the master keycloak server and configured my new Realm that has my microservice processes as clients. I have added roles, users, groups, etc. The realm configuration of the master keycloak instance got replicated on the slave instances (I can see the cluster running when logging on to the WildFly Management Interface).
> 2. I have added to all microservice java projects the keycloak securing code:
> 2.1 Created a keycloak.json file whose content was generated by the MASTER keycloak server (Client's "Installation" utility)
> 2.2 Added to the project's Application class a system property, to target the keycloak.json file generated by the MASTER keycloak instance: System.setProperty("keycloak.configurationFile", "classpath:keycloak.json");
> 2.3 Created a new config package class: public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
> 2.4 Added to the build.gradle file the keycloak spring security adapter compilation:
> compile group: 'org.keycloak', name: 'keycloak-spring-security-adapter', version: '2.1.0.Final'
> Note. I have compared the content of the json format code generated by the Client "Installation" utility of the slave instances against the master instance and, THE ONLY DIFFERENCE is the *"auth-server-url"* line (having the specific node URL address)
> 3. Now, I want to do the test of accessing particular resources of my microservice applications (additional info: I did not implement any load-balancer in front of the keycloak cluster):
> I have created a simple java program that uses a Basic Authorization procedure to get an access token, and then uses this token to send request messages to my microservice application and get the expected response messages.
> - When I use the MASTER instance's authorization endpoint to get an access token, I get the expected response message (because, I presume, my microservice application's attached keycloak.json file has HARDCODED content generated by the MASTER instance & containing the MASTER's authorization endpoint).
> - When I use either one of the SLAVE keycloak instances' authorization & token generation endpoint to generate an access token, my request fails with a 401 error: "Unable to authenticate bearer token"
> I believe or feel that I use a wrong approach to solve my problem. My microservice applications (at this time) DO NOT KNOW anything, whether I use a domain mode cluster or a simple standalone keycloak instance (the attached keycloak.json file has ONLY one keycloak instance's (the MASTER's) "auth-server-url" info).
> Here, I need your help to enlighten me. Is there another approach to handle my problem? There should be, otherwise why write about Domain Mode in the Keycloak Release documentation. Unfortunately, I have not found (yet) detailed info on how to configure a Keycloak Domain Cluster and how to do test simulations with it. I would appreciate any help on this issue.
> Thanks,
> Ioan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user