[keycloak-dev] min-time-between-jwks-requests Problems when running tests

Marek Posolda mposolda at redhat.com
Mon Mar 6 10:11:53 EST 2017


On 06/03/17 15:38, Stian Thorgersen wrote:
> I'm not 100% sure, but thinking that there are cases where it could 
> cause issues. For example if a service gets bad requests from a 
> client, say every 5 seconds, it won't be able to fetch new proper 
> keys. I'm probably overthinking this though.
It should be able to download new proper keys in this particular 
scenario though. The adapter will just download proper keys when it sees 
an unknown KID.

So the scenario will be like:
- Bad request to the adapter with the kid "bad-kid".
- Adapter will try to download new keys because it doesn't know the 
"bad-kid" kid. It will download the "good-kid" key
- Adapter saves the key for "good-kid" and then it rejects the request 
from the "bad-kid" client
- Proper request coming to the adapter with "good-kid" will immediately 
see the "good-kid" key as it was already downloaded thanks to the bad client :)
- Another request from "bad-kid" coming after 5 seconds will be rejected 
due to the 10 seconds interval.
- Yet another bad request after an additional 5 seconds will try to download 
keys again, a request to the server will be sent then and it will 
re-download "good-kid". However one request per 10 seconds shouldn't be 
sufficient to simulate DoS.

Good clients aren't blocked anyhow and at the same time, there is no DoS 
from bad clients.

Marek

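The two timelines discussed in this thread (Marek's bad-client walkthrough above and Bill's realm re-import problem quoted below) can be replayed against a small model of the adapter's key lookup. The following is an added example, not the Keycloak adapter's own code: the `KeyLocator` class, the realm contents, the kids and the timings are all constructed for illustration, and the only adapter behaviour modelled is the one the thread describes (unknown kid triggers a JWKS download, at most once per `min-time-between-jwks-requests` seconds).

```python
"""Simulation (added example, not the Keycloak adapter's code) of how the
adapter resolves the "kid" of an incoming token against its cached JWKS,
throttled by min-time-between-jwks-requests (default 10 seconds in the
thread). Realm contents, kids and timings below are constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A JWKS document reduced to kid -> public key; the key material is an opaque
# placeholder string because only the cache behaviour matters here.
Jwks = Dict[str, str]


@dataclass
class KeyLocator:
    """Stand-in for the adapter's public-key cache (hypothetical class name)."""
    fetch_jwks: Callable[[], Jwks]        # the realm's JWKS endpoint, injected
    min_time_between_jwks_requests: float = 10.0
    keys: Jwks = field(default_factory=dict)
    last_request_time: Optional[float] = None
    requests_sent: int = 0

    def get_public_key(self, kid: str, now: float) -> Optional[str]:
        key = self.keys.get(kid)
        if key is not None:
            return key                     # known kid: answered from cache
        if (self.last_request_time is not None
                and now - self.last_request_time < self.min_time_between_jwks_requests):
            return None                    # unknown kid, but throttled: reject
        self.requests_sent += 1            # unknown kid and interval elapsed: download
        self.last_request_time = now
        self.keys = dict(self.fetch_jwks())
        return self.keys.get(kid)          # None if the realm does not have it either


Event = Tuple[float, str, str, int]        # (time, kid, verdict, downloads so far)


def _verdict(locator: KeyLocator, now: float, kid: str) -> Event:
    ok = locator.get_public_key(kid, now) is not None
    return (now, kid, "accepted" if ok else "rejected", locator.requests_sent)


def bad_client_scenario(min_interval: float = 10.0) -> List[Event]:
    """Marek's walkthrough: a bad client sending "bad-kid" every 5 seconds,
    one good client sending "good-kid" at t=1."""
    realm: Jwks = {"good-kid": "PUBKEY-good"}
    locator = KeyLocator(lambda: realm, min_interval)
    timeline = [(0, "bad-kid"), (1, "good-kid"), (5, "bad-kid"), (10, "bad-kid")]
    return [_verdict(locator, now, kid) for now, kid in timeline]


def realm_reimport_scenario(min_interval: float, keys_in_realm_json: bool) -> List[Event]:
    """Bill's test problem: the servlet stays deployed while the realm is
    re-created 2 seconds later. With keys in the realm JSON the kid is stable."""
    realm: Jwks = {"kid-1": "PUBKEY-1"}
    locator = KeyLocator(lambda: realm, min_interval)
    events = [_verdict(locator, 0, "kid-1")]
    new_kid = "kid-1" if keys_in_realm_json else "kid-2"
    realm.clear()                          # re-import: same realm, possibly new key pair
    realm[new_kid] = "PUBKEY-1" if keys_in_realm_json else "PUBKEY-2"
    events.append(_verdict(locator, 2, new_kid))
    return events


def downloads_under_flood(min_interval: float, seconds: int) -> int:
    """Unknown-kid requests once per second for `seconds` seconds: how many
    JWKS downloads does the adapter send to the server?"""
    locator = KeyLocator(lambda: {"good-kid": "PUBKEY-good"}, min_interval)
    for now in range(seconds):
        locator.get_public_key("bad-kid", now)
    return locator.requests_sent


if __name__ == "__main__":
    for event in bad_client_scenario():
        print(event)
    print(realm_reimport_scenario(10.0, keys_in_realm_json=False))
    print(realm_reimport_scenario(0.0, keys_in_realm_json=False))
    print(realm_reimport_scenario(10.0, keys_in_realm_json=True))
    print(downloads_under_flood(10.0, 60), downloads_under_flood(0.0, 60))
```

`bad_client_scenario()` reproduces the walkthrough step by step: the first bad request causes the only download, the good client is served from cache, the bad request at t=5 is throttled, and the one at t=10 triggers a second download that still does not help it. `realm_reimport_scenario()` shows why Bill's second test failed with the default interval, why setting it to zero works around it, and why Marek's alternative of fixing the keys in the realm JSON avoids the re-download entirely. `downloads_under_flood()` quantifies the DoS argument: a minute of one bad request per second costs the server six JWKS downloads with the default, sixty with the interval set to zero, which is why zero belongs in test configuration only.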

> On 6 March 2017 at 15:27, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     Will it be useful for other scenarios besides automated tests? I
>     am not seeing why someone would re-import realm every 10 seconds
>     in real environment?
>
>     Even the tests can be easily fixed by putting the keys into JSON reps.
>     And once we fix the adapter tests to not require realm re-import
>     after every method, even that won't be needed.
>
>     Marek
>
>
>     On 06/03/17 13:07, Stian Thorgersen wrote:
>>     Is this maybe something we should improve in the adapter in the
>>     first place? A blind "only allow one request every 10 seconds"
>>     seems a bit too forceful. Would it not be better to allow X number
>>     of failed attempts within some window?
>>
>>     On 2 March 2017 at 12:26, Marek Posolda <mposolda at redhat.com
>>     <mailto:mposolda at redhat.com>> wrote:
>>
>>         On 02/03/17 10:08, Marek Posolda wrote:
>>         > On 02/03/17 00:29, Bill Burke wrote:
>>         >> Ok, I just spent 1.5 days on debugging a problem and I was
>>         ready to
>>         >> throw my Laptop out of the window I was getting so frustrated.
>>         >>
>>         >> #1 I copied code from the arquillian adapter tests to
>>         deploy my own
>>         >> servlet.  When running in IntelliJ, all logging messages
>>         by the servlet
>>         >> and OIDC adapters were eaten and never displayed.
>>         > Keycloak logging disabled in
>>         >
>>         testsuite/integration-arquillian/tests/base/src/test/resources/log4j.properties
>>         > . AFAIK it's disabled just because running whole testsuite
>>         produces very
>>         > big logs, which caused issues with travis.
>>         >
>>         > I hope it's possible to fix that and have Keycloak logging
>>         enabled when
>>         > running from IDE, but still keep it disabled when running
>>         from command
>>         > line with "mvn" command. Will try to look into it. Created :
>>         > https://issues.jboss.org/browse/KEYCLOAK-4520
>>         <https://issues.jboss.org/browse/KEYCLOAK-4520>
>>         Fixed now. Logging for both server and adapters is enabled
>>         now when
>>         running test from IDE.
>>
>>         Marek
>>         >
>>         >> #2 If you have a @Deployment it deploys it in @BeforeClass
>>         and only once
>>         >> for all tests run in the class
>>         >>
>>         >> #3 I  recreate/destroy my realms for every test
>>         >>
>>         >> #4 The default "min-time-between-jwks-requests" is 10
>>         seconds...Because
>>         >> my servlet doesn't get redeployed per test, the 1st test
>>         would set up
>>         >> the cache for the realm key for the servlet.  The 2nd test
>>         would run,
>>         >> because the realms were recreated, there is a different
>>         key, but the
>>         >> min-time-between-jwks-requests was 10 seconds so it
>>         wasn't updating the
>>         >> key and my logins would fail. This was extremely
>>         frustrating to debug
>>         >> because of #1 and because it only happened if I was
>>         running all tests in
>>         >> the class.
>>         >>
>>         >> The workaround is to set "min-time-between-jwks-requests"
>>         to zero in
>>         >> your adapter configuration.  This is an FYI just in case
>>         somebody else
>>         runs into this.  Took me a while to figure out.
>>         > Another possibility is to put private/public keys into your
>>         realm JSON.
>>         > Then there is always same keys and same "kid" and
>>         application doesn't
>>         > need to re-download it.
>>         >
>>         > FYI. with my latest changes, there is no realm reimport for
>>         every test
>>         > for most of the tests (see other thread I sent yesterday). But
>>         > unfortunately this is not yet the case for Adapter tests
>>         (subclasses of
>>         > AbstractAdapterTest)...
>>         >
>>         > Marek
>>         >> _______________________________________________
>>         >> keycloak-dev mailing list
>>         >> keycloak-dev at lists.jboss.org
>>         <mailto:keycloak-dev at lists.jboss.org>
>>         >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>         <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
>>         >


