From mposolda at redhat.com Fri Apr 1 03:27:54 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 1 Apr 2016 09:27:54 +0200
Subject: [keycloak-user] standard vs implicit flow in SPA
In-Reply-To: <8EE3449CB6463C4FB0544A12CEA72DD7DEC08C8F@iskexcemxprd02.virginblue.internal>
References: <8EE3449CB6463C4FB0544A12CEA72DD7DEC08C8F@iskexcemxprd02.virginblue.internal>
Message-ID: <56FE22FA.1000501@redhat.com>

On 01/04/16 02:21, Anthony Fryer wrote:
>
> Hi,
>
> Up until recently I automatically selected to use implicit grant flow
> from SPAs, but lately I've been re-assessing this since the keycloak
> javascript adapter provides standard flow out of the box and makes
> that a viable option. I also note that the keycloak admin console is
> a HTML5/javascript/angular js app that uses the keycloak js adapter
> and uses the standard flow. As a side note I find the client defaults
> interesting in that Implicit flow is disabled, but direct access
> grants are enabled (I'm coming from a mitreid connect implementation
> where direct access grants were disabled by default and implicit flow
> was enabled, so just wonder what the thinking is behind this since
> direct access grants are discouraged).
>

Direct grants are enabled mostly for backwards compatibility and to make some admin tasks slightly easier. For example, because direct grant is enabled, you have the possibility to invoke admin REST endpoints as soon as you start Keycloak, which is widely used in tests. Without direct grants enabled, you would first need to manually go to the admin console and enable it for the admin console client, but that's not easily done just with the admin REST endpoints (outside the admin console UI) if it is disabled - in other words it's a classic chicken-and-egg problem. Direct grants are discouraged mainly because they require users to enter their password in your app instead of the Keycloak server.

However:

- If your app is web-based and doesn't require direct grants, you just won't ask users to enter their password into your app.
- If your app is not web-based and requires direct grants, you would still need to enable direct grant and ask people to enter their password into your application. If they don't trust it, they will simply refuse to enter their password into your app.

So from a security and end-user perspective, there is not much difference between the case when direct access grant is enabled or disabled by default IMO.

>
> I'm really wondering why are you pushing standard flow from the
> keycloak javascript adapter instead of implicit? What are the
> benefits that make standard flow better in this case? One thing I
> have seen mentioned is refresh tokens obtained in standard flow make
> it easy to get a new access token, but I thought you could get refresh
> tokens from the implicit flow anyway, and even if not, if a user logs
> in with 'remember me', then getting a new access token doesn't require
> re-entering credentials by the user. I want to make sure that when
> implementing keycloak in our SPA we choose the best flow and want to
> know if there's some reason standard flow is best.
>

Yes, refreshing tokens is not allowed in the implicit flow per the OIDC specification. Also, in the implicit flow the accessToken and idToken are sent in the URI fragment, which can in theory have some security implications. So with the implicit flow, you have to redirect to the login screen (as you mentioned above) instead of simply refreshing tokens. Redirecting to the login screen is usually worse performance-wise than refreshing tokens and also requires some change in the logic of your javascript app, but it's doable (for example you can implement the callback keycloak.onTokenExpired, or you can always manually check the expiration of the accessToken before sending the refresh request to the 3rd party service).

The logic for refreshing the token in a javascript app is quite simple: you just need to wrap the REST call with keycloak.update to ensure the accessToken is automatically refreshed by the adapter in case it's expired (or about to expire).

Marek

>
> Regards,
>
> *Anthony Fryer* | Solution Architect & Designer
>
> Mb: 0438 781 745
>
> Email: anthony.fryer at virginaustralia.com
>
> Virgin Australia group of airlines including Virgin Australia,
> V Australia, Pacific Blue and Polynesian Blue
>
> Please consider the environment before printing this email.
>
> The content of this e-mail, including any attachments, is a
> confidential communication between Virgin Australia Airlines Pty Ltd
> (Virgin Australia) or its related entities (or the sender if this
> email is a private communication) and the intended addressee and is
> for the sole use of that intended addressee. If you are not the
> intended addressee, any use, interference with, disclosure or copying
> of this material is unauthorized and prohibited. If you have received
> this e-mail in error please contact the sender immediately and then
> delete the message and any attachment(s). There is no warranty that
> this email is error, virus or defect free. This email is also subject
> to copyright. No part of it should be reproduced, adapted or
> communicated without the written consent of the copyright owner. If
> this is a private communication it does not represent the views of
> Virgin Australia or its related entities. Please be aware that the
> contents of any emails sent to or from Virgin Australia or its related
> entities may be periodically monitored and reviewed. Virgin Australia
> and its related entities respect your privacy. Our privacy policy can
> be accessed from our website: www.virginaustralia.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From guus.der.kinderen at gmail.com Fri Apr 1 05:46:06 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Fri, 1 Apr 2016 11:46:06 +0200
Subject: [keycloak-user] Limiting (network-based) access to different realms

Hello,

We're working on a setup where we have two realms, a 'master' realm that we use for administration, and another realm that is public-facing, providing service to our end-users.

We'd like to be able to prevent access to the master realm for the general public. We do not want, for example, to have the general public be able to access the login page for the master realm, but we would like them to be able to use the login page for the other realm. Things will probably get interesting in the REST interface in that sense.

Ideally, we would expose each realm on a different network endpoint (at the very least, use different TCP ports for each realm). We prefer to avoid a solution that relies on URL / path-based filtering.

Can Keycloak facilitate this? Is it possible to limit exposure of a particular realm to a specific network endpoint?

Kind regards,

Guus
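Marek's answer in the "standard vs implicit flow in SPA" thread above describes wrapping each REST call so the adapter refreshes the access token when it is close to expiry, using the onTokenExpired callback as the alternative, and falling back to a redirect to the login page when no refresh is possible (the implicit-flow case, since that flow issues no refresh token). The following is an added example, not code from the thread or from the Keycloak project. It assumes the keycloak-js adapter surface updateToken(minValidity) (a promise that resolves to whether a refresh happened and rejects when none is possible), token, and login(); the adapter itself is replaced by a constructed fake so the example runs offline under Node.js (Buffer is used for base64url decoding; a browser build would use atob).

```javascript
// Added example (not from the mailing-list thread): wrap a REST call so the
// access token is refreshed before use, with a redirect-to-login fallback for
// the implicit-flow case where the adapter has no refresh token.
// Assumed keycloak-js surface: keycloak.updateToken(minValidity) -> Promise<boolean>
// (true = refreshed, rejects when refresh is impossible), keycloak.token,
// keycloak.login(), keycloak.onTokenExpired.

// Decode a JWT payload (base64url) without verifying the signature: the browser
// client only needs the `exp` claim; verification is the resource server's job.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True when the token expires within `minValidity` seconds of `nowSeconds`,
// i.e. it should be refreshed before the next call.
function expiresWithin(token, minValidity, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  return exp - nowSeconds < minValidity;
}

// Wrap a REST call: ask the adapter for a token valid for at least `minValidity`
// seconds, then hand the bearer header to `request`. If the adapter cannot
// refresh (no refresh token, as in the implicit flow), redirect to login instead
// of sending a request that would fail with an expired token.
async function callWithFreshToken(keycloak, request, minValidity = 30) {
  let refreshed;
  try {
    refreshed = await keycloak.updateToken(minValidity);
  } catch (err) {
    keycloak.login();
    return { status: 'redirected_to_login', refreshed: false };
  }
  const response = await request({ Authorization: 'Bearer ' + keycloak.token });
  return { status: 'ok', refreshed, response };
}

// The callback route the reply mentions: refresh when the adapter reports
// expiry, and redirect to login if that fails.
function installExpiryHandler(keycloak, minValidity = 30) {
  keycloak.onTokenExpired = () =>
    keycloak.updateToken(minValidity).catch(() => keycloak.login());
}

// ---- constructed stand-ins so the example runs offline ----

// Unsigned token whose payload carries only `exp` (constructed test data, not a
// real Keycloak token).
function makeToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ exp })}.sig`;
}

// Fake adapter: `canRefresh` models standard flow (true) vs implicit flow (false);
// `now` fixes the clock so results are deterministic.
function fakeAdapter({ now, tokenExp, canRefresh }) {
  const kc = {
    token: makeToken(tokenExp),
    loginCalls: 0,
    login() { kc.loginCalls += 1; },
    async updateToken(minValidity) {
      if (!expiresWithin(kc.token, minValidity, now)) return false; // still valid
      if (!canRefresh) throw new Error('no refresh token available');
      kc.token = makeToken(now + 300); // refreshed: new 5-minute token
      return true;
    },
  };
  return kc;
}
```

In a real SPA the `request` argument would be the fetch call itself; keeping it as a parameter means the refresh decision lives in one place rather than beside every endpoint, and the `minValidity` margin avoids the race where a token that is valid when checked has expired by the time the resource server sees it.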
From Carsten.Saathoff at kisters.de Fri Apr 1 06:18:06 2016
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Fri, 1 Apr 2016 12:18:06 +0200
Subject: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1

Hi,

I just upgraded my old Keycloak 1.4 installation to 1.9.1. But I am not able to log into the admin console any more. After having read the migration guide again, it seems this could be due to the direct grant being disabled now for some client. But to be honest, I don't quite understand what exactly the issue is. Any ideas?

thanks and best regards

Carsten

--------------------------------------------------------------------------------------------------------------------------------------------
Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
Commercial register Aachen, HRB no. 7838 | Management board: Klaus Kisters, Hanns Kisters | Chairman of the supervisory board: Dr. Thomas Klevers
Phone: +49 441 93602 -257 | Fax: +49 441 93602 -222 | E-Mail: Carsten.Saathoff at kisters.de | WWW: http://www.kisters.de
--------------------------------------------------------------------------------------------------------------------------------------------
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorised copying and forwarding of this e-mail is not permitted.
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

From Carsten.Saathoff at kisters.de Fri Apr 1 06:29:40 2016
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Fri, 1 Apr 2016 12:29:40 +0200
Subject: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1

Hi again, I should have added some more details, sorry:

keycloak-user-bounces at lists.jboss.org wrote on 01/04/2016 12:18:06:

> I just upgraded my old Keycloak 1.4 installation to 1.9.1. But I am
> not able to log into the admin console any more. After having read
> the migration guide again, it seems this could be due to the direct
> grant being disabled now for some client. But to be honest, I don't
> quite understand what exactly the issue is. Any ideas?
>

the browser shows me the following error:

Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.

In the logs, I only find the following line:

2016-04-01 12:27:16,772 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=192.168.113.34, error=not_allowed, response_type=code, response_mode=fragment

I am not sure what I have to do to enable the standard flow in the 1.4 UI.

thanks

Carsten

From thomas.darimont at googlemail.com Fri Apr 1 07:53:04 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 1 Apr 2016 13:53:04 +0200
Subject: [keycloak-user] Guidelines Load- / Stress-Testing Keycloak

Hello group,

has anyone already stress tested a Keycloak deployment? The Keycloak Testsuite contains a rudimentary stress test for login/logout [0], but we were wondering whether someone has already done more thorough testing here that they are willing to share. We're looking into stress testing Keycloak with gatling [1] to get a sense for when Keycloak falls over and some information about JVM memory requirements during high load.
Furthermore, are there any suggestions for use-cases that should be tested in particular, e.g.:

- Simple Page Invocations (Unauthenticated, Authenticated)
- Login
- Logout
- Registration
- Account Page
- Complex flows
  - Login, go to account page, Logout
  - Login, go to account page, change password, Logout, Login with new password
- Service Requests
  - Acquire Refresh Token
  - Acquire Access Token

Are there any (known) potentially expensive operations that are not obvious that should be tested in particular? (In simulating a real-world load with high user counts, for example, are there any particularly expensive operations where a high user count would noticeably impact performance?)

What is the best way to initialize Keycloak (e.g. backed by a PostgreSQL database) with varying (arbitrarily large) numbers of users, in order to get realistic performance numbers? Given that creating XX,000 users via the REST API might take some time, is it enough to simply generate 10,000 * X records in the UserEntity table?

Cheers,
Thomas

[0] https://github.com/keycloak/keycloak/tree/master/testsuite/stress
[1] http://gatling.io/

From Carsten.Saathoff at kisters.de Fri Apr 1 08:01:06 2016
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Fri, 1 Apr 2016 14:01:06 +0200
Subject: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1

Fixed it by manually setting standardFlowEnabled and directAccessGrantsEnabled to true in the DB. We are using MongoDB.

I still don't understand whether this is intended behaviour, or if something went wrong during the upgrade. The "new" attributes were not present in MongoDB. So maybe the database was not properly migrated?
best

Carsten

keycloak-user-bounces at lists.jboss.org wrote on 01/04/2016 12:29:40:

> From: Carsten Saathoff
> To: Carsten Saathoff
> Cc: keycloak-user-bounces at lists.jboss.org, keycloak-user at lists.jboss.org
> Date: 01/04/2016 12:31
> Subject: Re: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1
> Sent by: keycloak-user-bounces at lists.jboss.org
>
> Hi again, I should have added some more details, sorry:
>
> the browser shows me the following error:
>
> Client is not allowed to initiate browser login with given
> response_type. Standard flow is disabled for the client.
>
> In the logs, I only find the following line:
>
> 2016-04-01 12:27:16,772 WARN [org.keycloak.events] (default task-7)
> type=LOGIN_ERROR, realmId=master, clientId=security-admin-console,
> userId=null, ipAddress=192.168.113.34, error=not_allowed,
> response_type=code, response_mode=fragment
>
> I am not sure what I have to do to enable the standard flow in the 1.4 UI.
>
> thanks
>
> Carsten
From thomas.darimont at googlemail.com Fri Apr 1 08:01:06 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 1 Apr 2016 14:01:06 +0200
Subject: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1

Hello,

I guess you could change this in the database ... -> e.g. in the "client" table in the keycloak db, there are boolean flags per client like:

- standard_flow_enabled boolean NOT NULL DEFAULT true,
- implicit_flow_enabled boolean NOT NULL DEFAULT false,
- direct_access_grants_enabled boolean NOT NULL DEFAULT false,

You could try to change that ...

Cheers,
Thomas

2016-04-01 12:29 GMT+02:00 Carsten Saathoff :

> Hi again, I should have added some more details, sorry:
>
> the browser shows me the following error:
>
> Client is not allowed to initiate browser login with given response_type.
> Standard flow is disabled for the client.
>
> In the logs, I only find the following line:
>
> 2016-04-01 12:27:16,772 WARN [org.keycloak.events] (default task-7)
> type=LOGIN_ERROR, realmId=master, clientId=security-admin-console,
> userId=null, ipAddress=192.168.113.34, error=not_allowed,
> response_type=code, response_mode=fragment
>
> I am not sure what I have to do to enable the standard flow in the 1.4 UI.
>
> thanks
>
> Carsten

From Carsten.Saathoff at kisters.de Fri Apr 1 08:09:58 2016
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Fri, 1 Apr 2016 14:09:58 +0200
Subject: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1

Hi Thomas,

yes, that's what I eventually did and it worked. Thanks.
best

Carsten

From: Thomas Darimont
To: Carsten Saathoff
Cc: keycloak-user , keycloak-user-bounces at lists.jboss.org
Date: 01/04/2016 14:04
Subject: Re: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1
Sent by: keycloak-user-bounces at lists.jboss.org

Hello,

I guess you could change this in the database ... -> e.g. in the "client" table in the keycloak db, there are boolean flags per client like:

- standard_flow_enabled boolean NOT NULL DEFAULT true,
- implicit_flow_enabled boolean NOT NULL DEFAULT false,
- direct_access_grants_enabled boolean NOT NULL DEFAULT false,

You could try to change that ...

Cheers,
Thomas

From bburke at redhat.com Fri Apr 1 09:16:52 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 1 Apr 2016 09:16:52 -0400
Subject: [keycloak-user] Limiting (network-based) access to different realms
Message-ID: <56FE74C4.5070704@redhat.com>

You could write an authenticator plugged in via the auth SPI that checks the client IP and port and does not allow connections based on that.

On 4/1/2016 5:46 AM, Guus der Kinderen wrote:
> Hello,
>
> We're working on a setup where we have two realms, a 'master' realm
> that we use for administration, and another realm that is
> public-facing, providing service to our end-users.
>
> We'd like to be able to prevent access to the master realm for the
> general public. We do not want, for example, to have the general
> public be able to access the login page for the master realm, but we
> would like them to be able to use the login page for the other realm.
> Things will probably get interesting in the REST interface in that sense.
>
> Ideally, we would expose each realm on a different network endpoint
> (at the very least, use different TCP ports for each realm). We prefer
> to avoid a solution that relies on URL / path-based filtering.
>
> Can Keycloak facilitate this? Is it possible to limit exposure of a
> particular realm to a specific network endpoint?
>
> Kind regards,
>
> Guus

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From guus.der.kinderen at gmail.com Fri Apr 1 10:14:43 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Fri, 1 Apr 2016 16:14:43 +0200
Subject: [keycloak-user] Server-side validation of custom user attributes

Hello,

Chapter 32 of the Keycloak user manual describes how custom user attributes can be used. Is there a way to validate the user attribute values server-side (as opposed to in the theme / client-side)?

In our case, we'd like to require our users to supply a particular value, which must match one of many pre-defined values. We do not want to expose the entire list of valid values publicly though.

Regards,

Guus

From mposolda at redhat.com Fri Apr 1 10:59:36 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 1 Apr 2016 16:59:36 +0200
Subject: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1
Message-ID: <56FE8CD8.1000501@redhat.com>

I've finally reproduced it and see why the DB wasn't upgraded for you. I guess you were missing the property "databaseSchema" in the configuration of connectionsMongo in keycloak-server.json. I've removed this property for future versions and instead Mongo will be checked for updates by default at startup.
JIRA is here https://issues.jboss.org/browse/KEYCLOAK-2737

Marek

On 01/04/16 14:09, Carsten Saathoff wrote:
> Hi Thomas,
>
> yes, that's what I eventually did and it worked. Thanks.
>
> best
>
> Carsten
> ------------------------------------------------------------------------
> Carsten Saathoff - KISTERS AG - Stau 75 - 26122 Oldenburg - Germany
> Commercial Register Aachen, HRB No. 7838 | Executive Board: Klaus Kisters, Hanns Kisters | Chairman of the Supervisory Board: Dr. Thomas Klevers
> Phone: +49 441 93602 -257 | Fax: +49 441 93602 -222 | E-Mail: Carsten.Saathoff at kisters.de | WWW: http://www.kisters.de
> ------------------------------------------------------------------------
> This e-mail contains confidential and/or legally protected information. If you are not the intended addressee or have received this e-mail by mistake, please inform the sender immediately and destroy this mail. Unauthorised copying and unauthorised forwarding of this mail are not permitted.
> This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
>
> From: Thomas Darimont
> To: Carsten Saathoff
> Cc: keycloak-user, keycloak-user-bounces at lists.jboss.org
> Date: 01/04/2016 14:04
> Subject: Re: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1
> Sent by: keycloak-user-bounces at lists.jboss.org
> ------------------------------------------------------------------------
>
> Hello,
>
> I guess you could change this in the database ... -> e.g. in the "client" table in the keycloak db, there are boolean flags per client like:
> - standard_flow_enabled boolean NOT NULL DEFAULT true,
> - implicit_flow_enabled boolean NOT NULL DEFAULT false,
> - direct_access_grants_enabled boolean NOT NULL DEFAULT false,
>
> You could try to change that ...
>
> Cheers,
> Thomas
>
> 2016-04-01 12:29 GMT+02:00 Carsten Saathoff <Carsten.Saathoff at kisters.de>:
> Hi again, I should have added some more details, sorry:
>
> keycloak-user-bounces at lists.jboss.org wrote on 01/04/2016 12:18:06:
>
> > I just upgraded my old Keycloak 1.4 installation to 1.9.1. But I am not able to log into the admin console any more. After having read the migration guide again, it seems this could be due to the direct grant being disabled now for some client. But to be honest, I don't quite understand what exactly the issue is. Any ideas?
>
> the browser shows me the following error:
>
> Client is not allowed to initiate browser login with given response_type. Standard flow is disabled for the client.
>
> In the logs, I only find the following line:
>
> 2016-04-01 12:27:16,772 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=192.168.113.34, error=not_allowed, response_type=code, response_mode=fragment
>
> I am not sure, what I have to do to enable the standard flow in the 1.4 UI.
>
> thanks
>
> Carsten
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Carsten.Saathoff at kisters.de Fri Apr 1 11:03:21 2016
From: Carsten.Saathoff at kisters.de (Carsten Saathoff)
Date: Fri, 1 Apr 2016 17:03:21 +0200
Subject: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1
In-Reply-To: <56FE8CD8.1000501@redhat.com>
References: <56FE8CD8.1000501@redhat.com>

Ah! You are right, I did not set that property.
I even remember that it existed, now that you mention it. I agree that it's probably better to check it every time, since currently it's easy to overlook (obviously).

Thanks

Carsten

From: Marek Posolda
To: Carsten Saathoff, Thomas Darimont, keycloak-user at lists.jboss.org
Date: 01/04/2016 16:59
Subject: Re: [keycloak-user] Not able to log into admin console after upgrading from 1.4 -> 1.9.1

I've finally reproduced it and see why the DB wasn't upgraded for you. I guess you were missing property "databaseSchema" in the configuration of connectionsMongo in keycloak-server.json. I've removed this property for the future versions and instead Mongo will be checked for updates by default at startup.

JIRA is here https://issues.jboss.org/browse/KEYCLOAK-2737

Marek

From jsprague at redhat.com Fri Apr 1 12:29:39 2016
From: jsprague at redhat.com (Jared Sprague)
Date: Fri, 1 Apr 2016 12:29:39 -0400 (EDT)
Subject: [keycloak-user] Which OpenID Connect Flow to Use?
In-Reply-To: <56FD60F3.6060109@redhat.com>
References: <943504158.35746087.1459444639623.JavaMail.zimbra@redhat.com> <56FD60F3.6060109@redhat.com>
Message-ID: <346100896.36052704.1459528179086.JavaMail.zimbra@redhat.com>

Thanks for the response Bill! So it sounds like from what you're saying that the Standard flow should work fine for us since it's what the admin app uses and it's an Angular app that talks to REST API. Just out of curiosity, in what situation would implicit flow be used?

Thanks!

- Jared

----- Original Message -----
From: "Bill Burke"
To: keycloak-user at lists.jboss.org
Sent: Thursday, March 31, 2016 1:40:03 PM
Subject: Re: [keycloak-user] Which OpenID Connect Flow to Use?

The Keycloak admin console is a pure HTML5/Javascript/Angular application. It is a public client that uses the keycloak.js adapter. It uses the authorization code grant flow (standard). The admin console app is registered as a client under the realm with precise allowed redirect URIs.
CORS is used at the REST API to additionally ensure that the correct origins are communicating with it. This ensures that only the admin console can initiate authentication and that only the admin console can participate in the auth code grant flow and only the admin console (through CORS and bearer tokens) can invoke on the REST API.

On 3/31/2016 1:17 PM, Jared Sprague wrote:
> Hello!
> We are currently in the process of migrating our Customer Portal to Keycloak, and are trying to decide which is the best OpenID Connect Flow to use, standard or implicit, based on our needs. What are example use cases for both flows? When would you use one vs the other?
>
> Here is the general use case we are trying to solve.
>
> 1. A user logs in and receives an access_token.
> 2. The user loads an Angular single-page-app that makes a call to a stateless REST api, passing an access token.
> 3. The REST API validates the access_token and forwards the request to the downstream system e.g. a data provider, including the access token in the request.
> 4. The data provider retrieves the access token and validates it and returns the response to the REST service, which returns the response to the Angular app.
>
> The above flow should be able to continue anytime throughout the duration of the SSO session. So for the above flow which OpenID Connect flow would you recommend using? Standard, Implicit, or Hybrid?
>
> Standard Flow
> http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
>
> Implicit Flow
> http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
>
> Thank you!
> - Jared Sprague
> access.redhat.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Fri Apr 1 13:37:17 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 1 Apr 2016 13:37:17 -0400
Subject: [keycloak-user] Which OpenID Connect Flow to Use?
In-Reply-To: <346100896.36052704.1459528179086.JavaMail.zimbra@redhat.com>
References: <943504158.35746087.1459444639623.JavaMail.zimbra@redhat.com> <56FD60F3.6060109@redhat.com> <346100896.36052704.1459528179086.JavaMail.zimbra@redhat.com>
Message-ID: <56FEB1CD.50000@redhat.com>

I think implicit was intended for Javascript clients that didn't have an adapter. I don't like it because access tokens become part of the browser history.

From bburke at redhat.com Fri Apr 1 13:45:11 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 1 Apr 2016 13:45:11 -0400
Subject: [keycloak-user] req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)
Message-ID: <56FEB3A7.7080306@redhat.com>

Which adapter are you using? I'll log a jira after I know this information.

On 3/31/2016 5:01 PM, LEONARDO NUNES wrote:
> Hi everyone,
>
> I have a page1 whose access is not restricted; at the page1 I have a Login button that directs to Keycloak and the redirect_uri is the page1.
> After I log in and get redirected to page1, I try to access the logged in user information with req.getUserPrincipal() but this method returns NULL at this moment.
> If I navigate to a page whose URL is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object.
>
> I noticed that I have to go to a restricted page before being able to access the user information at a non-restricted page.
>
> The ticket below solved the problem of not accessing the user information at a non-restricted page, but I still have this case when the user logged in at a non-restricted page.
> https://issues.jboss.org/browse/KEYCLOAK-2518
>
> --
> Leonardo
> ------------------------------------------------------------------------
> This message may contain confidential and/or privileged information. If you are not the addressee or the person authorised to receive this message, you may not use, copy or disclose the information it contains or take any action based on that information. If you received this message by mistake, please notify the sender immediately by replying to the e-mail and then delete it. Thank you for your cooperation.
>
> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation

From bburke at redhat.com Fri Apr 1 13:49:02 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 1 Apr 2016 13:49:02 -0400
Subject: [keycloak-user] req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)
In-Reply-To: <56FEB3A7.7080306@redhat.com>
References: <56FEB3A7.7080306@redhat.com>
Message-ID: <56FEB48E.4090701@redhat.com>

Also, how does your login button work? Are you calling HttpServletRequest.authenticate()?

From bburke at redhat.com Fri Apr 1 13:54:05 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 1 Apr 2016 13:54:05 -0400
Subject: [keycloak-user] req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)
In-Reply-To: <56FEB48E.4090701@redhat.com>
References: <56FEB3A7.7080306@redhat.com> <56FEB48E.4090701@redhat.com>
Message-ID: <56FEB5BD.8070506@redhat.com>

Actually, I don't think I can fix this on all platforms. I suggest that your login button redirects to a secure area on your website as a workaround. The redirect can just be a JSP that redirects back to the unsecured page.

From leo.nunes at gjccorp.com.br Fri Apr 1 14:21:52 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Fri, 1 Apr 2016 18:21:52 +0000
Subject: [keycloak-user] req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)

Hi everyone,

I have a page1 whose access is not restricted; at the page1 I have a Login button that directs to Keycloak and the redirect_uri is the page1.
After I log in and get redirected to page1, I try to access the logged in user information with req.getUserPrincipal() but this method returns NULL at this moment.
If I navigate to a page whose URL is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object.

I noticed that I have to go to a restricted page before being able to access the user information at a non-restricted page.

Keycloak version: 1.9.1.Final

The ticket below solved the problem of not accessing the user information at a non-restricted page, but I still have this case when the user logged in at a non-restricted page.
https://issues.jboss.org/browse/KEYCLOAK-2518

--
Leonardo

From leo.nunes at gjccorp.com.br Fri Apr 1 14:34:12 2016
From: leo.nunes at gjccorp.com.br (LEONARDO NUNES)
Date: Fri, 1 Apr 2016 18:34:12 +0000
Subject: [keycloak-user] req.getUserPrincipal() returns NULL before navigating to a restricted url (after login)

I'm using it with the Tomcat 8 Adapter and with the Spring Boot Adapter. On both I'm using Keycloak version 1.9.1.Final.
The Login button calls this URL: http://localhost:8180/auth/realms/accounts/protocol/openid-connect/auth?client_id=accounts-teste&redirect_uri=http://localhost:8088/accounts-teste/&response_mode=fragment&response_type=code The Register button calls this URL: http://localhost:8180/auth/realms/accounts/protocol/openid-connect/registrations?client_id=accounts-teste&redirect_uri=http://localhost:8088/accounts-teste/&response_mode=fragment&response_type=code -- Att, Leonardo Nunes Analista de Sistemas leo.nunes at gjccorp.com.br Skype: leonardo.puc +55 (62) 3250-1462 Grupo Jaime C?mara www.gjccorp.com.br From: Leonardo Nunes > Date: quinta-feira, 31 de mar?o de 2016 18:01 To: "keycloak-user at lists.jboss.org" > Subject: req.getUserPrincipal() returns NULL before navigating to a restricted url (after login) Hi everyone, I have a page1 that it's access is not restricted, at the page1 I have a Login button that directs to Keycloak and the redirect_uri is the page1. After I login and get redirect to page1, I try to access the logged in user information with req.getUserPrincipal() but this method returns NULL at this moment. If I navigate to a page that it's url is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object. I noticed that I have to go to a restricted page before being able to access the user information at a non-restricted page. The ticket below solved the problem of not accessing the user information at a non-restricted page, but still have this case when the user logged in at non-restricted page. https://issues.jboss.org/browse/KEYCLOAK-2518 -- Leonardo ________________________________ Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta mensagem, n?o poder? usar, copiar ou divulgar as informa??es nela contidas ou tomar qualquer a??o baseada nessas informa??es. Se voc? 
recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua coopera??o. This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160401/7c731bbd/attachment.html From leo.nunes at gjccorp.com.br Fri Apr 1 15:03:40 2016 From: leo.nunes at gjccorp.com.br (LEONARDO NUNES) Date: Fri, 1 Apr 2016 19:03:40 +0000 Subject: [keycloak-user] req.getUserPrincipal() returns NULL before navigating to a restricted url (after login) In-Reply-To: Message-ID: I didn't use HttpServletRequest.authenticate() because I didn't find a way to specify with I want to go to the Login page or to the Registration page directly. -- Leonardo From: Leonardo Nunes > Date: sexta-feira, 1 de abril de 2016 15:34 To: "keycloak-user at lists.jboss.org" >, "bburke at redhat.com" > Subject: Re: req.getUserPrincipal() returns NULL before navigating to a restricted url (after login) I'm using with Tomcat 8 Adapter and with Spring Boot Adapter. On both i'm using Keycloak version 1.9.1.Final. 
The Login button calls this URL: http://localhost:8180/auth/realms/accounts/protocol/openid-connect/auth?client_id=accounts-teste&redirect_uri=http://localhost:8088/accounts-teste/&response_mode=fragment&response_type=code The Register button calls this URL: http://localhost:8180/auth/realms/accounts/protocol/openid-connect/registrations?client_id=accounts-teste&redirect_uri=http://localhost:8088/accounts-teste/&response_mode=fragment&response_type=code -- Leonardo From: Leonardo Nunes > Date: quinta-feira, 31 de mar?o de 2016 18:01 To: "keycloak-user at lists.jboss.org" > Subject: req.getUserPrincipal() returns NULL before navigating to a restricted url (after login) Hi everyone, I have a page1 that it's access is not restricted, at the page1 I have a Login button that directs to Keycloak and the redirect_uri is the page1. After I login and get redirect to page1, I try to access the logged in user information with req.getUserPrincipal() but this method returns NULL at this moment. If I navigate to a page that it's url is restricted and then return to the non-restricted page, then req.getUserPrincipal() returns the user object. I noticed that I have to go to a restricted page before being able to access the user information at a non-restricted page. The ticket below solved the problem of not accessing the user information at a non-restricted page, but still have this case when the user logged in at non-restricted page. https://issues.jboss.org/browse/KEYCLOAK-2518 -- Leonardo ________________________________ Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta mensagem, n?o poder? usar, copiar ou divulgar as informa??es nela contidas ou tomar qualquer a??o baseada nessas informa??es. Se voc? recebeu esta mensagem por engano, por favor avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. Agradecemos sua coopera??o. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160401/e18a8d3c/attachment-0001.html

From robotirlandes at gmail.com Fri Apr 1 15:31:25 2016
From: robotirlandes at gmail.com (venito camelas)
Date: Fri, 1 Apr 2016 16:31:25 -0300
Subject: [keycloak-user] Keycloak 1.9 - jboss eap6.4
Message-ID:

Hi, I'm trying to use keycloak 1.9 on a jboss eap-6.4
I downloaded keycloak 1.9.1 and keycloak overlay 1.9.1.

When I try to start jboss I get the following error:

Caused by: java.lang.NoSuchMethodError: org.jboss.as.controller.ExtensionContext.registerSubsystem(Ljava/lang/String;Lorg/jboss/as/controller/ModelVersion;)Lorg/jboss/as/controller/SubsystemRegistration;
    at org.keycloak.subsystem.server.extension.KeycloakExtension.initialize(KeycloakExtension.java:70)
    at org.jboss.as.controller.extension.ExtensionAddHandler.initializeExtension(ExtensionAddHandler.java:97) [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    at org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:139) [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    at org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:125) [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_45]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_45]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]

For what I understood reading the code, it is trying to call the method registerSubsystem using 2 arguments and the ExtensionContext that jboss eap 6.4 uses doesn't support 2 arguments, it supports 2 or more.

What am I missing?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160401/87a67dd0/attachment.html

From bburke at redhat.com Fri Apr 1 16:32:16 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 1 Apr 2016 16:32:16 -0400
Subject: [keycloak-user] Keycloak 1.9 - jboss eap6.4
In-Reply-To:
References:
Message-ID: <56FEDAD0.1000502@redhat.com>

Keycloak Server 1.9.x and later is no longer supported (or even works) on EAP 6.x, only latest Wildfly and EAP 7. It's too much extra maintenance for us. Our supported keycloak product will run on EAP7.

The Keycloak client adapters (SAML and OIDC/OAuth) should all still work with AS7, EAP 6.x, Wildfly 8-10, Jetty 8.1-9.2, Tomcat 6-8.

On 4/1/2016 3:31 PM, venito camelas wrote:
> Hi, im trying to use keycloak 1.9 on a jboss eap-6.4
> I downloaded keycloak 1.9.1 and keycloak overlay 1.9.1.
> > When I try to start jboss I get the following error: > > Caused by: java.lang.NoSuchMethodError: > org.jboss.as.controller.ExtensionContext.registerSubsystem(Ljava/lang/String;Lorg/jboss/as/controller/ModelVersion;)Lorg/jboss/as/controller/SubsystemRegistration; > at > org.keycloak.subsystem.server.extension.KeycloakExtension.initialize(KeycloakExtension.java:70) > at > org.jboss.as.controller.extension.ExtensionAddHandler.initializeExtension(ExtensionAddHandler.java:97) > [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] > at > org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:139) > [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] > at > org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:125) > [jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > [rt.jar:1.8.0_45] > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > [rt.jar:1.8.0_45] > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > [rt.jar:1.8.0_45] > at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] > at org.jboss.threads.JBossThread.run(JBossThread.java:122) > [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1] > > > For what I understood reading the code, it is trying to call the > method register subsystem using 2 arguments and the ExtensionContext > that jboss eap 6.4 uses doesn't support 2 arguments, it supports 2 or > more. > > What am I missing? 
> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160401/ea217a05/attachment.html From bburke at redhat.com Fri Apr 1 16:36:17 2016 From: bburke at redhat.com (Bill Burke) Date: Fri, 1 Apr 2016 16:36:17 -0400 Subject: [keycloak-user] Keycloak 1.9 - jboss eap6.4 In-Reply-To: <56FEDAD0.1000502@redhat.com> References: <56FEDAD0.1000502@redhat.com> Message-ID: <56FEDBC1.4030901@redhat.com> Also, going forward, Keycloak community server download will only run on latest stable release of EAP and latest stable release of Wildfly. On 4/1/2016 4:32 PM, Bill Burke wrote: > Keycloak Server 1.9.x and later is no longer supported (or even works) > on EAP 6.x, only latest Wildfly and EAP 7. Its too much extra > maintenance for us. Our supported keycloak product will run on EAP7. > > The Keycloak client adapters (SAML and OIDC/OAuth) should all still > work with AS7, EAP 6.x, Wildfly 8-10, Jetty 8.1-9.2, Tomcat 6-8. > > On 4/1/2016 3:31 PM, venito camelas wrote: >> Hi, im trying to use keycloak 1.9 on a jboss eap-6.4 >> I downloaded keycloak 1.9.1 and keycloak overlay 1.9.1. 
>> >> When I try to start jboss I get the following error: >> >> Caused by: java.lang.NoSuchMethodError: >> org.jboss.as.controller.ExtensionContext.registerSubsystem(Ljava/lang/String;Lorg/jboss/as/controller/ModelVersion;)Lorg/jboss/as/controller/SubsystemRegistration; >> at >> org.keycloak.subsystem.server.extension.KeycloakExtension.initialize(KeycloakExtension.java:70) >> at >> org.jboss.as.controller.extension.ExtensionAddHandler.initializeExtension(ExtensionAddHandler.java:97)[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] >> at >> org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:139)[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] >> at >> org.jboss.as.controller.extension.ParallelExtensionAddHandler$ExtensionInitializeTask.call(ParallelExtensionAddHandler.java:125)[jboss-as-controller-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> [rt.jar:1.8.0_45] >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> [rt.jar:1.8.0_45] >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> [rt.jar:1.8.0_45] >> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45] >> at org.jboss.threads.JBossThread.run(JBossThread.java:122) >> [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1] >> >> >> For what I understood reading the code, it is trying to call the >> method register subsystem using 2 arguments and the ExtensionContext >> that jboss eap 6.4 uses doesn't support 2 arguments, it supports 2 or >> more. >> >> What am I missing? 
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160401/eb0085f5/attachment.html

From guus.der.kinderen at gmail.com Mon Apr 4 08:52:35 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Mon, 4 Apr 2016 14:52:35 +0200
Subject: [keycloak-user] Is Keycloak client admin thread safe?
In-Reply-To:
References: <56FCF00B.1030901@redhat.com>
Message-ID:

Hey, thanks for this. Coincidentally, I was looking into similar issues.

We've been running into concurrency-related issues. These find their origin in the Resteasy client that is created in the client admin Keycloak class.

Marek writes that the underlying connection pool can be modified, but that's not really straightforward: there is no getInstance() method that exposes the Resteasy client. One has to subclass the Keycloak class to gain access. Perhaps there's room for improvement here?

Also, by default, the Resteasy client uses one connection. That seems to be a very conservative default, given the nature of the client admin. I believe that the client admin would benefit from using a thread pool of a size that's arbitrarily larger than 1. I'd go with 10.

Regards,

Guus

On 31 March 2016 at 21:20, Hristo Stoyanov wrote:
> Marek,
> Thanks for this clarification and all your help in this forum to my other
> questions!
>
> You guys rock!
> > /Hristo Stoyanov > On Mar 31, 2016 2:38 AM, "Marek Posolda" wrote: > >> It's supposed to be and we even internally using it in some concurrency >> test. >> >> It's using Apache HTTP client under the hood, which itself is thread-safe >> and is using connection pooling. In case you need, you can configure more >> fine-grained details (like connection pool size etc) by pass the custom >> resteasyClient to Keycloak object. >> >> However when I looked a bit more into sources now, I can see that there >> are some potential concurrency issues in TokenManager class, which is used >> internally by admin client. Created JIRA >> https://issues.jboss.org/browse/KEYCLOAK-2731 for it. It's not too bad >> IMO, but note that you can possibly see situation when more concurrent >> threads are trying to refresh the same access token at the same time. >> >> Marek >> >> >> On 31/03/16 01:37, Hristo Stoyanov wrote: >> >> Is org.Keycloak.admin.client.Keycloak threadsafe? I intend to use it as a >> single admin client for the entire app ... >> >> /Hristo Stoyanov >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160404/9760dea3/attachment-0001.html From bburke at redhat.com Mon Apr 4 09:59:17 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 4 Apr 2016 09:59:17 -0400 Subject: [keycloak-user] Is Keycloak client admin thread safe? 
In-Reply-To: References: <56FCF00B.1030901@redhat.com> Message-ID: <57027335.6010600@redhat.com> You can just create the ResteasyClient, get a ResteasyWebTarget, then call target.proxy(RealmsResource.class) On 4/4/2016 8:52 AM, Guus der Kinderen wrote: > Hey, thanks for this. Coincidentally, I was looking into similar issues. > > We've been running into concurrently-related issues. These find their > origin in the Resteasy client that is created in the client admin > Keycloak class. > > Marek writes that the underlying connection pool can be modified, but > that's not really straightforward: there is no getInstance() method > that exposes the Resteasy client. One has to subclass the Keycloak > class to gain access. Perhaps there's room for improvement here? > > Also, by default, the Resteasy client uses one connection. That seems > to be a very conservative default, given the nature of the client > admin. I believe that the client admin would benefit from using a > thread pool of a size that's arbitrarily larger than 1. I'd go with 10. > > Regards, > > Guus > > On 31 March 2016 at 21:20, Hristo Stoyanov > wrote: > > Marek, > Thanks for this clarification and all your help in this forum to > my other questions! > > You guys rock! > > /Hristo Stoyanov > > On Mar 31, 2016 2:38 AM, "Marek Posolda" > wrote: > > It's supposed to be and we even internally using it in some > concurrency test. > > It's using Apache HTTP client under the hood, which itself is > thread-safe and is using connection pooling. In case you need, > you can configure more fine-grained details (like connection > pool size etc) by pass the custom resteasyClient to Keycloak > object. > > However when I looked a bit more into sources now, I can see > that there are some potential concurrency issues in > TokenManager class, which is used internally by admin client. > Created JIRA https://issues.jboss.org/browse/KEYCLOAK-2731 for > it. 
It's not too bad IMO, but note that you can possibly see
> situation when more concurrent threads are trying to refresh
> the same access token at the same time.
>
> Marek
>
>
> On 31/03/16 01:37, Hristo Stoyanov wrote:
>>
>> Is org.Keycloak.admin.client.Keycloak threadsafe? I intend to
>> use it as a single admin client for the entire app ...
>>
>> /Hristo Stoyanov
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160404/118d6aff/attachment.html

From guus.der.kinderen at gmail.com Mon Apr 4 09:08:35 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Mon, 4 Apr 2016 15:08:35 +0200
Subject: [keycloak-user] Is Keycloak client admin thread safe?
In-Reply-To: <57027335.6010600@redhat.com>
References: <56FCF00B.1030901@redhat.com> <57027335.6010600@redhat.com>
Message-ID:

Thanks for the suggestion, but wouldn't that bypass the TokenManager?

I've just run a quick test with subclassing Keycloak to add another getInstance(). That works fine.

Why not make that constructor public? Do we want to hide the Resteasy instance so bad?

- Guus

On 4 April 2016 at 15:59, Bill Burke wrote:
> You can just create the ResteasyClient, get a ResteasyWebTarget, then call
> target.proxy(RealmsResource.class)
>
>
> On 4/4/2016 8:52 AM, Guus der Kinderen wrote:
>
> Hey, thanks for this.
Coincidentally, I was looking into similar issues. > > We've been running into concurrently-related issues. These find their > origin in the Resteasy client that is created in the client admin Keycloak > class. > > Marek writes that the underlying connection pool can be modified, but > that's not really straightforward: there is no getInstance() method that > exposes the Resteasy client. One has to subclass the Keycloak class to gain > access. Perhaps there's room for improvement here? > > Also, by default, the Resteasy client uses one connection. That seems to > be a very conservative default, given the nature of the client admin. I > believe that the client admin would benefit from using a thread pool of a > size that's arbitrarily larger than 1. I'd go with 10. > > Regards, > > Guus > > On 31 March 2016 at 21:20, Hristo Stoyanov > wrote: > >> Marek, >> Thanks for this clarification and all your help in this forum to my other >> questions! >> >> You guys rock! >> >> /Hristo Stoyanov >> On Mar 31, 2016 2:38 AM, "Marek Posolda" wrote: >> >>> It's supposed to be and we even internally using it in some concurrency >>> test. >>> >>> It's using Apache HTTP client under the hood, which itself is >>> thread-safe and is using connection pooling. In case you need, you can >>> configure more fine-grained details (like connection pool size etc) by pass >>> the custom resteasyClient to Keycloak object. >>> >>> However when I looked a bit more into sources now, I can see that there >>> are some potential concurrency issues in TokenManager class, which is used >>> internally by admin client. Created JIRA >>> https://issues.jboss.org/browse/KEYCLOAK-2731 for it. It's not too bad >>> IMO, but note that you can possibly see situation when more concurrent >>> threads are trying to refresh the same access token at the same time. >>> >>> Marek >>> >>> >>> On 31/03/16 01:37, Hristo Stoyanov wrote: >>> >>> Is org.Keycloak.admin.client.Keycloak threadsafe? 
I intend to use it as
>>> a single admin client for the entire app ...
>>>
>>> /Hristo Stoyanov
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160404/ca266b40/attachment.html

From mposolda at redhat.com Mon Apr 4 10:28:57 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 4 Apr 2016 16:28:57 +0200
Subject: [keycloak-user] Is Keycloak client admin thread safe?
In-Reply-To:
References: <56FCF00B.1030901@redhat.com> <57027335.6010600@redhat.com>
Message-ID: <57027A29.5080405@redhat.com>

Maybe for consistency, we can just add another "getInstance" like this:

public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, ResteasyClient resteasyClient) {
    return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, resteasyClient);
}

That should be easy and not break anything regarding backwards compatibility.

Marek

On 04/04/16 15:08, Guus der Kinderen wrote:
> Thanks for the suggestion, but wouldn't that bypass the TokenManager?
> I've just ran a quick test with subclassing Keycloak to add another > getInstance(). That works fine. > Why not make that constructor public? Do we want to hide the Resteasy > instance so bad? > - Guus > On 4 April 2016 at 15:59, Bill Burke > wrote: > > You can just create the ResteasyClient, get a ResteasyWebTarget, > then call target.proxy(RealmsResource.class) > On 4/4/2016 8:52 AM, Guus der Kinderen wrote: >> Hey, thanks for this. Coincidentally, I was looking into similar >> issues. >> We've been running into concurrently-related issues. These find >> their origin in the Resteasy client that is created in the client >> admin Keycloak class. >> Marek writes that the underlying connection pool can be modified, >> but that's not really straightforward: there is no getInstance() >> method that exposes the Resteasy client. One has to subclass the >> Keycloak class to gain access. Perhaps there's room for >> improvement here? >> Also, by default, the Resteasy client uses one connection. That >> seems to be a very conservative default, given the nature of the >> client admin. I believe that the client admin would benefit from >> using a thread pool of a size that's arbitrarily larger than 1. >> I'd go with 10. >> Regards, >> Guus >> On 31 March 2016 at 21:20, Hristo Stoyanov >> > wrote: >> >> Marek, Thanks for this clarification and all your help in >> this forum to my other questions! >> >> You guys rock! >> >> /Hristo Stoyanov >> >> On Mar 31, 2016 2:38 AM, "Marek Posolda" > > wrote: >> >> It's supposed to be and we even internally using it in >> some concurrency test. It's using Apache HTTP client >> under the hood, which itself is thread-safe and is using >> connection pooling. In case you need, you can configure >> more fine-grained details (like connection pool size etc) >> by pass the custom resteasyClient to Keycloak object. 
>> However when I looked a bit more into sources now, I can >> see that there are some potential concurrency issues in >> TokenManager class, which is used internally by admin >> client. Created JIRA >> https://issues.jboss.org/browse/KEYCLOAK-2731 for it. >> It's not too bad IMO, but note that you can possibly see >> situation when more concurrent threads are trying to >> refresh the same access token at the same time. Marek On >> 31/03/16 01:37, Hristo Stoyanov wrote: >>> >>> Is org.Keycloak.admin.client.Keycloak threadsafe? I >>> intend to use it as a single admin client for the entire >>> app ... >>> >>> /Hristo Stoyanov >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ keycloak-user >> mailing list keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ keycloak-user > mailing list keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160404/5e59d85d/attachment-0001.html From guus.der.kinderen at gmail.com Mon Apr 4 10:44:19 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Mon, 4 Apr 2016 16:44:19 +0200 Subject: [keycloak-user] Is Keycloak client admin thread safe? 
In-Reply-To: <57027A29.5080405@redhat.com> References: <56FCF00B.1030901@redhat.com> <57027335.6010600@redhat.com> <57027A29.5080405@redhat.com> Message-ID: That would work for me. It's exactly what I did in the subclass. On 4 April 2016 at 16:28, Marek Posolda wrote: > Maybe for consistency, we can just add another "getInstance" like this: > > public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, ResteasyClient resteasyClient){ > return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, resteasyClient); > } > > That should be easy and not break anything regarding backwards > compatibility. Marek On 04/04/16 15:08, Guus der Kinderen wrote: > > Thanks for the suggestion, but wouldn't that bypass the TokenManager? > I've just ran a quick test with subclassing Keycloak to add another > getInstance(). That works fine. > Why not make that constructor public? Do we want to hide the Resteasy > instance so bad? > - Guus > On 4 April 2016 at 15:59, Bill Burke wrote: >> >> You can just create the ResteasyClient, get a ResteasyWebTarget, then >> call target.proxy(RealmsResource.class) >> On 4/4/2016 8:52 AM, Guus der Kinderen wrote: >> >> Hey, thanks for this. Coincidentally, I was looking into similar issues. >> We've been running into concurrently-related issues. These find their >> origin in the Resteasy client that is created in the client admin Keycloak >> class. >> Marek writes that the underlying connection pool can be modified, but >> that's not really straightforward: there is no getInstance() method that >> exposes the Resteasy client. One has to subclass the Keycloak class to gain >> access. Perhaps there's room for improvement here? >> Also, by default, the Resteasy client uses one connection. That seems to >> be a very conservative default, given the nature of the client admin. 
I >> believe that the client admin would benefit from using a thread pool of a >> size that's arbitrarily larger than 1. I'd go with 10. >> Regards, >> Guus >> On 31 March 2016 at 21:20, Hristo Stoyanov >> wrote: >>> >>> Marek, Thanks for this clarification and all your help in this forum to >>> my other questions! >>> >>> You guys rock! >>> >>> /Hristo Stoyanov >>> On Mar 31, 2016 2:38 AM, "Marek Posolda" wrote: >>>> >>>> It's supposed to be and we even internally using it in some concurrency >>>> test. It's using Apache HTTP client under the hood, which itself is >>>> thread-safe and is using connection pooling. In case you need, you can >>>> configure more fine-grained details (like connection pool size etc) by pass >>>> the custom resteasyClient to Keycloak object. However when I looked a bit >>>> more into sources now, I can see that there are some potential concurrency >>>> issues in TokenManager class, which is used internally by admin client. >>>> Created JIRA https://issues.jboss.org/browse/KEYCLOAK-2731 for it. >>>> It's not too bad IMO, but note that you can possibly see situation when >>>> more concurrent threads are trying to refresh the same access token at the >>>> same time. Marek On 31/03/16 01:37, Hristo Stoyanov wrote: >>>> >>>> Is org.Keycloak.admin.client.Keycloak threadsafe? I intend to use it as >>>> a single admin client for the entire app ... 
>>>>
>>>> /Hristo Stoyanov
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160404/152a15e1/attachment.html

From juandiego83 at gmail.com Mon Apr 4 23:06:14 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Mon, 4 Apr 2016 22:06:14 -0500
Subject: [keycloak-user] nginx with a reverse proxy to keycloak server
Message-ID:

Hi,

I installed keycloak on a wildfly 10 server, I bought and installed a certificate. Everything seems to work accessing https://mydomain.com:8443/auth/

My problem comes with my reverse proxy. I have other apps inside that wildfly, and they have their own domain and they work perfectly with the reverse proxy I set on.

When I access https://mydomain.com, I can see the first page of keycloak but none of the images work, the links are broken.

Should I enable something on my keycloak so it can work?
This is my block

upstream wildfly {
    server 127.0.0.1:8443 fail_timeout=0;
}

server {
    listen 80;
    server_name mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name mydomain.com;

    ssl on;
    ssl_certificate /opt/wildfly/standalone/configuration/rrec/mydomain.com.crt;
    ssl_certificate_key /opt/wildfly/standalone/configuration/rrec/mydomain.com.rsa.key;
    access_log /var/log/nginx/mydomain.com-access.log;
    error_log /var/log/nginx/mydomain.com-error.log;

    location = / {
        return 301 https://mydomain.com/auth;
    }

    location /auth {
        proxy_pass https://127.0.0.1:8443/auth/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
    }
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160404/c05667ba/attachment.html

From sthorger at redhat.com Tue Apr 5 00:53:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Apr 2016 06:53:15 +0200
Subject: [keycloak-user] nginx with a reverse proxy to keycloak server
In-Reply-To:
References:
Message-ID:

Did you follow the steps in http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e403 ?

On 5 April 2016 at 05:06, Juan Diego wrote:
> Hi,
>
> I installed keycloak on a wildfly 10 server, I bought and installed a
> certificate. Everything seems to work accessing
> https://mydomain.com:8443/auth/
>
> My problem comes with my reverse proxy. I have other apps inside that
> wildfly, and they have their own domain and they work perfectly with the
> reverse proxy I set on.
>
> When I access https://mydomain.com, I can see the first page of keycloak
> but none of the images work, the links are broken.
>
>
> Should I enable something on my keycloak so it can work?
> > This is my block > > upstream wildfly { > server 127.0.0.1:8443 fail_timeout=0; > } > > > server { > listen 80; > server_name mydomain.com; > return 301 https://$server_name$request_uri; > } > > > server { > listen 443 ssl; > server_name mydomain.com; > > ssl on; > ssl_certificate > /opt/wildfly/standalone/configuration/rrec/mydomain.com.crt; > ssl_certificate_key > /opt/wildfly/standalone/configuration/rrec/mydomain.com.rsa.key; > access_log /var/log/nginx/mydomain.com-access.log; > error_log /var/log/nginx/mydomain.com-error.log; > > > location = / { > return 301 https://mydomain.com/auth; > } > > > location /auth { > proxy_pass https://127.0.0.1:8443/auth/; > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-Port 443; > } > > } > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160405/e195d4a3/attachment-0001.html From sthorger at redhat.com Tue Apr 5 01:23:29 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 5 Apr 2016 07:23:29 +0200 Subject: [keycloak-user] GMail throws suspicious error when sending email. In-Reply-To: References: Message-ID: Do you know what the issue is with the subject? You can change the subjects by creating a custom email theme with a message bundle to override the specific key (add for example emailVerificationSubject to messages/messages_en.properties). On 30 March 2016 at 16:08, Dirk Franssen wrote: > Hi, > > I'm having the same behavior with 1.9.1.Final. I'm using SendGrid and have > taken all steps for whitelabelling. 
> After some testing with curl, using the same subject and body content, I
> found that it is related to the Subject content that is being sent. Is
> there an easy way to change the mail templates in KeyCloak or by REST API?
>
> Kind regards,
> Dirk Franssen
>
> On Wed, Mar 16, 2016 at 6:30 AM, Stian Thorgersen wrote:
>
>> Please try again with the latest release (1.9.1) and see if the problem
>> still exists.
>>
>> On 14 Mar 2016 12:04, "Revanth Ayalasomayajula" <revanth at arvindinternet.com> wrote:
>>
>>> Hi,
>>>
>>> I am using keycloak 1.5.0 for my product and when I am sending email for
>>> execute actions, gmail throws me the following warning in the image
>>> attached below. However, when I do forget password from my login screen
>>> the email sent does not contain this warning. Can you help me debug as to
>>> why this is happening? Execute actions is an important part of my product
>>> and any help regarding this would be highly appreciated.
>>>
>>> Thanks.
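An added example for the custom-email-theme approach Stian describes above (this is not code from the thread or from Keycloak itself). It scaffolds a theme that inherits from the base email theme and overrides subject keys, and then checks every overridden key against the base bundle, because a misspelled key is silently ignored and the stock subject keeps going out. Assumptions: the Keycloak theme layout themes/<name>/email/theme.properties plus themes/<name>/email/messages/messages_en.properties with parent=base; the key emailVerificationSubject named in the reply; executeActionsSubject, which is assumed to be the subject key of the execute-actions mail in your release's base theme (the check below tells you if it is not); and a hypothetical organisation name passed as an argument.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of Keycloak.
# Scaffolds a custom Keycloak email theme and verifies its overrides.
#
# Assumed layout (Keycloak theme convention):
#   THEMES_DIR/THEME_NAME/email/theme.properties
#   THEMES_DIR/THEME_NAME/email/messages/messages_en.properties
# Assumed keys: emailVerificationSubject (named in the thread) and
# executeActionsSubject (assumed from the base email theme; verify it).

# make_email_theme THEMES_DIR THEME_NAME ORG_NAME
# Writes a theme that inherits everything from "base" and overrides only
# the subject lines. Subjects are specific and branded: generic wording such
# as "update your account" is the kind of text mail providers flag as
# phishing-like.
make_email_theme() {
  themes_dir=$1; name=$2; org=$3
  dir="$themes_dir/$name/email"
  mkdir -p "$dir/messages"
  cat > "$dir/theme.properties" <<EOF
parent=base
EOF
  cat > "$dir/messages/messages_en.properties" <<EOF
# Subject overrides; every other key is inherited from the base theme.
emailVerificationSubject=$org: please confirm your email address
executeActionsSubject=$org: action required on your $org account
EOF
}

# list_keys FILE
# Prints the property keys of a Java .properties file, one per line,
# skipping comments and blank lines.
list_keys() {
  grep -v '^[[:space:]]*#' "$1" | grep '=' | cut -d= -f1 | sed 's/[[:space:]]*$//'
}

# check_overrides_exist BASE_BUNDLE OVERRIDE_BUNDLE
# Returns 0 when every key in OVERRIDE_BUNDLE is defined in BASE_BUNDLE,
# otherwise names each unknown key on stderr and returns 1. An unknown key
# is not an error for Keycloak; it is simply never used, so the override
# silently has no effect.
check_overrides_exist() {
  base=$1; override=$2; rc=0
  for k in $(list_keys "$override"); do
    if ! grep -q "^${k}=" "$base"; then
      echo "key not in base theme (override will be ignored): $k" >&2
      rc=1
    fi
  done
  return $rc
}
```

Typical use: `make_email_theme "$KEYCLOAK_HOME/themes" acme-mail Acme`, then `check_overrides_exist "$KEYCLOAK_HOME/themes/base/email/messages/messages_en.properties" "$KEYCLOAK_HOME/themes/acme-mail/email/messages/messages_en.properties"`, and finally select the theme as the realm's Email Theme in the admin console; the path to the base bundle is the one to adjust if your release lays themes out differently.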
Attachment (scrubbed): Screenshot from 2016-03-14 16:24:47.png (image/png, 9053 bytes)

From sthorger at redhat.com Tue Apr 5 01:28:40 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Apr 2016 07:28:40 +0200
Subject: [keycloak-user] Guidelines Load- / Stress-Testing Keycloak

We have done a fair bit of performance testing ourselves recently, but I'd
be interested to know what the results are from your testing.

For complex flow I'd suggest going to an external client rather than account
management. Also, I'd suggest only a random number of the users actively
logout (in real life some users will click logout, but most will just close
the browser so there's a background thread that eventually removes expired
sessions). For users you also need to make sure they have some role mappings.

On 1 April 2016 at 13:53, Thomas Darimont wrote:

> Hello group,
>
> has anyone already stress tested a Keycloak deployment?
>
> The Keycloak Testsuite contains a rudimentary stress test for login/logout [0],
> but we were wondering whether someone has already done more thorough
> testing here that they are willing to share.
>
> We're looking into stress testing Keycloak with gatling [1] to get a sense
> for when Keycloak falls over and some information about JVM memory
> requirements during high load.
>
> Furthermore, are there any suggestions for use-cases that should be tested
> in particular, e.g.:
>
> - Simple Page Invocations (Unauthenticated, Authenticated)
>   - Login
>   - Logout
>   - Registration
>   - Account Page
>
> - Complex flows
>   - Login, goto account page, Logout
>   - Login, goto account page, change password, Logout, Login with new password
>
> - Service Requests
>   - Acquire Refresh Token
>   - Acquire Access Token
>
> Are there any (known) potentially expensive operations that are not
> obvious that should be tested in particular?
>
> (in simulating a real-world load with high user counts, for example, are
> there any particularly expensive operations where a high user count would
> noticeably impact performance?)
>
> What is the best way to initialize Keycloak (e.g. backed by a PostgreSQL
> database) with varying (arbitrarily large) numbers of users, in order to
> get realistic performance numbers?
>
> Given that creating XX,000 users via the REST API might take some time, is
> it enough to simply generate 10,000 * X records in the UserEntity table?
>
> Cheers,
>
> Thomas
>
> [0] https://github.com/keycloak/keycloak/tree/master/testsuite/stress
> [1] http://gatling.io/

From sthorger at redhat.com Tue Apr 5 03:37:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Apr 2016 09:37:39 +0200
Subject: [keycloak-user] @SecurityDomain for wildfly 10?

@SecurityDomain (or equivalent in ejb xml) is still required.
The org.jboss.ejb3.annotation.SecurityDomain class is still present in
WildFly 10, but you can probably use either.

On 1 April 2016 at 00:05, Hristo Stoyanov wrote:

> Do we still need @SecurityDomain for wildfly 10 ejbs in addition for the
> older jboss server?
>
> If so, I think in section 8.2.1, the example ejb code has the wrong import
> for that annotation. It should be: import
> org.jboss.annotation.security.SecurityDomain?
>
> /Hristo Stoyanov

From Markus.Lauer at co-met.info Tue Apr 5 03:44:08 2016
From: Markus.Lauer at co-met.info (Lauer Markus)
Date: Tue, 5 Apr 2016 07:44:08 +0000
Subject: [keycloak-user] Arquillian / Remote Container / EJB Security
In-Reply-To: <1459408152.4328.21.camel@co-met.info>
References: <1458734452.4526.43.camel@co-met.info> <56F2A1AD.90300@redhat.com> <1458742499.4526.53.camel@co-met.info> <1458743308.4526.56.camel@co-met.info> <1458813303.4526.67.camel@co-met.info> <1459408152.4328.21.camel@co-met.info>
Message-ID: <1459842233.17294.11.camel@co-met.info>

> > This throws an exception:
> >
> > javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User

Enabled TRACE logging of org.jboss.security:

You first see the successful login: "PBOX00242: Begin commit method, overall
result: true". Then some log output from the test class showing all
principals of the subject. After that Subject.doAs() is called and here the
problems begin: instead of (re-)using the login from above, the server tries
to use KeycloakLoginModule, which is configured in standalone.xml. Here
abort() is invoked and finally the whole process fails:

-> javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User

Why is that?
09:28:56,878 DEBUG [org.jboss.security] (default task-2) PBOX00350: Module option: jboss.security.security_domain, value: keycloak
09:28:56,878 DEBUG [org.jboss.security] (default task-2) PBOX00350: Module option: multi-threaded, value: true
09:28:56,878 DEBUG [org.jboss.security] (default task-2) PBOX00350: Module option: restore-login-identity, value: true
09:28:56,879 DEBUG [org.jboss.security] (default task-2) PBOX00350: Module option: password-stacking, value: null
09:28:56,880 TRACE [org.jboss.security] (default task-2) PBOX00240: Begin login method
09:28:56,889 TRACE [org.jboss.security] (default task-2) PBOX00351: Obtained auth info from handler, principal: markus.lauer at co-met.info, credential class: class [C
09:28:56,890 TRACE [org.jboss.security] (default task-2) PBOX00241: End login method, isValid: true
09:28:56,890 TRACE [org.jboss.security] (default task-2) PBOX00242: Begin commit method, overall result: true
09:28:56,893 INFO [com.example.master_data.CarIT] (default task-2) principals: [40fe2bc5-fc55-496a-b438-0783c7473b90, view-master-data, view-order, user, manage-master-data, view-common, markus.lauer at co-met.info]
09:28:56,893 INFO [com.example.master_data.CarIT] (default task-2) name: 40fe2bc5-fc55-496a-b438-0783c7473b90, type: class org.keycloak.KeycloakPrincipal
09:28:56,893 INFO [com.example.master_data.CarIT] (default task-2) name: view-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
09:28:56,893 INFO [com.example.master_data.CarIT] (default task-2) name: view-order, type: class org.keycloak.adapters.jaas.RolePrincipal
09:28:56,893 INFO [com.example.master_data.CarIT] (default task-2) name: user, type: class org.keycloak.adapters.jaas.RolePrincipal
09:28:56,893 INFO [com.example.master_data.CarIT] (default task-2) name: manage-master-data, type: class org.keycloak.adapters.jaas.RolePrincipal
09:28:56,893 INFO [com.example.master_data.CarIT] (default task-2) name: view-common, type: class org.keycloak.adapters.jaas.RolePrincipal
09:28:56,894 INFO [com.example.master_data.CarIT] (default task-2) name: markus.lauer at co-met.info, type: class org.jboss.security.SimplePrincipal
09:28:56,903 TRACE [org.jboss.security] (default task-2) PBOX00200: Begin isValid, principal: markus.lauer at co-met.info, cache entry: null
09:28:56,903 TRACE [org.jboss.security] (default task-2) PBOX00209: defaultLogin, principal: markus.lauer at co-met.info
09:28:56,904 TRACE [org.jboss.security] (default task-2) PBOX00221: Begin getAppConfigurationEntry(keycloak), size: 6
09:28:56,905 TRACE [org.jboss.security] (default task-2) PBOX00224: End getAppConfigurationEntry(keycloak), AuthInfo: AppConfigurationEntry[]: [0] LoginModule Class: org.keycloak.adapters.jboss.KeycloakLoginModule ControlFlag: LoginModuleControlFlag: required Options:
09:28:56,916 TRACE [org.jboss.security] (default task-38) PBOX00354: Setting security roles ThreadLocal: null
09:28:56,918 TRACE [org.jboss.security] (default task-2) PBOX00236: Begin initialize method
09:28:56,919 TRACE [org.jboss.security] (default task-2) PBOX00240: Begin login method
09:28:56,920 TRACE [org.jboss.security] (default task-2) PBOX00244: Begin abort method, overall result: false
09:28:56,921 DEBUG [org.jboss.security] (default task-2) PBOX00206: Login failure: javax.security.auth.login.LoginException: Anmeldefehler: Alle Module werden ignoriert [German: "Login failure: all modules ignored"]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:906) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at
org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406) at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:406) at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:367) at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:55) at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49) at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:66) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) at 
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356) at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:636) at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356) at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:195) at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73) at info.co_met.comobile.backend.common.TenantRepository$$$view53.createQuery(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.weld.util.reflection.Reflections.invokeAndUnwrap(Reflections.java:436) at org.jboss.weld.bean.proxy.EnterpriseBeanProxyMethodHandler.invoke(EnterpriseBeanProxyMethodHandler.java:127) at org.jboss.weld.bean.proxy.EnterpriseTargetBeanInstance.invoke(EnterpriseTargetBeanInstance.java:56) at 
org.jboss.weld.bean.proxy.InjectionPointPropagatingEnterpriseTargetBeanInstance.invoke(InjectionPointPropagatingEnterpriseTargetBeanInstance.java:67) at org.jboss.weld.bean.proxy.ProxyMethodHandler.invoke(ProxyMethodHandler.java:100) at com.example.common.boundary.BaseEntityCrudRepository$CrudRepository$TenantRepository$2045748926$Proxy$_$$_Weld$EnterpriseProxy$.createQuery(Unknown Source) at com.example.common.TenantExample.root(TenantExample.java:200) at com.example.master_data.CarIT.lambda$setup$0(CarIT.java:275) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:483) at com.example.master_data.CarIT.setup(CarIT.java:273) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50) at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47) at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:24) at org.jboss.arquillian.junit.Arquillian$StatementLifecycleExecutor.invoke(Arquillian.java:459) at org.jboss.arquillian.container.test.impl.execution.BeforeLifecycleEventExecuter.on(BeforeLifecycleEventExecuter.java:35) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at 
org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) at org.jboss.arquillian.test.impl.TestContextHandler.createTestContext(TestContextHandler.java:130) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:88) at org.jboss.arquillian.test.impl.TestContextHandler.createClassContext(TestContextHandler.java:92) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:88) at org.jboss.arquillian.test.impl.TestContextHandler.createSuiteContext(TestContextHandler.java:73) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:88) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) at 
org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.before(EventTestRunnerAdaptor.java:108) at org.jboss.arquillian.junit.Arquillian$4.evaluate(Arquillian.java:241) at org.jboss.arquillian.junit.Arquillian.multiExecute(Arquillian.java:422) at org.jboss.arquillian.junit.Arquillian.access$200(Arquillian.java:54) at org.jboss.arquillian.junit.Arquillian$5.evaluate(Arquillian.java:259) at org.jboss.arquillian.junit.Arquillian$7$1.invoke(Arquillian.java:315) at org.jboss.arquillian.container.test.impl.execution.BeforeLifecycleEventExecuter.on(BeforeLifecycleEventExecuter.java:35) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) at org.jboss.arquillian.test.impl.TestContextHandler.createTestContext(TestContextHandler.java:130) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:88) at org.jboss.arquillian.test.impl.TestContextHandler.createClassContext(TestContextHandler.java:92) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:88) at org.jboss.arquillian.test.impl.TestContextHandler.createSuiteContext(TestContextHandler.java:73) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:94) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:88) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.fireCustomLifecycle(EventTestRunnerAdaptor.java:159) at org.jboss.arquillian.junit.Arquillian$7.evaluate(Arquillian.java:311) at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78) at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57) at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290) at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71) at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58) at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268) at org.jboss.arquillian.junit.Arquillian$2.evaluate(Arquillian.java:204) at org.jboss.arquillian.junit.Arquillian.multiExecute(Arquillian.java:422) at org.jboss.arquillian.junit.Arquillian.access$200(Arquillian.java:54) at 
org.jboss.arquillian.junit.Arquillian$3.evaluate(Arquillian.java:218) at org.junit.runners.ParentRunner.run(ParentRunner.java:363) at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:166) at org.junit.runner.JUnitCore.run(JUnitCore.java:137) at org.junit.runner.JUnitCore.run(JUnitCore.java:115) at org.jboss.arquillian.junit.container.JUnitTestRunner.execute(JUnitTestRunner.java:66) at org.jboss.arquillian.protocol.servlet.runner.ServletTestRunner.executeTest(ServletTestRunner.java:170) at org.jboss.arquillian.protocol.servlet.runner.ServletTestRunner.execute(ServletTestRunner.java:135) at org.jboss.arquillian.protocol.servlet.runner.ServletTestRunner.doGet(ServletTestRunner.java:98) at javax.servlet.http.HttpServlet.service(HttpServlet.java:687) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler.handleRequest(UndertowAuthenticatedActionsHandler.java:66) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745)
09:28:56,945 TRACE [org.jboss.security] (default task-2) PBOX00201: End isValid, result = false
09:28:56,947 TRACE [org.jboss.security.audit] (default task-2) [Failure]principal=markus.lauer at co-met.info;Action=authentication;Source=org.jboss.as.security.service.SimpleSecurityManager;
09:28:56,947 TRACE [org.jboss.security] (default task-2) PBOX00354: Setting security roles ThreadLocal: null
09:28:56,948 ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component DefaultTenantRepository for method public abstract java.lang.Object info.co_met.comobile.backend.common.CrudRepository.createQuery(): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69) at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49) at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:66) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64) at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340) at
09:28:56,981 TRACE [org.jboss.security] (default task-2) PBOX00354: Setting security roles ThreadLocal: {}
09:28:56,985 TRACE [org.jboss.security] (default task-2) PBOX00354: Setting security roles ThreadLocal: null

________________________________
To read the legal notices for this e-mail, please copy the URL given here into your browser or follow the link.
http://disclaimer.tec-saar.de/co-met.htm

From yelata at blulogix.com Tue Apr 5 05:16:27 2016
From: yelata at blulogix.com (Yasser El-ata)
Date: Tue, 5 Apr 2016 12:16:27 +0300
Subject: [keycloak-user] Make keycloak.json configurable

Hello,

As we know, the configuration in keycloak.json is made for a specific realm and public key. I'm talking here about bearer applications, so is there any way to make the realm name and the public key configurable?

My case is: I have multiple realms, and all realms have the same clients (multi-tenancy). I want to decide for every request which realm it belongs to, using its domain. I have the domains, and I can use the Keycloak REST API to get the realm name and its public key. I just want the bearer application, when it makes the request to Keycloak, to use the realm name and public key that I will get.

Thanks

--
Yasser El-Ata
Java Developer
BluLogix
737 Walker Rd Ste 3, Great Falls, VA 22066
t: 443.333.4100 | f: 443.333.4101
www.blulogix.com

The information transmitted is intended only for the person(s) to whom it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
From juraci at kroehling.de Tue Apr 5 05:34:17 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Tue, 5 Apr 2016 11:34:17 +0200
Subject: [keycloak-user] Make keycloak.json configurable
Message-ID: <57038699.7020405@kroehling.de>

Take a look at the section "8.14. Multi Tenancy" of the documentation: https://git.io/vVzzb

And this example: https://git.io/vVzzA

- Juca.

On 05.04.2016 11:16, Yasser El-ata wrote:
> [...]
From sthorger at redhat.com Tue Apr 5 07:25:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 5 Apr 2016 13:25:34 +0200
Subject: [keycloak-user] Server-side validation of custom user attributes

We are planning on adding a Profile SPI in the future. The built-in provider will be configurable and allow creating a list of simple attributes, marking which are required and also selecting some basic validation. For more advanced profiles/validation it will be possible to provide your own profile provider.

In the meantime you need to create a custom authentication flow with a custom authenticator to achieve this. For registration you also need to create a custom registration flow. See the authenticators section in the documentation for more details.

On 1 April 2016 at 16:14, Guus der Kinderen wrote:
> Hello,
>
> Chapter 32 of the Keycloak user manual describes how custom user
> attributes can be used. Is there a way to validate the user attribute
> values server-side (as opposed to in the theme / client-side)?
>
> In our case, we'd like to require our users to supply a particular value,
> which must match one of many pre-defined values. We do not want to expose
> the entire list of valid values publicly though.
>
> Regards,
>
> Guus
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
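As an added example (not code from this thread or from the Keycloak project) of the custom authenticator Stian describes, written against the Keycloak 1.9 authentication SPI: the allowed values live in the execution's config, so the list never leaves the server, and every failure path denies rather than passes. The package, class name, provider id, display strings and config keys are assumptions; the registration-flow FormAction counterpart is not shown.

```java
package com.example.keycloak.auth;  // package, class name and provider id are assumptions

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/* Login-flow authenticator: the user attribute named in the execution's config must
 * hold one of the admin-entered allowed values. The list stays in Keycloak's own
 * config store, so neither the theme nor the browser ever sees it. */
public class AllowedAttributeAuthenticator implements Authenticator, AuthenticatorFactory {
    public static final String PROVIDER_ID = "allowed-attribute-check";
    static final String CFG_ATTRIBUTE = "attributeName";  // which user attribute to check
    static final String CFG_ALLOWED = "allowedValues";    // comma-separated accepted values
    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES;

    static {  // same static-block style as the documented SecretQuestion example
        ProviderConfigProperty attr = new ProviderConfigProperty();
        attr.setName(CFG_ATTRIBUTE);
        attr.setLabel("User attribute");
        attr.setType(ProviderConfigProperty.STRING_TYPE);
        attr.setHelpText("Name of the user attribute that must hold an allowed value.");
        ProviderConfigProperty allowed = new ProviderConfigProperty();
        allowed.setName(CFG_ALLOWED);
        allowed.setLabel("Allowed values");
        allowed.setType(ProviderConfigProperty.STRING_TYPE);
        allowed.setHelpText("Comma-separated list, compared exactly after trimming.");
        CONFIG_PROPERTIES = Arrays.asList(attr, allowed);
    }
    /** Parses the admin-entered list; blank entries are dropped. */
    static Set<String> parseAllowedValues(String csv) {
        Set<String> values = new HashSet<>();
        for (String v : csv == null ? new String[0] : csv.split(",")) {
            if (!v.trim().isEmpty()) values.add(v.trim());
        }
        return values;
    }

    /** Fails closed: a missing attribute or an empty allowed list never passes. */
    static boolean isAllowed(Set<String> allowedValues, String attributeValue) {
        return attributeValue != null && allowedValues.contains(attributeValue.trim());
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        UserModel user = context.getUser();
        AuthenticatorConfigModel cfg = context.getAuthenticatorConfig();
        if (user == null || cfg == null || cfg.getConfig() == null) {
            // Placed before the user is known, or never configured: deny, don't skip.
            context.failure(AuthenticationFlowError.INTERNAL_ERROR);
            return;
        }
        String attributeName = cfg.getConfig().get(CFG_ATTRIBUTE);
        Set<String> allowed = parseAllowedValues(cfg.getConfig().get(CFG_ALLOWED));
        String value = attributeName == null ? null : user.getFirstAttribute(attributeName);
        if (isAllowed(allowed, value)) {
            context.success();
        } else {
            // Generic failure: the login page must not hint at which values are accepted.
            context.failure(AuthenticationFlowError.INVALID_USER);
        }
    }

    @Override public void action(AuthenticationFlowContext context) { authenticate(context); }
    @Override public boolean requiresUser() { return true; }  // run after the username/password form
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "Allowed Attribute Check"; }
    @Override public String getReferenceCategory() { return null; }
    @Override public String getHelpText() { return "Denies login unless a user attribute holds an allowed value."; }
    @Override public boolean isConfigurable() { return true; }  // false would hide the Config action
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return new AuthenticationExecutionModel.Requirement[] {
                AuthenticationExecutionModel.Requirement.REQUIRED,
                AuthenticationExecutionModel.Requirement.DISABLED };
    }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG_PROPERTIES; }
    @Override public Authenticator create(KeycloakSession session) { return this; }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

Register the class in META-INF/services/org.keycloak.authentication.AuthenticatorFactory inside the provider jar, then add it as a REQUIRED execution after the Username Password Form in a copy of the browser flow and fill in its config from the execution's Config action.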
From aikeaguinea at xsmail.com Tue Apr 5 14:22:28 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Tue, 05 Apr 2016 14:22:28 -0400
Subject: [keycloak-user] Authenticator provider config properties
Message-ID: <1459880548.1827579.569873665.40974897@webmail.messagingengine.com>

I've just implemented a new authenticator, following the instructions here:
http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e3785

In my implementation of the authenticator factory, I have a ProviderConfigProperty set up in a static block as is done in the example. My impression was that the value of this property would be set as a config option in the admin console. Right now I'm not seeing my property in the admin console, but it's possible I'm not looking in the right place. I was able to create a new flow and add my authenticator to it as a new execution, but I don't see anywhere to add this configuration property. I'm not seeing any errors in the Keycloak console log, so I'm assuming that I have things set up right.

Any ideas?

--
http://www.fastmail.com - Faster than the air-speed velocity of an unladen european swallow

From pismen at ecmc.org Tue Apr 5 14:49:18 2016
From: pismen at ecmc.org (Ismen, Peter)
Date: Tue, 5 Apr 2016 18:49:18 +0000
Subject: [keycloak-user] (no subject)

Hi,

I get an error trying to use the AS7 adapter on a vanilla AS 7.1.1.Final, using the standalone-full.xml configuration. No other configuration. Installed the adapter without any errors. I find the org.keycloak.keycloak-adapter-subsystem in the extensions on the server.
Deploying my application I get the following error:

11:26:27,682 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC00001: Failed to start service jboss.deployment.unit."cloaked.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."cloaked.war".POST_MODULE: Failed to process phase POST_MODULE of deployment "cloaked.war"
        at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:119) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_80]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_80]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80]
Caused by: java.lang.NoClassDefFoundError: org/keycloak/adapters/jbossweb/KeycloakAuthenticatorValve
        at org.keycloak.subsystem.as7.KeycloakAdapterConfigDeploymentProcessor.addValve(KeycloakAdapterConfigDeploymentProcessor.java:98)
        at org.keycloak.subsystem.as7.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:86)
        at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:113) [jboss-as-server-7.1.1.Final.jar:7.1.1.Final]
        ... 5 more
Caused by: java.lang.ClassNotFoundException: org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve from [Module "org.keycloak.keycloak-as7-subsystem:main" from local module loader @5ea6a4a0 (roots: /home/ecmc/servers/jboss-as-7.1.1.Final/modules)]
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
        ... 8 more

I do find the class in modules/org/keycloak/keycloak-as7-adapter/main/keycloak-as7-adapter-1.9.1.Final.jar

All help is appreciated.

Thanks/Peter Ismén

From Anthony.Fryer at virginaustralia.com Tue Apr 5 23:12:30 2016
From: Anthony.Fryer at virginaustralia.com (Anthony Fryer)
Date: Wed, 6 Apr 2016 03:12:30 +0000
Subject: [keycloak-user] Issue creating EntityManagerFactory from custom UserFederationProviderFactory
Message-ID: <8EE3449CB6463C4FB0544A12CEA72DD7DEC094F6@iskexcemxprd02.virginblue.internal>

Hi All,

I'm implementing a UserFederationProviderFactory and want to create an EntityManagerFactory from one of its methods. I have packaged up a persistence.xml in the META-INF folder of the SPI jar file and deployed this as a module to the keycloak standalone server.

My module.xml looks like this...

In my UserFederationProviderFactory I have a method like this...
    private EntityManagerFactory getEntityManagerFactory(UserFederationProviderModel model) {
        if (emf == null) {
            logger.trace("Creating entityManagerFactory...");
            Map<String, String> config = model.getConfig();
            Properties p = new Properties();
            // for now just use hibernate built in connection factory
            p.put("hibernate.connection.driver_class", config.get(DATABASE_DRIVER_CLASS_NAME));
            p.put("hibernate.connection.url", config.get(DATABASE_URL));
            p.put("hibernate.connection.username", config.get(DATABASE_USER));
            p.put("hibernate.connection.password", config.get(DATABASE_PASSWORD));
            p.put("hibernate.show_sql", "true");
            p.put("hibernate.format_sql", "true");
            // Persistence resolves META-INF/persistence.xml through the thread context
            // classloader, not through this module's classloader
            emf = Persistence.createEntityManagerFactory("acmeEntities", p);
        }
        return emf;
    }

When this method is called, it always returns the error "No Persistence provider for EntityManager named acmeEntities".

I'm 90% sure this is to do with the ClassLoader being used by Persistence not being able to see the META-INF/persistence.xml packaged up in the keycloak-acme-user-federation-1.0.0.jar. Does anyone have an idea what I need to do to my module configuration to get this working?

Thanks,

Anthony Fryer

The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner.
If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com

From subhrajyotim at gmail.com Wed Apr 6 05:24:19 2016
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Wed, 6 Apr 2016 14:54:19 +0530
Subject: [keycloak-user] Authentication from embedded webpage

Hello Team,

I have a standalone Windows desktop application that authenticates against an AD/LDAP server. The application pops up a username/password box and submits it to the LDAP server for authentication. The same AD/LDAP server is also synced with a Keycloak installation.

The Windows application embeds the IE browser control and shows a JSP page. This JSP page is protected using the Keycloak JS adapter. Obviously the user is redirected to the Keycloak login page. So the user has to log in twice, once using the application popup and again in the embedded JSP after getting redirected to the Keycloak login page.

I don't want to re-prompt the user to log in again, since he has already authenticated against the AD server. Is there a way to not re-prompt the user when the embedded IE requests the secure JSP?

Please help, as we are not able to come up with a solution for this. Any pointers on how we can avoid the second authentication?

Thanks,
Subhro.
From sthorger at redhat.com Wed Apr 6 06:56:11 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 6 Apr 2016 12:56:11 +0200
Subject: [keycloak-user] Issue creating EntityManagerFactory from custom UserFederationProviderFactory
In-Reply-To: <8EE3449CB6463C4FB0544A12CEA72DD7DEC094F6@iskexcemxprd02.virginblue.internal>
References: <8EE3449CB6463C4FB0544A12CEA72DD7DEC094F6@iskexcemxprd02.virginblue.internal>

It's not very easy to get Persistence to pick up the persistence.xml file from a module. We've got a fix for this coming in 1.9.2, but you can just copy/paste the lines from https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/connections/jpa/util/JpaUtils.java#L43. It uses Hibernate classes directly to create the EntityManagerFactory, which allows specifying the classloader. Just use the classloader for your UserFederationProviderFactory implementation.

On 6 April 2016 at 05:12, Anthony Fryer wrote:
> [...]

From dirk.franssen at gmail.com Wed Apr 6 10:05:31 2016
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Wed, 6 Apr 2016 16:05:31 +0200
Subject: [keycloak-user] Rest api execute-actions-email does not redirect

Hi all,

I have created a user via the REST API with the userActions RESET_PASSWORD and VERIFY_EMAIL. Subsequently I use the endpoint 'execute-actions-email' with the query params 'client_id' and 'redirect_uri' for the actions RESET_PASSWORD and VERIFY_EMAIL. The email is sent to the user, but it seems it does not take the query params into account. If the user sets his password via the link in the email, the page "Your account has been updated" is displayed without redirection nor a link to go to the application. Do I miss something?

Kind regards,
Dirk
From dvvivek at gmail.com Wed Apr 6 11:28:45 2016
From: dvvivek at gmail.com (vivek dhayalan)
Date: Wed, 6 Apr 2016 20:58:45 +0530
Subject: [keycloak-user] Rest API for create user JSON

Hi All,

With the help of the REST API (/admin/realms/{realm}/users) I'm trying to create a user in a realm. The API creates the user in that realm, but the credentials w.r.t. the user are not stored properly. I'm using the following JSON as the request body. Please let me know if I'm making some blunder with respect to the credentials part of the JSON.

    {
      "username": "cjbarker5",
      "enabled": true,
      "emailVerified": false,
      "firstName": "CJ",
      "lastName": "Barker",
      "credentials": [
        {
          "type": "password",
          "value": "newPas1*",
          "temporary": false
        }
      ]
    }

--
Thanks & Regards
Vivek Dhayalan

From dirk.franssen at gmail.com Wed Apr 6 14:24:12 2016
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Wed, 6 Apr 2016 20:24:12 +0200
Subject: [keycloak-user] Rest API for create user JSON

I think it is not supported yet to do this in 1 call; you should:

1. create the user
2. update the user with role/group
3. reset-password or execute-actions-email (with the UPDATE_PASSWORD action)

Dirk

On Wed, Apr 6, 2016 at 5:28 PM, vivek dhayalan wrote:
> [...]

From mposolda at redhat.com Wed Apr 6 17:03:24 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 6 Apr 2016 23:03:24 +0200
Subject: [keycloak-user] Authentication from embedded webpage
Message-ID: <5705799C.2070802@redhat.com>

Do you have "control" over the application? Is it possible to propagate security contexts from the application to the embedded IE or vice versa?

In theory what can work is either:

- You skip step 1 and don't pop up the username/password box. Instead you just authenticate in step 2 inside IE and then propagate the context (token) to step 1. This is possible only if the application is able to access the JavaScript state from the embedded IE.

- If you can propagate just from desktop to IE, then in step 1 you will configure your application to send the request for username/password authentication to Keycloak via direct access grant (instead of sending username+password directly to AD/LDAP). Once you receive the token from the direct access grant, you can use it inside IE in step 2 (keycloak.js can be initialized with a token; you just need to pass the token and refreshToken as arguments to keycloak.init. Then keycloak.js won't redirect you to the login screen.)

Marek

On 06/04/16 11:24, Subhrajyoti Moitra wrote:
> [...]

From Anthony.Fryer at virginaustralia.com Wed Apr 6 18:52:16 2016
From: Anthony.Fryer at virginaustralia.com (Anthony Fryer)
Date: Wed, 6 Apr 2016 22:52:16 +0000
Subject: [keycloak-user] Issue creating EntityManagerFactory from custom UserFederationProviderFactory
References: <8EE3449CB6463C4FB0544A12CEA72DD7DEC094F6@iskexcemxprd02.virginblue.internal>
Message-ID: <8EE3449CB6463C4FB0544A12CEA72DD7DEC096BD@iskexcemxprd02.virginblue.internal>

There's definitely some challenges getting the classloaders to play nicely with each other.
I ended up getting this to work by just adding the following one line to the properties used when creating the EntityManagerFactory? // Adding "hibernate.classLoaders" property is critical for this to work p.put("hibernate.classLoaders", Arrays.asList(this.getClass().getClassLoader())); ? emf = Persistence.createEntityManagerFactory("acmeEntities", p); Thanks, Anthony From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: Wednesday, 6 April 2016 8:56 PM To: Anthony Fryer Cc: keycloak-user (keycloak-user at lists.jboss.org) Subject: Re: [keycloak-user] Issue creating EntityManagerFactory from custom UserFederationProviderFactory It's not very easy to get Persistence to pick-up the persistence.xml file from a module. We've got a fix for this coming in 1.9.2, but you can just copy/paste the lines from https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/connections/jpa/util/JpaUtils.java#L43. It uses Hibernate classes directly to create the EntityManagerFactory which allows specifying the classloader. Just use the classloader for your UserFederationProviderFactory implementation. On 6 April 2016 at 05:12, Anthony Fryer > wrote: Hi All, I?m implementing a UserFederationProviderFactory and want to create an EntityManagerFactory from one of its methods. I have packaged up a persistence.xml in the META-INF folder of the SPI jar file and deployed this as a module to the keycloak standalone server. My module.xml looks like this? In my UserFederationProviderFactory I have a method like this? 
private EntityManagerFactory getEntityManagerFactory(UserFederationProviderModel model) { if (emf == null) { logger.trace("Creating entityManagerFactory..."); Map config = model.getConfig(); Properties p = new Properties(); // for now just use hibernate built in connection factory p.put("hibernate.connection.driver_class", config.get(DATABASE_DRIVER_CLASS_NAME)); p.put("hibernate.connection.url", config.get(DATABASE_URL)); p.put("hibernate.connection.username", config.get(DATABASE_USER)); p.put("hibernate.connection.password", config.get(DATABASE_PASSWORD)); p.put("hibernate.show_sql", "true"); p.put("hibernate.format_sql", "true"); emf = Persistence.createEntityManagerFactory("acmeEntities", p); } return emf; } When this method is called, it always returns the error ?No Persistence provider for EntityManager named acmeEntities?. I?m 90% sure this is to do with the ClassLoader being used by Persistence not being able to see the META-INF/persistence.xml packaged up in the keycloak-acme-user-federation-1.0.0.jar. Does anyone have an idea what I need to do to my module configuration to get this working? Thanks, Anthony Fryer The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. 
If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user The content of this e-mail, including any attachments, is a confidential communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) or its related entities (or the sender if this email is a private communication) and the intended addressee and is for the sole use of that intended addressee. If you are not the intended addressee, any use, interference with, disclosure or copying of this material is unauthorized and prohibited. If you have received this e-mail in error please contact the sender immediately and then delete the message and any attachment(s). There is no warranty that this email is error, virus or defect free. This email is also subject to copyright. No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160406/0403e38f/attachment-0001.html From dvvivek at gmail.com Wed Apr 6 21:39:15 2016 From: dvvivek at gmail.com (vivek dhayalan) Date: Thu, 7 Apr 2016 07:09:15 +0530 Subject: [keycloak-user] Rest API for create user JSON In-Reply-To: References: Message-ID: But I could see create user API accepts UserRepresentation object in body param which in turn accepts credentials as an attribute. Related links: http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_user http://keycloak.github.io/docs/rest-api/index.html#_userrepresentation Thanks, Vivek On Apr 6, 2016 11:54 PM, "Dirk Franssen" wrote: > I think it is not supported yet to do this in 1 call, you should: > 1. create user > 2. update user with role/group > 3. reset-password or execute-actions-email (with UPDATE_PASSWORD action) > > Dirk > > On Wed, Apr 6, 2016 at 5:28 PM, vivek dhayalan wrote: > >> Hi All, >> >> With the help of REST API (/admin/realms/{realm}/users) I'm trying to >> create user in a realm. The API creates user in that realm but, credentials >> w.r.t the user is not stored properly. I'm using the following JSON to >> request body. Please let me know if I'm making some blunder mistake with >> respect to credentials part of the JSON. >> >> { >> "username": "cjbarker5", >> "enabled": true, >> "emailVerified": false, >> "firstName": "CJ", >> "lastName": "Barker", >> "credentials": [ >> { >> "type": "password", >> "value": "newPas1*", >> "temporary": false >> } >> ] >> } >> >> -- >> Thanks & Regards >> Vivek Dhayalan >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -------------- next part -------------- An HTML attachment was scrubbed... 
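The two admin calls Dirk lists above (create the user, then set the password through the separate reset-password call), written out as an added example; this is not code from the thread or from Keycloak itself. It assumes Keycloak served under /auth, a realm named demo and an admin bearer token already obtained (for instance through the admin-cli direct grant mentioned earlier in the thread). The request builders are pure functions so the sequence can be checked offline with a fake fetch; Node 18 or newer supplies the real fetch.

```javascript
// Added example, not code from the thread or from Keycloak. Two-call user
// provisioning against the admin REST API: POST the UserRepresentation, then
// PUT a CredentialRepresentation to .../users/{id}/reset-password.
// Assumptions: Keycloak under /auth (the `base` argument), an admin token in
// hand, Node 18+ for the built-in fetch. `fetchImpl` is injectable so the
// flow can be exercised offline against a fake server.

function jsonHeaders(token) {
  return { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' };
}

// Step 1: the create request. Any "credentials" array is dropped here because
// the create call does not apply it, and keeping it only hides that fact.
function buildCreateUserRequest(base, realm, token, user) {
  const { credentials, ...representation } = user;
  return {
    url: `${base}/admin/realms/${encodeURIComponent(realm)}/users`,
    method: 'POST',
    headers: jsonHeaders(token),
    body: JSON.stringify(representation),
  };
}

// Keycloak answers the create with 201 and a Location header whose last
// path segment is the new user's id.
function userIdFromLocation(location) {
  const trimmed = location.replace(/\/+$/, '');
  return trimmed.substring(trimmed.lastIndexOf('/') + 1);
}

// Step 2: the reset-password request (type/value/temporary, as in the
// JSON Vivek posted, but sent to the endpoint that actually stores it).
function buildResetPasswordRequest(base, realm, token, userId, password, temporary) {
  const realmPath = encodeURIComponent(realm);
  const idPath = encodeURIComponent(userId);
  return {
    url: `${base}/admin/realms/${realmPath}/users/${idPath}/reset-password`,
    method: 'PUT',
    headers: jsonHeaders(token),
    body: JSON.stringify({ type: 'password', value: password, temporary }),
  };
}

// Driver: runs both calls and insists on the status codes Keycloak returns
// (201 for create, 204 for reset-password). A 201 alone does not mean the
// password was stored.
async function provisionUser(base, realm, token, user, password, fetchImpl = globalThis.fetch) {
  const create = buildCreateUserRequest(base, realm, token, user);
  const created = await fetchImpl(create.url, create);
  if (created.status !== 201) throw new Error(`create user failed: ${created.status}`);
  const userId = userIdFromLocation(created.headers.get('Location'));

  const reset = buildResetPasswordRequest(base, realm, token, userId, password, false);
  const done = await fetchImpl(reset.url, reset);
  if (done.status !== 204) throw new Error(`reset-password failed: ${done.status}`);
  return userId;
}

// Constructed sample input modelled on the JSON in the thread.
const sampleUser = {
  username: 'cjbarker5',
  enabled: true,
  emailVerified: false,
  firstName: 'CJ',
  lastName: 'Barker',
  credentials: [{ type: 'password', value: 'newPas1*', temporary: false }],
};

module.exports = { buildCreateUserRequest, userIdFromLocation, buildResetPasswordRequest, provisionUser, sampleUser };
```

Dirk's step 2 (roles or groups) is a further request between the two calls and is left out here. The point of checking for 204 from reset-password rather than trusting the 201 from create is that a script which sends credentials in the create body gets a success code while the password never lands, which is exactly the symptom described at the top of the thread.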
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Thu, 7 Apr 2016 08:35:26 +0530
Subject: [keycloak-user] Authentication from embedded webpage

Thanks a million Marek for setting us in the right direction.

"...application is able to access the javascript state from embedded IE" - this is not possible currently, hence the 1st solution won't work.

We will follow the 2nd way to do this.

So using "direct access grant" I get the required JSON token data as mentioned.
Then I pass this data to the jsp page (embedded in IE), using URL params.
The JSP page pulls out the required data from the URL params, and then inits keycloak.js.
In the keycloak init function I pass the token, idToken and refreshToken values.

Hopefully this works, trying it now!

Thanks a lot again for the pointers.

Subhro.

On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda wrote:
> Do you have "control" over the application? Is it possible to
> propagate security contexts from the application to the embedded IE or vice versa?
>
> In theory what can work is either:
> - You will skip step 1 and not pop up the username/password box. Instead you
> will just authenticate in step 2 inside IE and then propagate the context
> (token) to step 1. This is possible just if the application is able to access
> the javascript state from the embedded IE.
>
> - If you can propagate just from desktop to IE, then in step 1 you will
> configure your application to send the request for username/password
> authentication to Keycloak via direct access grant (instead of sending
> username+password directly to AD/LDAP). Once you receive the token from the direct
> access grant, you can use it inside IE in step 2 (keycloak.js has the
> possibility to be initialized with a token. You just need to pass the token
> and refreshToken as arguments to keycloak.init. Then keycloak.js won't
> redirect you to the login screen).
>
> Marek
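The desktop-side half of Marek's second option, as an added example that is not code from the thread or from keycloak.js: the application performs the direct access grant itself (keycloak.js does not perform it), reads exp from the access token, and builds the token/refreshToken/idToken options that keycloak.init accepts. Assumed here: Keycloak under /auth, a realm named demo, a public client named desktop-app with direct access grants enabled, and Node 18 or newer (fetch, Buffer, URLSearchParams); fetchImpl is injectable so the flow runs offline. Handing the resulting options from the desktop process to the embedded IE page is outside the example; whatever channel is used, the URL query string is a poor one, because it puts bearer tokens into browser history and server access logs, and anything interpolated into a script block has to be escaped.

```javascript
// Added example, not code from the thread or from keycloak.js. Desktop side
// of Marek's second option: do the direct access grant yourself, check the
// access token's exp, and produce the init options keycloak.js accepts.
// Assumptions: Keycloak under /auth, realm "demo", public client
// "desktop-app" with direct access grants enabled, Node 18+ (fetch, Buffer,
// URLSearchParams). fetchImpl is injectable for offline use.

const BASE = 'http://localhost:8080/auth';   // assumed server location
const REALM = 'demo';                          // assumed realm
const CLIENT_ID = 'desktop-app';               // assumed public client

// Form-encoded request to the token endpoint (resource owner password grant).
function buildDirectGrantRequest(base, realm, clientId, username, password) {
  const form = new URLSearchParams({ grant_type: 'password', client_id: clientId, username, password });
  return {
    url: `${base}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  };
}

// Decode the JWT payload (base64url). No signature check here: the desktop
// only needs exp, and the resource server verifies the signature when the
// token is presented.
function jwtPayload(jwt) {
  const part = jwt.split('.')[1] || '';
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// A token without a numeric exp is treated as expired rather than trusted.
function isExpired(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = jwtPayload(jwt);
  return typeof exp !== 'number' || exp <= nowSeconds;
}

// Shape keycloak.init({...}) accepts when bootstrapping from existing tokens,
// as Marek describes above.
function toInitOptions(tokenResponse) {
  return {
    token: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token,
    idToken: tokenResponse.id_token,
  };
}

async function loginWithDirectGrant(username, password, fetchImpl = globalThis.fetch) {
  const req = buildDirectGrantRequest(BASE, REALM, CLIENT_ID, username, password);
  const res = await fetchImpl(req.url, req);
  if (res.status !== 200) throw new Error(`direct grant failed: ${res.status}`);
  const body = await res.json();
  if (isExpired(body.access_token)) throw new Error('access token already expired');
  return toInitOptions(body);
}

// Constructed, unsigned sample token for offline demonstration only; a real
// Keycloak token is RS256-signed and must not be built this way.
function unsignedJwt(payload) {
  const b64url = (s) => Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url(JSON.stringify({ alg: 'none' }))}.${b64url(JSON.stringify(payload))}.`;
}

module.exports = { buildDirectGrantRequest, jwtPayload, isExpired, toInitOptions, loginWithDirectGrant, unsignedJwt };
```

The expiry check is the piece worth keeping even if the rest is replaced: the response in the thread carries expires_in of 1800, so tokens fetched by the desktop and handed to the page some time later can already be dead, and keycloak.js will then fall back to the redirect the whole exercise was meant to avoid.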
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/e991d996/attachment.html From cpitman at redhat.com Thu Apr 7 00:24:20 2016 From: cpitman at redhat.com (Chris Pitman) Date: Thu, 7 Apr 2016 00:24:20 -0400 (EDT) Subject: [keycloak-user] Using Keycloak Proxy behind a TLS terminating reverse proxy In-Reply-To: <1968568744.48498811.1460002727314.JavaMail.zimbra@redhat.com> Message-ID: <1728086122.48498976.1460003060793.JavaMail.zimbra@redhat.com> Hey everyone, I'm trying to setup Keycloak Proxy to protect access to a legacy application. Right now we have HTTPD setup as a reverse proxy that terminates TLS and then passes through the request via HTTP to the legacy app. What I want to do is put the Keycloak Proxy in between HTTPD and the app. I've got it running, but the problem is the URL the proxy passes as the redirect url to keycloak. It is passing an "http://" url, which then doesn't match the configured redirect_urls in Keycloak. I'm assuming it does this since I'm using the HTTP port on the proxy. How can I get Keycloak Proxy to pass a redirect url with a "https://" scheme, even when not connecting via https to the proxy itself? Thanks, Chris Pitman Architect, Red Hat Consulting From subhrajyotim at gmail.com Thu Apr 7 01:07:56 2016 From: subhrajyotim at gmail.com (Subhrajyoti Moitra) Date: Thu, 7 Apr 2016 10:37:56 +0530 Subject: [keycloak-user] Authentication from embedded webpage In-Reply-To: References: <5705799C.2070802@redhat.com> Message-ID: Hello Marek, What is the value of onLoad during keycloak init() function? I tried both check-sso and login-required, but it still is showing the kc login page. Heres what I did. Using java code I get a direct access grant tokens. I get response from this code as something below. 
{"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblah blah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"} Then I am hitting the jsp page. http://localhost:8080/myapp/index.jsp?tokenJson= In index.jsp I extract the tokenJson param and parse the json to further extract the accessToken, idToken and refreshToken. A code snippet in index.jsp, like the below generates the keycloak init obj. <% String iaJsonStr =request.getParameter("tokenJson");//get the token json from url String token="",idToken="",refreshToken="";//init the values if(!StringUtils.isEmpty(iaJsonStr)){ JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject(); token=iaJsonObj.getString("access_token");//extract access refreshToken=iaJsonObj.getString("refresh_token");//extract refresh idToken=iaJsonObj.getString("id_token");//extract id } if(!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) && !StringUtils.isEmpty(idToken)){ %> var kcInitObj={ onLoad:'check-sso', token:'<%=token%>', refreshToken:'<%=refreshToken%>', idToken:'<%=idToken%>' }; <% }else{ %> var kcInitObj={ onLoad:'check-sso' }; <% } %> ....... ..... This is still redirecting me to the login page. Do I have to do something in the client setup? So close,, yet so far... Please help.. Thanks and lot for your attention. Subhro. On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra wrote: > Thanks a million Marek for setting us in the right direction. > > "...application is able to access the javascript state from embedded IE"- > this is not possible currently, hence 1st solution wont work. > > We will follow the 2nd way to do this. > > So using "direct access grant > " > i get the required JSON token data as mentioned. > Then I pass this data to the jsp page (embedded in IE), using URL params. 
> The JSP page pulls out the required data from the URL params, and then > inits keycloak.js. > in keycloak init function i pass the token, idToken and refreshToken > values. > > Hopefully this works, trying it now! > > Thanks a lot again for the pointers. > > Subhro. > > On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda wrote: > >> Do you have the "control" under the application? Is it possible to >> propagate security contexts from application to embedded IE or viceversa? >> >> In theory what can work is either: >> - You will skip step1 and don't popup username/password box. Instead you >> will just authenticate in step2 inside IE and then propagate the context ( >> token ) to step1. This is possible just if application is able to access >> the javascript state from embedded IE. >> >> - If you can propagate just from desktop to IE, then in step1 you wwill >> configure your application to send the request for username/password >> authentication to Keycloak via direct access grant (instead of sending >> username+password directly to AD/LDAP). Once you receive token from direct >> access grant, you can use it inside IE in step2 ( keycloak.js has >> possibility to be initialized with token. You just need to pass the token >> and refreshToken as arguments to keycloak.init . Then keycloak.js won't >> redirect you to login screen ) >> >> Marek >> >> >> On 06/04/16 11:24, Subhrajyoti Moitra wrote: >> >> Hello Team, >> >> I have a standalone windows desktop application, that authenticates >> against an AD/LDAP server. The application popups a username/password box, >> and submits it to the LDAP for authentication. >> The same AD/LDAP server is also synced with a Keycloak installation. >> >> The windows application embeds the IE browser control and shows a jsp >> page. >> This jsp page is protected using keycloak js adapter. Obviously the user >> is re-directed to the keycloak login page. 
So the user has to login twice, >> once using the application popup and other in the embedded jsp, after >> getting redirected to the keycloak login page. >> >> I dont want to re-prompt the user for relogin, since he has already >> authenticated against the AD server. >> Is there a way to not re-prompt the user, when the embedded IE requests >> the secure JSP? >> >> Please help, as we are not able to come up with a solution for the same. >> Any pointers how we can avoid the 2nd authentication. >> >> Thanks, >> Subhro. >> >> >> _______________________________________________ >> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/c67f3b3d/attachment-0001.html From sthorger at redhat.com Thu Apr 7 01:48:23 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Apr 2016 07:48:23 +0200 Subject: [keycloak-user] Authentication from embedded webpage In-Reply-To: References: <5705799C.2070802@redhat.com> Message-ID: keycloak.js doesn't support direct grant and we won't add it. You'd have to invoke that yourself and initialize keycloak.js with the tokens afterwards. Why do you need to authenticate with both LDAP and Keycloak in the first place? In either case I'd say a better way would be to use what Marek suggests as option 2. User can enter username/password in embedded Keycloak login page instead of popup box. Using the embedded login page has a number of benefits over direct grant. For example required actions, recover password support, etc, etc.. On 7 April 2016 at 07:07, Subhrajyoti Moitra wrote: > Hello Marek, > > What is the value of onLoad during keycloak init() function? > I tried both check-sso and login-required, but it still is showing the kc > login page. > > Heres what I did. > Using java code I get a direct access grant tokens. 
I get response from > this code as something below. > > {"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblah > blah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"} > > Then I am hitting the jsp page. > http://localhost:8080/myapp/index.jsp?tokenJson= > > > In index.jsp I extract the tokenJson param and parse the json to further > extract the accessToken, idToken and refreshToken. > > A code snippet in index.jsp, like the below generates the keycloak init > obj. > > <% > > String iaJsonStr =request.getParameter("tokenJson");//get the token json from url > String token="",idToken="",refreshToken="";//init the values > if(!StringUtils.isEmpty(iaJsonStr)){ > JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject(); > token=iaJsonObj.getString("access_token");//extract access > refreshToken=iaJsonObj.getString("refresh_token");//extract refresh > idToken=iaJsonObj.getString("id_token");//extract id > } > if(!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) && !StringUtils.isEmpty(idToken)){ > %> > var kcInitObj={ > onLoad:'check-sso', > token:'<%=token%>', > refreshToken:'<%=refreshToken%>', > idToken:'<%=idToken%>' > }; > <% > }else{ > %> > var kcInitObj={ > onLoad:'check-sso' > }; > <% > } > %> > > ....... > ..... > > > > > This is still redirecting me to the login page. Do I have to do something > in the client setup? > > So close,, yet so far... Please help.. > > Thanks and lot for your attention. > Subhro. > > > On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra > wrote: > >> Thanks a million Marek for setting us in the right direction. >> >> "...application is able to access the javascript state from embedded IE"- >> this is not possible currently, hence 1st solution wont work. >> >> We will follow the 2nd way to do this. 
>> >> So using "direct access grant >> " >> i get the required JSON token data as mentioned. >> Then I pass this data to the jsp page (embedded in IE), using URL params. >> The JSP page pulls out the required data from the URL params, and then >> inits keycloak.js. >> in keycloak init function i pass the token, idToken and refreshToken >> values. >> >> Hopefully this works, trying it now! >> >> Thanks a lot again for the pointers. >> >> Subhro. >> >> On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda >> wrote: >> >>> Do you have the "control" under the application? Is it possible to >>> propagate security contexts from application to embedded IE or viceversa? >>> >>> In theory what can work is either: >>> - You will skip step1 and don't popup username/password box. Instead you >>> will just authenticate in step2 inside IE and then propagate the context ( >>> token ) to step1. This is possible just if application is able to access >>> the javascript state from embedded IE. >>> >>> - If you can propagate just from desktop to IE, then in step1 you wwill >>> configure your application to send the request for username/password >>> authentication to Keycloak via direct access grant (instead of sending >>> username+password directly to AD/LDAP). Once you receive token from direct >>> access grant, you can use it inside IE in step2 ( keycloak.js has >>> possibility to be initialized with token. You just need to pass the token >>> and refreshToken as arguments to keycloak.init . Then keycloak.js won't >>> redirect you to login screen ) >>> >>> Marek >>> >>> >>> On 06/04/16 11:24, Subhrajyoti Moitra wrote: >>> >>> Hello Team, >>> >>> I have a standalone windows desktop application, that authenticates >>> against an AD/LDAP server. The application popups a username/password box, >>> and submits it to the LDAP for authentication. >>> The same AD/LDAP server is also synced with a Keycloak installation. 
>>> >>> The windows application embeds the IE browser control and shows a jsp >>> page. >>> This jsp page is protected using keycloak js adapter. Obviously the user >>> is re-directed to the keycloak login page. So the user has to login twice, >>> once using the application popup and other in the embedded jsp, after >>> getting redirected to the keycloak login page. >>> >>> I dont want to re-prompt the user for relogin, since he has already >>> authenticated against the AD server. >>> Is there a way to not re-prompt the user, when the embedded IE requests >>> the secure JSP? >>> >>> Please help, as we are not able to come up with a solution for the same. >>> Any pointers how we can avoid the 2nd authentication. >>> >>> Thanks, >>> Subhro. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing listkeycloak-user at lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/8a101172/attachment.html From sthorger at redhat.com Thu Apr 7 01:59:02 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Apr 2016 07:59:02 +0200 Subject: [keycloak-user] Using Keycloak Proxy behind a TLS terminating reverse proxy In-Reply-To: <1728086122.48498976.1460003060793.JavaMail.zimbra@redhat.com> References: <1968568744.48498811.1460002727314.JavaMail.zimbra@redhat.com> <1728086122.48498976.1460003060793.JavaMail.zimbra@redhat.com> Message-ID: http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e397 On 7 April 2016 at 06:24, Chris Pitman wrote: > Hey everyone, > > I'm trying to setup Keycloak Proxy to protect access to a legacy > application. 
Right now we have HTTPD setup as a reverse proxy that > terminates TLS and then passes through the request via HTTP to the legacy > app. What I want to do is put the Keycloak Proxy in between HTTPD and the > app. > > I've got it running, but the problem is the URL the proxy passes as the > redirect url to keycloak. It is passing an "http://" url, which then > doesn't match the configured redirect_urls in Keycloak. I'm assuming it > does this since I'm using the HTTP port on the proxy. > > How can I get Keycloak Proxy to pass a redirect url with a "https://" > scheme, even when not connecting via https to the proxy itself? > > Thanks, > Chris Pitman > Architect, Red Hat Consulting > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/0df8a63d/attachment-0001.html From sthorger at redhat.com Thu Apr 7 02:00:09 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Apr 2016 08:00:09 +0200 Subject: [keycloak-user] Rest API for create user JSON In-Reply-To: References: Message-ID: As Dirk said it's not supported. It will be improved in a future release, but for now you need to do the separate call to reset credentials endpoint. On 7 April 2016 at 03:39, vivek dhayalan wrote: > But I could see create user API accepts UserRepresentation object in body > param which in turn accepts credentials as an attribute. > > Related links: > > http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_user > > http://keycloak.github.io/docs/rest-api/index.html#_userrepresentation > > Thanks, > Vivek > On Apr 6, 2016 11:54 PM, "Dirk Franssen" wrote: > >> I think it is not supported yet to do this in 1 call, you should: >> 1. create user >> 2. update user with role/group >> 3. 
reset-password or execute-actions-email (with UPDATE_PASSWORD action) >> >> Dirk >> >> On Wed, Apr 6, 2016 at 5:28 PM, vivek dhayalan wrote: >> >>> Hi All, >>> >>> With the help of REST API (/admin/realms/{realm}/users) I'm trying to >>> create user in a realm. The API creates user in that realm but, credentials >>> w.r.t the user is not stored properly. I'm using the following JSON to >>> request body. Please let me know if I'm making some blunder mistake with >>> respect to credentials part of the JSON. >>> >>> { >>> "username": "cjbarker5", >>> "enabled": true, >>> "emailVerified": false, >>> "firstName": "CJ", >>> "lastName": "Barker", >>> "credentials": [ >>> { >>> "type": "password", >>> "value": "newPas1*", >>> "temporary": false >>> } >>> ] >>> } >>> >>> -- >>> Thanks & Regards >>> Vivek Dhayalan >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/a6793e5c/attachment.html From sthorger at redhat.com Thu Apr 7 02:03:02 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Apr 2016 08:03:02 +0200 Subject: [keycloak-user] Issue creating EntityManagerFactory from custom UserFederationProviderFactory In-Reply-To: <8EE3449CB6463C4FB0544A12CEA72DD7DEC096BD@iskexcemxprd02.virginblue.internal> References: <8EE3449CB6463C4FB0544A12CEA72DD7DEC094F6@iskexcemxprd02.virginblue.internal> <8EE3449CB6463C4FB0544A12CEA72DD7DEC096BD@iskexcemxprd02.virginblue.internal> Message-ID: That's much cleaner than the approach I used. 
Thanks On 7 April 2016 at 00:52, Anthony Fryer wrote: > There?s definitely some challenges getting the classloaders to play nicely > with each other. I ended up getting this to work by just adding the > following one line to the properties used when creating the > EntityManagerFactory? > > > > // Adding "hibernate.classLoaders" property is critical for this to work > > p.put("hibernate.classLoaders", > Arrays.asList(this.getClass().getClassLoader())); > > ? > > emf = Persistence.createEntityManagerFactory("acmeEntities", p); > > > > Thanks, > > > > Anthony > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* Wednesday, 6 April 2016 8:56 PM > *To:* Anthony Fryer > *Cc:* keycloak-user (keycloak-user at lists.jboss.org) > *Subject:* Re: [keycloak-user] Issue creating EntityManagerFactory from > custom UserFederationProviderFactory > > > > It's not very easy to get Persistence to pick-up the persistence.xml file > from a module. We've got a fix for this coming in 1.9.2, but you can just > copy/paste the lines from > https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/connections/jpa/util/JpaUtils.java#L43. > It uses Hibernate classes directly to create the EntityManagerFactory which > allows specifying the classloader. Just use the classloader for your UserFederationProviderFactory > implementation. > > > > On 6 April 2016 at 05:12, Anthony Fryer > wrote: > > Hi All, > > > > I?m implementing a UserFederationProviderFactory and want to create an > EntityManagerFactory from one of its methods. I have packaged up a > persistence.xml in the META-INF folder of the SPI jar file and deployed > this as a module to the keycloak standalone server. > > > > My module.xml looks like this? > > > > name="acme.keycloak-acme-user-federation"> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > In my UserFederationProviderFactory I have a method like this? 
> > > > private EntityManagerFactory > getEntityManagerFactory(UserFederationProviderModel model) { > > if (emf == null) { > > logger.trace("Creating > entityManagerFactory..."); > > Map config > = model.getConfig(); > > Properties p = new > Properties(); > > // for now just use > hibernate built in connection factory > > > p.put("hibernate.connection.driver_class", > config.get(DATABASE_DRIVER_CLASS_NAME)); > > > p.put("hibernate.connection.url", config.get(DATABASE_URL)); > > > p.put("hibernate.connection.username", config.get(DATABASE_USER)); > > > p.put("hibernate.connection.password", config.get(DATABASE_PASSWORD)); > > > p.put("hibernate.show_sql", "true"); > > > p.put("hibernate.format_sql", "true"); > > emf = > Persistence.createEntityManagerFactory("acmeEntities", p); > > } > > > > return emf; > > } > > > > When this method is called, it always returns the error ?No Persistence > provider for EntityManager named acmeEntities?. > > > > I?m 90% sure this is to do with the ClassLoader being used by Persistence > not being able to see the META-INF/persistence.xml packaged up in the > keycloak-acme-user-federation-1.0.0.jar. Does anyone have an idea what I > need to do to my module configuration to get this working? > > > > Thanks, > > > > Anthony Fryer > > > > > > The content of this e-mail, including any attachments, is a confidential > communication between Virgin Australia Airlines Pty Ltd (Virgin Australia) > or its related entities (or the sender if this email is a private > communication) and the intended addressee and is for the sole use of that > intended addressee. If you are not the intended addressee, any use, > interference with, disclosure or copying of this material is unauthorized > and prohibited. If you have received this e-mail in error please contact > the sender immediately and then delete the message and any attachment(s). > There is no warranty that this email is error, virus or defect free. This > email is also subject to copyright. 
> No part of it should be reproduced, adapted or communicated without the written consent of the copyright owner. If this is a private communication it does not represent the views of Virgin Australia or its related entities. Please be aware that the contents of any emails sent to or from Virgin Australia or its related entities may be periodically monitored and reviewed. Virgin Australia and its related entities respect your privacy. Our privacy policy can be accessed from our website: www.virginaustralia.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From subhrajyotim at gmail.com Thu Apr 7 02:19:30 2016
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Thu, 7 Apr 2016 11:49:30 +0530
Subject: [keycloak-user] Authentication from embedded webpage
In-Reply-To:
References: <5705799C.2070802@redhat.com>
Message-ID:

Hello Stian and Marek,

Thanks for the clarification.

I am not sure what you mean by "invoke that yourself and initialize keycloak.js with the tokens afterwards". You mean in the new KeyCloak(...) constructor I pass the tokens and other values?

"authenticate with both LDAP and Keycloak in the first place...."
- The desktop windows application is an old legacy application (custom dialer) used to connect to Aspect Telephony server. This Aspect server requires the AD login so that agents using this dialer are connected to Aspect. So I don't know how I can avoid this.
- There is no way to pass the username/pass from the embedded KC page to the "parent" windows application. Not sure if some workaround is possible in the local application or not.

Please help.

Thanks,
Subhro.

On Thu, Apr 7, 2016 at 11:18 AM, Stian Thorgersen wrote:
> keycloak.js doesn't support direct grant and we won't add it. You'd have to invoke that yourself and initialize keycloak.js with the tokens afterwards.
>
> Why do you need to authenticate with both LDAP and Keycloak in the first place? In either case I'd say a better way would be to use what Marek suggests as option 2. User can enter username/password in embedded Keycloak login page instead of popup box. Using the embedded login page has a number of benefits over direct grant. For example required actions, recover password support, etc, etc..
>
> On 7 April 2016 at 07:07, Subhrajyoti Moitra wrote:
>
>> Hello Marek,
>>
>> What is the value of onLoad during keycloak init() function?
>> I tried both check-sso and login-required, but it still is showing the kc login page.
>>
>> Here's what I did.
>> Using java code I get direct access grant tokens. I get a response from this code as something like below.
>>
>> {"access_token":"eyJhbGciOiJSUzI1NiJ9blahblah","expires_in":1800,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiblahblah","token_type":"bearer","id_token":"eyJhbGciblahblah","not-before-policy":1437991554,"session-state":"7afb2db2-6f4f-43a8-a9ad-355d5cc5c8fe"}
>>
>> Then I am hitting the jsp page.
>> http://localhost:8080/myapp/index.jsp?tokenJson=
>>
>> In index.jsp I extract the tokenJson param and parse the json to further extract the accessToken, idToken and refreshToken.
>>
>> A code snippet in index.jsp, like the below, generates the keycloak init obj.
>>
>> <%
>> String iaJsonStr = request.getParameter("tokenJson"); // get the token json from url
>> String token = "", idToken = "", refreshToken = ""; // init the values
>> if (!StringUtils.isEmpty(iaJsonStr)) {
>>     JsonObject iaJsonObj = Json.createReader(new StringReader(iaJsonStr)).readObject();
>>     token = iaJsonObj.getString("access_token"); // extract access
>>     refreshToken = iaJsonObj.getString("refresh_token"); // extract refresh
>>     idToken = iaJsonObj.getString("id_token"); // extract id
>> }
>> if (!StringUtils.isEmpty(token) && !StringUtils.isEmpty(refreshToken) && !StringUtils.isEmpty(idToken)) {
>> %>
>> var kcInitObj = {
>>     onLoad: 'check-sso',
>>     token: '<%=token%>',
>>     refreshToken: '<%=refreshToken%>',
>>     idToken: '<%=idToken%>'
>> };
>> <%
>> } else {
>> %>
>> var kcInitObj = {
>>     onLoad: 'check-sso'
>> };
>> <%
>> }
>> %>
>>
>> .......
>> .....
>>
>> This is still redirecting me to the login page. Do I have to do something in the client setup?
>>
>> So close, yet so far... Please help..
>>
>> Thanks a lot for your attention.
>> Subhro.
>>
>> On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra <subhrajyotim at gmail.com> wrote:
>>
>>> Thanks a million Marek for setting us in the right direction.
>>>
>>> "...application is able to access the javascript state from embedded IE" - this is not possible currently, hence the 1st solution won't work.
>>>
>>> We will follow the 2nd way to do this.
>>>
>>> So using "direct access grant" I get the required JSON token data as mentioned.
>>> Then I pass this data to the jsp page (embedded in IE), using URL params.
>>> The JSP page pulls out the required data from the URL params, and then inits keycloak.js.
>>> In keycloak init function I pass the token, idToken and refreshToken values.
>>>
>>> Hopefully this works, trying it now!
>>>
>>> Thanks a lot again for the pointers.
>>>
>>> Subhro.
>>>
>>> On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda wrote:
>>>
>>>> Do you have the "control" under the application? Is it possible to propagate security contexts from application to embedded IE or vice versa?
>>>>
>>>> In theory what can work is either:
>>>> - You will skip step1 and don't popup username/password box. Instead you will just authenticate in step2 inside IE and then propagate the context (token) to step1. This is possible just if application is able to access the javascript state from embedded IE.
>>>>
>>>> - If you can propagate just from desktop to IE, then in step1 you will configure your application to send the request for username/password authentication to Keycloak via direct access grant (instead of sending username+password directly to AD/LDAP). Once you receive token from direct access grant, you can use it inside IE in step2 (keycloak.js has possibility to be initialized with token. You just need to pass the token and refreshToken as arguments to keycloak.init.
>>>> Then keycloak.js won't redirect you to login screen)
>>>>
>>>> Marek
>>>>
>>>> On 06/04/16 11:24, Subhrajyoti Moitra wrote:
>>>>
>>>> Hello Team,
>>>>
>>>> I have a standalone windows desktop application, that authenticates against an AD/LDAP server. The application pops up a username/password box, and submits it to the LDAP for authentication.
>>>> The same AD/LDAP server is also synced with a Keycloak installation.
>>>>
>>>> The windows application embeds the IE browser control and shows a jsp page.
>>>> This jsp page is protected using keycloak js adapter. Obviously the user is re-directed to the keycloak login page. So the user has to login twice, once using the application popup and other in the embedded jsp, after getting redirected to the keycloak login page.
>>>>
>>>> I don't want to re-prompt the user for relogin, since he has already authenticated against the AD server.
>>>> Is there a way to not re-prompt the user, when the embedded IE requests the secure JSP?
>>>>
>>>> Please help, as we are not able to come up with a solution for the same.
>>>> Any pointers how we can avoid the 2nd authentication.
>>>>
>>>> Thanks,
>>>> Subhro.
From mposolda at redhat.com Thu Apr 7 04:06:06 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 7 Apr 2016 10:06:06 +0200
Subject: [keycloak-user] Authentication from embedded webpage
In-Reply-To:
References: <5705799C.2070802@redhat.com>
Message-ID: <570614EE.9080102@redhat.com>

I think that you don't need to use "onLoad" option at all because you passed tokens. So you can just use something like:

var kcInitObj = {
    token: '<%=token%>',
    refreshToken: '<%=refreshToken%>',
    idToken: '<%=idToken%>'
};

Besides that, I can see that you added tag "

From christian at datek.no Thu Apr 7 04:22:45 2016
From: christian at datek.no (Christian Schwarz)
Date: Thu, 7 Apr 2016 08:22:45 +0000
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
Message-ID:

Hi!

I'm trying to set up a keycloak cluster on AWS, which does not support UDP multicast. IP addresses of the nodes are also not known in advance (I'm using docker-cloud), so Infinispan/JGroups ("keycloak-ha-postgres" docker image) for user session replication will not work (it seems to require either UDP multicast or IP addresses known in advance).

The main problem I have is that logout is not working properly. I only get logged out from one of the two keycloak nodes. I have tried to disable the user cache (by setting userCache.default.enabled = false) and to disable infinispan (by using the "keycloak-postgres" docker image), but to no avail. The "other" keycloak node still thinks that the user is logged in; it's not refreshing the user session from the database even if user cache and infinispan cluster cache are disabled.

=> Is there a possibility of using the database as a synchronization point between keycloak nodes? (i.e. each node always checks logout status in the database)

Or is there another way of getting a keycloak cluster up and running on AWS when IP addresses are not known in advance?

I hope there is a way?
:)

Kind regards,
Christian

From subhrajyotim at gmail.com Thu Apr 7 05:22:38 2016
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Thu, 7 Apr 2016 14:52:38 +0530
Subject: [keycloak-user] Authentication from embedded webpage
In-Reply-To: <570614EE.9080102@redhat.com>
References: <5705799C.2070802@redhat.com> <570614EE.9080102@redhat.com>
Message-ID:

Hello Marek,

I actually hadn't shown the starting script tag in the code snippet above. :)

I checked using a debugger that the kcInitObj values are going into the init method correctly.
Do I have to call some other function after init call?
Somehow, when I skip the onLoad option, success/error methods are never called.
I notice that a call to this url is being made and nothing after that,
http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080

Does the version of KC matter, I am using 1.5.1.Final?

I am attaching the index.jsp for reference, since this is the file I am experimenting with.
This is just an example to check if things are working or not.

Thanks a lot for taking time to look into this. Really appreciate it.

Thanks,
Subhro.

On Thu, Apr 7, 2016 at 1:36 PM, Marek Posolda wrote:
> I think that you don't need to use "onLoad" option at all because you passed tokens. So you can just use something like:
>
> var kcInitObj = {
>     token: '<%=token%>',
>     refreshToken: '<%=refreshToken%>',
>     idToken: '<%=idToken%>'
> };
>
> Besides that, I can see that you added tag "
From dvvivek at gmail.com Thu Apr 7 05:24:38 2016
From: dvvivek at gmail.com (vivek dhayalan)
Date: Thu, 7 Apr 2016 14:54:38 +0530
Subject: [keycloak-user] Rest API for create user JSON
In-Reply-To:
References:
Message-ID:

Thanks Dirk & Stian. I'm able to proceed without any issues by following your suggestions.

On 7 April 2016 at 11:30, Stian Thorgersen wrote:
> As Dirk said it's not supported. It will be improved in a future release, but for now you need to do the separate call to the reset credentials endpoint.
>
> On 7 April 2016 at 03:39, vivek dhayalan wrote:
>
>> But I could see the create user API accepts a UserRepresentation object in the body param, which in turn accepts credentials as an attribute.
>>
>> Related links:
>>
>> http://keycloak.github.io/docs/rest-api/index.html#_create_a_new_user
>>
>> http://keycloak.github.io/docs/rest-api/index.html#_userrepresentation
>>
>> Thanks,
>> Vivek
>> On Apr 6, 2016 11:54 PM, "Dirk Franssen" wrote:
>>
>>> I think it is not supported yet to do this in 1 call, you should:
>>> 1. create user
>>> 2. update user with role/group
>>> 3. reset-password or execute-actions-email (with UPDATE_PASSWORD action)
>>>
>>> Dirk
>>>
>>> On Wed, Apr 6, 2016 at 5:28 PM, vivek dhayalan wrote:
>>>
>>>> Hi All,
>>>>
>>>> With the help of the REST API (/admin/realms/{realm}/users) I'm trying to create a user in a realm. The API creates the user in that realm but the credentials w.r.t. the user are not stored properly. I'm using the following JSON as the request body. Please let me know if I'm making some blunder with respect to the credentials part of the JSON.
>>>>
>>>> {
>>>>   "username": "cjbarker5",
>>>>   "enabled": true,
>>>>   "emailVerified": false,
>>>>   "firstName": "CJ",
>>>>   "lastName": "Barker",
>>>>   "credentials": [
>>>>     {
>>>>       "type": "password",
>>>>       "value": "newPas1*",
>>>>       "temporary": false
>>>>     }
>>>>   ]
>>>> }
>>>>
>>>> --
>>>> Thanks & Regards
>>>> Vivek Dhayalan

--
Thanks & Regards
Vivek Dhayalan

From glaissard at axway.com Thu Apr 7 05:25:56 2016
From: glaissard at axway.com (Gerard Laissard)
Date: Thu, 7 Apr 2016 09:25:56 +0000
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
Message-ID: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int>

Team,

Keycloak server 1.9.0 fails to start.

Yesterday, I did try to play with client/role: Scope Param Required, without any success. I got a server java.lang.StackOverflowError. I stopped the server.

Today when I start the server, I have:

10:51:50,948 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] (ServerService Thread Pool -- 52) ExecutionException when computed future.
Errors: 1: java.util.concurrent.ExecutionException: java.lang.StackOverflowError at java.util.concurrent.FutureTask.report(FutureTask.java:122) at java.util.concurrent.FutureTask.get(FutureTask.java:192) at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:197) at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:88) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.run(InfinispanUserSessionProviderFactory.java:91) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:82) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:71) at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:63) at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) at 
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.StackOverflowError at org.jboss.jca.adapters.jdbc.WrappedConnection.checkException(WrappedConnection.java:1958) at org.jboss.jca.adapters.jdbc.WrappedStatement.checkException(WrappedStatement.java:1446) at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:509) at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70) at org.hibernate.loader.Loader.getResultSet(Loader.java:2116) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1899) at 
org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875) at org.hibernate.loader.Loader.doQuery(Loader.java:919) at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336) at org.hibernate.loader.Loader.doList(Loader.java:2611) at org.hibernate.loader.Loader.doList(Loader.java:2594) at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423) at org.hibernate.loader.Loader.list(Loader.java:2418) at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501) at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371) at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216) at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326) at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:246) at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) at 
org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) at 
org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) ...

What should I do?

Thanks
Gerard

From mposolda at redhat.com Thu Apr 7 05:53:46 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 7 Apr 2016 11:53:46 +0200
Subject: [keycloak-user] Authentication from embedded webpage
In-Reply-To:
References: <5705799C.2070802@redhat.com> <570614EE.9080102@redhat.com>
Message-ID: <57062E2A.9070901@redhat.com>

Ah, it's maybe the login iframe which is causing issues for you. Given the nature of your app and the fact that you're not using SSO anyway in embedded IE, I suggest disabling the login iframe by adding this option to your "kcInitObj" too:

checkLoginIframe: false

Besides that, it seems that we have a minor bug in keycloak.js that callbacks are not called when you provide "tokens" but not "onLoad" and the IFrame is not working. Created JIRA: https://issues.jboss.org/browse/KEYCLOAK-2765

Marek

On 07/04/16 11:22, Subhrajyoti Moitra wrote:
> Hello Marek,
>
> I actually hadn't shown the starting script tag in the code snippet above. :)
>
> I checked using a debugger that the kcInitObj values are going into the init method correctly.
> Do I have to call some other function after init call?
> Somehow, when I skip the onLoad option, success/error methods are never called.
> I notice that call to this url is being made and nothing after that,
>
> http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080
>
> Does version of KC matter, I am using 1.5.1.Final?
>
> I am attaching the index.jsp for reference, since this is the file I am experimenting with.
> This is just an example to check if things are working or not.
>
> Thanks a lot for taking time to look into this. Really appreciate it.
>
> Thanks,
> Subhro.
>
> On Thu, Apr 7, 2016 at 1:36 PM, Marek Posolda wrote:
>
> I think that you don't need to use "onLoad" option at all because you passed tokens. So you can just use something like:
>
> var kcInitObj={
>   token:'<%=token%>',
>   refreshToken:'<%=refreshToken%>',
>   idToken:'<%=idToken%>'
> };
>
> Besides that, I can see that you added tag "
>>
>> This is still redirecting me to the login page. Do I have to do something in the client setup?
>>
>> So close, yet so far... Please help..
>>
>> Thanks a lot for your attention.
>> Subhro.
>>
>> On Thu, Apr 7, 2016 at 8:35 AM, Subhrajyoti Moitra wrote:
>>
>> Thanks a million Marek for setting us in the right direction.
>>
>> "...application is able to access the javascript state from embedded IE" - this is not possible currently, hence 1st solution won't work.
>>
>> We will follow the 2nd way to do this.
>>
>> So using "direct access grant" I get the required JSON token data as mentioned.
>> Then I pass this data to the jsp page (embedded in IE), using URL params.
>> The JSP page pulls out the required data from the URL params, and then inits keycloak.js.
>> In keycloak init function I pass the token, idToken and refreshToken values.
>>
>> Hopefully this works, trying it now!
>>
>> Thanks a lot again for the pointers.
>>
>> Subhro.
>>
>> On Thu, Apr 7, 2016 at 2:33 AM, Marek Posolda wrote:
>>
>> Do you have the "control" under the application? Is it possible to propagate security contexts from application to embedded IE or vice versa?
>>
>> In theory what can work is either:
>> - You will skip step1 and don't popup username/password box. Instead you will just authenticate in step2 inside IE and then propagate the context (token) to step1. This is possible just if application is able to access the javascript state from embedded IE.
>>
>> - If you can propagate just from desktop to IE, then in step1 you will configure your application to send the request for username/password authentication to Keycloak via direct access grant (instead of sending username+password directly to AD/LDAP). Once you receive token from direct access grant, you can use it inside IE in step2 (keycloak.js has possibility to be initialized with token. You just need to pass the token and refreshToken as arguments to keycloak.init. Then keycloak.js won't redirect you to login screen)
>>
>> Marek
>>
>> On 06/04/16 11:24, Subhrajyoti Moitra wrote:
>>> Hello Team,
>>>
>>> I have a standalone windows desktop application, that authenticates against an AD/LDAP server. The application pops up a username/password box, and submits it to the LDAP for authentication.
>>> The same AD/LDAP server is also synced with a Keycloak installation.
>>>
>>> The windows application embeds the IE browser control and shows a jsp page.
>>> This jsp page is protected using keycloak js adapter. Obviously the user is re-directed to the keycloak login page. So the user has to login twice, once using the application popup and other in the embedded jsp, after getting redirected to the keycloak login page.
>>>
>>> I don't want to re-prompt the user for relogin, since he has already authenticated against the AD server.
>>> Is there a way to not re-prompt the user, when the embedded IE requests the secure JSP?
>>>
>>> Please help, as we are not able to come up with a solution for the same.
>>> Any pointers how we can avoid the 2nd authentication.
>>>
>>> Thanks,
>>> Subhro.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From subhrajyotim at gmail.com Thu Apr 7 06:08:10 2016
From: subhrajyotim at gmail.com (Subhrajyoti Moitra)
Date: Thu, 7 Apr 2016 15:38:10 +0530
Subject: [keycloak-user] Authentication from embedded webpage
In-Reply-To: <57062E2A.9070901@redhat.com>
References: <5705799C.2070802@redhat.com> <570614EE.9080102@redhat.com> <57062E2A.9070901@redhat.com>
Message-ID:

It worked.. It Worked...!!!! awesome.. Thanks a lot Marek and Stian for your patience and time. Really appreciate your help in fixing this issue.

Thanks and regards,
Subhro.

On Thu, Apr 7, 2016 at 3:23 PM, Marek Posolda wrote:
> Ah, it's maybe the login iframe which is causing issues for you. Given the nature of your app and the fact that you're not using SSO anyway in embedded IE, I suggest disabling the login iframe by adding this option to your "kcInitObj" too:
>
> checkLoginIframe: false
>
> Besides that, it seems that we have a minor bug in keycloak.js that callbacks are not called when you provide "tokens", but not "onLoad" and IFrame is not working. Created JIRA: https://issues.jboss.org/browse/KEYCLOAK-2765
>
> Marek
>
> On 07/04/16 11:22, Subhrajyoti Moitra wrote:
> Hello Marek,
>
> I actually hadn't shown the starting script tag in the code snippet above.
> :)
>
> I checked using a debugger that the kcInitObj values are going into the init method correctly.
> Do I have to call some other function after init call?
> Somehow, when I skip the onLoad option, success/error methods are never called.
> I notice that call to this url is being made and nothing after that,
>
> http://beta10.dev.hs18.lan:9080/auth/realms/HSN18/protocol/openid-connect/login-status-iframe.html?client_id=CMS&origin=http://localhost:8080
>
> Does version of KC matter, I am using 1.5.1.Final?
>
> I am attaching the index.jsp for reference, since this is the file I am experimenting with.
> This is just an example to check if things are working or not.
>
> Thanks a lot for taking time to look into this. Really appreciate it.
>
> Thanks,
> Subhro.

From sthorger at redhat.com Thu Apr 7 06:40:28 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Apr 2016 12:40:28 +0200
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To:
References:
Message-ID:

It is not currently possible to run multiple nodes without clustering. However, it's possible to configure JGroups to work on AWS. I can't remember the configuration required though, but if you search the user mailing list you'll find instructions or google for JGroups and AWS.

On 7 April 2016 at 10:22, Christian Schwarz wrote:
> Hi!
>
> I'm trying to setup a keycloak cluster on AWS, which does not support UDP multicast.
> IP addresses of the nodes are also not known in advance (I'm using docker-cloud), so Infinispan/JGroups ("keycloak-ha-posgres" docker image) for user session replication will not work (seems that it requires either UDP multicast or IP addresses known in advance).
>
> The main problem I have is that logout is not working properly. I only get logged out from one of the two keycloak nodes.
>
> I have tried to disable the user cache (by setting userCache.default.enabled = false) and to disable infinispan (by using "keycloak-postgres" docker image), but to no avail. The "other" keycloak node still thinks that the user is logged in, it's not refreshing the user session from the database even if user cache and infinispan cluster cache is disabled.
>
> => Is there a possibility of using the database as a synchronization point between keycloak nodes? (i.e. each node always checks logout status in the database)
> Or is there another way of getting a keycloak cluster up and running on AWS when IP addresses are not known in advance?
>
> I hope there is a way? :)
>
> Kind regards,
> Christian

From thomas.darimont at googlemail.com Thu Apr 7 06:44:22 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 7 Apr 2016 12:44:22 +0200
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To:
References:
Message-ID:

Hello,

have a look at this thread:
http://lists.jboss.org/pipermail/keycloak-user/2016-February/004935.html

Cheers,
Thomas

2016-04-07 12:40 GMT+02:00 Stian Thorgersen:
> It is not currently possible to run multiple nodes without clustering. However, it's possible to configure JGroups to work on AWS. I can't remember the configuration required though, but if you search the user mailing list you'll find instructions or google for JGroups and AWS.
From christian at datek.no Thu Apr 7 06:56:37 2016
From: christian at datek.no (Christian Schwarz)
Date: Thu, 7 Apr 2016 10:56:37 +0000
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To:
References:
Message-ID:

Ok, thank you Stian for the fast reply!

I will look into using jgroups S3_PING module that supports AWS, and that I think will work with docker-cloud as well since it accepts system properties where I can set the current IP address.

Just plain old clustering with a database as shared data store and sticky sessions to a keycloak instance would be a nice default clustering option in the future (but I'm sure you have enough on your plate already :)

Keep up the good work!

Christian

On 07 Apr 2016, at 12:40, Stian Thorgersen wrote:
> It is not currently possible to run multiple nodes without clustering. However, it's possible to configure JGroups to work on AWS. I can't remember the configuration required though, but if you search the user mailing list you'll find instructions or google for JGroups and AWS.

From sthorger at redhat.com Thu Apr 7 07:03:50 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Apr 2016 13:03:50 +0200
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To:
References:
Message-ID:

On 7 April 2016 at 12:56, Christian Schwarz wrote:
> Ok, thank you Stian for the fast reply!
>
> I will look into using jgroups S3_PING module that supports AWS, and that I think will work with docker-cloud as well since it accepts system properties where I can set the current IP address.
>
> Just plain old clustering with a database as shared data store and sticky sessions to a keycloak instance would be a nice default clustering option in the future (but I'm sure you have enough on your plate already :)

We're planning sticky session support in 2.x. The problem is that you need to make sure browser + all adapter requests go to the same node. So it's not quite as simple as just setting a cookie. See https://issues.jboss.org/browse/KEYCLOAK-2352

> Keep up the good work!
>
> Christian
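Stian's pointer that JGroups can be configured for AWS and Christian's plan to try S3_PING, as an added example that is not part of this thread and not a file shipped by the Keycloak project: a TCP stack for the WildFly `jgroups` subsystem that Keycloak 1.9 runs on, with S3_PING in place of multicast discovery, so that nodes find each other through a bucket even when their addresses are not known before start-up. Assumptions in this example: the schema version `urn:jboss:domain:jgroups:4.0` (WildFly 10), the bucket name `keycloak-jgroups-discovery`, that the credentials arrive as the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` and that the server resolves `${env.…}` expressions in protocol properties (if it does not, substitute the literal values when the configuration is rendered), and that the platform injects each node's private address into the `jboss.bind.address.private` system property at launch. The property names `location`, `access_key` and `secret_access_key` are the S3_PING protocol's own.

```xml
<!-- Added example, not from the thread or from Keycloak's own standalone-ha.xml:
     the jgroups subsystem with the default channel moved from the "udp" stack
     to a TCP stack whose discovery goes through an S3 bucket. -->
<subsystem xmlns="urn:jboss:domain:jgroups:4.0">
    <!-- The "ee" channel is what the Infinispan cache container for Keycloak
         (user sessions, login failures) transports over; point it at "tcp". -->
    <channels default="ee">
        <channel name="ee" stack="tcp"/>
    </channels>
    <stacks>
        <stack name="tcp">
            <!-- "jgroups-tcp" is bound to the "private" interface, which resolves
                 ${jboss.bind.address.private}; start each node with
                 -Djboss.bind.address.private=<its own IP> (assumed to be injected
                 by the container platform) so that members advertise a reachable
                 address rather than 127.0.0.1. -->
            <transport type="TCP" socket-binding="jgroups-tcp"/>
            <!-- S3_PING replaces MPING: every member writes its address into the
                 bucket and reads the others from it. Bucket name and credential
                 variables are placeholders for this example. -->
            <protocol type="S3_PING">
                <property name="location">keycloak-jgroups-discovery</property>
                <property name="access_key">${env.AWS_ACCESS_KEY_ID}</property>
                <property name="secret_access_key">${env.AWS_SECRET_ACCESS_KEY}</property>
            </protocol>
            <!-- Remainder of the stack as in the stock WildFly 10 "tcp" stack. -->
            <protocol type="MERGE3"/>
            <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
            <protocol type="FD"/>
            <protocol type="VERIFY_SUSPECT"/>
            <protocol type="pbcast.NAKACK2"/>
            <protocol type="UNICAST3"/>
            <protocol type="pbcast.STABLE"/>
            <protocol type="pbcast.GMS"/>
            <protocol type="MFC"/>
            <protocol type="FRAG2"/>
        </stack>
    </stacks>
</subsystem>
```

Why this is the fix for the logout symptom rather than a database setting: user sessions are held only in the Infinispan caches, not re-read from the database per request, so a logout on one node is invisible to the other unless those caches form a cluster, which is exactly what this channel provides. Two checks before relying on it: the bucket must not be readable by anyone but the Keycloak nodes, because its contents are the live member list and internal addresses of the identity provider; and the `owners` attribute on the `sessions` and `loginFailures` distributed caches in the keycloak cache container should be raised above 1 (the value assumed to be the default in the 1.9 `standalone-ha.xml`), since with a single owner a node failure still discards every session that node held, clustered or not.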
From smacksnr at hotmail.com Thu Apr 7 07:18:06 2016
From: smacksnr at hotmail.com (Bill Simakis)
Date: Thu, 7 Apr 2016 07:18:06 -0400
Subject: [keycloak-user] Display Password policy on Password page
Message-ID:

Is there any way to dynamically display the password policy info on the Password page? i.e. show the password policy that is configured for the realm and not just hardcoded into the Theme.

Currently the only time the user knows about the policy is if they submit a password and see the error message.

Thanks,

Bill

From christian at datek.no Thu Apr 7 07:25:00 2016
From: christian at datek.no (Christian Schwarz)
Date: Thu, 7 Apr 2016 11:25:00 +0000
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To:
References:
Message-ID:

On 07 Apr 2016, at 13:03, Stian Thorgersen wrote:
> We're planning sticky session support in 2.x. The problem is that you need to make sure browser + all adapter requests go to the same node. So it's not quite as simple as just setting a cookie. See https://issues.jboss.org/browse/KEYCLOAK-2352

When I implemented a custom OpenID Connect Authorization Server a couple of years ago (when the spec was fresh), we accepted that a single database request per HTTP request was OK performance wise. Then you can re-read the most volatile data on each HTTP request (e.g. logout status) and then use a local cache for the rest. If you got load-balanced to another node (e.g. during deployment or failover) then the other node would have to fetch more data from the database (we did not use JSESSION, we used a custom session mechanism with a custom cookie that was an ID to a login session stored in the database). Then you had transparent failover and instant logout from all authorization server nodes.

From sthorger at redhat.com Thu Apr 7 08:00:21 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Apr 2016 14:00:21 +0200
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To:
References:
Message-ID:

We had something similar, but we decided to drop persistence of session data from the DB due to performance issues and that we didn't have the resources to maintain two implementations for session storage.

On 7 April 2016 at 13:25, Christian Schwarz wrote:
> When I implemented a custom OpenID Connect Authorization Server a couple of years ago (when the spec was fresh), we accepted that a single database request per HTTP request was OK performance wise.
> Then you can re-read the most volatile data on each HTTP request (e.g. logout status) and then use a local cache for the rest. If you got load-balanced to another node (e.g. during deployment or failover) then the other node would have to fetch more data from the database (we did not use JSESSION, we used a custom session mechanism with a custom cookie that was an ID to a login session stored in the database). Then you had transparent failover and instant logout from all authorization server nodes.

From juraj.janosik77 at gmail.com Thu Apr 7 08:18:45 2016
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Thu, 7 Apr 2016 14:18:45 +0200
Subject: [keycloak-user] Admin REST API Get Users (and search) returns enabled user ("enabled":true) after "Max Login Failures" exceeded
Message-ID:

Hi,

is the following issue known in the community? (see description below)

*Prerequisites:*
1. Keycloak 1.9.1.Final, CentOS7, Oracle12c
2. User disabled after "Max Login Failure" attempts.

*Observed behavior:*
1. User displayed correctly as disabled ("enabled":false) via Get Representation of the user
GET /admin/realms/{realm}/users/{id}

2. User displayed correctly as disabled ("disabled":true) via
GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}

3. User displayed not correctly ("enabled":true) via Get users (list of all users and search)
GET /admin/realms/{realm}/users
GET /admin/realms/{realm}/users?search={string}

Thanks a lot.

Best Regards,
Juraj
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/5f36097a/attachment.html From sthorger at redhat.com Thu Apr 7 09:48:39 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Apr 2016 15:48:39 +0200 Subject: [keycloak-user] Admin REST API Get Users (and search) returns enabled user ("enabled":true) after "Max Login Failures" exceeded In-Reply-To: References: Message-ID: User#enabled is only used for users that are manually disabled by admin and not for user temporarily disabled by brute force protection, so this is expected behavior. On 7 April 2016 at 14:18, Juraj Janosik wrote: > Hi, > > is the following issue known in the community? (see description below) > > *Prerequisities:* > 1. Keycloak 1.9.1.Final, CentOS7, Oracle12c > 2. User disabled after "Max Login Failure" attempts. > > *Observed behavior:* > 1. User displayed correctly as disabled ("enabled":false) via Get > Representation of the user > GET /admin/realms/{realm}/users/{id} > > 2. User displayed correctly as disabled ("disabled":true) via > GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username} > > 3. User displayed not correctly ("enabled":true) via Get users (list of > all users and search) > GET /admin/realms/{realm}/users > GET /admin/realms/{realm}/users?search={string} > > Thanks a lot. > > Best Regards, > Juraj > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/cb1fad4f/attachment.html From sthorger at redhat.com Thu Apr 7 09:50:23 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 7 Apr 2016 15:50:23 +0200 Subject: [keycloak-user] Display Password policy on Password page In-Reply-To: References: Message-ID: No, afraid not. 
The password policy is not currently exposed to themes at all. Directly exposing it wouldn't help too much I think as it would make much sense to users.

On 7 April 2016 at 13:18, Bill Simakis wrote:
> Is there any way to dynamically display the password policy info on the
> Password page? i.e. show the password policy that is configured for the
> realm and not just hardcoded into the Theme.
>
> Currently the only time the user knows about the policy is if they submit
> a password and see the error message.
>
> Thanks,
>
> Bill
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From cpitman at redhat.com Thu Apr 7 11:36:19 2016
From: cpitman at redhat.com (Chris Pitman)
Date: Thu, 7 Apr 2016 11:36:19 -0400 (EDT)
Subject: [keycloak-user] Using Keycloak Proxy behind a TLS terminating reverse proxy
In-Reply-To:
References: <1968568744.48498811.1460002727314.JavaMail.zimbra@redhat.com> <1728086122.48498976.1460003060793.JavaMail.zimbra@redhat.com>
Message-ID: <579168574.48696311.1460043379487.JavaMail.zimbra@redhat.com>

Isn't that documentation for setting up keycloak behind a reverse proxy? I have the keycloak appliance set up already, and can execute an OAuth flow *as long as the redirect_uri passed by the application is correct*.

The problem is that the Keycloak Proxy is passing the wrong redirect_uri to keycloak. HTTPD is passing the x-forwarded-proto header to the proxy. And I don't believe the proxy has a configuration file where you can modify the undertow configuration. The only configuration I am aware of for the proxy is documented here: http://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html#d4e3464

Am I missing something?
----- Original Message -----
> http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e397
>
> On 7 April 2016 at 06:24, Chris Pitman wrote:
>
> > Hey everyone,
> >
> > I'm trying to set up Keycloak Proxy to protect access to a legacy
> > application. Right now we have HTTPD set up as a reverse proxy that
> > terminates TLS and then passes through the request via HTTP to the legacy
> > app. What I want to do is put the Keycloak Proxy in between HTTPD and the
> > app.
> >
> > I've got it running, but the problem is the URL the proxy passes as the
> > redirect url to keycloak. It is passing an "http://" url, which then
> > doesn't match the configured redirect_urls in Keycloak. I'm assuming it
> > does this since I'm using the HTTP port on the proxy.
> >
> > How can I get Keycloak Proxy to pass a redirect url with a "https://"
> > scheme, even when not connecting via https to the proxy itself?
> >
> > Thanks,
> > Chris Pitman
> > Architect, Red Hat Consulting
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>

From juandiego83 at gmail.com Thu Apr 7 11:58:10 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 7 Apr 2016 10:58:10 -0500
Subject: [keycloak-user] NulPointerException when running oauth-client-cdi-example
Message-ID:

Hi,

I ran the demo oauth-client-cdi the day before yesterday and it seemed to work. It had some problems with the database service configuration, and I fixed that. But then I decided to do a git fetch in order to get the latest repo and I am getting this error.
ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: java.lang.RuntimeException: java.lang.NullPointerException at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: java.lang.RuntimeException: java.lang.NullPointerException at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:231) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) ... 6 more Caused by: java.lang.NullPointerException at org.keycloak.servlet.ServletOAuthClientBuilder.build(ServletOAuthClientBuilder.java:47) at org.keycloak.example.oauth.AppContextListener.contextInitialized(AppContextListener.java:59) at io.undertow.servlet.core.ApplicationListeners.contextInitialized(ApplicationListeners.java:187) at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:198) ... 
8 more

10:52:00,992 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("full-replace-deployment") failed - address: ([]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./oauth-client-cdi" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: java.lang.RuntimeException: java.lang.NullPointerException Caused by: java.lang.RuntimeException: java.lang.NullPointerException Caused by: java.lang.NullPointerException"}}

The third party app works fine, just the cdi doesn't work.

Thanks,

Juan Diego

From juraci at kroehling.de Thu Apr 7 12:58:39 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Thu, 7 Apr 2016 18:58:39 +0200
Subject: [keycloak-user] Using Keycloak Proxy behind a TLS terminating reverse proxy
In-Reply-To: <579168574.48696311.1460043379487.JavaMail.zimbra@redhat.com>
References: <1968568744.48498811.1460002727314.JavaMail.zimbra@redhat.com> <1728086122.48498976.1460003060793.JavaMail.zimbra@redhat.com> <579168574.48696311.1460043379487.JavaMail.zimbra@redhat.com>
Message-ID: <570691BF.7050103@kroehling.de>

On 07.04.2016 17:36, Chris Pitman wrote:
> Isn't that documentation for setting up keycloak behind a reverse proxy? I have the keycloak appliance set up already, and can execute an OAuth flow *as long as the redirect_uri passed by the application is correct*.
>
> The problem is that the Keycloak Proxy is passing the wrong redirect_uri to keycloak. HTTPD is passing the x-forwarded-proto header to the proxy. And I don't believe the proxy has a configuration file where you can modify the undertow configuration.
> The only configuration I am aware of for the proxy is documented here: http://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html#d4e3464
>
> Am I missing something?

Actually, I've seen something similar in an application I'm working on. I didn't have time to debug it yet, but it *seems* that the Wildfly Adapter is not recognizing the proper protocol and is building the redirect_uri with "http" all the time.

- Juca.

From sthorger at redhat.com Thu Apr 7 13:39:16 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 7 Apr 2016 19:39:16 +0200
Subject: [keycloak-user] Using Keycloak Proxy behind a TLS terminating reverse proxy
In-Reply-To: <579168574.48696311.1460043379487.JavaMail.zimbra@redhat.com>
References: <1968568744.48498811.1460002727314.JavaMail.zimbra@redhat.com> <1728086122.48498976.1460003060793.JavaMail.zimbra@redhat.com> <579168574.48696311.1460043379487.JavaMail.zimbra@redhat.com>
Message-ID:

On 7 April 2016 at 17:36, Chris Pitman wrote:
> Isn't that documentation for setting up keycloak behind a reverse proxy? I
> have the keycloak appliance set up already, and can execute an OAuth flow
> *as long as the redirect_uri passed by the application is correct*.
>

Yep you're right, I was a bit hasty with that reply. Sorry.

>
> The problem is that the Keycloak Proxy is passing the wrong redirect_uri
> to keycloak. HTTPD is passing the x-forwarded-proto header to the proxy.
> And I don't believe the proxy has a configuration file where you can modify
> the undertow configuration. The only configuration I am aware of for the
> proxy is documented here:
> http://keycloak.github.io/docs/userguide/keycloak-server/html/proxy.html#d4e3464

Can't really help you there, I've got no clue about the Keycloak Proxy

>
>
> Am I missing something?
>
> ----- Original Message -----
> > http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e397
> >
> > On 7 April 2016 at 06:24, Chris Pitman wrote:
> >
> > > Hey everyone,
> > >
> > > I'm trying to setup Keycloak Proxy to protect access to a legacy
> > > application. Right now we have HTTPD setup as a reverse proxy that
> > > terminates TLS and then passes through the request via HTTP to the legacy
> > > app. What I want to do is put the Keycloak Proxy in between HTTPD and the
> > > app.
> > >
> > > I've got it running, but the problem is the URL the proxy passes as the
> > > redirect url to keycloak. It is passing an "http://" url, which then
> > > doesn't match the configured redirect_urls in Keycloak. I'm assuming it
> > > does this since I'm using the HTTP port on the proxy.
> > >
> > > How can I get Keycloak Proxy to pass a redirect url with a "https://"
> > > scheme, even when not connecting via https to the proxy itself?
> > >
> > > Thanks,
> > > Chris Pitman
> > > Architect, Red Hat Consulting
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
>

From jaxley at expedia.com Thu Apr 7 15:59:42 2016
From: jaxley at expedia.com (Jason Axley)
Date: Thu, 7 Apr 2016 19:59:42 +0000
Subject: [keycloak-user] SSO amongst two realms
In-Reply-To: <56CEAC60.2030105@redhat.com>
References: <56CEAC60.2030105@redhat.com>
Message-ID: <56151A13-44C7-4715-8EE9-A3498E4863F9@expedia.com>

Could you possibly support "Authenticate by default" with a "fallback to the local realm"?
It would be nice to have certain users attached to a particular realm realm1 but have Keycloak internally attempt to authenticate first against another realm so you can get the effect of a union of the users across the two realms. The user experience with the federation buttons as an alternative makes this configuration complexity exposed to the user and I'd prefer to not have to do that.

-Jason

From: > on behalf of Marek Posolda >
Date: Wednesday, February 24, 2016 at 11:25 PM
To: Sarp Kaya >, "keycloak-user at lists.jboss.org" >
Subject: Re: [keycloak-user] SSO amongst two realms

It's possible to achieve something like this with identity provider. You can create identityProvider in realm2, which will authenticate against realm1. In that case, there will be a button in login screen of realm2 like "Login with realm1" and when user clicks on this, he will be logged-in automatically. There is also possibility to use switch "Authenticate by default" in identity provider and then login screen of realm2 won't be shown, but instead it will always automatically redirect to realm1 login screen.

The thing is, that you will end up with duplicated user accounts (Account of user "john" will be in both realm1 and realm2). AFAIK we plan to improve this in the future to have this use-case more "friendly" as more people ask about that.

Marek

On 25/02/16 01:39, Sarp Kaya wrote:
Hi,

I want to know whether it is possible to have SSO amongst two realms. Ie User 1 logins to an app1 that auths against realm1, then user 1 tries to use app2 which auths against realm2 which should work fine as user 1 logged into realm1 before and it should SSO into app2 fine. If this is possible then what would be the setup like?

Kind Regards,
Sarp

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
From srossillo at smartling.com Thu Apr 7 16:56:29 2016
From: srossillo at smartling.com (Scott Rossillo)
Date: Thu, 7 Apr 2016 16:56:29 -0400
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To:
References:
Message-ID: <8E6D7F6B-C214-454F-BA0C-F8ECF4ECC894@smartling.com>

Hi!

We completed the final steps to getting this working on Amazon AWS with Docker using Keycloak 1.9.x. Since we already have a database, we used JDBC_PING so as not to add S3 as yet another dependency. The changes are here[0] for now. Would Keycloak devs be interested in adding a running Keycloak on AWS section or another sample docker image?

There are 3 steps / files:

1. configureCache.xsl sets up Infinispan correctly
2. start.sh - Uses Amazon APIs via HTTP to get the correct instance IP information
3. 30_docker_ports.config - if using Docker, this shell script runs on deploy to expose the cluster port to the EC2 interface. Needed with Beanstalk, maybe not with ECS

[0]: https://gist.github.com/foo4u/ad2fa7251ac5b4d4fd318f668f50f7ac

Best,
Scott

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Apr 7, 2016, at 6:44 AM, Thomas Darimont wrote:
>
> Hello,
>
> have a look at this thread: http://lists.jboss.org/pipermail/keycloak-user/2016-February/004935.html
>
> Cheers,
> Thomas
>
> 2016-04-07 12:40 GMT+02:00 Stian Thorgersen >:
> It is not currently possible to run multiple nodes without clustering. However, it's possible to configure JGroups to work on AWS. I can't remember the configuration required though, but if you search the user mailing list you'll find instructions or google for JGroups and AWS.
>
> On 7 April 2016 at 10:22, Christian Schwarz > wrote:
> Hi!
>
> I'm trying to set up a keycloak cluster on AWS, which does not support UDP multicast.
> IP addresses of the nodes are also not known in advance (I'm using docker-cloud), so Infinispan/JGroups ("keycloak-ha-posgres" docker image) for user session replication will not work (seems that it requires either UDP multicast or IP addresses known in advance).
>
> The main problem I have is that logout is not working properly. I only get logged out from one of the two keycloak nodes.
>
> I have tried to disable the user cache (by setting userCache.default.enabled = false) and to disable infinispan (by using "keycloak-postgres" docker image), but to no avail. The "other" keycloak node still thinks that the user is logged in, it's not refreshing the user session from the database even if user cache and infinispan cluster cache is disabled.
>
> => Is there a possibility of using the database as a synchronization point between keycloak nodes? (i.e. each node always checks logout status in the database)
> Or is there another way of getting a keycloak cluster up and running on AWS when IP addresses are not known in advance?
>
> I hope there is a way? :)
>
> Kind regards,
> Christian
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From bruno at abstractj.org Thu Apr 7 17:15:03 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 07 Apr 2016 21:15:03 +0000
Subject: [keycloak-user] NulPointerException when running oauth-client-cdi-example
In-Reply-To:
References:
Message-ID:

Could you please provide the exact steps to reproduce it? I'm running the same example based on 2.0.0.CR1-SNAPSHOT (preconfigured distribution) against master with no issues.

What I did was:

1. mvn clean install -Pdistribution
2. cp distribution/demo-dist/target/keycloak-demo-2.0.0.CR1-SNAPSHOT.tar.gz someplace/
3. Upload my testrealm.json
4. Under examples/preconfigured-demo, deploy third-party-cdi

On Thu, Apr 7, 2016 at 12:58 PM Juan Diego wrote:
> Hi,
>
> I ran the demo oauth-client-cdi the day before yesterday and it seemed to
> work. It had some problems with the database service configuration, and I
> fixed that. But then I decided to do a git fetch in order to get latest
> repo and I am getting this error.
> > ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) > MSC000001: Failed to start service > jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: > org.jboss.msc.service.StartException in service > jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: > java.lang.RuntimeException: java.lang.NullPointerException > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85) > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > Caused by: java.lang.RuntimeException: java.lang.NullPointerException > at > io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:231) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > ... 6 more > Caused by: java.lang.NullPointerException > at > org.keycloak.servlet.ServletOAuthClientBuilder.build(ServletOAuthClientBuilder.java:47) > at > org.keycloak.example.oauth.AppContextListener.contextInitialized(AppContextListener.java:59) > at > io.undertow.servlet.core.ApplicationListeners.contextInitialized(ApplicationListeners.java:187) > at > io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:198) > ... 
8 more
>
> 10:52:00,992 ERROR [org.jboss.as.controller.management-operation]
> (DeploymentScanner-threads - 1) WFLYCTL0013: Operation
> ("full-replace-deployment") failed - address: ([]) - failure description:
> {"WFLYCTL0080: Failed services" =>
> {"jboss.undertow.deployment.default-server.default-host./oauth-client-cdi"
> => "org.jboss.msc.service.StartException in service
> jboss.undertow.deployment.default-server.default-host./oauth-client-cdi:
> java.lang.RuntimeException: java.lang.NullPointerException
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
> Caused by: java.lang.NullPointerException"}}
>
> The third party app works fine just the cdi doesn't work.
>
> Thanks,
>
> Juan Diego
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Thu Apr 7 17:20:35 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 07 Apr 2016 21:20:35 +0000
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
In-Reply-To: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int>
References: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int>
Message-ID:

It seems related to https://issues.jboss.org/browse/KEYCLOAK-2431. Does the same happen with 1.9.1.Final?

On Thu, Apr 7, 2016 at 6:26 AM Gerard Laissard wrote:
> Team,
>
> Keycloak server 1.9.0 fails to start.
>
> Yesterday, I did try to play with client/role : Scope Param Required
> without any success.
>
> I got server java.lang.StackOverflowError.
> > I stopped the server > > Today when I start server, I have : > > 10:51:50,948 ERROR > [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] > (ServerService Thread Pool -- 52) ExecutionException when computed future. > Errors: 1: java.util.concurrent.ExecutionException: > java.lang.StackOverflowError > > at > java.util.concurrent.FutureTask.report(FutureTask.java:122) > > at java.util.concurrent.FutureTask.get(FutureTask.java:192) > > at > org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:197) > > at > org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:88) > > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.run(InfinispanUserSessionProviderFactory.java:91) > > at > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280) > > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:82) > > at > org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:71) > > at > org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:63) > > at > org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141) > > at > sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > > at > sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > > at > sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > > at > java.lang.reflect.Constructor.newInstance(Constructor.java:423) > > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > > at > 
org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209) > > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299) > > at > org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240) > > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113) > > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) > > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) > > at > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) > > at > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) > > at > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231) > > at > io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132) > > at > io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526) > > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101) > > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82) > > at > java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > > Caused by: java.lang.StackOverflowError > > at > org.jboss.jca.adapters.jdbc.WrappedConnection.checkException(WrappedConnection.java:1958) > > at > 
org.jboss.jca.adapters.jdbc.WrappedStatement.checkException(WrappedStatement.java:1446) > > at > org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:509) > > at > org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70) > > at > org.hibernate.loader.Loader.getResultSet(Loader.java:2116) > > at > org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1899) > > at > org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875) > > at org.hibernate.loader.Loader.doQuery(Loader.java:919) > > at > org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336) > > at org.hibernate.loader.Loader.doList(Loader.java:2611) > > at org.hibernate.loader.Loader.doList(Loader.java:2594) > > at > org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423) > > at org.hibernate.loader.Loader.list(Loader.java:2418) > > at > org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501) > > at > org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371) > > at > org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216) > > at > org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326) > > at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) > > at > org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) > > at > org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) > > at > org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:246) > > at > org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) > > at > org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) > > at > org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) > > at > org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) > > at > 
org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) > > at > org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) > > at > org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) > > at > org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) > > at > org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) > > at > org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) > > at > org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) > > at > org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) > > at > org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) > > at > org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) > > at > org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) > > at > org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) > > at > org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) > > at > org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) > > at > org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) > > at > org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) > > at > org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) > > at > org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) > > at > org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) > > at > 
> org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
> at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98)
> at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18)
> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
> at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
> at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
> at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
> at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
> at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98)
> ...
>
> What should I do ?
>
> Thanks
>
> Gerard
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From juandiego83 at gmail.com Thu Apr 7 18:34:03 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 7 Apr 2016 17:34:03 -0500
Subject: [keycloak-user] NulPointerException when running oauth-client-cdi-example
In-Reply-To:
References:
Message-ID:

Hi,

I don't think I did something in particular. I downloaded keycloak 1.9.1 server. Added scandir to the standalone.xml. Git clone keycloak repo. I used eclipse, imported maven examples to workspace.
cd examples/
mvn clean install
cd /demo-templates
mvn clean install
cd third-party-cdi
mvn clean install
cp target/oauth-client-cdi.war keycloak-1.9.1.final/standalone/deployments/

I imported the test realm from json file as explained on the documentation. I might have done something else wrong. But I thought I followed all the instructions to the letter twice.

I added the standalone.xml. I don't know if I should add any other stuff.

Thanks,

Juan Diego

On Thu, Apr 7, 2016 at 4:15 PM, Bruno Oliveira wrote:
> Could you please provide the exact steps to reproduce it? I'm running the
> same example based on 2.0.0.CR1-SNAPSHOT (preconfigured distribution)
> against master with no issues.
>
> What I did was:
>
> 1. mvn clean install -Pdistribution
> 2. cp
> distribution/demo-dist/target/keycloak-demo-2.0.0.CR1-SNAPSHOT.tar.gz
> someplace/
> 3. Upload my testrealm.json
> 4. Under examples/preconfigured-demo, deploy third-party-cdi
>
> On Thu, Apr 7, 2016 at 12:58 PM Juan Diego wrote:
>
>> Hi,
>>
>> I ran the demo oauth-client-cdi the day before yesterday and it seemed to
>> work. It had some problems with the database service configuration, and I
>> fixed that. But then I decided to do a git fetch in order to get latest
>> repo and I am getting this error.
>>
>> ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: java.lang.RuntimeException: java.lang.NullPointerException
>> 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>> 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> 	at java.lang.Thread.run(Thread.java:745)
>> 	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>> 	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:231)
>> 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
>> 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>> 	... 6 more
>> Caused by: java.lang.NullPointerException
>> 	at org.keycloak.servlet.ServletOAuthClientBuilder.build(ServletOAuthClientBuilder.java:47)
>> 	at org.keycloak.example.oauth.AppContextListener.contextInitialized(AppContextListener.java:59)
>> 	at io.undertow.servlet.core.ApplicationListeners.contextInitialized(ApplicationListeners.java:187)
>> 	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:198)
>> 	... 8 more
>>
>> 10:52:00,992 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("full-replace-deployment") failed - address: ([]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./oauth-client-cdi" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: java.lang.RuntimeException: java.lang.NullPointerException
>> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>> Caused by: java.lang.NullPointerException"}}
>>
>> The third party app works fine, just the cdi doesn't work.
>>
>> Thanks,
>>
>> Juan Diego
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone.xml
Type: text/xml
Size: 21605 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160407/3713bf96/attachment-0001.xml

From juandiego83 at gmail.com Thu Apr 7 19:25:29 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Thu, 7 Apr 2016 18:25:29 -0500
Subject: [keycloak-user] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I installed a keycloak server on amazon and bought a cert from Komodo. And I was testing my app from my localhost, so my webapp in jsf is supposed to log against that server and it seems to work. I modified my web.xml so the login-config uses keycloak.
I thought my local server ssl was the problem, but I disabled CONFIDENTIAL and I got the same error.

17:49:20,443 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-49) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
	at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
	at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
	at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
	at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
	at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
	at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
	at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
	at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
	at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
	at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
	... 56 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 62 more

From what I understand, it is because my java doesn't perceive my cert as a proper CA-signed cert.

Thanks,

Juan Diego
From rllavallee at hotmail.com Thu Apr 7 19:35:11 2016
From: rllavallee at hotmail.com (Richard Lavallee)
Date: Thu, 7 Apr 2016 23:35:11 +0000
Subject: [keycloak-user] Question re app timeout

Does anyone know the answer to this?

I want to set up a Keycloak SSO for, say, five apps: only one of which is required (by U.S. State Law) to become logged out upon a ten-minute inactivity timeout. How can I achieve this in Keycloak?

So for example: user signs in to Keycloak and begins working in APP1, then switches to APP2 and stays there for more than ten minutes. User re-visits APP1, which has been idle for more than ten minutes. By law he needs to re-authenticate to APP1 even though he remains already authenticated in Keycloak. How to force re-authentication for at least APP1?

-Richard

From bruno at abstractj.org Thu Apr 7 20:21:27 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 08 Apr 2016 00:21:27 +0000
Subject: [keycloak-user] NullPointerException when running oauth-client-cdi-example

Have you tried it with the examples available here http://www.redhat.com/j/elqNow/elqRedir.htm?ref=http://downloads.jboss.org/keycloak/1.9.1.Final/keycloak-demo-1.9.1.Final.tar.gz ?

On Thu, Apr 7, 2016, 7:34 PM Juan Diego wrote:

> Hi,
>
> I don't think I did something in particular. I downloaded keycloak 1.9.1
> server. Added scandir to the standalone.xml.
> Git clone keycloak repo. I used eclipse, imported maven examples to
> workspace.
>
> cd examples/
> mvn clean install
> cd /demo-templates
> mvn clean install
> cd third-party-cdi
> mvn clean install
> cp target/oauth-client-cdi.war keycloak-1.9.1.final/standalone/deployments/
>
> I imported the test realm from json file as explained in the documentation.
>
> I might have done something else wrong. But I thought I followed all the
> instructions to the letter twice.
>
> I added the standalone.xml
>
> I don't know if I should add any other stuff.
>
> Thanks,
>
> Juan Diego
>
>
> On Thu, Apr 7, 2016 at 4:15 PM, Bruno Oliveira wrote:
>
>> Could you please provide the exact steps to reproduce it? I'm running the
>> same example based on 2.0.0.CR1-SNAPSHOT (preconfigured distribution)
>> against master with no issues.
>>
>> What I did was:
>>
>> 1. mvn clean install -Pdistribution
>> 2. cp distribution/demo-dist/target/keycloak-demo-2.0.0.CR1-SNAPSHOT.tar.gz someplace/
>> 3. Upload my testrealm.json
>> 4. Under examples/preconfigured-demo, deploy third-party-cdi
>>
>> On Thu, Apr 7, 2016 at 12:58 PM Juan Diego wrote:
>>
>>> Hi,
>>>
>>> I ran the demo oauth-client-cdi the day before yesterday and it seemed
>>> to work. It had some problems with the database service configuration, and
>>> I fixed that. But then I decided to do a git fetch in order to get latest
>>> repo and I am getting this error.
>>>
>>> ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 78) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: java.lang.RuntimeException: java.lang.NullPointerException
>>> 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
>>> 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>> 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>> 	at java.lang.Thread.run(Thread.java:745)
>>> 	at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>>> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>>> 	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:231)
>>> 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
>>> 	at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>>> 	... 6 more
>>> Caused by: java.lang.NullPointerException
>>> 	at org.keycloak.servlet.ServletOAuthClientBuilder.build(ServletOAuthClientBuilder.java:47)
>>> 	at org.keycloak.example.oauth.AppContextListener.contextInitialized(AppContextListener.java:59)
>>> 	at io.undertow.servlet.core.ApplicationListeners.contextInitialized(ApplicationListeners.java:187)
>>> 	at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:198)
>>> 	... 8 more
>>>
>>> 10:52:00,992 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("full-replace-deployment") failed - address: ([]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./oauth-client-cdi" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./oauth-client-cdi: java.lang.RuntimeException: java.lang.NullPointerException
>>> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>>> Caused by: java.lang.NullPointerException"}}
>>>
>>> The third party app works fine, just the cdi doesn't work.
>>>
>>> Thanks,
>>>
>>> Juan Diego
>>
>>
>

From jessec at dnbcloud.com Thu Apr 7 20:40:14 2016
From: jessec at dnbcloud.com (Jesse Chahal)
Date: Thu, 7 Apr 2016 17:40:14 -0700
Subject: [keycloak-user] Logout using URL broken in keycloak 1.9.1?

Hi,

So our company recently upgraded from keycloak 1.5.1 to 1.9.1. We destroyed the database as we are still evaluating keycloak for the time being. We are noticing some issues with logout not working anymore after this upgrade. Currently we have implemented logout using the URL approach as such:

http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri

which can be found here:

http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d4e1383

We have set up the correct 'Valid Redirect URIs' for the client we are logging out from. Our client is using the openid-connect protocol and confidential access.
What we are seeing is keycloak providing us with a blank page and the session not being destroyed. Our application is built on top of Wildfly10, but we were not able to easily implement the HttpServletRequest.logout() way of logging out, as when a user logs in we translate the keycloak principal/user to be our own principal/user type. I did not see a bug in Jira for this yet (was looking at release version 1.9.2) and am having a hard time believing nobody else has encountered this issue.

I have attached the stacktrace that keycloak is spitting out below. To me it appears as if this feature was removed while the documentation still shows it as available.

00:05:46,037 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-78) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://keycloak.dnbcloud.com:8090/auth/realms/indicee/tokens/logout?redirect_uri=http://localhost.dnbcloud.com:8080
	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
	at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
	at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

Thanks,
Jesse

From sthorger at redhat.com Fri Apr 8 00:58:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Apr 2016 06:58:34 +0200
Subject: [keycloak-user] Logout using URL broken in keycloak 1.9.1?

The tokens endpoint was deprecated a while back and eventually removed in 1.9. Looks like one url has been missed in the documentation (I created https://issues.jboss.org/browse/KEYCLOAK-2774 to update docs and it will be fixed for 1.9.2).

Replace:

http://keycloak.dnbcloud.com:8090/auth/realms/indicee/tokens/logout?redirect_uri=http://localhost.dnbcloud.com:8080

With:

http://keycloak.dnbcloud.com:8090/auth/realms/indicee/protocol/openid-connect/logout?redirect_uri=http://localhost.dnbcloud.com:8080

On 8 April 2016 at 02:40, Jesse Chahal wrote:

> Hi,
>
> So our company recently upgraded from keycloak 1.5.1 to 1.9.1. We
> destroyed the database as we are still evaluating keycloak for the
> time being. We are noticing some issues with logout not working
> anymore after this upgrade. Currently we have implemented logout using
> the URL approach as such:
>
> http://auth-server/auth/realms/{realm-name}/tokens/logout?redirect_uri=encodedRedirectUri
>
> which can be found here:
>
> http://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#d4e1383
>
> We have set up the correct 'Valid Redirect URIs' for the client we are
> logging out from. Our client is using the openid-connect protocol and
> confidential access.
> What we are seeing is keycloak providing us with a blank page and the
> session not being destroyed. Our application is built on top of
> Wildfly10, but we were not able to easily implement the
> HttpServletRequest.logout() way of logging out, as when a user logs in
> we translate the keycloak principal/user to be our own
> principal/user type. I did not see a bug in Jira for this yet (was
> looking at release version 1.9.2) and am having a hard time believing
> nobody else has encountered this issue.
>
> I have attached the stacktrace that keycloak is spitting out below. To
> me it appears as if this feature was removed while the documentation
> still shows it as available.
>
>
> 00:05:46,037 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
> task-78) RESTEASY002010: Failed to execute:
> javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource
> for full path:
> http://keycloak.dnbcloud.com:8090/auth/realms/indicee/tokens/logout?redirect_uri=http://localhost.dnbcloud.com:8080
> 	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
> 	at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
> 	at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)
> 	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> 	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> 	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> 	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> 	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> 	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> 	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> 	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> 	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> 	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> 	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> 	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> 	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> 	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> 	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> 	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> 	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> 	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> 	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> 	at java.lang.Thread.run(Thread.java:745)
>
>
> Thanks,
> Jesse
>

From sthorger at redhat.com Fri Apr 8 01:05:59 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Apr 2016 07:05:59 +0200
Subject: [keycloak-user] SSO amongst two realms

Can you elaborate on how you imagine "fallback to the local realm" would work?

On 7 April 2016 at 21:59, Jason Axley wrote:

> Could you possibly support "Authenticate by default" with a "fallback to
> the local realm"? It would be nice to have certain users attached to a
> particular realm realm1 but have Keycloak internally attempt to
> authenticate first against another realm so you can get the effect of a
> union of the users across the two realms.
The user experience with the > federation buttons as an alternative makes this configuration complexity > exposed to the user and I?d prefer to not have to do that. > > -Jason > > From: on behalf of Marek Posolda < > mposolda at redhat.com> > Date: Wednesday, February 24, 2016 at 11:25 PM > To: Sarp Kaya , "keycloak-user at lists.jboss.org" < > keycloak-user at lists.jboss.org> > Subject: Re: [keycloak-user] SSO amongst two realms > > It's possible to achieve something like this with identity provider. You > can create identityProvider in realm2, which will authenticate against > realm1. In that case, there will be button in login screen of realm2 like > "Login with realm1" and when user clicks on this, he will be logged-in > automatically. There is also possibility to use switch "Authenticate by > default" in identity provider and then login screen of realm2 won't be > shown, but instead it will always automatically redirect to realm1 login > screen. > > The thing is, that you will end with duplicated user accounts (Account of > user "john" will be in both realm1 and realm2). AFAIK we plan to improve > this in the future to have this use-case more "friendly" as more people ask > about that. > > Marek > > On 25/02/16 01:39, Sarp Kaya wrote: > > Hi, > > I want to know whether it is possible to have SSO amongst two realms. Ie > User 1 logins to an app1 that auths against realm1, then user 1 tries to > use app2 which auths against realm2 which should work fine as user 1 logged > into realm1 before and it should SSO into app2 fine. > > If this is possible then what would be the setup like? 
>>
>> Kind Regards,
>> Sarp

From sthorger at redhat.com Fri Apr 8 01:12:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Apr 2016 07:12:51 +0200
Subject: [keycloak-user] Question re app timeout
In-Reply-To:
References:
Message-ID:

We don't have support for this at the moment and would like to do it at some point. It would mainly be a matter of adding the authentication time to the token as well as implementing support for prompt=login (see http://openid.net/specs/openid-connect-implicit-1_0.html#rfc.section.2.1.1.1).

You could probably achieve the same with a custom authentication flow and a custom protocol mapper that adds the authentication time to the token.

On 8 April 2016 at 01:35, Richard Lavallee wrote:
> Does anyone know the answer to this?
>
> I want to set up a Keycloak SSO for, say, five apps, only one of which is required (by U.S. State Law) to become logged out upon a ten-minute inactivity timeout.
> How can I achieve this in Keycloak?
>
> So for example: user signs in to Keycloak and begins working in APP1, then switches to APP2 and stays there for more than ten minutes. User re-visits APP1, which has been idle for more than ten minutes. By law he needs to re-authenticate to APP1 even though he remains already authenticated in Keycloak. How to force re-authentication for at least APP1?
>
> -Richard

From sthorger at redhat.com Fri Apr 8 01:15:59 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 8 Apr 2016 07:15:59 +0200
Subject: [keycloak-user] Question re app timeout
In-Reply-To:
References:
Message-ID:

Couldn't find the issue about this so added https://issues.jboss.org/browse/KEYCLOAK-2775

On 8 April 2016 at 07:12, Stian Thorgersen wrote:
> We don't have support for this at the moment and would like to do it at some point. It would mainly be a matter of adding the authentication time to the token as well as implementing support for prompt=login (see http://openid.net/specs/openid-connect-implicit-1_0.html#rfc.section.2.1.1.1).
>
> You could probably achieve the same with a custom authentication flow and a custom protocol mapper that adds the authentication time to the token.
>
> On 8 April 2016 at 01:35, Richard Lavallee wrote:
>> Does anyone know the answer to this?
>>
>> I want to set up a Keycloak SSO for, say, five apps, only one of which is required (by U.S. State Law) to become logged out upon a ten-minute inactivity timeout.
>> How can I achieve this in Keycloak?
>>
>> So for example: user signs in to Keycloak and begins working in APP1, then switches to APP2 and stays there for more than ten minutes. User re-visits APP1, which has been idle for more than ten minutes. By law he needs to re-authenticate to APP1 even though he remains already authenticated in Keycloak. How to force re-authentication for at least APP1?
>>
>> -Richard

From guus.der.kinderen at gmail.com Fri Apr 8 01:28:54 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Fri, 8 Apr 2016 07:28:54 +0200
Subject: [keycloak-user] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In-Reply-To:
References:
Message-ID:

Hello Juan Diego,

I think you are right. Java probably does not recognize Komodo as a valid certificate authority.

Java keeps certificates of CAs in a keystore (a 'trust store': a store of certificates from authorities that are to be trusted). The Komodo certificate that is part of your chain is probably not in it.

I'm quite new to Keycloak, and I'm not sure if Keycloak uses the default keystores that ship with any version of Java, or uses its own set. Perhaps the Keycloak documentation gives you a hint to that effect.

I hope this helps. Regards,

Guus

On 8 April 2016 at 01:25, Juan Diego wrote:
> I installed a keycloak server on Amazon and bought a cert from Komodo. And I was testing my app from my localhost, so my webapp in JSF is supposed to log in against that server and it seems to work. I modified my web.xml so the login-config uses keycloak.
>
> I thought my local server SSL was the problem but I disabled CONFIDENTIAL
>
> But I got the same error.
> > 17:49:20,443 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] > (default task-49) failed to turn code into token: > javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) > at > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) > at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543) > at > org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409) > at > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) > at > org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) > at > org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) > at > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) > at > 
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) > at > org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) > at > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314) > at > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260) > at > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112) > at > org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110) > at > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92) > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233) > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250) > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219) > at > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121) > at > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96) > at > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) > at > io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) > at > 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > 
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
> at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
> at sun.security.validator.Validator.validate(Validator.java:260)
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
> at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
> ... 56 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
> at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
> at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
> at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
> ... 62 more
>
>
> From what I understand, it is because my Java doesn't perceive my cert as a proper CA-signed cert.
>
> Thanks,
>
> Juan Diego

From guus.der.kinderen at gmail.com Fri Apr 8 01:31:30 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Fri, 8 Apr 2016 07:31:30 +0200
Subject: [keycloak-user] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In-Reply-To:
References:
Message-ID:

And, to be clear, the implied solution: you should add the certificate from Komodo's CA (you can probably download it from Komodo) to that trust store.

- Guus

On 8 April 2016 at 07:28, Guus der Kinderen wrote:
> Hello Juan Diego,
>
> I think you are right. Java probably does not recognize Komodo as a valid certificate authority.
>
> Java keeps certificates of CAs in a keystore (a 'trust store': a store of certificates from authorities that are to be trusted). The Komodo certificate that is part of your chain is probably not in it.
>
> I'm quite new to Keycloak, and I'm not sure if Keycloak uses the default keystores that ship with any version of Java, or uses its own set. Perhaps the Keycloak documentation gives you a hint to that effect.
>
> I hope this helps. Regards,
>
> Guus
>
> On 8 April 2016 at 01:25, Juan Diego wrote:
>> I installed a keycloak server on Amazon and bought a cert from Komodo. And I was testing my app from my localhost, so my webapp in JSF is supposed to log in against that server and it seems to work. I modified my web.xml so the login-config uses keycloak.
>>
>> I thought my local server SSL was the problem but I disabled CONFIDENTIAL
>>
>> But I got the same error.
>>
>> 17:49:20,443 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-49) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>> [...]
>>
>> From what I understand, it is because my Java doesn't perceive my cert as a proper CA-signed cert.
>>
>> Thanks,
>>
>> Juan Diego

From juraj.janosik77 at gmail.com Fri Apr 8 02:19:56 2016
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Fri, 8 Apr 2016 08:19:56 +0200
Subject: [keycloak-user] Admin REST API Get Users (and search) returns enabled user ("enabled":true) after "Max Login Failures" exceeded
In-Reply-To:
References:
Message-ID:

OK. Then in this case I can report an inconsistency in the displayed value of the parameter "enabled" between the following two admin REST API requests:

1. GET /admin/realms/{realm}/users/{id} => "enabled":false
2.1 GET /admin/realms/{realm}/users => "enabled":true
2.2 GET /admin/realms/{realm}/users?search={string} => "enabled":true

And in the GUI admin console the user is disabled after Max Login Failure attempts.

Thanks.
Juraj

2016-04-07 15:48 GMT+02:00 Stian Thorgersen :
> User#enabled is only used for users that are manually disabled by admin and not for users temporarily disabled by brute force protection, so this is expected behavior.
>
> On 7 April 2016 at 14:18, Juraj Janosik wrote:
>> Hi,
>>
>> is the following issue known in the community? (see description below)
>>
>> *Prerequisites:*
>> 1. Keycloak 1.9.1.Final, CentOS7, Oracle12c
>> 2. User disabled after "Max Login Failure" attempts.
>>
>> *Observed behavior:*
>> 1. User displayed correctly as disabled ("enabled":false) via Get Representation of the user
>> GET /admin/realms/{realm}/users/{id}
>>
>> 2.
>> User displayed correctly as disabled ("disabled":true) via
>> GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
>>
>> 3. User displayed incorrectly ("enabled":true) via Get users (list of all users and search)
>> GET /admin/realms/{realm}/users
>> GET /admin/realms/{realm}/users?search={string}
>>
>> Thanks a lot.
>>
>> Best Regards,
>> Juraj

From sascha.brose at adesso.ch Fri Apr 8 06:08:09 2016
From: sascha.brose at adesso.ch (Brose, Sascha)
Date: Fri, 8 Apr 2016 10:08:09 +0000
Subject: [keycloak-user] spring security adapter and single log out
Message-ID: <8b563ef9317044cda79d1a79389479b6@EX2013-DB02.adesso.local>

Hi Anthony,

we noticed the same issue and your report helped a lot. Thank you very much!

I perceived that logout will not work correctly when you have multiple active sessions and a user logs out. In that case, HttpSessionManager::logoutHttpSessions is called, which clears the references to all known sessions with sessions.clear(). Additionally, destroyed sessions weren't removed from SessionRegistryImpl. This seems to be because the SessionRegistryImpl created in WebSecurityConfig is not a Spring bean.

Therefore, I made two adjustments to the code you provided:

1) HttpSessionManager: Removed sessions.clear() at the end of logoutHttpSessions(List<String>)

2) WebSecurityConfig: Replaced

    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

with

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(buildSessionRegistry());
    }

    @Bean
    protected SessionRegistry buildSessionRegistry() {
        return new SessionRegistryImpl();
    }

Best,
Sascha

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of keycloak-user-request at lists.jboss.org
Sent: Tuesday, 22 March 2016 18:35
To: keycloak-user at lists.jboss.org
Subject: keycloak-user Digest, Vol 27, Issue 98

Message: 1
Date: Tue, 22 Mar 2016 13:34:41 -0400
From: Scott Rossillo
Subject: Re: [keycloak-user] spring security adapter and single log out
To: Anthony Fryer
Cc: Niels Bertram , "keycloak-user (keycloak-user at lists.jboss.org)"
Message-ID: <6E696A99-A3D8-43C4-8D72-3BE00CB304CA at smartling.com>
Content-Type: text/plain; charset="utf-8"

Hi Anthony,

Thanks for the very descriptive bug report. I'll have a look at fixing this shortly.

Scott Rossillo
Smartling | Senior Software Engineer
srossillo at smartling.com

> On Mar 21, 2016, at 7:26 PM, Anthony Fryer wrote:
>
> I've noticed some issues when testing single logout with the spring security adapter.
>
> I set up the admin url for the test application that used the spring security adapter in keycloak and tested logging out from keycloak, and it didn't invalidate the session. This is consistent with what I saw in other environments while testing. I did some digging and found that the spring adapter isn't working correctly for single log out in my environments. We're not using spring boot, so not sure if that might be a reason why it's not working out of the box.
>
> The issue is with the org.keycloak.adapters.springsecurity.management.HttpSessionManager class. This implements javax.servlet.http.HttpSessionListener to receive events when sessions are created and stores the sessions in a hash map. When you do a logout from keycloak, it sends a POST request to /k_logout. This results in a call to the HttpSessionManager.logoutHttpSessions method with the session id passed in as an argument. This method attempts to look up the session in the hashmap and call the invalidate() method.
>
> The problem is that by default the HttpSessionManager class isn't receiving the session create events. You need to configure it as a listener in web.xml to enable that. But even if you do that it still doesn't work, because the servlet container will create an instance of the class, but spring will also create another instance when creating the keycloak beans, and this new instance is the one passed into the KeycloakPreAuthActionsFilter constructor. So the instance that is created by the servlet container is the one receiving the session create events, and the one used by spring isn't receiving any events but is the one used to do the logoutHttpSessions() call. The spring instance has no sessions in the hashmap, so logoutHttpSessions() does nothing.
>
> The fix is to make a new version of HttpSessionManager that implements org.keycloak.adapters.spi.UserSessionManagement and org.springframework.context.ApplicationListener, which is a spring interface that receives session create/destroy events. In web.xml you need to register org.springframework.security.web.session.HttpSessionEventPublisher as a listener so spring will receive those events from the servlet container. Then in the spring config, you need the KeycloakPreAuthActionsFilter to be initialized with the new HttpSessionManager instead of the default one.
>
> The HttpSessionManager class that works for me is below:
>
>     package my.keycloak;
>
>     import java.util.List;
>
>     import javax.servlet.http.HttpSession;
>
>     import org.keycloak.adapters.spi.UserSessionManagement;
>     import org.keycloak.adapters.springsecurity.management.LocalSessionManagementStrategy;
>     import org.keycloak.adapters.springsecurity.management.SessionManagementStrategy;
>     import org.slf4j.Logger;
>     import org.slf4j.LoggerFactory;
>     import org.springframework.context.ApplicationEvent;
>     import org.springframework.context.ApplicationListener;
>     import org.springframework.security.web.session.HttpSessionCreatedEvent;
>     import org.springframework.security.web.session.HttpSessionDestroyedEvent;
>
>     public class HttpSessionManager implements UserSessionManagement, ApplicationListener<ApplicationEvent> {
>
>         private static final Logger log = LoggerFactory.getLogger(HttpSessionManager.class);
>         private SessionManagementStrategy sessions = new LocalSessionManagementStrategy();
>
>         @Override
>         public void logoutAll() {
>             log.info("Received request to log out all users.");
>             for (HttpSession session : sessions.getAll()) {
>                 session.invalidate();
>             }
>             sessions.clear();
>         }
>
>         @Override
>         public void logoutHttpSessions(List<String> ids) {
>             log.info("Received request to log out {} session(s): {}", ids.size(), ids);
>             for (String id : ids) {
>                 HttpSession session = sessions.remove(id);
>                 if (session != null) {
>                     session.invalidate();
>                 }
>             }
>             sessions.clear();
>         }
>
>         @Override
>         public void onApplicationEvent(ApplicationEvent event) {
>             if (event instanceof HttpSessionCreatedEvent) {
>                 HttpSessionCreatedEvent e = (HttpSessionCreatedEvent) event;
>                 HttpSession session = e.getSession();
>                 log.debug("Session created: {}", session.getId());
>                 sessions.store(session);
>             } else if (event instanceof HttpSessionDestroyedEvent) {
>                 HttpSessionDestroyedEvent e = (HttpSessionDestroyedEvent) event;
>                 HttpSession session = e.getSession();
>                 sessions.remove(session.getId());
>                 log.debug("Session destroyed: {}", session.getId());
>             }
>         }
>     }
>
> The keycloak config changes are below:
>
>     @Configuration
>     @EnableWebSecurity
>     @ComponentScan(basePackageClasses = KeycloakSecurityComponents.class)
>     public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
>
>         @Autowired
>         public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
>             auth.authenticationProvider(keycloakAuthenticationProvider());
>         }
>
>         @Override
>         protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
>             return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
>         }
>
>         @Bean
>         protected KeycloakPreAuthActionsFilter keycloakPreAuthActionsFilter() {
>             return new KeycloakPreAuthActionsFilter(springHttpSessionManager());
>         }
>
>         @Bean
>         protected my.keycloak.HttpSessionManager springHttpSessionManager() {
>             return new my.keycloak.HttpSessionManager();
>         }
>
>         @Override
>         protected void configure(HttpSecurity http) throws Exception {
>             super.configure(http);
>
>             http
>                 .logout()
>                     .logoutRequestMatcher(new AntPathRequestMatcher("/sso/logout"))
>                 .and()
>                 .authorizeRequests()
>                     .antMatchers("/user*").authenticated()
>                     .anyRequest().permitAll();
>         }
>     }
>
> and web.xml needs this added to it:
>
>     <listener>
>         <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
>     </listener>
>
> After making the above changes, log out from the keycloak admin console works as expected.
>
> Regards,
>
> Anthony Fryer
End of keycloak-user Digest, Vol 27, Issue 98
*********************************************

From glaissard at axway.com Fri Apr 8 09:02:07 2016
From: glaissard at axway.com (Gerard Laissard)
Date: Fri, 8 Apr 2016 13:02:07 +0000
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
In-Reply-To:
References: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int>
Message-ID: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1DD7@WPHXMAIL1.phx.axway.int>

Thanks for the help.

I did change standalone/configuration/keycloak-server.json to have

"userSessionPersister": { "provider": "disabled" }

Server 1.9.0 now starts, but in the admin UI I cannot access clients and some users (still the same error). Only one realm is affected: the one I played with "Scope Param Required".

I tried to export that realm, but it fails.

I installed 1.9.1, but as I do not have an export of the failing realm, I'm not sure I will be able to reproduce.

Gerard

From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Thursday 7 April 2016 23:21
To: Gerard Laissard; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]

It seems related to https://issues.jboss.org/browse/KEYCLOAK-2431. Does the same happen with 1.9.1.Final?

On Thu, Apr 7, 2016 at 6:26 AM Gerard Laissard wrote:

Team,

Keycloak server 1.9.0 fails to start.

Yesterday, I did try to play with client/role: Scope Param Required, without any success.

I got a server java.lang.StackOverflowError.
I stopped the server.

Today when I start the server, I have:

10:51:50,948 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] (ServerService Thread Pool -- 52) ExecutionException when computed future. Errors: 1: java.util.concurrent.ExecutionException: java.lang.StackOverflowError
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.util.concurrent.FutureTask.get(FutureTask.java:192)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:197)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:88)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.run(InfinispanUserSessionProviderFactory.java:91)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:82)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:71)
    at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:63)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.StackOverflowError
    at org.jboss.jca.adapters.jdbc.WrappedConnection.checkException(WrappedConnection.java:1958)
    at org.jboss.jca.adapters.jdbc.WrappedStatement.checkException(WrappedStatement.java:1446)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:509)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:2116)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1899)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875)
    at org.hibernate.loader.Loader.doQuery(Loader.java:919)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336)
    at org.hibernate.loader.Loader.doList(Loader.java:2611)
    at org.hibernate.loader.Loader.doList(Loader.java:2594)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423)
    at org.hibernate.loader.Loader.list(Loader.java:2418)
    at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371)
    at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216)
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326)
    at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
    at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
    at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:246)
    at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
    ...

What should I do?

Thanks

Gerard

From bruno at abstractj.org Fri Apr 8 09:53:33 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 08 Apr 2016 13:53:33 +0000
Subject: [keycloak-user] Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In-Reply-To:
References:
Message-ID:

Hi Juan, if we are talking about Comodo instead of Komodo (because I never heard about it, to be honest): have you added the certificate[1]? In some situations[2] it is not mandatory, but it pretty much depends on your environment.

[1] - https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/37/certificate-installation-java-based-web-servers-tomcat-using-keytool
[2] - https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/296/17/are-your-roots-included-in-any-java-release

On Thu, Apr 7, 2016 at 8:25 PM Juan Diego wrote:
> I installed a keycloak server on amazon and bought a cert from Komodo.
> And I was testing my app from my localhost, so my webapp in jsf is supposed to log against that server and it seems to work. I modified my web.xml so the login-config uses keycloak.
>
> I thought my localserver ssl was the problem but I disabled CONFIDENTIAL
>
> But I got the same error.
>
> 17:49:20,443 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-49) failed to turn code into token: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
>     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
>     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
>     at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
>     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
>     at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>     at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>     at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>     at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>     at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>     at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>     at sun.security.validator.Validator.validate(Validator.java:260)
>     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
>     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
>     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
>     ... 56 more
> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
>     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
>     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
>     ... 62 more
>
> From what I understand, it is because my Java doesn't perceive my cert as a proper CA-signed cert.
>
> Thanks,
>
> Juan diego

From mposolda at redhat.com Fri Apr 8 10:16:44 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 8 Apr 2016 16:16:44 +0200
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
In-Reply-To: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1DD7@WPHXMAIL1.phx.axway.int>
References: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int> <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1DD7@WPHXMAIL1.phx.axway.int>
Message-ID: <5707BD4C.4050902@redhat.com>

There are a lot of caching fixes in 1.9.1 and even more in latest master (or the 1.9.x branch). There is a high chance this StackOverflowError is already fixed. So if you have the opportunity to upgrade to 1.9.1 (or even better to latest master or the 1.9.x branch, but that requires you to build keycloak) and try it there, it will be cool.

Are you on the H2 database? If so, I think the trick to upgrade the database might be to just copy the files from one server to another.
Something like:

cp -r $KEYCLOAK_190_HOME/standalone/data/keycloak.* $KEYCLOAK_LATEST_MASTER_HOME/standalone/data/

Marek

On 08/04/16 15:02, Gerard Laissard wrote:
> Thanks for the help.
>
> I did change standalone/configuration/keycloak-server.json to have
>
> "userSessionPersister": { "provider": "disabled" }
>
> Server 1.9.0 now starts, but in the admin UI I cannot access clients and some users (still the same error). Only one realm is affected: the one I played with "Scope Param Required".
>
> I tried to export that realm, but it fails.
>
> I installed 1.9.1, but as I do not have an export of the failing realm, I'm not sure I will be able to reproduce.
>
> Gerard
From glaissard at axway.com Fri Apr 8 10:49:35 2016
From: glaissard at axway.com (Gerard Laissard)
Date: Fri, 8 Apr 2016 14:49:35 +0000
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
In-Reply-To: <5707BD4C.4050902@redhat.com>
References: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int> <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1DD7@WPHXMAIL1.phx.axway.int> <5707BD4C.4050902@redhat.com>
Message-ID: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1E74@WPHXMAIL1.phx.axway.int>

Marek,

I'm using H2. I did the trick you proposed by copying the keycloak.* files on 1.9.1.
No change on 1.9.1: same behavior.
Will try with the 1.9.x branch.

Inside the error, it loops on:

at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:620)
at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:142)
at org.keycloak.models.cache.infinispan.StreamCacheRealmProvider.getRoleById(StreamCacheRealmProvider.java:667)
at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:542)
at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
at org.keycloak.models.cache.infinispan.entities.CachedClient.<init>(CachedClient.java:95)
at org.keycloak.models.cache.infinispan.StreamCacheRealmProvider.getClientById(StreamCacheRealmProvider.java:847)
at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:620)
at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:142)
at org.keycloak.models.cache.infinispan.StreamCacheRealmProvider.getRoleById(StreamCacheRealmProvider.java:667)
at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:542)
at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
at org.keycloak.models.cache.infinispan.entities.CachedClient.<init>(CachedClient.java:95)
at org.keycloak.models.cache.infinispan.StreamCacheRealmProvider.getClientById(StreamCacheRealmProvider.java:847)

Gerard

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Friday, 8 April 2016 16:17
To: Gerard Laissard; Bruno Oliveira; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]

There are a lot of caching fixes in 1.9.1 and even more in latest master (or the 1.9.x branch). There is a high chance this StackOverflowError is already fixed.

So if you have the opportunity to upgrade to 1.9.1 (or even better to latest master or the 1.9.x branch, but that requires you to build keycloak) and try it there, it will be cool.

Are you on the H2 database? If so, I think the trick to upgrade the database might be to just copy files from one server to another. Something like:

cp -r $KEYCLOAK_190_HOME/standalone/data/keycloak.* $KEYCLOAK_LATEST_MASTER_HOME/standalone/data/

Marek

On 08/04/16 15:02, Gerard Laissard wrote:

Thanks for the help.

I did change standalone/configuration/keycloak-server.json to have

"userSessionPersister": { "provider": "disabled" }

Server 1.9.0 now starts, but with the admin UI I cannot access clients and some users (still the same error). Only one realm is affected: the one I played with "Scope Param Required".

I tried to export that realm, but it fails.

I installed 1.9.1 but as I do not have an export of the failing realm, I'm not sure I will be able to reproduce.

Gerard

From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Thursday, 7 April 2016 23:21
To: Gerard Laissard; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]

It seems related to https://issues.jboss.org/browse/KEYCLOAK-2431. Does the same happen with 1.9.1.Final?
On Thu, Apr 7, 2016 at 6:26 AM Gerard Laissard wrote:

Team,

Keycloak server 1.9.0 fails to start.

Yesterday, I did try to play with client/role: Scope Param Required, without any success.

I got a server java.lang.StackOverflowError.

I stopped the server.

Today when I start the server, I have:

10:51:50,948 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] (ServerService Thread Pool -- 52) ExecutionException when computed future. Errors: 1: java.util.concurrent.ExecutionException: java.lang.StackOverflowError
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:192)
at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:197)
at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:88)
at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.run(InfinispanUserSessionProviderFactory.java:91)
at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:82)
at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:71)
at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:63)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.StackOverflowError
at org.jboss.jca.adapters.jdbc.WrappedConnection.checkException(WrappedConnection.java:1958)
at org.jboss.jca.adapters.jdbc.WrappedStatement.checkException(WrappedStatement.java:1446)
at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:509)
at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
at org.hibernate.loader.Loader.getResultSet(Loader.java:2116)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1899)
at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875)
at org.hibernate.loader.Loader.doQuery(Loader.java:919)
at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336)
at org.hibernate.loader.Loader.doList(Loader.java:2611)
at org.hibernate.loader.Loader.doList(Loader.java:2594)
at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423)
at org.hibernate.loader.Loader.list(Loader.java:2418)
at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501)
at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371)
at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216)
at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326)
at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:246)
at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
...

What should I do?

Thanks

Gerard

From jaxley at expedia.com Fri Apr 8 11:47:15 2016
From: jaxley at expedia.com (Jason Axley)
Date: Fri, 8 Apr 2016 15:47:15 +0000
Subject: [keycloak-user] SSO amongst two realms
In-Reply-To:
References: <56CEAC60.2030105@redhat.com> <56151A13-44C7-4715-8EE9-A3498E4863F9@expedia.com>
Message-ID: <03E7242B-F5FD-4593-84CC-26D8B8863A42@expedia.com>

Assume these are the users in each realm:

realm1 : [ "jaxley", "nancy" ]
realm2 : [ "LDAP:foouser at example.org", "SAML:baruser at example.org" ]

If realm1 configuration == "Authenticate against realm2 with fallback to local realm (realm1)"
AND a user tries to log in, then authenticate the user against realm2 first (internally); if the user is not found or fails, try against the local realm realm1. If that succeeds, that is the user and they are now authenticated.

Thus, if foouser at example.org tried to log into realm1, they would be tried in realm2 first (their home realm).
But if "jaxley" tried to log into realm1, an attempt would be made against realm2 and fail (no "jaxley" there), then an attempt against realm1 would be made. If that succeeds, that is the user and they are now authenticated.

What I want to be able to do is to maintain a set of users inside a Keycloak realm, but I want to still be able to create multiple additional realms to represent different configurations (e.g. internal-facing vs. external-facing). The challenge is how, when applications use those additional realms to authenticate, we can seamlessly allow authentication in our preferred order of searching. I'd hate to have the official answer be to use the APIs to write a login UI ourselves...

This kind of "preferred order of authentication sources" capability as a declarative configuration option is a feature of many commercial IdM and authentication tools. The conflict between users with the same login ID across realms is either resolved by fully qualifying the user IDs or by using the search order to make some sources weighted higher in the search path so those win.

-Jason

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Thursday, April 7, 2016 at 10:05 PM
To: Jason Axley
Cc: Marek Posolda, Sarp Kaya, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] SSO amongst two realms

Can you elaborate on how you imagine "fallback to the local realm" would work?

On 7 April 2016 at 21:59, Jason Axley wrote:

Could you possibly support "Authenticate by default" with a "fallback to the local realm"?
It would be nice to have certain users attached to a particular realm realm1 but have Keycloak internally attempt to authenticate first against another realm so you can get the effect of a union of the users across the two realms. The user experience with the federation buttons as an alternative exposes this configuration complexity to the user, and I'd prefer to not have to do that.

-Jason

From: (address scrubbed) on behalf of Marek Posolda
Date: Wednesday, February 24, 2016 at 11:25 PM
To: Sarp Kaya, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] SSO amongst two realms

It's possible to achieve something like this with an identity provider. You can create an identityProvider in realm2, which will authenticate against realm1. In that case, there will be a button in the login screen of realm2 like "Login with realm1" and when the user clicks on this, he will be logged in automatically. There is also the possibility to use the switch "Authenticate by default" in the identity provider; then the login screen of realm2 won't be shown, but instead it will always automatically redirect to the realm1 login screen.

The thing is that you will end up with duplicated user accounts (the account of user "john" will be in both realm1 and realm2). AFAIK we plan to improve this in the future to make this use-case more "friendly", as more people ask about that.

Marek

On 25/02/16 01:39, Sarp Kaya wrote:

Hi,

I want to know whether it is possible to have SSO amongst two realms. I.e. user 1 logs in to an app1 that auths against realm1, then user 1 tries to use app2 which auths against realm2, which should work fine as user 1 logged into realm1 before and it should SSO into app2 fine.

If this is possible then what would be the setup like?

Kind Regards,
Sarp

From bburke at redhat.com Fri Apr 8 11:58:28 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 8 Apr 2016 11:58:28 -0400
Subject: [keycloak-user] SSO amongst two realms
In-Reply-To: <03E7242B-F5FD-4593-84CC-26D8B8863A42@expedia.com>
References: <56CEAC60.2030105@redhat.com> <56151A13-44C7-4715-8EE9-A3498E4863F9@expedia.com> <03E7242B-F5FD-4593-84CC-26D8B8863A42@expedia.com>
Message-ID: <5707D524.4080404@redhat.com>

Right now you can federate user storage from one or more sources (including keycloak storage). But it has zero sophistication for ordering other than whichever one is listed first. And there is no SPI to plug into to do this. We hope to get back to feature development soon, but we're currently busy polishing up our current codebase.

On 4/8/2016 11:47 AM, Jason Axley wrote:
> Assume these are the users in each realm:
>
> realm1 : [ "jaxley", "nancy" ]
> realm2 : [ "LDAP:foouser at example.org", "SAML:baruser at example.org" ]
>
> If realm1 configuration == "Authenticate against realm2 with fallback to local realm (realm1)"
> AND a user tries to log in, then authenticate the user against realm2 first (internally); if the user is not found or fails, try against the local realm realm1. If that succeeds, that is the user and they are now authenticated.
>
> Thus, if foouser at example.org tried to log into realm1, they would be tried in realm2 first (their home realm).
> But if "jaxley"
> tried to log into realm1, an attempt would be made against realm2 and fail (no "jaxley" there), then an attempt against realm1 would be made. If that succeeds, that is the user and they are now authenticated.
>
> What I want to be able to do is to maintain a set of users inside a Keycloak realm, but I want to still be able to create multiple additional realms to represent different configurations (e.g. internal-facing vs. external-facing). The challenge is how, when applications use those additional realms to authenticate, we can seamlessly allow authentication in our preferred order of searching. I'd hate to have the official answer be to use the APIs to write a login UI ourselves...
>
> This kind of "preferred order of authentication sources" capability as a declarative configuration option is a feature of many commercial IdM and authentication tools. The conflict between users with the same login ID across realms is either resolved by fully qualifying the user IDs or by using the search order to make some sources weighted higher in the search path so those win.
>
> -Jason
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Thursday, April 7, 2016 at 10:05 PM
> To: Jason Axley
> Cc: Marek Posolda, Sarp Kaya, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] SSO amongst two realms
>
> Can you elaborate on how you imagine "fallback to the local realm" would work?
>
> On 7 April 2016 at 21:59, Jason Axley wrote:
>
> Could you possibly support "Authenticate by default" with a "fallback to the local realm"? It would be nice to have certain users attached to a particular realm realm1 but have Keycloak internally attempt to authenticate first against another realm so you can get the effect of a union of the users across the two realms. The user experience with the federation buttons as an alternative exposes this configuration complexity to the user, and I'd prefer to not have to do that.
>
> -Jason
>
> From: (address scrubbed) on behalf of Marek Posolda
> Date: Wednesday, February 24, 2016 at 11:25 PM
> To: Sarp Kaya, "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] SSO amongst two realms
>
> It's possible to achieve something like this with an identity provider. You can create an identityProvider in realm2, which will authenticate against realm1. In that case, there will be a button in the login screen of realm2 like "Login with realm1" and when the user clicks on this, he will be logged in automatically. There is also the possibility to use the switch "Authenticate by default" in the identity provider; then the login screen of realm2 won't be shown, but instead it will always automatically redirect to the realm1 login screen.
>
> The thing is that you will end up with duplicated user accounts (the account of user "john" will be in both realm1 and realm2). AFAIK we plan to improve this in the future to make this use-case more "friendly", as more people ask about that.
>
> Marek
>
> On 25/02/16 01:39, Sarp Kaya wrote:
>> Hi,
>>
>> I want to know whether it is possible to have SSO amongst two realms. I.e. user 1 logs in to an app1 that auths against realm1, then user 1 tries to use app2 which auths against realm2, which should work fine as user 1 logged into realm1 before and it should SSO into app2 fine.
>>
>> If this is possible then what would be the setup like?
>>
>> Kind Regards,
>> Sarp

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From bburke at redhat.com Fri Apr 8 12:07:34 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 8 Apr 2016 12:07:34 -0400
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
In-Reply-To: <5707BD4C.4050902@redhat.com>
References: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int> <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1DD7@WPHXMAIL1.phx.axway.int> <5707BD4C.4050902@redhat.com>
Message-ID: <5707D746.2030408@redhat.com>

Log a jira and schedule it for 1.9.1. I'll look into it for 1.9.2 after I finish this reorg of public/private apis.

On 4/8/2016 10:16 AM, Marek Posolda wrote:
> There are a lot of caching fixes in 1.9.1 and even more in latest master (or the 1.9.x branch). There is a high chance this StackOverflowError is already fixed.
>
> So if you have the opportunity to upgrade to 1.9.1 (or even better to latest master or the 1.9.x branch, but that requires you to build keycloak) and try it there, it will be cool.
>
> Are you on the H2 database? If so, I think the trick to upgrade the database might be to just copy files from one server to another.
> Something like:
>
> cp -r $KEYCLOAK_190_HOME/standalone/data/keycloak.* $KEYCLOAK_LATEST_MASTER_HOME/standalone/data/
>
> Marek
>
> On 08/04/16 15:02, Gerard Laissard wrote:
>> Thanks for the help.
>>
>> I did change standalone/configuration/keycloak-server.json to have
>>
>> "userSessionPersister": { "provider": "disabled" }
>>
>> Server 1.9.0 now starts, but with the admin UI I cannot access clients and some users (still the same error). Only one realm is affected: the one I played with "Scope Param Required".
>>
>> I tried to export that realm, but it fails.
>>
>> I installed 1.9.1 but as I do not have an export of the failing realm, I'm not sure I will be able to reproduce.
>>
>> Gerard
>>
>> From: Bruno Oliveira [mailto:bruno at abstractj.org]
>> Sent: Thursday, 7 April 2016 23:21
>> To: Gerard Laissard; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
>>
>> It seems related to https://issues.jboss.org/browse/KEYCLOAK-2431. Does the same happen with 1.9.1.Final?
>>
>> On Thu, Apr 7, 2016 at 6:26 AM Gerard Laissard wrote:
>>
>> Team,
>>
>> Keycloak server 1.9.0 fails to start.
>>
>> Yesterday, I did try to play with client/role: Scope Param Required, without any success.
>>
>> I got a server java.lang.StackOverflowError.
>>
>> I stopped the server.
>>
>> Today when I start the server, I have:
>>
>> 10:51:50,948 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] (ServerService Thread Pool -- 52) ExecutionException when computed future. Errors: 1: java.util.concurrent.ExecutionException: java.lang.StackOverflowError
>> at java.util.concurrent.FutureTask.report(FutureTask.java:122)
>> at java.util.concurrent.FutureTask.get(FutureTask.java:192)
>> at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:197)
>> at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:88)
>> at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.run(InfinispanUserSessionProviderFactory.java:91)
>> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
>> at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:82)
>> at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:71)
>> at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:63)
>> at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:141)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
>> at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
>> at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
>> at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
>> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> Caused by: java.lang.StackOverflowError
>> at org.jboss.jca.adapters.jdbc.WrappedConnection.checkException(WrappedConnection.java:1958)
>> at org.jboss.jca.adapters.jdbc.WrappedStatement.checkException(WrappedStatement.java:1446)
>> at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:509)
>> at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
>> at org.hibernate.loader.Loader.getResultSet(Loader.java:2116)
>> at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1899)
>> at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875)
>> at org.hibernate.loader.Loader.doQuery(Loader.java:919)
>> at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336)
>> at org.hibernate.loader.Loader.doList(Loader.java:2611)
>> at org.hibernate.loader.Loader.doList(Loader.java:2594)
>> at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423)
>> at org.hibernate.loader.Loader.list(Loader.java:2418)
>> at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501)
>> at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371)
>> at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216)
>> at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326)
>> at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
>> at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
>> at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
>> at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:246)
>> at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
>> at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
>> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
>> at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
>> at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
>> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
>> at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
>> at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
>> at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
>> at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
>> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
>> at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
>> at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
>> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
>> at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
>> at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
>> at org.keycloak.models.cache.entities.CachedClient.<init>(CachedClient.java:98)
>> at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.<init>(RevisionedCachedClient.java:18)
>> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
>> at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
>> at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
>> at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
>> at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
>> at
org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) >> >> at >> org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) >> >> at >> org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18) >> >> at >> org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456) >> >> at >> org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631) >> >> at >> org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135) >> >> at >> org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397) >> >> at >> org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543) >> >> at >> org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249) >> >> at >> org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98) >> >> ? >> >> What should I do ? >> >> Thanks >> >> Gerard >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160408/3691597f/attachment-0001.html

From mposolda at redhat.com Fri Apr 8 16:30:11 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 8 Apr 2016 22:30:11 +0200
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
In-Reply-To: <5707D746.2030408@redhat.com>
References: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int> <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1DD7@WPHXMAIL1.phx.axway.int> <5707BD4C.4050902@redhat.com> <5707D746.2030408@redhat.com>
Message-ID: <570814D3.5080309@redhat.com>

Here it is https://issues.jboss.org/browse/KEYCLOAK-2790

Gerard, if you have the opportunity to try the latest 1.9.x, you can comment here or in JIRA whether you are still seeing this or not.

Thanks,
Marek

On 08/04/16 18:07, Bill Burke wrote:
> Log a jira and schedule it for 1.9.1. I'll look into it for 1.9.2 after I finish this reorg of public/private apis.
>
> On 4/8/2016 10:16 AM, Marek Posolda wrote:
>> There are a lot of caching fixes in 1.9.1 and even more in latest master (or the 1.9.x branch). There is a high chance this StackOverflowError is already fixed.
>>
>> So if you have the opportunity to upgrade to 1.9.1 (or even better to latest master or the 1.9.x branch, but that requires you to build keycloak) and try it there, it will be cool.
>>
>> Are you on the H2 database? If so, I think the trick to upgrade the database might be to just copy the files from one server to another.
>> Something like:
>>
>> cp -r $KEYCLOAK_190_HOME/standalone/data/keycloak.* $KEYCLOAK_LATEST_MASTER_HOME/standalone/data/
>>
>> Marek
>>
>> On 08/04/16 15:02, Gerard Laissard wrote:
>>>
>>> Thanks for the help
>>>
>>> I did change standalone/configuration/keycloak-server.json to have
>>>
>>> "userSessionPersister": { "provider": "disabled" }
>>>
>>> Server 1.9.0 now starts, but with the admin UI, I cannot access clients and some users (still the same error). Only one realm is affected: the one I played with "Scope Param Required".
>>>
>>> I tried to export that realm, but it fails
>>>
>>> I installed 1.9.1 but as I do not have an export of the failing realm, I'm not sure I will be able to reproduce.
>>>
>>> Gerard
>>>
>>> *From:* Bruno Oliveira [mailto:bruno at abstractj.org]
>>> *Sent:* jeudi 7 avril 2016 23:21
>>> *To:* Gerard Laissard; keycloak-user at lists.jboss.org
>>> *Subject:* Re: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
>>>
>>> It seems related to https://issues.jboss.org/browse/KEYCLOAK-2431. Does the same happen with 1.9.1.Final?
>>>
>>> On Thu, Apr 7, 2016 at 6:26 AM Gerard Laissard wrote:
>>>
>>> Team,
>>>
>>> Keycloak server 1.9.0 fails to start.
>>>
>>> Yesterday, I did try to play with client/role: Scope Param Required without any success.
>>>
>>> I got a server java.lang.StackOverflowError.
>>>
>>> I stopped the server
>>>
>>> Today when I start the server, I have:
>>>
>>> 10:51:50,948 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] (ServerService Thread Pool -- 52) ExecutionException when computed future.
>>> Errors: 1: java.util.concurrent.ExecutionException: java.lang.StackOverflowError
>>>     ...
>>>
>>> What should I do?
>>>
>>> Thanks
>>>
>>> Gerard
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160408/ed8c10d1/attachment-0001.html

From dirk.franssen at gmail.com Sun Apr 10 13:52:37 2016
From: dirk.franssen at gmail.com (Dirk Franssen)
Date: Sun, 10 Apr 2016 19:52:37 +0200
Subject: [keycloak-user] Rest api execute-actions-email does not redirect
In-Reply-To:
References:
Message-ID:

Stian, can you have a look at my question below?

Thanks,
Dirk

On Wed, Apr 6, 2016 at 4:05 PM, Dirk Franssen wrote:
> Hi all,
>
> I have created a user via the REST api with userActions RESET_PASSWORD and VERIFY_EMAIL. Subsequently I use the endpoint 'execute-actions-email' with the query-params 'client_id' and 'redirect_uri' for the action RESET_PASSWORD and VERIFY_EMAIL. The email is sent to the user, but it seems it does not take into account the query params. If the user sets his password via the link in the email, the page "Your account has been updated" is displayed without redirection nor a link to go to the application?
>
> Do I miss something?
>
> Kind regards,
> Dirk

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160410/0917a44a/attachment.html

From juraj.janosik77 at gmail.com Mon Apr 11 03:12:56 2016
From: juraj.janosik77 at gmail.com (Juraj Janosik)
Date: Mon, 11 Apr 2016 09:12:56 +0200
Subject: [keycloak-user] Admin REST API Get Users (and search) returns enabled user ("enabled":true) after "Max Login Failures" exceeded
In-Reply-To:
References:
Message-ID:

Jira issue for this: https://issues.jboss.org/browse/KEYCLOAK-2796

Best Regards,
Juraj

2016-04-08 8:19 GMT+02:00 Juraj Janosik:
> OK.
> Then in this case I can report an inconsistency in the displayed value of the parameter "enabled" between the following two admin REST API requests:
> 1. GET /admin/realms/{realm}/users/{id} => "enabled":false
>
> 2.1 GET /admin/realms/{realm}/users => "enabled":true
> 2.2 GET /admin/realms/{realm}/users?search={string} => "enabled":true
>
> And in the GUI Admin console the user is disabled after Max Login Failure attempts.
>
> Thanks.
> Juraj
>
> 2016-04-07 15:48 GMT+02:00 Stian Thorgersen:
>
>> User#enabled is only used for users that are manually disabled by an admin and not for users temporarily disabled by brute force protection, so this is expected behavior.
>>
>> On 7 April 2016 at 14:18, Juraj Janosik wrote:
>>
>>> Hi,
>>>
>>> is the following issue known in the community? (see description below)
>>>
>>> *Prerequisites:*
>>> 1. Keycloak 1.9.1.Final, CentOS7, Oracle12c
>>> 2. User disabled after "Max Login Failure" attempts.
>>>
>>> *Observed behavior:*
>>> 1. User displayed correctly as disabled ("enabled":false) via Get Representation of the user
>>>    GET /admin/realms/{realm}/users/{id}
>>>
>>> 2. User displayed correctly as disabled ("disabled":true) via
>>>    GET /admin/realms/{realm}/attack-detection/brute-force/usernames/{username}
>>>
>>> 3.
>>> User not displayed correctly ("enabled":true) via Get users (list of all users and search)
>>>    GET /admin/realms/{realm}/users
>>>    GET /admin/realms/{realm}/users?search={string}
>>>
>>> Thanks a lot.
>>>
>>> Best Regards,
>>> Juraj
>>>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/d6af1aa8/attachment.html

From unimaginablydull at gmail.com Mon Apr 11 09:29:30 2016
From: unimaginablydull at gmail.com (Jon Rathbone)
Date: Mon, 11 Apr 2016 14:29:30 +0100
Subject: [keycloak-user] Keycloak Integration with WSO2
Message-ID: <9B769CD2-4F56-4792-8747-ECD8223191F0@gmail.com>

Hi there,

I'm trying to understand if it is possible to integrate KeyCloak with WSO2.

The context is that I have one suite of applications with SSO using KeyCloak, and I have a requirement to integrate that suite of applications with another, which is using WSO2 as an identity provider for SSO. At this stage I don't need to achieve SSO across both app suites with this solution, although that might be required in the future.

I'd like to understand if it is possible to use Keycloak to federate out to WSO2 for IDP. I think the answer is yes, based on what I've read, but my searching hasn't turned up any concrete examples.

Has anyone done this, or have enough experience with the respective products to be confident that it would or wouldn't work?

If yes, what would be a good integration approach?

Sincere thanks.
Jon

From josh.cain at redhat.com Mon Apr 11 09:35:46 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Mon, 11 Apr 2016 08:35:46 -0500
Subject: [keycloak-user] Realm Export in Clustered Environment
Message-ID:

Hi All,

We're looking to take nightly realm backups of a clustered Keycloak deployment via the realm export feature. However, in reading through the docs, I came across this statement:

The fact it's done at server startup means that no-one can access Keycloak UI or REST endpoints and edit Keycloak database on the fly when export or import is in progress. Otherwise it could lead to inconsistent results.

What are the implications for this in a clustered environment? We were planning to take a single server down and use it for realm export. Will this operation be reliable with other servers running?

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/16ea3783/attachment.html

From mposolda at redhat.com Mon Apr 11 11:46:43 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 11 Apr 2016 17:46:43 +0200
Subject: [keycloak-user] Realm Export in Clustered Environment
In-Reply-To:
References:
Message-ID: <570BC6E3.1070500@redhat.com>

On 11/04/16 15:35, Josh Cain wrote:
> Hi All,
>
> We're looking to take nightly realm backups of a clustered Keycloak deployment via the realm export feature. However, in reading through the docs, I came across this statement:
>
> The fact it's done at server startup means that no-one can access Keycloak UI or REST endpoints and edit Keycloak database on the fly when export or import is in progress. Otherwise it could lead to inconsistent results.
>
> What are the implications for this in a clustered environment? We were planning to take a single server down and use it for realm export.
> Will this operation be reliable with other servers running?

Depends on which level of consistency you want to achieve. In theory, it might not be so bad. But note that in your case, node2 will be doing the export while node1 still receives requests from users. This can lead to possible inconsistencies.

For example, some user decides that he doesn't trust Facebook login, so he is going to set a password instead of the Facebook link. So he will do these actions quickly in account management:
- Set his password in the account mgmt page
- Remove the link to Facebook

Assuming the export is in progress, it can happen that the user is exported without a password and also without federationLinks, so after reimport he won't be able to login anymore.

Marek

>
> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/f4711589/attachment-0001.html

From mposolda at redhat.com Mon Apr 11 11:56:03 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 11 Apr 2016 17:56:03 +0200
Subject: [keycloak-user] Keycloak Integration with WSO2
In-Reply-To: <9B769CD2-4F56-4792-8747-ECD8223191F0@gmail.com>
References: <9B769CD2-4F56-4792-8747-ECD8223191F0@gmail.com>
Message-ID: <570BC913.60109@redhat.com>

It seems that it should work. WSO2 is supposed to support both OpenID Connect and SAML, so you can set up a WSO2-based identity provider in the Keycloak admin console (either OpenID Connect or SAML2 based) and integrate it. See the Keycloak docs on identity providers for more details.

Marek

On 11/04/16 15:29, Jon Rathbone wrote:
> Hi there,
>
> I'm trying to understand if it is possible to integrate KeyCloak with WSO2.
>
> The context is that I have one suite of applications with SSO using KeyCloak, and I have a requirement to integrate that suite of applications with another, which is using WSO2 as an identity provider for SSO. At this stage I don't need to achieve SSO across both app suites with this solution, although that might be required in the future.
>
> I'd like to understand if it is possible to use Keycloak to federate out to WSO2 for IDP. I think the answer is yes, based on what I've read, but my searching hasn't turned up any concrete examples.
>
> Has anyone done this, or have enough experience with the respective products to be confident that it would or wouldn't work?
>
> If yes, what would be a good integration approach?
>
> Sincere thanks.
>
> Jon

From josh.cain at redhat.com Mon Apr 11 12:30:37 2016
From: josh.cain at redhat.com (Josh Cain)
Date: Mon, 11 Apr 2016 11:30:37 -0500
Subject: [keycloak-user] Realm Export in Clustered Environment
In-Reply-To: <570BC6E3.1070500@redhat.com>
References: <570BC6E3.1070500@redhat.com>
Message-ID:

Hi Marek,

So to be clear - we're using this strictly for a configuration backup (no user data will be exported). And if I'm understanding you correctly, is it safe to assume that the exports will be clean as long as no administrators are actively making configuration changes during the export process?

Josh Cain | Software Applications Engineer
*Identity and Access Management*
*Red Hat*
+1 843-737-1735

On Mon, Apr 11, 2016 at 10:46 AM, Marek Posolda wrote:
> On 11/04/16 15:35, Josh Cain wrote:
>
> Hi All,
>
> We're looking to take nightly realm backups of a clustered Keycloak deployment via the realm export feature.
> However, in reading through the docs, I came across this statement:
>
> The fact it's done at server startup means that no-one can access Keycloak UI or REST endpoints and edit Keycloak database on the fly when export or import is in progress. Otherwise it could lead to inconsistent results.
>
> What are the implications for this in a clustered environment? We were planning to take a single server down and use it for realm export. Will this operation be reliable with other servers running?
>
> Depends on which level of consistency you want to achieve. In theory, it might not be so bad. But note that in your case, node2 will be doing the export while node1 still receives requests from users. This can lead to possible inconsistencies.
>
> For example, some user decides that he doesn't trust Facebook login, so he is going to set a password instead of the Facebook link. So he will do these actions quickly in account management:
> - Set his password in the account mgmt page
> - Remove the link to Facebook
>
> Assuming the export is in progress, it can happen that the user is exported without a password and also without federationLinks, so after reimport he won't be able to login anymore.
>
> Marek
>
>
> Josh Cain | Software Applications Engineer
> *Identity and Access Management*
> *Red Hat*
> +1 843-737-1735
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/1b4d68c8/attachment.html

From guus.der.kinderen at gmail.com Mon Apr 11 13:08:09 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Mon, 11 Apr 2016 19:08:09 +0200
Subject: [keycloak-user] Uniqueness of user properties
Message-ID:

Hello,

Keycloak uses a UUID value to identify a user.
Basic questions, through some form of configuration:
- Can more than two users exist that have an identical username?
- Can more than two users exist that have an identical email address?

Regards,
Guus

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/14f13565/attachment.html

From rllavallee at hotmail.com Mon Apr 11 13:37:42 2016
From: rllavallee at hotmail.com (Richard Lavallee)
Date: Mon, 11 Apr 2016 17:37:42 +0000
Subject: [keycloak-user] Question re Keycloak conflicting password policies
In-Reply-To:
References:
Message-ID:

Does anyone know the answer to this?

A keycloak admin may want to enforce a specific password policy for one APP but a different (and conflicting) password policy for another APP.

E.g. the first policy requires one special character whereas the second policy prohibits any special character. Is this supportable in Keycloak? I am thinking that two realms could be defined to do this, but wouldn't that defeat single-sign-on across the realms? Any thoughts?

-Richard

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160411/ac4af887/attachment.html

From juandiego83 at gmail.com Mon Apr 11 13:40:57 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Mon, 11 Apr 2016 12:40:57 -0500
Subject: [keycloak-user] syncing users in database with keycloak user
Message-ID:

Hi,

This is the first time I am using my users in another database, using keycloak. And I am not sure what is the best approach. I have my app that has a table users and other tables that depend on users. When I did my trials I was thinking of using the keycloak interface, but that got me thinking that I should manually add the users to my database in order for them to work, at least the ID of the user, and then match it to cookies once I loaded.
So the best approach I can think of is to create a login module or something in my app, and when I create users through my app they connect via REST to my keycloak server and "duplicate" the needed data on keycloak and my database. So if I need to delete something, both databases would be in sync, right? So if I want to add users to my app I shouldn't use the keycloak interface, I should use mine, right?

The other way I was thinking is that if it is the first time my users log in, my app triggers some functions that recreate what you have on keycloak.

Thanks

Juan Diego

From guus.der.kinderen at gmail.com Mon Apr 11 13:53:01 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Mon, 11 Apr 2016 19:53:01 +0200
Subject: [keycloak-user] Question re Keycloak conflicting password policies
In-Reply-To:
References:
Message-ID:

I don't know the answer, but: would it be valid to have a SSO solution in the first place, when the applications have conflicting password policies?

APP-A: You can't log in like that! I don't trust you, go away!
APP-B: Sure, come on in!
APP-A: Ah, I see you're a perfectly trusted user now!

- Guus

On 11 April 2016 at 19:37, Richard Lavallee wrote:
>
> Does anyone know the answer to this?
>
> A keycloak admin may want to enforce a specific password policy for one APP but a different (and conflicting) password policy for another APP.
>
> E.g. the first policy requires one special character whereas the second policy prohibits any special character. Is this supportable in Keycloak? I am thinking that two realms could be defined to do this, but wouldn't that defeat single-sign-on across the realms? Any thoughts?
>
> -Richard

From rllavallee at hotmail.com Mon Apr 11 14:49:45 2016
From: rllavallee at hotmail.com (Richard Lavallee)
Date: Mon, 11 Apr 2016 18:49:45 +0000
Subject: [keycloak-user] Question re Keycloak password / session policies
In-Reply-To:
References:
Message-ID:

Does Keycloak support the following requirements?

Password:
- Password should be changed every 60 days (configurable)
- If user enters password wrong three times account is locked out for 15 min (configurable)
- Password chosen should not be one of the previous 24 passwords
- Password should have a letter and a number
- Password should not have consecutive letters

Inactivity:
- Application session inactivity - default is 45 minutes (can be configured)
- Account inactivity - account inactivity is 30 days default (configurable)

-Richard

From mposolda at redhat.com Mon Apr 11 17:38:37 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 11 Apr 2016 23:38:37 +0200
Subject: [keycloak-user] Realm Export in Clustered Environment
In-Reply-To:
References: <570BC6E3.1070500@redhat.com>
Message-ID: <570C195D.2060901@redhat.com>

On 11/04/16 18:30, Josh Cain wrote:
> Hi Marek,
>
> So to be clear - we're using this strictly for a configuration backup (no user data will be exported). And if I'm understanding you correctly, is it safe to assume that the exports will be clean as long as no administrators are actively making configuration changes during the export process?
Hi Josh,

Yes, then I think it should be safe to assume, despite some corner cases (for example, if you have LDAP, the roles or groups from LDAP might be synced to the realm database during the first login of any user who is a member of a particular role/group. So if this login happens during export, the new roles/groups would be added during the export too).

Marek

> Josh Cain | Software Applications Engineer
> /Identity and Access Management/
> *Red Hat*
> +1 843-737-1735
>
> On Mon, Apr 11, 2016 at 10:46 AM, Marek Posolda wrote:
>
> On 11/04/16 15:35, Josh Cain wrote:
>> Hi All,
>>
>> We're looking to take nightly realm backups of a clustered Keycloak deployment via the realm export feature. However, in reading through the docs, I came across this statement:
>>
>> The fact it's done at server startup means that no-one can access Keycloak UI or REST endpoints and edit Keycloak database on the fly when export or import is in progress. Otherwise it could lead to inconsistent results.
>>
>> What are the implications for this in a clustered environment? We were planning to take a single server down and use it for realm export. Will this operation be reliable with other servers running?
> Depends on which level of consistency you want to achieve. In theory, it might not be so bad. But note that in your case, node2 will be doing the export while node1 still receives requests from users. This can lead to possible inconsistencies.
>
> For example, some user decides that he doesn't trust Facebook login, so he is going to set a password instead of the Facebook link. So he will do these actions quickly in account management:
> - Set his password in the account mgmt page
> - Remove the link to Facebook
>
> Assuming the export is in progress, it can happen that the user will be exported without a password and also without federationLinks, so after reimport he won't be able to log in anymore.
>
> Marek
>> Josh Cain | Software Applications Engineer
>> /Identity and Access Management/
>> *Red Hat*
>> +1 843-737-1735

From Anthony.Fryer at virginaustralia.com Mon Apr 11 18:48:42 2016
From: Anthony.Fryer at virginaustralia.com (Anthony Fryer)
Date: Mon, 11 Apr 2016 22:48:42 +0000
Subject: [keycloak-user] syncing users in database with keycloak user
In-Reply-To:
References:
Message-ID: <8EE3449CB6463C4FB0544A12CEA72DD7F6D3DB75@LDREXCEMXPRD02.virginblue.internal>

You should implement a User Federation Provider (https://keycloak.github.io/docs/userguide/keycloak-server/html/user_federation.html#d4e2875) that uses your external database.

Regards,

Anthony

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Juan Diego
Sent: Tuesday, 12 April 2016 3:41 AM
To: keycloak-user
Subject: [keycloak-user] syncing users in database with keycloak user

Hi,

This is the first time I am using my users in another database, using keycloak. And I am not sure what is the best approach.

I have my app that has a table users and other tables that depend on users. When I did my trials I was thinking of using the keycloak interface, but that got me thinking that I should manually add the users to my database in order for them to work, at least the ID of the user, and then match it to cookies once I loaded.

So the best approach I can think of is to create a login module or something in my app, and when I create users through my app they connect via REST to my keycloak server and "duplicate" the needed data on keycloak and my database.
So if I need to delete something, both databases would be in sync, right? So if I want to add users to my app I shouldn't use the keycloak interface, I should use mine, right?

The other way I was thinking is that if it is the first time my users log in, my app triggers some functions that recreate what you have on keycloak.

Thanks

Juan Diego
From nielsbne at gmail.com Mon Apr 11 18:50:24 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Tue, 12 Apr 2016 08:50:24 +1000
Subject: [keycloak-user] Uniqueness of user properties
In-Reply-To:
References:
Message-ID:

Hi Guus,

I can't see how you could manage non-uniqueness of the username, as you will need at least one user-side unique identifier to drive the forgot-password flow. But the option to have email non-unique has been discussed a while back in the user forum and there is this open Jira https://issues.jboss.org/browse/KEYCLOAK-2141.

We have been looking at non-unique emails and essentially one will have to remove the functionality of using email as a form of login from the login flow, leaving the user only able to use their assigned or selected username as an option. We have been trying to "hack" the codebase a bit but have not been too successful in getting keycloak to work properly with non-unique emails :( ...

Cheers,
Niels

On Tue, Apr 12, 2016 at 3:08 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
> Hello,
>
> Keycloak uses a UUID value to identify a user. Basic questions: through some form of configuration:
>
> - Can more than two users exist that have an identical username?
> - Can more than two users exist that have an identical email address?
>
> Regards,
>
> Guus
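As an added illustration of the point in Niels' reply above (example code written for this archive, not Keycloak's code or its user model), the following Python models a user store where usernames are always unique and e-mail uniqueness is a switch. It shows concretely why, once e-mails may repeat, an e-mail can no longer be accepted as a login identifier or as a forgot-password target, and the lookup has to fall back to the username. Class and function names are invented, and every user created below is constructed sample data.

```python
# Added example, not Keycloak code: a small user store in which usernames are
# always unique and e-mail uniqueness can be switched off, plus the login and
# forgot-password lookups that have to change once e-mails can repeat. Class
# and function names are invented for this illustration; users created in the
# usage block are constructed sample data.
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    id: str         # opaque identifier; never used as a login name
    username: str   # stored lower-cased, unique within the store
    email: str      # stored lower-cased, unique only if the store says so


class UserStore:
    def __init__(self, unique_email: bool = True):
        self.unique_email = unique_email
        self._users: Dict[str, User] = {}   # keyed by opaque id

    def add(self, username: str, email: str) -> User:
        uname, mail = username.strip().lower(), email.strip().lower()
        if self.find_by_username(uname) is not None:
            raise ValueError(f"username already taken: {username}")
        if self.unique_email and self.find_by_email(mail):
            raise ValueError(f"email already registered: {email}")
        user = User(id=str(uuid.uuid4()), username=uname, email=mail)
        self._users[user.id] = user
        return user

    def find_by_username(self, username: str) -> Optional[User]:
        wanted = username.strip().lower()
        return next((u for u in self._users.values() if u.username == wanted), None)

    def find_by_email(self, email: str) -> List[User]:
        wanted = email.strip().lower()
        return [u for u in self._users.values() if u.email == wanted]


def try_add(store: UserStore, username: str, email: str) -> Optional[User]:
    """add() that reports a uniqueness violation as None instead of raising."""
    try:
        return store.add(username, email)
    except ValueError:
        return None


def resolve_login(store: UserStore, identifier: str) -> Tuple[str, Optional[User]]:
    """Map the value typed into a login form to exactly one account.

    Returns (status, user):
      "ok"        exactly one account matched
      "not_found" nothing matched
      "ambiguous" the identifier is an e-mail shared by several accounts; the
                  flow must not pick one and has to ask for the username
                  instead (the consequence Niels describes above)
    """
    user = store.find_by_username(identifier)
    if user is not None:
        return "ok", user
    if "@" not in identifier:
        return "not_found", None
    matches = store.find_by_email(identifier)
    if len(matches) == 1:
        return "ok", matches[0]
    return ("not_found" if not matches else "ambiguous"), None


def password_reset_target(store: UserStore, identifier: str) -> Optional[User]:
    """Forgot-password needs one unambiguous account to send the link to; with
    non-unique e-mails only a username can guarantee that."""
    status, user = resolve_login(store, identifier)
    return user if status == "ok" else None


if __name__ == "__main__":
    store = UserStore(unique_email=False)          # constructed sample data
    store.add("alice", "shared@example.com")
    store.add("bob", "shared@example.com")
    store.add("carol", "carol@example.com")
    print(resolve_login(store, "shared@example.com")[0])       # ambiguous
    print(resolve_login(store, "carol@example.com")[0])        # ok
    print(password_reset_target(store, "shared@example.com"))  # None
```

The design choice worth noting is that an ambiguous e-mail is a distinct outcome, not a "not found": the reset flow refuses to send anything rather than guessing, and the login page can tell the user to enter a username instead, which is exactly the login-flow change the reply above says becomes necessary.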
From guus.der.kinderen at gmail.com Mon Apr 11 19:31:46 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Tue, 12 Apr 2016 01:31:46 +0200
Subject: [keycloak-user] Uniqueness of user properties
In-Reply-To:
References:
Message-ID:

Thanks for the feedback, Niels,

I am primarily concerned about the email address, but as another attribute than the username is used to identify things, I thought I'd make sure and include that in the question too.

At some point, my customer will probably want non-unique email addresses. It's good to know it's at least on the roadmap.

Regards,

Guus

On 12 April 2016 at 00:50, Niels Bertram wrote:
> Hi Guus,
>
> I can't see how you could manage non-uniqueness of the username, as you will need at least one user-side unique identifier to drive the forgot-password flow. But the option to have email non-unique has been discussed a while back in the user forum and there is this open Jira https://issues.jboss.org/browse/KEYCLOAK-2141.
>
> We have been looking at non-unique emails and essentially one will have to remove the functionality of using email as a form of login from the login flow, leaving the user only able to use their assigned or selected username as an option. We have been trying to "hack" the codebase a bit but have not been too successful in getting keycloak to work properly with non-unique emails :( ...
>
> Cheers,
> Niels
>
> On Tue, Apr 12, 2016 at 3:08 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>
>> Hello,
>>
>> Keycloak uses a UUID value to identify a user. Basic questions: through some form of configuration:
>>
>> - Can more than two users exist that have an identical username?
>> - Can more than two users exist that have an identical email address?
>>
>> Regards,
>>
>> Guus

From sthorger at redhat.com Tue Apr 12 00:31:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 06:31:26 +0200
Subject: [keycloak-user] Question re Keycloak conflicting password policies
In-Reply-To:
References:
Message-ID:

A password policy per app makes no sense in a SSO solution. However, step-up authentication does. For example one app requires the user to be logged in with password only, while another requires OTP as well. We're planning to add the latter at some point.

On 11 April 2016 at 19:53, Guus der Kinderen wrote:
> I don't know the answer, but: would it be valid to have a SSO solution in the first place, when the applications have conflicting password policies?
>
> APP-A: You can't log in like that! I don't trust you, go away!
> APP-B: Sure, come on in!
> APP-A: Ah, I see you're a perfectly trusted user now!
>
> - Guus
>
> On 11 April 2016 at 19:37, Richard Lavallee wrote:
>
>>
>> Does anyone know the answer to this?
>>
>> A keycloak admin may want to enforce a specific password policy for one APP but a different (and conflicting) password policy for another APP.
>>
>> E.g. the first policy requires one special character whereas the second policy prohibits any special character. Is this supportable in Keycloak? I am thinking that two realms could be defined to do this, but wouldn't that defeat single-sign-on across the realms? Any thoughts?
>>
>> -Richard

From sthorger at redhat.com Tue Apr 12 00:32:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 06:32:56 +0200
Subject: [keycloak-user] Uniqueness of user properties
In-Reply-To:
References:
Message-ID:

There's an option to enable users to change their username. Enabling that could result in a user renaming the username, then another user taking the same username. There's also the situation where a user with a specific username is deleted, then another user is created with the same username (maybe years after).

On 12 April 2016 at 01:31, Guus der Kinderen wrote:
> Thanks for the feedback, Niels,
>
> I am primarily concerned about the email address, but as another attribute than the username is used to identify things, I thought I'd make sure and include that in the question too.
>
> At some point, my customer will probably want non-unique email addresses. It's good to know it's at least on the roadmap.
>
> Regards,
>
> Guus
>
> On 12 April 2016 at 00:50, Niels Bertram wrote:
>
>> Hi Guus,
>>
>> I can't see how you could manage non-uniqueness of the username, as you will need at least one user-side unique identifier to drive the forgot-password flow. But the option to have email non-unique has been discussed a while back in the user forum and there is this open Jira https://issues.jboss.org/browse/KEYCLOAK-2141.
>>
>> We have been looking at non-unique emails and essentially one will have to remove the functionality of using email as a form of login from the login flow, leaving the user only able to use their assigned or selected username as an option. We have been trying to "hack" the codebase a bit but have not been too successful in getting keycloak to work properly with non-unique emails :( ...
>>
>> Cheers,
>> Niels
>>
>> On Tue, Apr 12, 2016 at 3:08 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>
>>> Hello,
>>>
>>> Keycloak uses a UUID value to identify a user. Basic questions: through some form of configuration:
>>>
>>> - Can more than two users exist that have an identical username?
>>> - Can more than two users exist that have an identical email address?
>>>
>>> Regards,
>>>
>>> Guus

From sthorger at redhat.com Tue Apr 12 00:37:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: [keycloak-user] Question re Keycloak password / session policies
In-Reply-To:
References:
Message-ID:

On 11 April 2016 at 20:49, Richard Lavallee wrote:
> Does Keycloak support the following requirements?
>
> *Password:*
>
> - Password should be changed every 60 days (configurable)

Yes

> - If user enters password wrong three times account is locked out for 15 min (configurable)

Yes

> - Password chosen should not be one of the previous 24 passwords

Yes

> - Password should have a letter and a number

Yes

> - Password should not have consecutive letters

Maybe, if you can come up with a way to write that as a regex (probably not though). We'll add the ability to create custom password policies in the future though.

>
> *Inactivity:*
>
> - Application session inactivity - default is 45 minutes (can be configured)

Yes, you can configure an idle timeout for a session. A session is idle if there are no app logins or token refreshes.

> - Account inactivity - account inactivity is 30 days default (configurable)

Yes

> -Richard

From sthorger at redhat.com Tue Apr 12 00:45:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 06:45:34 +0200
Subject: [keycloak-user] Rest api execute-actions-email does not redirect
In-Reply-To:
References:
Message-ID:

What you're doing looks correct to me, so most likely a bug. Can you create a JIRA please?

On 10 April 2016 at 19:52, Dirk Franssen wrote:
> Stian,
>
> can you have a look at my question below?
>
> Thanks,
>
> Dirk
>
> On Wed, Apr 6, 2016 at 4:05 PM, Dirk Franssen wrote:
>
>> Hi all,
>>
>> I have created a user via the REST api with userActions RESET_PASSWORD and VERIFY_EMAIL.
>> Subsequently I use the endpoint 'execute-actions-email' with the query params 'client_id' and 'redirect_uri' for the actions RESET_PASSWORD and VERIFY_EMAIL. The email is sent to the user, but it seems it does not take the query params into account. If the user sets his password via the link in the email, the page "Your account has been updated" is displayed without a redirection or a link to go to the application?
>>
>> Do I miss something?
>>
>> Kind regards,
>> Dirk

From sthorger at redhat.com Tue Apr 12 00:48:39 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 06:48:39 +0200
Subject: [keycloak-user] Logouts / how to disable keycloak "user session" cache?
In-Reply-To: <8E6D7F6B-C214-454F-BA0C-F8ECF4ECC894@smartling.com>
References: <8E6D7F6B-C214-454F-BA0C-F8ECF4ECC894@smartling.com>
Message-ID:

+1 to a "running Keycloak on AWS" section in the docs. Do you want to contribute that? Not sure about Docker images, we already have more than I'd like to maintain.

On 7 April 2016 at 22:56, Scott Rossillo wrote:
> Hi!
>
> We completed the final steps to getting this working on Amazon AWS with Docker using Keycloak 1.9.x. Since we already have a database, we used JDBC_PING so as not to add S3 as yet another dependency.
>
> The changes are here[0] for now. Would Keycloak devs be interested in adding a running Keycloak on AWS section or another sample docker image?
>
> There are 3 steps / files:
>
> 1. configureCache.xsl sets up Infinispan correctly
> 2. start.sh - Uses Amazon APIs via HTTP to get the correct instance IP information
> 3. 30_docker_ports.config - if using Docker, this shell script runs on deploy to expose the cluster port to the EC2 interface.
> Needed with Beanstalk, maybe not with ECS
>
> [0]: https://gist.github.com/foo4u/ad2fa7251ac5b4d4fd318f668f50f7ac
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo at smartling.com
>
> On Apr 7, 2016, at 6:44 AM, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>
> Hello,
>
> have a look at this thread:
> http://lists.jboss.org/pipermail/keycloak-user/2016-February/004935.html
>
> Cheers,
> Thomas
>
> 2016-04-07 12:40 GMT+02:00 Stian Thorgersen:
>
>> It is not currently possible to run multiple nodes without clustering. However, it's possible to configure JGroups to work on AWS. I can't remember the configuration required though, but if you search the user mailing list you'll find instructions, or google for JGroups and AWS.
>>
>> On 7 April 2016 at 10:22, Christian Schwarz wrote:
>>
>>> Hi!
>>>
>>> I'm trying to set up a keycloak cluster on AWS, which does not support UDP multicast. IP addresses of the nodes are also not known in advance (I'm using docker-cloud), so Infinispan/JGroups ("keycloak-ha-posgres" docker image) for user session replication will not work (it seems that it requires either UDP multicast or IP addresses known in advance).
>>>
>>> The main problem I have is that logout is not working properly. I only get logged out from one of the two keycloak nodes.
>>>
>>> I have tried to disable the user cache (by setting userCache.default.enabled = false) and to disable infinispan (by using the 'keycloak-postgres' docker image), but to no avail. The 'other' keycloak node still thinks that the user is logged in; it's not refreshing the user session from the database even if the user cache and infinispan cluster cache are disabled.
>>>
>>> => Is there a possibility of using the database as a synchronization point between keycloak nodes? (i.e.
>>> each node always checks logout status in the database)
>>> Or is there another way of getting a keycloak cluster up and running on AWS when IP addresses are not known in advance?
>>>
>>> I hope there is a way? :)
>>>
>>> Kind regards,
>>> Christian

From glaissard at axway.com Tue Apr 12 02:57:22 2016
From: glaissard at axway.com (Gerard Laissard)
Date: Tue, 12 Apr 2016 06:57:22 +0000
Subject: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]
In-Reply-To: <570814D3.5080309@redhat.com>
References: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD19A5@WPHXMAIL1.phx.axway.int> <4AC8C602867B3A4CB6F9F6BA4528DEE477CD1DD7@WPHXMAIL1.phx.axway.int> <5707BD4C.4050902@redhat.com> <5707D746.2030408@redhat.com> <570814D3.5080309@redhat.com>
Message-ID: <4AC8C602867B3A4CB6F9F6BA4528DEE477CD2272@WPHXMAIL1.phx.axway.int>

Marek,

I did build the Keycloak server from master yesterday (April 13th).

I still have the same issue on start when I use the failing database (by copying files as you suggested).

Therefore with a fresh install, I failed to recreate the stack overflow error. I'm not sure I redo the exact same scenario.
Gerard

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Friday 8 April 2016 22:30
To: Bill Burke; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]

Here it is https://issues.jboss.org/browse/KEYCLOAK-2790

Gerard, if you have the opportunity to try the latest 1.9.x, you can comment here or in JIRA whether you are still seeing this or not.

Thanks,
Marek

On 08/04/16 18:07, Bill Burke wrote:
Log a jira and schedule it for 1.9.1. I'll look into it for 1.9.2 after I finish this reorg of public/private apis.

On 4/8/2016 10:16 AM, Marek Posolda wrote:
There are a lot of caching fixes in 1.9.1 and even more in latest master (or the 1.9.x branch). There is a high chance this StackOverflowError is already fixed. So if you have the opportunity to upgrade to 1.9.1 (or even better to latest master or the 1.9.x branch, but that requires you to build keycloak) and try it there, it will be cool.

Are you on the H2 database? If so, I think the trick to upgrade the database might be to just copy the files from one server to another. Something like:

cp -r $KEYCLOAK_190_HOME/standalone/data/keycloak.* $KEYCLOAK_LATEST_MASTER_HOME/standalone/data/

Marek

On 08/04/16 15:02, Gerard Laissard wrote:
Thanks for the help

I did change standalone/configuration/keycloak-server.json to have

"userSessionPersister": { "provider": "disabled" }

Server 1.9.0 now starts, but with the admin UI I cannot access clients and some users (still the same error).

Only one realm is affected: the one I played with 'Scope Param Required'

I tried to export that realm, but it fails

I installed 1.9.1 but as I do not have an export of the failing realm, I'm not sure I will be able to reproduce.
Gerard

From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Thursday 7 April 2016 23:21
To: Gerard Laissard; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Server fails to start with java.lang.StackOverflowError on infinispan.initializer.InfinispanUserSessionInitializer]

It seems related to https://issues.jboss.org/browse/KEYCLOAK-2431. Does the same happen with 1.9.1.Final?

On Thu, Apr 7, 2016 at 6:26 AM Gerard Laissard wrote:
Team,

Keycloak server 1.9.0 fails to start.

Yesterday, I did try to play with client/role: Scope Param Required, without any success. I got a server java.lang.StackOverflowError. I stopped the server.

Today when I start the server, I have:

10:51:50,948 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer] (ServerService Thread Pool -- 52) ExecutionException when computed future. Errors: 1: java.util.concurrent.ExecutionException: java.lang.StackOverflowError
    at java.util.concurrent.FutureTask.report(FutureTask.java:122)
    at java.util.concurrent.FutureTask.get(FutureTask.java:192)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.startLoading(InfinispanUserSessionInitializer.java:197)
    at org.keycloak.models.sessions.infinispan.initializer.InfinispanUserSessionInitializer.loadPersistentSessions(InfinispanUserSessionInitializer.java:88)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$2.run(InfinispanUserSessionProviderFactory.java:91)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:280)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadPersistentSessions(InfinispanUserSessionProviderFactory.java:82)
    at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:71)
    at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:63)
    at org.keycloak.services.resources.KeycloakApplication.(KeycloakApplication.java:141)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.StackOverflowError
    at org.jboss.jca.adapters.jdbc.WrappedConnection.checkException(WrappedConnection.java:1958)
    at org.jboss.jca.adapters.jdbc.WrappedStatement.checkException(WrappedStatement.java:1446)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:509)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:2116)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1899)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875)
    at org.hibernate.loader.Loader.doQuery(Loader.java:919)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336)
    at org.hibernate.loader.Loader.doList(Loader.java:2611)
    at org.hibernate.loader.Loader.doList(Loader.java:2594)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423)
    at org.hibernate.loader.Loader.list(Loader.java:2418)
    at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371)
    at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216)
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326)
    at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
    at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
    at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:246)
    at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98)
    at org.keycloak.models.cache.infinispan.locking.entities.RevisionedCachedClient.(RevisionedCachedClient.java:18)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getClientById(LockingCacheRealmProvider.java:456)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getClientById(RealmAdapter.java:631)
    at org.keycloak.models.jpa.RoleAdapter.getContainer(RoleAdapter.java:135)
    at org.keycloak.models.cache.infinispan.locking.LockingCacheRealmProvider.getRoleById(LockingCacheRealmProvider.java:397)
    at org.keycloak.models.cache.infinispan.RealmAdapter.getRoleById(RealmAdapter.java:543)
    at org.keycloak.models.jpa.ClientAdapter.getScopeMappings(ClientAdapter.java:249)
    at org.keycloak.models.cache.entities.CachedClient.(CachedClient.java:98)
    ...

What should I do?

Thanks

Gerard

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
From guus.der.kinderen at gmail.com Tue Apr 12 02:58:35 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Tue, 12 Apr 2016 08:58:35 +0200
Subject: [keycloak-user] Uniqueness of user properties

Hmm... that rename route is disabled by default though?

Also, when deleting a user, are we guaranteed that all user artifacts are removed? I'd hate to see another user (years later) have access to things simply because he picked a previously used name. Then again, most artifacts (if not all) will probably be linked through the ID, not username.

On 12 April 2016 at 06:32, Stian Thorgersen wrote:
> There's an option to enable users to change their username. Enabling that could result in a user renaming the username, then another user taking the same username. There's also the situation where a user with a specific username is deleted, then another user is created with the same username (maybe years after).
>
> On 12 April 2016 at 01:31, Guus der Kinderen wrote:
>> Thanks for the feedback, Niels,
>>
>> I am primarily concerned about the email address, but as another attribute than the username is used to identify things, I thought I'd make sure and include that in the question too.
>>
>> At some point, my customer will probably want non-unique email addresses. It's good to know it's at least on the roadmap.
>>
>> Regards,
>>
>> Guus
>>
>> On 12 April 2016 at 00:50, Niels Bertram wrote:
>>> Hi Guus,
>>>
>>> I can't see how you could manage non-uniqueness of the username as you will need at least one user side unique identifier to drive the forgot password flow. But the option to have email non-unique has been discussed a while back in the user forum and there is this open Jira https://issues.jboss.org/browse/KEYCLOAK-2141.
>>>
>>> We have been looking at non-unique emails and essentially one will have to remove the functionality of using email as a form of login from the login flow, leaving the user to only be able to use their assigned or selected username as option. We have been trying to "hack" the codebase a bit but have not been too successful in getting keycloak to work properly with non-unique emails :( ...
>>>
>>> Cheers,
>>> Niels
>>>
>>> On Tue, Apr 12, 2016 at 3:08 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>>> Hello,
>>>>
>>>> Keycloak uses a UUID value to identify a user. Basic questions: through some form of configuration:
>>>>
>>>> - Can more than two users exist that have an identical username?
>>>> - Can more than two users exist that have an identical email address?
>>>>
>>>> Regards,
>>>>
>>>> Guus

From sthorger at redhat.com Tue Apr 12 03:03:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 09:03:15 +0200
Subject: [keycloak-user] Uniqueness of user properties

On 12 April 2016 at 08:58, Guus der Kinderen wrote:
> Hmm... that rename route is disabled by default though?

Yes

> Also, when deleting a user, are we guaranteed that all user artifacts are removed? I'd hate to see another user (years later) have access to things simply because he picked a previously used name.
> Then again, most artifacts (if not all) will probably be linked through the ID, not username.

Everything in Keycloak is linked through ID, not username. Obviously you may use username in your app rather than ID, in which case that may be a problem in your app. In that case you should probably disable a decommissioned user rather than disable or change your app.

From sthorger at redhat.com Tue Apr 12 03:04:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 09:04:01 +0200
Subject: [keycloak-user] Uniqueness of user properties

BTW this is the main reason token subject is User ID not username, to guarantee uniqueness over time.

On 12 April 2016 at 09:03, Stian Thorgersen wrote:
> On 12 April 2016 at 08:58, Guus der Kinderen wrote:
>> Hmm... that rename route is disabled by default though?
>
> Yes
>
>> Also, when deleting a user, are we guaranteed that all user artifacts are removed? I'd hate to see another user (years later) have access to things simply because he picked a previously used name.
>> Then again, most artifacts (if not all) will probably be linked through the ID, not username.
>
> Everything in Keycloak is linked through ID, not username. Obviously you may use username in your app rather than ID, in which case that may be a problem in your app. In that case you should probably disable a decommissioned user rather than disable or change your app.

From guus.der.kinderen at gmail.com Tue Apr 12 03:16:09 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Tue, 12 Apr 2016 09:16:09 +0200
Subject: [keycloak-user] Uniqueness of user properties

Yes, that makes sense.

In the way I use the admin client, I created a challenge in my application. Every time someone logs in, I simply delegate that attempt to Keycloak. I won't know if the user was deleted and recreated in the meantime. Pretty likely, the credentials will have changed, but that's not a good indicator to determine if the user attributes that I store in my app should be purged.
For now, all user management will be done in my app (propagating all changes to Keycloak), but at some point, this is going to hurt me...

On 12 April 2016 at 09:04, Stian Thorgersen wrote:
> BTW this is main reason token subject is User ID not username, to guarantee uniqueness over time.
From adrianmatei at gmail.com Tue Apr 12 03:42:56 2016
From: adrianmatei at gmail.com (Adrian Matei)
Date: Tue, 12 Apr 2016 09:42:56 +0200
Subject: [keycloak-user] b2b and b2c users best practices

Hi guys,

Our requirements are the following:

- login: one must decide if it is a business or normal user
- at registration business users might have extra attributes
- users are persisted in AD, in different OUs

I guess the cleanest solution would be to have different realms for each category of users, but our constraint is that our CMS, that is the client for the realm, can define only one Identity Provider (via SAML)...

Would like to hear your thoughts.

Thanks,
Adrian

From nielsbne at gmail.com Tue Apr 12 05:18:23 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Tue, 12 Apr 2016 19:18:23 +1000
Subject: [keycloak-user] Uniqueness of user properties

Stian, would we be able to collaborate on removing the uniqueness of email a bit further? We have non-unique emails for a very large number of accounts and can't use keycloak in its current form. In our case username is unique but email is not and never will be. From what I can see the following use cases would need consideration when making email non-unique.

- login (username or email): in case of email non-uniqueness, accepting email as login will need to be disabled
- forgot username: in this case one would not be able to recover a username if an email can be present in multiple accounts
- forgot password: accepting email as login will need to be disabled

Are there any other use cases that could be impacted?
Thanks
Niels

On Tue, Apr 12, 2016 at 5:16 PM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
> Yes, that makes sense.
>
> In the way I use the admin client, I created a challenge in my application. Every time someone logs in, I simply delegate that attempt to Keycloak. I won't know if the user was deleted and recreated in the meantime. Pretty likely, the credentials will have changed, but that's not a good indicator to determine if the user attributes that I store in my app should be purged.
>
> For now, all user management will be done in my app (propagating all changes to Keycloak), but at some point, this is going to hurt me...

From sthorger at redhat.com Tue Apr 12 07:01:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 12 Apr 2016 13:01:51 +0200
Subject: [keycloak-user] Uniqueness of user properties

We can consider adding the option to have non-unique email for 2.x. However, we may not have resources to implement it ourselves. Would you be interested in contributing?

In summary my idea is that a realm has an option on login to choose "username and email", "username" and "email". Further, the main email address on the user (UserModel#email) will remain unique and will be the only email address that is permitted for login. We'll then add an option to add additional email addresses as properties and allow sending of email to other email addresses than UserModel#email.

Please raise a separate mail on the developer mailing list to continue the discussion.

On 12 April 2016 at 11:18, Niels Bertram wrote:
> Stian, would we be able to collaborate on removing the uniqueness of email a bit further?
> We have non-unique emails for a very large number of accounts and can't use keycloak in its current form. In our case username is unique but email is not and never will be. From what I can see the following use cases would need consideration when making email non-unique.
>
> - login (username or email): in case of email non-uniqueness, accepting email as login will need to be disabled
> - forgot username: in this case one would not be able to recover a username if an email can be present in multiple accounts
> - forgot password: accepting email as login will need to be disabled
>
> Are there any other use cases that could be impacted?
>
> Thanks
> Niels
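The realm-level login option Stian sketches ("username and email", "username", "email") together with the three flows Niels lists, as an added example in Node.js that is not part of the thread and not Keycloak's code. The policy constant `LOGIN_WITH`, the functions `resolveLogin`, `forgotUsername` and `forgotPasswordTarget`, and the user table (two accounts deliberately sharing one mailbox) are all this example's own; they model the behaviour, not Keycloak's internal API.

```javascript
// Added example, not code from the thread or from Keycloak: resolving a login
// identifier under a per-realm policy when email addresses may be shared, and
// refusing to act on an ambiguous address in the forgot-username and
// forgot-password flows. Names and data are constructed for the example.
const LOGIN_WITH = Object.freeze({
  USERNAME_AND_EMAIL: "username and email",
  USERNAME: "username",
  EMAIL: "email",
});

// Constructed realm data: alice and bob share a mailbox; carol's is unique.
const USERS = [
  { id: "1b0f6c2e-0000-4000-8000-000000000001", username: "alice", email: "shared@example.test" },
  { id: "1b0f6c2e-0000-4000-8000-000000000002", username: "bob",   email: "shared@example.test" },
  { id: "1b0f6c2e-0000-4000-8000-000000000003", username: "carol", email: "carol@example.test" },
];

const norm = (s) => String(s).trim().toLowerCase();
const looksLikeEmail = (s) => s.includes("@");
const findByUsername = (users, id) => users.filter((u) => norm(u.username) === norm(id));
const findByEmail = (users, id) => users.filter((u) => norm(u.email) === norm(id));

// Resolve a login identifier under the realm policy. Returns { ok: true, user }
// or { ok: false, reason } where reason is "ambiguous" (more than one account
// matched, so the identifier must not be treated as a login) or "not_found".
function resolveLogin(users, policy, identifier) {
  const id = norm(identifier);
  let matches = [];
  if (policy === LOGIN_WITH.USERNAME || policy === LOGIN_WITH.USERNAME_AND_EMAIL) {
    matches = findByUsername(users, id);
  }
  const emailAllowed = policy === LOGIN_WITH.EMAIL || policy === LOGIN_WITH.USERNAME_AND_EMAIL;
  if (matches.length === 0 && emailAllowed && looksLikeEmail(id)) {
    matches = findByEmail(users, id);
  }
  if (matches.length === 1) return { ok: true, user: matches[0] };
  if (matches.length > 1) return { ok: false, reason: "ambiguous" };
  return { ok: false, reason: "not_found" };
}

// Forgot-username may only answer when exactly one account owns the address;
// otherwise the mail would disclose other people's usernames to whoever reads
// that mailbox.
function forgotUsername(users, email) {
  const matches = findByEmail(users, email);
  if (matches.length === 1) return { ok: true, username: matches[0].username };
  return { ok: false, reason: matches.length > 1 ? "ambiguous" : "not_found" };
}

// Forgot-password selects the account under the same policy as login, so with
// a shared address the caller has to supply the username. The reset mail goes
// to that account's own address.
function forgotPasswordTarget(users, policy, identifier) {
  const r = resolveLogin(users, policy, identifier);
  return r.ok ? { ok: true, userId: r.user.id, sendTo: r.user.email } : r;
}

module.exports = { LOGIN_WITH, USERS, resolveLogin, forgotUsername, forgotPasswordTarget };
```

With the policy set to "username", `shared@example.test` is simply not a login and both reset flows fall through to "not_found"; with "username and email" the same address resolves to two accounts and comes back "ambiguous" rather than picking the first row, which is the account-takeover path a naive implementation would open.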
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160412/319f077e/attachment.html From dirk.franssen at gmail.com Tue Apr 12 07:36:18 2016 From: dirk.franssen at gmail.com (Dirk Franssen) Date: Tue, 12 Apr 2016 13:36:18 +0200 Subject: [keycloak-user] Rest api execute-actions-email does not redirect In-Reply-To: References: Message-ID: done: https://issues.jboss.org/browse/KEYCLOAK-2806 On Tue, Apr 12, 2016 at 6:45 AM, Stian Thorgersen wrote: > What you're doing looks correct to me, so most likely a bug can you create > a JIRA please? > > On 10 April 2016 at 19:52, Dirk Franssen wrote: > >> Stian, >> >> can you have a look at my question below? >> >> Thanks, >> >> Dirk >> >> On Wed, Apr 6, 2016 at 4:05 PM, Dirk Franssen >> wrote: >> >>> Hi all, >>> >>> I have created a user via the REST api with userActions RESET_PASSWORD >>> and VERIFY_EMAIL. Subsequently I use the endpoint 'execute-actions-email' >>> with the query-params 'client_id' and 'redirect_uri' for the action >>> RESET_PASSWORD and VERIFY_EMAIL. The email is sent to the user, but it >>> seems it does not take into account the query params. If the user sets his >>> password via the link in the email, the page "Your account has been >>> updated" is displayed without redirection nor a link to go to the >>> application? >>> >>> Do I miss something? >>> >>> Kind regards, >>> Dirk >>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160412/b140a848/attachment.html From aikeaguinea at xsmail.com Tue Apr 12 10:00:55 2016 From: aikeaguinea at xsmail.com (Aikeaguinea) Date: Tue, 12 Apr 2016 10:00:55 -0400 Subject: [keycloak-user] Authenticator provider config properties In-Reply-To: <1459880548.1827579.569873665.40974897@webmail.messagingengine.com> References: <1459880548.1827579.569873665.40974897@webmail.messagingengine.com> Message-ID: <1460469655.655774.576415417.5E4F0609@webmail.messagingengine.com> I figured out the issue here: The isConfigurable() method in the implementation of the authenticator factory was returning false, so the configuration screen wasn't showing. On a related question, in the Keycloak log I'm seeing: 09:58:20,494 WARN [org.keycloak.services] (ServerService Thread Pool -- 50) KC-SERVICES0047: CustomAuthenticator (test.keycloak.CustomAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice I see public documentation about the Authenticator SPI on the Keycloak site. Is this log message obsolete? On Tue, Apr 5, 2016, at 02:22 PM, Aikeaguinea wrote: > I've just implemented a new authenticator, following the instructions > here: > http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e3785 > > In my implementation of the authenticator factory, I have a > ProviderConfigProperty set up in a static block as is done in the > example. My impression was that the value of this property would be set > as a config option in the admin console. Right now I'm not seeing my > property in the admin console, but it's possible I'm not looking in the > right place. I was able to create a new flow and add my authenticator to > it as a new execution, but I don't see anywhere to add this > configuration property. > > I'm not seeing any errors in the Keycloak console log, so I'm assuming > that I have things set up right. Any ideas? 
> > -- > http://www.fastmail.com - Faster than the air-speed velocity of an > unladen european swallow > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Aikeaguinea aikeaguinea at xsmail.com -- http://www.fastmail.com - The way an email service should be From aikeaguinea at xsmail.com Tue Apr 12 10:17:47 2016 From: aikeaguinea at xsmail.com (Aikeaguinea) Date: Tue, 12 Apr 2016 10:17:47 -0400 Subject: [keycloak-user] Authentication failure logs at ERROR level Message-ID: <1460470667.660016.576429577.509CD43C@webmail.messagingengine.com> I'm implementing a custom authenticator, and I'm noticing that whenever I get an authentication failure I get a long exception in the log at level ERROR as well as one at level WARN: 19:08:16,592 WARN [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19 19:08:16,593 ERROR [org.keycloak.services] (default task-7) KC-SERVICES0013: failed authentication: org.keycloak.authentication.AuthenticationFlowException at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:85) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:756) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:353) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:335) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:380) 
...many more lines

This seems open to a DOS vulnerability that would fill up logs by bombing the system with failed login attempts. In addition, logging the failure at ERROR means that the only way to keep the second log entry from showing up is to turn off all logging for org.keycloak.services.

In my ideal world, we could set Keycloak so that login failures were simply recorded as events but don't show up in the server log at all. Is there a way to do that?

--
http://www.fastmail.com - A fast, anti-spam email service.

From aikeaguinea at xsmail.com Tue Apr 12 10:28:28 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Tue, 12 Apr 2016 10:28:28 -0400
Subject: [keycloak-user] Guidelines for protecting Keycloak Endpoints
In-Reply-To:
References:
Message-ID: <1460471308.662398.576440121.0C9770D7@webmail.messagingengine.com>

+1 for being able to disable exposing admin links to the outside world.

On Tue, Mar 24, 2016, at 6:48 AM, Thomas Darimont wrote:
> Hello group,
>
> I'm about to configure our Web Application Firewall for Keycloak where
> I want to implement the following scenario:
>
> CLIENT_ENDPOINTS:
> All endpoints needed for Web SSO via OAuth 2.0 / OpenID Connect, as
> well as the account and login/totp/registration/forgot password pages
> should be accessible from the public internet.
>
> ADMIN_ENDPOINTS:
> Admin endpoints like the Admin Console, Admin REST API etc. should
> only be accessible from the internal network.
>
> Are there any guidelines for which URL pattern applies to which
> category (CLIENT_ENDPOINTS, ADMIN_ENDPOINTS)?
>
> To me, it seems that:
> - "/auth/admin/*" belongs to the ADMIN_ENDPOINTS category.
> - "/auth/realms/my-realm/*" belongs to the CLIENT_ENDPOINTS category.
> Have I missed anything else?
>
> Btw. it turns out that some endpoints (unnecessarily) expose internal
> links like "admin-api" if you go to: http://localhost:8080/auth/realms/my-realm/
>
> {
>   realm: "my-realm",
>   public_key: "...",
>   token-service: "http://localhost:8080/auth/realms/my-realm/protocol/openid-connect",
>   account-service: "http://localhost:8080/auth/realms/my-realm/account",
>   admin-api: "http://localhost:8080/auth/admin",
>   tokens-not-before: 0
> }
>
> Can this be disabled?
>
> Cheers,
> Thomas

--
http://www.fastmail.com - Faster than the air-speed velocity of an unladen european swallow

From bburke at redhat.com Tue Apr 12 10:55:00 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 12 Apr 2016 10:55:00 -0400
Subject: [keycloak-user] Documentation subjects - need feedback
Message-ID: <570D0C44.6010907@redhat.com>

Created a wiki:

https://github.com/keycloak/keycloak/wiki/Docs

Please add things you want covered that are weak or non-existent in documentation. I'll be going through the email list as I know there were a number of threads on this stuff too. I'll post an outline sometime next week after we have a few internal meetings on the subject.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From lars.noldan at drillinginfo.com Tue Apr 12 11:06:43 2016
From: lars.noldan at drillinginfo.com (Lars Noldan)
Date: Tue, 12 Apr 2016 10:06:43 -0500
Subject: [keycloak-user] Documentation subjects - need feedback
In-Reply-To: <570D0C44.6010907@redhat.com>
References: <570D0C44.6010907@redhat.com>
Message-ID:

I'd love more documentation about how entitlements are being handled by keycloak users, and best practices for configuring the same.
On Tue, Apr 12, 2016 at 9:55 AM, Bill Burke wrote: > Created a wiki: > > https://github.com/keycloak/keycloak/wiki/Docs > > Please add things you want covered that are weak or non-existent in > documentation. I'll be going through the email list as I know there > were a number of threads on this stuff too. I'll post an outline > sometime next week after we have a few internal meetings on the subject. > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160412/77f32e36/attachment.html From bburke at redhat.com Tue Apr 12 11:21:49 2016 From: bburke at redhat.com (Bill Burke) Date: Tue, 12 Apr 2016 11:21:49 -0400 Subject: [keycloak-user] Documentation subjects - need feedback In-Reply-To: References: <570D0C44.6010907@redhat.com> Message-ID: <570D128D.2010906@redhat.com> Not sure what you mean by entitlements. User role mappings is about all we got. Please edit the Wiki directly. On 4/12/2016 11:06 AM, Lars Noldan wrote: > I'd love more documentation about how entitlements are being handled > by keycloak users, and best practices for configuring the same. > > On Tue, Apr 12, 2016 at 9:55 AM, Bill Burke > wrote: > > Created a wiki: > > https://github.com/keycloak/keycloak/wiki/Docs > > Please add things you want covered that are weak or non-existent in > documentation. I'll be going through the email list as I know there > were a number of threads on this stuff too. I'll post an outline > sometime next week after we have a few internal meetings on the > subject. 
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From rllavallee at hotmail.com Tue Apr 12 13:32:50 2016
From: rllavallee at hotmail.com (Richard Lavallee)
Date: Tue, 12 Apr 2016 17:32:50 +0000
Subject: [keycloak-user] Question re Keycloak password / session policies
In-Reply-To:
References: , , ,
Message-ID:

> - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not
> though). We'll add ability to create custom password policies in the future
> though.

Wouldn't the below suffice for regex? Thus avoiding needing custom work for the short-term?

forward = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
regex = "(" + forward + "|" + backward + ")+";

------------------------------
Date: Tue, 12 Apr 2016 06:37:41 +0200
Subject: Re: [keycloak-user] Question re Keycloak password / session policies
From: sthorger at redhat.com
To: rllavallee at hotmail.com
CC: keycloak-user at lists.jboss.org

> On 11 April 2016 at 20:49, Richard Lavallee wrote:
>
> > Does Keycloak support the following requirements?
> >
> > Password:
> >
> > - Password should be changed in every 60 days (configurable)
>
> Yes
>
> > - If user enters password wrong three times account is locked out for
> > 15 min (configurable)
>
> Yes
>
> > - Password chosen should not be previous 24 passwords
>
> Yes
>
> > - Password should have a letter and a number
>
> Yes
>
> > - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not
> though). We'll add ability to create custom password policies in the future
> though.
>
> > Inactivity:
> >
> > - Application session inactivity - default is 45 minutes (can be
> > configured)
>
> Yes, you can configure idle timeout for a session. Idle for a session is
> if there are no app logins or token refreshes
>
> > - Account inactivity - account inactivity is 30 days default
> > (configurable)
>
> Yes
>
> > -Richard

From aikeaguinea at xsmail.com Tue Apr 12 17:03:00 2016
From: aikeaguinea at xsmail.com (Aikeaguinea)
Date: Tue, 12 Apr 2016 17:03:00 -0400
Subject: [keycloak-user] Default clients for a new realm
Message-ID: <1460494980.762737.576863825.142C0C81@webmail.messagingengine.com>

When I create a new realm, I see that the following clients are automatically created in that realm:

account
admin-cli
broker
realm-management
security-admin-console

It's hard for me to tell whether or not to delete these clients without knowing what they're for, and I haven't successfully found documentation on the subject. Might someone explain what these are about?
-- http://www.fastmail.com - Accessible with your email software or over the web From thomas.darimont at googlemail.com Tue Apr 12 17:45:50 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Tue, 12 Apr 2016 23:45:50 +0200 Subject: [keycloak-user] Default clients for a new realm In-Reply-To: <1460494980.762737.576863825.142C0C81@webmail.messagingengine.com> References: <1460494980.762737.576863825.142C0C81@webmail.messagingengine.com> Message-ID: Hello, from my understanding and from reading the docs & mailing lists I'd explain the clients as follows: /account web application with UI, currently embedded in keycloak itself, that serves as a self-service account management application where users can change information about ther user account, change passwords, have a look at their active sessions etc. You should leave this if you want your users to be able to manage their account themselves. /admin-cli "technical" client (no UI) that was introduced in 1.7 and is used for direct-grants with access-type "public" and has scope to realm-management (which implies some client roles like: realm-admin, management-realm, manage-users, etc.) similarly like the security-admin-console. This client can also be used for configuring the realm via the REST API or the Keycloak admin-client. You should leave this if you want to administer your realm via the REST API. /broker "technical" client (no UI) is used for standard flow and has scope to read-token, allows the user to access any stored external tokens (via the broker service). You should leave this if you want to do indentity brokering. (guessing here) /realm-management "technical" client (no UI), similar to admin-cli but uses access-type bearer-only, which means that instead of doing the oauth dance you need to pass the access_token via the Authorization: Bearer TOKEN HTTP request header. You should leave this if you want to administer your realm via the REST API. 
/security-admin-console web application with UI, currently embedded in keycloak itself, which serves as the management console you are using to configure your realm via the browser. >From keycloaks perspective the admin-console is also just an oauth client. You should leave this if you want to administer your realm via the admin console (which you probably do). -- Perhaps it would help to populate description field with a brief summary for the "default" client definitions. Having those clients mentioned in the docs somewhere would be helpful as well. Cheers, Thomas 2016-04-12 23:03 GMT+02:00 Aikeaguinea : > When I create a new realm, I see that the following clients are > automatically created in that realm: > > account > admin-cl > broker > realm-management > security-admin-console > > It's hard for me to tell whether or not to delete these clients without > knowing what they're for, and I haven't successfully found documentation > on the subject. Might someone explain what these are about? > > -- > http://www.fastmail.com - Accessible with your email software > or over the web > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160412/caa4ee6b/attachment.html From aikeaguinea at xsmail.com Tue Apr 12 19:32:27 2016 From: aikeaguinea at xsmail.com (Aikeaguinea) Date: Tue, 12 Apr 2016 19:32:27 -0400 Subject: [keycloak-user] Default clients for a new realm In-Reply-To: References: <1460494980.762737.576863825.142C0C81@webmail.messagingengine.com> Message-ID: <1460503947.794847.576981201.729BD695@webmail.messagingengine.com> Thank you very much for this; it's very helpful. 
On Tue, Apr 12, 2016, at 05:45 PM, Thomas Darimont wrote: > Hello, > > from my understanding and from reading the docs & mailing lists I'd > explain the clients as follows: > > /account > web application with UI, currently embedded in keycloak itself, that > serves as a self-service > account management application where users can change information > about ther user account, > change passwords, have a look at their active sessions etc. > > You should leave this if you want your users to be able to manage > their account themselves. > > /admin-cli > "technical" client (no UI) that was introduced in 1.7 and is used for > direct-grants with > access-type "public" and has scope to realm-management (which implies > some client roles like: > realm-admin, management-realm, manage-users, etc.) similarly like the > security-admin-console. > This client can also be used for configuring the realm via the REST > API or the Keycloak admin-client. > > You should leave this if you want to administer your realm via the > REST API. > > /broker > "technical" client (no UI) is used for standard flow and has scope to > read-token, allows the user > to access any stored external tokens (via the broker service). > > You should leave this if you want to do indentity brokering. > (guessing here) > > /realm-management > "technical" client (no UI), similar to admin-cli but uses access-type > bearer-only, > which means that instead of doing the oauth dance you need to pass > the access_token via the Authorization: Bearer TOKEN HTTP > request header. > > You should leave this if you want to administer your realm via the > REST API. > > /security-admin-console > web application with UI, currently embedded in keycloak itself, ?which > serves as the management console > you are using to configure your realm via the browser. > > From keycloaks perspective the admin-console is also just an > oauth client. 
> > You should leave this if you want to administer your realm via the > admin console (which you probably do). > -- > > Perhaps it would help to populate description field with a brief > summary for the "default" client definitions. > Having those clients mentioned in the docs somewhere would be helpful > as well. > > Cheers, > Thomas > > > 2016-04-12 23:03 GMT+02:00 Aikeaguinea : >> When I create a new realm, I see that the following clients are >> automatically created in that realm: >> >> account >> admin-cl >> broker >> realm-management >> security-admin-console >> >> It's hard for me to tell whether or not to delete these clients >> without >> knowing what they're for, and I haven't successfully found >> documentation >> on the subject. Might someone explain what these are about? >> >> -- >> http://www.fastmail.com - Accessible with your email software or over >> the web >> >> _______________________________________________ >> keycloak-user mailing list keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user -- Aikeaguinea aikeaguinea at xsmail.com -- http://www.fastmail.com - Same, same, but different... -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160412/ff11e14a/attachment.html From sthorger at redhat.com Wed Apr 13 00:44:55 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 06:44:55 +0200 Subject: [keycloak-user] Default clients for a new realm In-Reply-To: References: <1460494980.762737.576863825.142C0C81@webmail.messagingengine.com> Message-ID: Nice summary and everything spot on! 
On 12 April 2016 at 23:45, Thomas Darimont wrote: > Hello, > > from my understanding and from reading the docs & mailing lists I'd > explain the clients as follows: > > /account > web application with UI, currently embedded in keycloak itself, that > serves as a self-service > account management application where users can change information about > ther user account, > change passwords, have a look at their active sessions etc. > > You should leave this if you want your users to be able to manage their > account themselves. > > /admin-cli > "technical" client (no UI) that was introduced in 1.7 and is used for > direct-grants with > access-type "public" and has scope to realm-management (which implies some > client roles like: > realm-admin, management-realm, manage-users, etc.) similarly like the > security-admin-console. > This client can also be used for configuring the realm via the REST API or > the Keycloak admin-client. > > You should leave this if you want to administer your realm via the REST > API. > > /broker > "technical" client (no UI) is used for standard flow and has scope to > read-token, allows the user > to access any stored external tokens (via the broker service). > > You should leave this if you want to do indentity brokering. (guessing > here) > > /realm-management > "technical" client (no UI), similar to admin-cli but uses access-type > bearer-only, > which means that instead of doing the oauth dance you need to pass > the access_token via the Authorization: Bearer TOKEN HTTP request header. > > You should leave this if you want to administer your realm via the REST > API. > > /security-admin-console > web application with UI, currently embedded in keycloak itself, which > serves as the management console > you are using to configure your realm via the browser. > > From keycloaks perspective the admin-console is also just an oauth client. 
> > You should leave this if you want to administer your realm via the admin > console (which you probably do). > -- > > Perhaps it would help to populate description field with a brief summary > for the "default" client definitions. > Having those clients mentioned in the docs somewhere would be helpful as > well. > This is the plan. We're also going to remove "broker" and "realm-management", these are just used as a "container" for roles and will be replaced with role namespaces. > > Cheers, > Thomas > > > 2016-04-12 23:03 GMT+02:00 Aikeaguinea : > >> When I create a new realm, I see that the following clients are >> automatically created in that realm: >> >> account >> admin-cl >> broker >> realm-management >> security-admin-console >> >> It's hard for me to tell whether or not to delete these clients without >> knowing what they're for, and I haven't successfully found documentation >> on the subject. Might someone explain what these are about? >> >> -- >> http://www.fastmail.com - Accessible with your email software >> or over the web >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160413/ca51f6ef/attachment-0001.html From sthorger at redhat.com Wed Apr 13 00:47:09 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 06:47:09 +0200 Subject: [keycloak-user] Question re Keycloak password / session ploicies In-Reply-To: References: Message-ID: That'd do it. I got confused and thought you didn't want to repetitive letters. 
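Richard's pattern as a working check, added here as a Python example (not code from the thread or from Keycloak): it generates the same forward and backward alternations from the alphabet, shows the case-sensitivity gap of the lowercase-only literal, and gives the negated form needed when the policy engine requires the whole password to match the pattern, which is how Keycloak's regex password policy evaluates it.

```python
import re
import string

# Richard's two alternations, copied verbatim from the thread.
RICHARD_FORWARD = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz"
RICHARD_BACKWARD = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba"


def adjacent_pairs(alphabet=string.ascii_lowercase):
    """Build the same two alternations from the alphabet instead of typing them,
    so a different alphabet (digits, a locale's letters) can be plugged in."""
    pairs = list(zip(alphabet, alphabet[1:]))
    forward = "|".join(a + b for a, b in pairs)
    backward = "|".join(b + a for a, b in reversed(pairs))
    return forward, backward


def consecutive_run_detector(ignore_case=True):
    """Richard's regex: one or more adjacent-letter pairs anywhere in the password.
    The literal is lowercase only, so 'AB' slips past unless IGNORECASE is set."""
    forward, backward = adjacent_pairs()
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("(" + forward + "|" + backward + ")+", flags)


def has_consecutive_letters(password, ignore_case=True):
    """True when the password contains a run such as 'ab', 'xyz' or 'cba'."""
    return consecutive_run_detector(ignore_case).search(password) is not None


def policy_pattern():
    """Inverted form for a policy engine that requires the whole password to MATCH
    the pattern (Keycloak's regex password policy checks it that way): a negative
    lookahead rejects any password containing a run; (?i) makes it case-insensitive."""
    forward, backward = adjacent_pairs()
    return "(?i)^(?!.*(?:" + forward + "|" + backward + ")).*$"


def passes_policy(password):
    """Apply the inverted pattern the way a must-match policy would."""
    return re.fullmatch(policy_pattern(), password) is not None


if __name__ == "__main__":
    for pw in ["abc123", "Zyx!9", "xYz9", "Tr0ub4dor&3"]:
        print(pw, has_consecutive_letters(pw),
              has_consecutive_letters(pw, ignore_case=False), passes_policy(pw))
```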
On 12 April 2016 at 19:32, Richard Lavallee wrote: > > - Password should not have consecutive letters > > Maybe, if you can come up with a way to write that as regex (probably not > though). We'll add ability to create custom password policies in the future > though. > > Wouldn't the below suffice for regex? Thus avoiding needing custom work > for the short-term? > > forward = > "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz", > backward = > "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba", > regex = "(" + forward + "|" + backward + ")+"; > > > ------------------------------ > Date: Tue, 12 Apr 2016 06:37:41 +0200 > Subject: Re: [keycloak-user] Question re Keycloak password / session > ploicies > From: sthorger at redhat.com > To: rllavallee at hotmail.com > CC: keycloak-user at lists.jboss.org > > > > > On 11 April 2016 at 20:49, Richard Lavallee > wrote: > > Does Keycloak support the following requirements? > > *Password:* > > - Password should be changed in every 60 days (configurable) > > Yes > > > - If user enters password wrong three times account is locked out for > 15 min (configurable) > > Yes > > > - Password chosen should not be previous 24 passwords > > Yes > > > - Password should have a letter and a number > > Yes > > > - Password should not have consecutive letters > > Maybe, if you can come up with a way to write that as regex (probably not > though). We'll add ability to create custom password policies in the future > though. > > > - > > *Inactivity:* > > - Application session inactivity - default is 45 minutes (can be > configured) > > Yes, you can configure idle timeout for a session. 
Idle for a session is > if there are no app logins or token refreshes > > > - Account inactivity - account inactivity is 30 days default > (configurable) > > Yes > > > -Richard > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160413/43f0634e/attachment.html From sthorger at redhat.com Wed Apr 13 00:51:27 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 06:51:27 +0200 Subject: [keycloak-user] Authentication failure logs at ERROR level In-Reply-To: <1460470667.660016.576429577.509CD43C@webmail.messagingengine.com> References: <1460470667.660016.576429577.509CD43C@webmail.messagingengine.com> Message-ID: org.keycloak.events is fully configurable you can set what level you want it to log success and failures. Logging failures are supposed to only be logged by event mechanism so this is a bug, can you create a JIRA please? 
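To act on Stian's point that failures are meant to be consumed through the event mechanism rather than the ERROR stack trace, here is an added Python example (not Keycloak code) that parses the org.keycloak.events line shape quoted in this thread, ignores the KC-SERVICES0013 trace lines, and flags a source address that produces three LOGIN_ERROR events within 15 minutes. The log lines are constructed in the thread's format; the threshold and window echo the lockout policy discussed elsewhere in this digest, and all lines are assumed to come from one day.

```python
import re
from collections import defaultdict, deque

# Line shape of the org.keycloak.events logger as quoted in the thread: time stamp,
# level, logger category in brackets, thread name in parentheses, key=value pairs.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}),(?P<ms>\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[\w.]+)\]\s+\((?P<thread>[^)]*)\)\s+(?P<body>.*)$"
)
# A value is either single-quoted (redirect_uri) or runs up to the next comma.
PAIR_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")

# Constructed sample log: the first two lines reproduce the thread's excerpt, the
# rest are made up in the same format (three failures from one address, one from
# another, then a successful LOGIN). All times are assumed to be from one day.
SAMPLE_LOG = """\
19:08:16,592 WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19
19:08:16,593 ERROR [org.keycloak.services] (default task-7) KC-SERVICES0013: failed authentication: org.keycloak.authentication.AuthenticationFlowException
\tat org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207)
19:08:20,101 WARN  [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', code_id=CONSTRUCTED-0002
19:08:25,440 WARN  [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=10.0.0.5, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', code_id=CONSTRUCTED-0003
19:08:31,007 WARN  [org.keycloak.events] (default task-7) type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri='http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', code_id=CONSTRUCTED-0004
19:09:02,318 INFO  [org.keycloak.events] (default task-7) type=LOGIN, realmId=CustomAuthTest, clientId=account, userId=CONSTRUCTED-USER-ID, ipAddress=127.0.0.1, auth_method=openid-connect, auth_type=code
"""


def parse_event_line(line):
    """Return the fields of an org.keycloak.events line as a dict, or None for
    anything else (the KC-SERVICES0013 error, stack frames, other loggers)."""
    m = LINE_RE.match(line)
    if not m or m.group("logger") != "org.keycloak.events":
        return None
    h, mi, s = (int(x) for x in m.group("time").split(":"))
    fields = {"level": m.group("level"),
              "seconds": h * 3600 + mi * 60 + s + int(m.group("ms")) / 1000.0}
    for key, value in PAIR_RE.findall(m.group("body")):
        fields[key] = value.strip().strip("'")
    return fields


def parse_events(lines):
    """All event dicts in order; non-event lines are dropped."""
    return [ev for ev in (parse_event_line(l) for l in lines) if ev]


def detect_failure_bursts(lines, threshold=3, window_seconds=15 * 60):
    """Flag each (realmId, ipAddress) that produces >= threshold LOGIN_ERROR events
    inside a sliding window; one alert per key. The defaults echo the "three wrong
    attempts, 15 minute lockout" policy discussed in this digest."""
    recent = defaultdict(deque)
    flagged, alerts = set(), []
    for ev in parse_events(lines):
        if ev.get("type") != "LOGIN_ERROR":
            continue
        key = (ev.get("realmId"), ev.get("ipAddress"))
        q = recent[key]
        q.append(ev["seconds"])
        while q and ev["seconds"] - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"realmId": key[0], "ipAddress": key[1],
                           "failures": len(q), "error": ev.get("error"),
                           "first_at": q[0], "last_at": ev["seconds"]})
    return alerts


def sample_events():
    return parse_events(SAMPLE_LOG.splitlines())


def sample_alerts():
    return detect_failure_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```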
On 12 April 2016 at 16:17, Aikeaguinea wrote: > I'm implementing a custom authenticator, and I'm noticing that whenever > I get an authentication failure I get a long exception in the log at > level ERROR as well as one at level WARN: > > > 19:08:16,592 WARN [org.keycloak.events] (default task-7) > type=LOGIN_ERROR, realmId=CustomAuthTest, clientId=account, > userId=null, ipAddress=127.0.0.1, error=invalid_user_credentials, > auth_method=openid-connect, auth_type=code, > redirect_uri=' > http://localhost:9080/auth/realms/CustomAuthTest/account/login-redirect', > code_id=117bfe17-d8be-431d-9c7f-5fcfd4aaff19 > 19:08:16,593 ERROR [org.keycloak.services] (default task-7) > KC-SERVICES0013: failed authentication: > org.keycloak.authentication.AuthenticationFlowException > at > > org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:207) > at > > org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:85) > at > > org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:756) > at > > org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:353) > at > > org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:335) > at > > org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:380) > ...many more lines > > > This seems open to a DOS vulnerability that would fill up logs by > bombing the system with failed login attempts. In addition, logging the > failure at ERROR means that the only way to keep the second log entry > from showing up is to turn off all logging for org.keycloak.services. > > In my ideal world, we could set Keycloak so that login failures were > simply recorded as events but don't show up in the server log at all. Is > there a way to do that? > > -- > http://www.fastmail.com - A fast, anti-spam email service. 
> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160413/a412aeee/attachment.html From sthorger at redhat.com Wed Apr 13 00:54:33 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 06:54:33 +0200 Subject: [keycloak-user] Authenticator provider config properties In-Reply-To: <1460469655.655774.576415417.5E4F0609@webmail.messagingengine.com> References: <1459880548.1827579.569873665.40974897@webmail.messagingengine.com> <1460469655.655774.576415417.5E4F0609@webmail.messagingengine.com> Message-ID: The notification is mainly there for product reasons. We're not supporting SPIs in the first product release (supported version of Keycloak). It's also a warning to point out that we reserve the right to change the SPI in the future, so you may need to refactor your authenticator once we do. On 12 April 2016 at 16:00, Aikeaguinea wrote: > I figured out the issue here: The isConfigurable() method in the > implementation of the authenticator factory was returning false, so the > configuration screen wasn't showing. > > On a related question, in the Keycloak log I'm seeing: > > 09:58:20,494 WARN [org.keycloak.services] (ServerService Thread > Pool -- 50) KC-SERVICES0047: CustomAuthenticator > (test.keycloak.CustomAuthenticatorFactory) is implementing the > internal SPI authenticator. This SPI is internal and may change > without notice > > I see public documentation about the Authenticator SPI on the Keycloak > site. Is this log message obsolete? 
> > > > On Tue, Apr 5, 2016, at 02:22 PM, Aikeaguinea wrote: > > I've just implemented a new authenticator, following the instructions > > here: > > > http://keycloak.github.io/docs/userguide/keycloak-server/html/auth_spi.html#d4e3785 > > > > In my implementation of the authenticator factory, I have a > > ProviderConfigProperty set up in a static block as is done in the > > example. My impression was that the value of this property would be set > > as a config option in the admin console. Right now I'm not seeing my > > property in the admin console, but it's possible I'm not looking in the > > right place. I was able to create a new flow and add my authenticator to > > it as a new execution, but I don't see anywhere to add this > > configuration property. > > > > I'm not seeing any errors in the Keycloak console log, so I'm assuming > > that I have things set up right. Any ideas? > > > > -- > > http://www.fastmail.com - Faster than the air-speed velocity of an > > unladen european swallow > > > -- > Aikeaguinea > aikeaguinea at xsmail.com > > -- > http://www.fastmail.com - The way an email service should be

From phofficial at centrum.cz Wed Apr 13 06:39:18 2016 From: phofficial at centrum.cz (Pavel Hora) Date: Wed, 13 Apr 2016 12:39:18 +0200 Subject: [keycloak-user] Token cant be decoded with base64 In-Reply-To: References: Message-ID: <20160413123918.2286048A@centrum.cz>

Hi,
we are using Keycloak 1.7.0 Final and for users with national characters in lastname (O?en??ek) it is not possible to decode the generated token with base64. ...firstname is Luk??

    import java.util.Base64;
    import java.util.Base64.Decoder;

    // src_bad holds the raw token; the payload is the second dot-separated segment
    String[] splited = src_bad.split("\\.");
    String srcToEnc = splited[1];
    // plain (non-URL-safe) decoder, which is the one that fails on this token
    Decoder d = Base64.getDecoder();
    d.decode(srcToEnc);

...Illegal base64 character

Any suggestion? thx, pH.

From phofficial at centrum.cz Wed Apr 13 10:35:00 2016 From: phofficial at centrum.cz (Pavel Hora) Date: Wed, 13 Apr 2016 16:35:00 +0200 Subject: [keycloak-user] Token cant be decoded with base64 In-Reply-To: <20160413123918.2286048A@centrum.cz> References: <20160413123918.2286048A@centrum.cz> Message-ID: <20160413163500.B016D97A@centrum.cz>

...we have custom mapper of type user property with property value lastName

Full user name mapper type works fine
______________________________________________________________
> From: "Pavel Hora" > To: > Date: 13.04.2016 12:39 > Subject: Token cant be decoded with base64 > Hi, we are using Keycloak 1.7.0 Final and for users with national characters in lastname (O?en??ek) it is not possible to decode the generated token with base64. ...firstname is Luk?? > String[] splited = src_bad.split("\\."); String srcToEnc = splited[1]; Decoder d = Base64.getDecoder(); d.decode(srcToEnc); > ...Illegal base64 character > Any suggestion? thx, pH.

From rllavallee at hotmail.com Wed Apr 13 11:18:43 2016 From: rllavallee at hotmail.com (Richard Lavallee) Date: Wed, 13 Apr 2016 15:18:43 +0000 Subject: [keycloak-user] Question re Keycloak password / session ploicies In-Reply-To: References: , , , , , Message-ID: Thanks.
But even for repetitive letters such as "aaaa" I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes?

Date: Wed, 13 Apr 2016 06:47:09 +0200 Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: keycloak-user at lists.jboss.org

That'd do it. I got confused and thought you didn't want to repetitive letters.

On 12 April 2016 at 19:32, Richard Lavallee wrote:

- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.

Wouldn't the below suffice for regex? Thus avoiding needing custom work for the short-term?

    forward = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
    backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
    regex = "(" + forward + "|" + backward + ")+";

Date: Tue, 12 Apr 2016 06:37:41 +0200 Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: keycloak-user at lists.jboss.org

On 11 April 2016 at 20:49, Richard Lavallee wrote:

Does Keycloak support the following requirements?

Password:
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for 15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.

Inactivity:
- Application session inactivity - default is 45 minutes (can be configured)
Yes, you can configure idle timeout for a session.
Idle for a session is if there are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default (configurable)
Yes

-Richard

From sblanc at redhat.com Wed Apr 13 12:52:42 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 13 Apr 2016 18:52:42 +0200 Subject: [keycloak-user] Error with the nodejs example and KC 1.9.1 Message-ID:

Hi, I'm trying the nodejs example provided here https://github.com/sebastienblanc/keycloak-nodejs-connect/tree/master/example and using Keycloak 1.9.1.Final. Once the nodejs app is launched I am correctly redirected to the login page. But once I log in I can see a stacktrace in KC: https://gist.github.com/sebastienblanc/337597c8e570e5267c26f30b93c3c804 and the nodejs app hangs. Is it because of the KC version, should I try with KC master? Thx, Sebi

From lholmqui at redhat.com Wed Apr 13 12:55:00 2016 From: lholmqui at redhat.com (Luke Holmquist) Date: Wed, 13 Apr 2016 12:55:00 -0400 Subject: [keycloak-user] Error with the nodejs example and KC 1.9.1 In-Reply-To: References: Message-ID: seb, is it because of this? https://issues.jboss.org/browse/KEYCLOAK-2798 On Wed, Apr 13, 2016 at 12:52 PM, Sebastien Blanc wrote: > Hi, > > I'm trying the nodejs example provided here > https://github.com/sebastienblanc/keycloak-nodejs-connect/tree/master/example > and using Keycloak 1.9.1.Final. > > Once the nodejs app is launched I am correctly redirected to the login page.
> But once I log in I can see a stacktrace in KC: > https://gist.github.com/sebastienblanc/337597c8e570e5267c26f30b93c3c804 > and the nodejs app hangs. > > Is it because of the KC version, should I try with KC master? > > Thx, > > Sebi

From sblanc at redhat.com Wed Apr 13 13:02:16 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 13 Apr 2016 19:02:16 +0200 Subject: [keycloak-user] Error with the nodejs example and KC 1.9.1 In-Reply-To: References: Message-ID: I don't think so, the stack trace sounds more like an old school wildly error ;) On Wednesday 13 April 2016, Luke Holmquist wrote: > seb, > > is it because of this? https://issues.jboss.org/browse/KEYCLOAK-2798 > > On Wed, Apr 13, 2016 at 12:52 PM, Sebastien Blanc > wrote: > >> Hi, >> >> I'm trying the nodejs example provided here >> https://github.com/sebastienblanc/keycloak-nodejs-connect/tree/master/example >> and using Keycloak 1.9.1.Final. >> >> Once the nodejs app is launched I am correctly redirected to the login page. >> But once I log in I can see a stacktrace in KC: >> https://gist.github.com/sebastienblanc/337597c8e570e5267c26f30b93c3c804 >> and the nodejs app hangs. >> >> Is it because of the KC version, should I try with KC master? >> >> Thx, >> >> Sebi
From scott at xigole.com Wed Apr 13 13:52:23 2016 From: scott at xigole.com (Scott Dunbar) Date: Wed, 13 Apr 2016 11:52:23 -0600 Subject: [keycloak-user] Can't add OpenID (Auth0) provider Message-ID:

Hello,

I'm trying to add an OpenID provider to KeyCloak to use to log in with. I am attempting to use Auth0's provider as that is what the company I'm working with has chosen as an authentication provider. I can use the import feature to get the parameters into KeyCloak and have set my id and secret. Additionally, I changed the Default Scopes to "openid profile email".

I'm trying to test with the KeyCloak console. The first thing I see when going to http://localhost:8080/auth/admin/ is a 404 when the browser tries to get http://localhost:8080/auth/realms/master/protocol/openid-connect/undefined

If I attempt to login anyway with the Auth0 provider I've created I see:

    RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/master/protocol/openid-connect/undefined

several times in the logs and, eventually,

    org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-9) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: token signature validation failed

I'm using Wildfly 10.0.0.Final, and keycloak-overlay-1.9.1.Final. This installation is pretty much "out of the box" - I've done nothing more than extract Wildfly, extract KeyCloak, run keycloak-install.cli, and create a user.

Any pointers of what I'm messing up?

-- Scott Dunbar Cell: 303 667 6343 -------------- next part -------------- An HTML attachment was scrubbed...
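An added example, not code from this thread, from Keycloak or from Auth0: the pre-checks a broker operator can run on a provider's metadata and on a received ID token before (never instead of) signature verification. A "token signature validation failed" outcome usually traces back to one of the things checked here: the token's kid is not among the signing keys in the JWKS the broker fetched, or the iss and aud claims do not belong to the provider and client that were configured. The same block does the base64url decoding that Pavel Hora's question earlier in this digest ran into: JWT segments use the base64url alphabet without padding, so a plain base64 decoder (java.util.Base64.getDecoder()) rejects them while the URL-safe one (getUrlDecoder()) accepts them. The discovery document, JWKS and token below are constructed sample data, and the token is built unsigned because the block deliberately stops short of verifying signatures.

```python
import base64
import binascii
import json

# Constructed sample data, not Keycloak or Auth0 output: the shapes follow OpenID
# Connect Discovery and JWKS, the values are made up.
DISCOVERY = {
    "issuer": "https://idp.example.test/",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/oauth/token",
    "userinfo_endpoint": "https://idp.example.test/userinfo",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
}
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2016-a"}]}
REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def b64url_decode(segment: str) -> bytes:
    """JWT segments use the base64url alphabet ('-' and '_' instead of '+' and '/')
    and drop the '=' padding; restore the padding, then use the URL-safe decoder."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def standard_b64_decode(segment: str):
    """What a plain base64 decoder does with such a segment; None stands in for the
    'Illegal base64 character' error the Java decoder throws."""
    try:
        return base64.b64decode(segment, validate=True)
    except binascii.Error:
        return None


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build header.payload. with an empty signature: enough for the pre-check below."""
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode("utf-8"))
    return f"{enc(header)}.{enc(claims)}."


def decode_token(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWS has exactly three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def missing_metadata(discovery: dict) -> list:
    """Endpoints a broker needs from the provider; a gap here means the import was incomplete."""
    return [k for k in REQUIRED_METADATA if not discovery.get(k)]


def precheck_token(token: str, discovery: dict, jwks: dict, expected_aud: str) -> list:
    """Cheap checks to run before signature verification; each one names a usual
    cause of a signature-validation failure at the broker."""
    header, claims = decode_token(token)
    problems = []
    if header.get("alg") in (None, "none"):
        problems.append("alg missing or 'none'")
    signing_kids = {k.get("kid") for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"}
    if header.get("kid") not in signing_kids:
        problems.append(f"kid {header.get('kid')!r} not in the provider's JWKS")
    if claims.get("iss") != discovery.get("issuer"):
        problems.append(f"iss {claims.get('iss')!r} != issuer {discovery.get('issuer')!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    return problems


if __name__ == "__main__":
    token = make_unsigned_token(
        {"alg": "RS256", "typ": "JWT", "kid": "key-2016-a"},
        {"iss": DISCOVERY["issuer"], "aud": "my-client", "sub": "u1", "family_name": "Dvořák"},
    )
    print("missing metadata:", missing_metadata(DISCOVERY))
    print("pre-check:", precheck_token(token, DISCOVERY, JWKS, "my-client") or "ok")
    print("payload via plain base64:", standard_b64_decode(token.split(".")[1]))
    print("payload via base64url:", decode_token(token)[1])
```

Run as is, the pre-check reports nothing; hand it a token whose kid is no longer in the JWKS and it names the missing key, which is the first thing to compare against the provider's current JWKS when the broker rejects a signature.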
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160413/8b3692a1/attachment.html From sthorger at redhat.com Wed Apr 13 14:42:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 20:42:20 +0200 Subject: [keycloak-user] Question re Keycloak password / session ploicies In-Reply-To: References: Message-ID: Sure, but it would be a rather lengthy one. On 13 Apr 2016 17:18, "Richard Lavallee" wrote: > Thanks. But even for repetitive letters such as "aaaa" > I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes? > > ------------------------------ > Date: Wed, 13 Apr 2016 06:47:09 +0200 > Subject: Re: [keycloak-user] Question re Keycloak password / session > ploicies > From: sthorger at redhat.com > To: rllavallee at hotmail.com > CC: keycloak-user at lists.jboss.org > > That'd do it. I got confused and thought you didn't want to repetitive > letters. > > On 12 April 2016 at 19:32, Richard Lavallee > wrote: > > > - Password should not have consecutive letters > > Maybe, if you can come up with a way to write that as regex (probably not > though). We'll add ability to create custom password policies in the future > though. > > Wouldn't the below suffice for regex? Thus avoiding needing custom work > for the short-term? > > forward = > "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz", > backward = > "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba", > regex = "(" + forward + "|" + backward + ")+"; > > > ------------------------------ > Date: Tue, 12 Apr 2016 06:37:41 +0200 > Subject: Re: [keycloak-user] Question re Keycloak password / session > ploicies > From: sthorger at redhat.com > To: rllavallee at hotmail.com > CC: keycloak-user at lists.jboss.org > > > > > On 11 April 2016 at 20:49, Richard Lavallee > wrote: > > Does Keycloak support the following requirements? 
> > *Password:* > > - Password should be changed in every 60 days (configurable) > > Yes > > > - If user enters password wrong three times account is locked out for > 15 min (configurable) > > Yes > > > - Password chosen should not be previous 24 passwords > > Yes > > > - Password should have a letter and a number > > Yes > > > - Password should not have consecutive letters > > Maybe, if you can come up with a way to write that as regex (probably not > though). We'll add ability to create custom password policies in the future > though. > > > - > > *Inactivity:* > > - Application session inactivity - default is 45 minutes (can be > configured) > > Yes, you can configure idle timeout for a session. Idle for a session is > if there are no app logins or token refreshes > > > - Account inactivity - account inactivity is 30 days default > (configurable) > > Yes > > > -Richard > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -------------- next part -------------- An HTML attachment was scrubbed... 
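An added example, mine rather than the thread's or Keycloak's, that runs the two rules discussed above against sample passwords: the consecutive-letter alternation exactly as Richard Lavallee posted it, and the repeated-letter rule that Stian says would be lengthy if spelled out as xx|xX|Xx|XX for every letter, which a case-insensitive back-reference collapses to a few characters. It also shows the form such rules take in Keycloak's regex password policy, which requires the password to match the pattern, so forbidden substrings go into negative look-aheads. The sample passwords are constructed.

```python
import re
import string

# The two alternations exactly as posted in the thread (forbidden ascending and
# descending letter pairs); everything else in this block is the added example.
FORWARD = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz"
BACKWARD = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba"
SEQUENCE = re.compile(f"(?:{FORWARD}|{BACKWARD})", re.IGNORECASE)

# The "lengthy" spelled-out form of the repeated-letter rule: xx|xX|Xx|XX for all 26 letters.
EXPLICIT_REPEAT = "|".join(
    f"{c}{c}|{c}{c.upper()}|{c.upper()}{c}|{c.upper()}{c.upper()}" for c in string.ascii_lowercase
)
# The same rule as one back-reference: under case-insensitive matching the group must
# match the letter again regardless of case, in Python and in java.util.regex alike.
REPEAT = re.compile(r"([a-z])\1", re.IGNORECASE)

# Keycloak's regex password policy is a "must match" check, so "must not contain" rules
# are wrapped in negative look-aheads. Group 1 is the letter inside the second look-ahead.
POLICY_PATTERN = f"(?i)^(?!.*(?:{FORWARD}|{BACKWARD}))(?!.*([a-z])\\1).*$"
POLICY = re.compile(POLICY_PATTERN)


def has_consecutive_letters(password: str) -> bool:
    """True if any adjacent pair is alphabetically consecutive, e.g. 'ab' or 'ba'."""
    return SEQUENCE.search(password) is not None


def has_repeated_letters(password: str) -> bool:
    """True if any letter is immediately repeated, e.g. 'aa' or 'aA'."""
    return REPEAT.search(password) is not None


def violations(password: str) -> list:
    found = []
    if has_consecutive_letters(password):
        found.append("consecutive letters")
    if has_repeated_letters(password):
        found.append("repeated letters")
    return found


def accepted_by_policy(password: str) -> bool:
    """Result of the single require-match pattern; agrees with violations() == []."""
    return POLICY.fullmatch(password) is not None


def explicit_and_backreference_agree(samples) -> bool:
    """Confirm the spelled-out alternation and the back-reference are the same rule."""
    explicit = re.compile(EXPLICIT_REPEAT)
    return all((explicit.search(s) is not None) == has_repeated_letters(s) for s in samples)


if __name__ == "__main__":
    for pw in ("abc123!", "Password1", "aA1", "Ruby#7q", "acegik9"):
        print(f"{pw:12} violations={violations(pw)} policy_ok={accepted_by_policy(pw)}")
    print("policy pattern length:", len(POLICY_PATTERN),
          "vs spelled-out repeat alternation:", len(EXPLICIT_REPEAT))
```

The look-ahead form is what goes into the policy configuration; the two helper functions exist so the same rules can be unit-tested outside the server before anyone is locked out by a typo in the pattern.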
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160413/89f59100/attachment.html From sthorger at redhat.com Wed Apr 13 14:43:26 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 20:43:26 +0200 Subject: [keycloak-user] Token cant be decoded with base64 In-Reply-To: <20160413163500.B016D97A@centrum.cz> References: <20160413123918.2286048A@centrum.cz> <20160413163500.B016D97A@centrum.cz> Message-ID: It's base64 URL encoded which is slightly different, but only sometimes On 13 Apr 2016 16:36, "Pavel Hora" wrote: > ...we have custom mapper of type user property with property value lastName > > > > Full user name mapper type works fine > > ______________________________________________________________ > > Od: "Pavel Hora" > > Komu: > > Datum: 13.04.2016 12:39 > > P?edm?t: Token cant be decoded with base64 > > > > Hi, > > > > we are using Keycloak 1.7.0 Final and for users with national characters > in lastname (O?en??ek) is not possible to decode generated token with > base64. ...firstname is Luk?? > > > > String[] splited = src_bad.split("\\."); > > String srcToEnc = splited[1]; > > Decoder d = Base64.getDecoder(); > > d.decode(srcToEnc); > > > > ...Illegal base64 character > > > > > > Any suggestion? > > thx, > > pH. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160413/b840d445/attachment-0001.html From rllavallee at hotmail.com Wed Apr 13 14:46:12 2016 From: rllavallee at hotmail.com (Richard Lavallee) Date: Wed, 13 Apr 2016 18:46:12 +0000 Subject: [keycloak-user] Question re Keycloak password / session ploicies In-Reply-To: References: , , , , , , , Message-ID: Is the below policy supported in Keycloak? If not can it be done in some custom way? 
You are only allowed to change your password every 30 days Date: Wed, 13 Apr 2016 20:42:20 +0200 Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: stian at redhat.com; keycloak-user at lists.jboss.org Sure, but it would be a rather lengthy one. On 13 Apr 2016 17:18, "Richard Lavallee" wrote: Thanks. But even for repetitive letters such as "aaaa"I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes? Date: Wed, 13 Apr 2016 06:47:09 +0200 Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: keycloak-user at lists.jboss.org That'd do it. I got confused and thought you didn't want to repetitive letters. On 12 April 2016 at 19:32, Richard Lavallee wrote: Password should not have consecutive lettersMaybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though. Wouldn't the below suffice for regex? Thus avoiding needing custom work for the short-term? forward = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz", backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba", regex = "(" + forward + "|" + backward + ")+"; Date: Tue, 12 Apr 2016 06:37:41 +0200 Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: keycloak-user at lists.jboss.org On 11 April 2016 at 20:49, Richard Lavallee wrote: Does Keycloak support the following requirements? 
Password:
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for 15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.

Inactivity:
- Application session inactivity - default is 45 minutes (can be configured)
Yes, you can configure idle timeout for a session. Idle for a session is if there are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default (configurable)
Yes

-Richard

From sthorger at redhat.com Wed Apr 13 14:46:19 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 20:46:19 +0200 Subject: [keycloak-user] Error with the nodejs example and KC 1.9.1 In-Reply-To: References: Message-ID: It's trying to invoke a deprecated endpoint. This should already be fixed. On 13 Apr 2016 19:03, "Sebastien Blanc" wrote: > I don't think so, the stack trace sounds more like an old school wildly error > ;) > > On Wednesday 13 April 2016, Luke Holmquist wrote: > >> seb, >> >> is it because of this? https://issues.jboss.org/browse/KEYCLOAK-2798 >> >> On Wed, Apr 13, 2016 at 12:52 PM, Sebastien Blanc >> wrote: >> >>> Hi, >>> >>> I'm trying the nodejs example provided here >>> https://github.com/sebastienblanc/keycloak-nodejs-connect/tree/master/example >>> and using Keycloak 1.9.1.Final.
>>> >>> Once the nodejs app launched I am corectly redirected to the login page. >>> But once I log in I can see a stacktrace in KC : >>> https://gist.github.com/sebastienblanc/337597c8e570e5267c26f30b93c3c804 >>> and the nodejs app hangs. >>> >>> Is it because of KC version, should I try with KC master ? >>> >>> Thx, >>> >>> Sebi >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160413/82426bef/attachment.html From sthorger at redhat.com Wed Apr 13 14:47:37 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 13 Apr 2016 20:47:37 +0200 Subject: [keycloak-user] Question re Keycloak password / session ploicies In-Reply-To: References: Message-ID: Nope, that one is not there. You can add a jira request for it. On 13 Apr 2016 20:46, "Richard Lavallee" wrote: > *Is the below policy supported in Keycloak? If not can it be done in some > custom way?* > > You are only allowed to change your password every 30 days > > ------------------------------ > Date: Wed, 13 Apr 2016 20:42:20 +0200 > Subject: RE: [keycloak-user] Question re Keycloak password / session > ploicies > From: sthorger at redhat.com > To: rllavallee at hotmail.com > CC: stian at redhat.com; keycloak-user at lists.jboss.org > > Sure, but it would be a rather lengthy one. > On 13 Apr 2016 17:18, "Richard Lavallee" wrote: > > Thanks. But even for repetitive letters such as "aaaa" > I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes? 
> > ------------------------------ > Date: Wed, 13 Apr 2016 06:47:09 +0200 > Subject: Re: [keycloak-user] Question re Keycloak password / session > ploicies > From: sthorger at redhat.com > To: rllavallee at hotmail.com > CC: keycloak-user at lists.jboss.org > > That'd do it. I got confused and thought you didn't want to repetitive > letters. > > On 12 April 2016 at 19:32, Richard Lavallee > wrote: > > > - Password should not have consecutive letters > > Maybe, if you can come up with a way to write that as regex (probably not > though). We'll add ability to create custom password policies in the future > though. > > Wouldn't the below suffice for regex? Thus avoiding needing custom work > for the short-term? > > forward = > "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz", > backward = > "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba", > regex = "(" + forward + "|" + backward + ")+"; > > > ------------------------------ > Date: Tue, 12 Apr 2016 06:37:41 +0200 > Subject: Re: [keycloak-user] Question re Keycloak password / session > ploicies > From: sthorger at redhat.com > To: rllavallee at hotmail.com > CC: keycloak-user at lists.jboss.org > > > > > On 11 April 2016 at 20:49, Richard Lavallee > wrote: > > Does Keycloak support the following requirements? > > *Password:* > > - Password should be changed in every 60 days (configurable) > > Yes > > > - If user enters password wrong three times account is locked out for > 15 min (configurable) > > Yes > > > - Password chosen should not be previous 24 passwords > > Yes > > > - Password should have a letter and a number > > Yes > > > - Password should not have consecutive letters > > Maybe, if you can come up with a way to write that as regex (probably not > though). We'll add ability to create custom password policies in the future > though. 
> > > - > > *Inactivity:* > > - Application session inactivity - default is 45 minutes (can be > configured) > > Yes, you can configure idle timeout for a session. Idle for a session is > if there are no app logins or token refreshes > > > - Account inactivity - account inactivity is 30 days default > (configurable) > > Yes > > > -Richard

From traviskds at gmail.com Wed Apr 13 14:51:10 2016 From: traviskds at gmail.com (Travis De Silva) Date: Wed, 13 Apr 2016 18:51:10 +0000 Subject: [keycloak-user] Internal and External Keycloak IDP's Message-ID:

Hi,

I have a client that, as per their corporate security policy, requires a separate KeyCloak instance for external users and a separate one for internal users. The external one is located in a different DMZ zone and the internal one is located inside the firewall. The internal and external client applications are also different. Each of these client applications connects to a common Java services layer (JAX-RS based REST APIs). The Java RESTful services are located in the same zone as the internal KeyCloak IDP. External users can access these services via proxy and firewall controls.

My issue is how do I secure the common services war against two IDPs?

Option 1
Had a look at the multi-tenant example (https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant) which is the closest to my use case but it seems to work off a single or clustered Keycloak instance and not separate keycloak instances.

Option 2
My next idea is to maybe on the services.war store the keys from the two different keycloak instances and then have a filter that will read the token and validate it against the keys. But this means I will not be able to use the standard Java security annotations in my services classes to protect the classes/methods via annotations.

Option 3
Can I use the internal Keycloak instance to somehow use the external keycloak instance as a federated user provider? Then I am hoping to secure the common war against the internal keycloak? Is this a viable option to explore?

Has anyone encountered a similar use case? I suspect this is a common practice in corporate environments?

Cheers
Travis

From rllavallee at hotmail.com Wed Apr 13 15:48:41 2016 From: rllavallee at hotmail.com (Richard Lavallee) Date: Wed, 13 Apr 2016 19:48:41 +0000 Subject: [keycloak-user] Question re Keycloak password / session ploicies In-Reply-To: References: , , , , , , , , , Message-ID: I appreciate your patience, Stian, is the below list also supported by Keycloak?
- Do you want to enable password aging? Yes / No
- Select the number of days before password must be changed. 30 / 35 / 40 / 45 / 50 / 55 / 60 / 65 / 70 / 75 / 80 / 85 / 90
- Do you want to enable session timeouts? Yes / No
- Enforce password complexity rules Yes / No
- Minimum password length 0 (Disabled) / 4 / 8 / 12
- Block reuse of how many recent passwords 0 (Disabled) / 6 / 12 / 24
- Block change of new passwords for how many days? 0 (Disabled) / 15 / 30 / 45
- Force change of new account passwords on first login? Yes / No
- Select amount of time before session will be terminated. 15 / 30 / 45 / 60
- Do you want to check for common passwords? Yes / No
- Inactivate user after how many days of inactivity? Never / 30 / 60 / 90 / 120
- Number of failed login attempts to allow before temporary lockout 0 (Disabled) / 3 / 5
- Number of minutes to block user after failed login attempts 0 Min / 15 Min / 30 Min / 60 Min

Date: Wed, 13 Apr 2016 20:47:37 +0200 Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: stian at redhat.com; keycloak-user at lists.jboss.org

Nope, that one is not there. You can add a jira request for it.

On 13 Apr 2016 20:46, "Richard Lavallee" wrote:

Is the below policy supported in Keycloak? If not can it be done in some custom way?

You are only allowed to change your password every 30 days

Date: Wed, 13 Apr 2016 20:42:20 +0200 Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: stian at redhat.com; keycloak-user at lists.jboss.org

Sure, but it would be a rather lengthy one.

On 13 Apr 2016 17:18, "Richard Lavallee" wrote:

Thanks. But even for repetitive letters such as "aaaa" I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes?

Date: Wed, 13 Apr 2016 06:47:09 +0200 Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: keycloak-user at lists.jboss.org

That'd do it. I got confused and thought you didn't want to repetitive letters.
On 12 April 2016 at 19:32, Richard Lavallee wrote:

- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.

Wouldn't the below suffice for regex? Thus avoiding needing custom work for the short-term?

    forward = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
    backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
    regex = "(" + forward + "|" + backward + ")+";

Date: Tue, 12 Apr 2016 06:37:41 +0200 Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies From: sthorger at redhat.com To: rllavallee at hotmail.com CC: keycloak-user at lists.jboss.org

On 11 April 2016 at 20:49, Richard Lavallee wrote:

Does Keycloak support the following requirements?

Password:
- Password should be changed in every 60 days (configurable)
Yes
- If user enters password wrong three times account is locked out for 15 min (configurable)
Yes
- Password chosen should not be previous 24 passwords
Yes
- Password should have a letter and a number
Yes
- Password should not have consecutive letters
Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.

Inactivity:
- Application session inactivity - default is 45 minutes (can be configured)
Yes, you can configure idle timeout for a session. Idle for a session is if there are no app logins or token refreshes
- Account inactivity - account inactivity is 30 days default (configurable)
Yes

-Richard
From jazz at sqmail.me Wed Apr 13 16:03:20 2016 From: jazz at sqmail.me (jazz) Date: Wed, 13 Apr 2016 22:03:20 +0200 Subject: [keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure Message-ID: <1460577800.28586.13.camel@sqmail.me>

Hi,

I have wildfly 10 installed using nginx as https proxy server [1, standalone-full.xml]. Works great when using weak ciphers in nginx. In that case keycloak can connect back to the app after authentication (redirect SSL). When using strong ciphers in nginx [2] it fails the ssl handshake [4]. JCE seems enabled since the deployed app reports

    2016-04-13 21:41:33,304 INFO  [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647

My question is: does keycloak use a limited set of ciphers? SNI works fine according to the log. I was digging in the code, but could not find something obvious [5]

Best regards, Jazz

[1] wildfly standalone-full.xml

    [... snip ...]

[2] nginx ssl.conf

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

[3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service
[4]
2016-04-13 21:41:46,495 INFO  [stdout] (default task-7) default task-7, setSoTimeout(0) called
2016-04-13 21:41:46,498 INFO  [stdout] (default task-7) Allow unsafe renegotiation: false
2016-04-13 21:41:46,500 INFO  [stdout] (default task-7) Allow legacy hello messages: true
2016-04-13 21:41:46,502 INFO  [stdout] (default task-7) Is initial handshake: true
2016-04-13 21:41:46,503 INFO  [stdout] (default task-7) Is secure renegotiation: false
2016-04-13 21:41:46,505 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,506 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,508 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,509 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,511 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,512 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,514 INFO  [stdout] (default task-7) %% No cached client session
2016-04-13 21:41:46,518 INFO  [stdout] (default task-7) *** ClientHello, TLSv1.2
2016-04-13 21:41:46,522 INFO  [stdout] (default task-7) RandomCookie:  GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12, 171, 41, 74, 46, 186, 180, 88 }
2016-04-13 21:41:46,523 INFO  [stdout] (default task-7) Session ID:  {}
2016-04-13 21:41:46,525 INFO  [stdout] (default task-7) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-04-13 21:41:46,526 INFO  [stdout] (default task-7) Compression Methods:  { 0 }
2016-04-13 21:41:46,527 INFO  [stdout] (default task-7) Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2016-04-13 21:41:46,529 INFO  [stdout] (default task-7) Extension server_name, server_name: [type=host_name (0), value=keycloak.example.com]
2016-04-13 21:41:46,530 INFO  [stdout] (default task-7) ***
2016-04-13 21:41:46,531 INFO  [stdout] (default task-7) default task-7, WRITE: TLSv1.2 Handshake, length = 138
2016-04-13 21:41:46,533 INFO  [stdout] (default task-7) default task-7, READ: TLSv1.2 Alert, length = 2
2016-04-13 21:41:46,534 INFO  [stdout] (default task-7) default task-7, RECV TLSv1.2 ALERT:  fatal, handshake_failure
2016-04-13 21:41:46,535 INFO  [stdout] (default task-7) default task-7, called closeSocket()
2016-04-13 21:41:46,536 INFO  [stdout] (default task-7) default task-7, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-04-13 21:41:46,537 INFO  [stdout] (default task-7) default task-7, called close()
2016-04-13 21:41:46,538 INFO  [stdout] (default task-7) default task-7, called closeInternal(true)
2016-04-13 21:41:46,539 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

[5] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
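Read side by side, the two artefacts Jazz posted already answer his question. The ClientHello in [4] offers only RSA, DHE_RSA and DHE_DSS suites; the nginx ssl_ciphers line in [2] admits only ECDHE suites. With no suite in common the server has nothing to choose and answers with exactly the fatal handshake_failure alert shown in the log. The unlimited-strength JCE policy governs permitted key sizes, not which key-exchange families the JVM offers, so confirming it (as Jazz did) cannot fix this. The script below is an added example, not part of the thread and not Keycloak or WildFly code; it mechanises the comparison. The OpenSSL-to-IANA name translation covers only the AES and 3DES names that occur in this thread, and the sample inputs are copied from the quoted debug dump and ssl.conf.

```python
import re

# Constructed from the javax.net.debug ClientHello dump quoted in the thread:
# the suites the JVM-side Keycloak adapter offered to nginx.
CLIENT_HELLO_DUMP = """
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
"""

# Constructed from the nginx ssl.conf quoted in the thread (OpenSSL names).
NGINX_SSL_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                     "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                     "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")

_OPENSSL_AES = re.compile(
    r"^(?:(ECDHE-ECDSA|ECDHE-RSA|DHE-RSA|DHE-DSS)-)?AES(128|256)-(GCM-)?(SHA|SHA256|SHA384)$")
# JSSE still prints the 3DES suites with the legacy SSL_ prefix.
_OPENSSL_3DES = {"DES-CBC3-SHA": "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
                 "EDH-RSA-DES-CBC3-SHA": "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                 "EDH-DSS-DES-CBC3-SHA": "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"}


def openssl_to_iana(name):
    """Translate an OpenSSL cipher-suite name into the IANA/JSSE name the JVM
    logs. Only the AES and 3DES names seen in this thread are covered; any
    other name raises so it cannot be silently dropped from the comparison."""
    if name in _OPENSSL_3DES:
        return _OPENSSL_3DES[name]
    m = _OPENSSL_AES.match(name)
    if not m:
        raise ValueError("unsupported OpenSSL suite name: " + name)
    kx, bits, gcm, digest = m.groups()
    kx = (kx or "RSA").replace("-", "_")   # no prefix means plain RSA key exchange
    mode = "GCM" if gcm else "CBC"
    return f"TLS_{kx}_WITH_AES_{bits}_{mode}_{digest}"


def client_offered_suites(dump):
    """Pull the Cipher Suites list out of a javax.net.debug ClientHello dump.
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a suite."""
    m = re.search(r"Cipher Suites:\s*\[(.*?)\]", dump, re.S)
    if not m:
        raise ValueError("no Cipher Suites list found in dump")
    suites = [s.strip() for s in m.group(1).split(",")]
    return [s for s in suites if not s.endswith("_SCSV")]


def key_exchange_families(suites):
    """Key-exchange/authentication family of each suite (RSA, DHE_RSA, ECDHE_RSA, ...)."""
    return {re.match(r"^(?:TLS|SSL)_(.+?)_WITH_", s).group(1) for s in suites}


def negotiable_suites(client_suites, nginx_ciphers):
    """Suites both sides support, in server preference order
    (the quoted config has ssl_prefer_server_ciphers on)."""
    server = [openssl_to_iana(c) for c in nginx_ciphers.split(":")]
    offered = set(client_suites)
    return [s for s in server if s in offered]


def diagnose(dump=CLIENT_HELLO_DUMP, nginx_ciphers=NGINX_SSL_CIPHERS):
    """Summarise what each side brings and whether a handshake can succeed.
    An empty intersection is precisely what a server answers with a fatal
    handshake_failure alert."""
    client = client_offered_suites(dump)
    server = [openssl_to_iana(c) for c in nginx_ciphers.split(":")]
    common = negotiable_suites(client, nginx_ciphers)
    return {"client_families": key_exchange_families(client),
            "server_families": key_exchange_families(server),
            "common": common,
            "handshake_possible": bool(common)}


if __name__ == "__main__":
    result = diagnose()
    print("client offers :", sorted(result["client_families"]))
    print("server accepts:", sorted(result["server_families"]))
    print("common suites :", result["common"] or "none -> handshake_failure")
```

The log does not say why the JVM offers no ECDHE suite at all. A JDK whose SunEC provider is absent or disabled cannot do ECDHE, which is one common cause; on the adapter's JVM, SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites() shows whether any ECDHE suite is available. The fix is either to restore EC support on the client side, which keeps the nginx policy intact, or to add a suite both sides accept to ssl_ciphers (one of the DHE-RSA GCM suites the client offers, together with a suitably strong ssl_dhparam), which the script confirms would make the intersection non-empty.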
From sblanc at redhat.com Wed Apr 13 16:49:05 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 13 Apr 2016 22:49:05 +0200
Subject: [keycloak-user] Error with the nodejs example and KC 1.9.1

So, in the end, yes, I found out it's the same bug. I was using the latest git version but it has a dependency on keycloak-auth-utils 0.0.16 retrieved from npm which is really old.

On Wed, Apr 13, 2016 at 6:55 PM, Luke Holmquist wrote:
> seb,
>
> is it because of this? https://issues.jboss.org/browse/KEYCLOAK-2798
>
> On Wed, Apr 13, 2016 at 12:52 PM, Sebastien Blanc wrote:
>> Hi,
>>
>> I'm trying the nodejs example provided here
>> https://github.com/sebastienblanc/keycloak-nodejs-connect/tree/master/example
>> and using Keycloak 1.9.1.Final.
>>
>> Once the nodejs app launched I am correctly redirected to the login page.
>> But once I log in I can see a stacktrace in KC:
>> https://gist.github.com/sebastienblanc/337597c8e570e5267c26f30b93c3c804
>> and the nodejs app hangs.
>>
>> Is it because of KC version, should I try with KC master?
>>
>> Thx,
>>
>> Sebi
From mstrukel at redhat.com Wed Apr 13 17:15:10 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 13 Apr 2016 23:15:10 +0200
Subject: [keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
In-Reply-To: <1460577800.28586.13.camel@sqmail.me>
References: <1460577800.28586.13.camel@sqmail.me>

If you are using Oracle JDK you may need to install strong encryption.

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

On Apr 13, 2016 10:03 PM, "jazz" wrote:
> Hi,
>
> I have wildfly 10 installed using nginx as https proxy server [1, standalone-full.xml]. Works great when using weak ciphers in nginx. In that case keycloak can connect back to the app after authentication (redirect SSL). When using strong ciphers in nginx [2] it fails the ssl handshake [4]. JCE seems enabled since the deployed app reports 2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647
>
> My question is: does keycloak use a limited set of ciphers? SNI works fine according to the log. I was digging in the code, but could not find something obvious [5]
>
> Best regards, Jazz
>
> [1] wildfly standalone-full.xml
>
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
>     <buffer-cache name="default"/>
>     <server name="default-server">
>         <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
> [... snip ...]
> > > > > > > > > > > > > > > [2] nginx ssl.conf > ssl_protocols TLSv1 TLSv1.1 TLSv1.2; > ssl_prefer_server_ciphers on; > ssl_session_timeout 5m; > ssl_ciphers > ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; > > > [3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service > > [4] > > 2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default task-7, > setSoTimeout(0) called > 2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe > renegotiation: false > 2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy hello > messages: true > 2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial > handshake: true > 2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure > renegotiation: false > 2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring > unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 > 2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring > unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 > 2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring > unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1 > 2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring > unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 > 2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring > unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 > 2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring > unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1 > 2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached > client session > 2016-04-13 21:41:46,518 INFO [stdout] (default task-7) *** ClientHello, > TLSv1.2 > 2016-04-13 21:41:46,522 INFO [stdout] (default task-7) > 
RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130, 99, > 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12, 171, 41, > 74, 46, 186, 180, 88 } > 2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {} > 2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher Suites: > [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, > TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, > TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, > TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, > TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, > SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] > 2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression > Methods: { 0 } > 2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension > signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, > SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, > SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA > 2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension > server_name, server_name: [type=host_name (0), value=keycloak.example.com] > 2016-04-13 21:41:46,530 INFO [stdout] (default task-7) *** > 2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default task-7, > WRITE: TLSv1.2 Handshake, length = 138 > 2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default task-7, > READ: TLSv1.2 Alert, length = 2 > 2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default task-7, > RECV TLSv1.2 ALERT: 
fatal, handshake_failure > 2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default task-7, > called closeSocket() > 2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default task-7, > handling exception: javax.net.ssl.SSLHandshakeException: Received fatal > alert: handshake_failure > 2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default task-7, > called close() > 2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default task-7, > called closeInternal(true) > 2016-04-13 21:41:46,539 ERROR > [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed > to turn code into token: javax.net.ssl.SSLHandshakeException: Received > fatal alert: handshake_failure > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) > at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125) > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) > at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543) > at > org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409) > at > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) > at > org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) > at > org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) > at > org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) > at > org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) > at > 
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) > at > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314) > at > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260) > at > org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112) > at > org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110) > at > org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92) > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233) > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250) > at > io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219) > at > io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121) > at > io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96) > at > io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) > at > io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > 
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at 
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> [5] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java

From juandiego83 at gmail.com Wed Apr 13 20:04:11 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Wed, 13 Apr 2016 19:04:11 -0500
Subject: [keycloak-user] Connecting custom user federation provider to database

Hi,

What is the proper way to connect my user federation provider to my database? I was reading something online about adding another DataSource to connectionsJpa; I could add my app datasource. Does anybody have an example on how to do this?

Thanks

From jessec at dnbcloud.com Wed Apr 13 21:53:14 2016
From: jessec at dnbcloud.com (Jesse Chahal)
Date: Wed, 13 Apr 2016 18:53:14 -0700
Subject: [keycloak-user] Login works sometimes, sometimes doesn't

Hi,

So it looks like the previous fix to the logout URL did the trick. I've now run into a much harder to solve problem (and harder to describe). We are inconsistently able to login to our client applications using keycloak for authentication. Trying the same username+password has about an 80% chance of logging you in correctly. It has a 15% chance of logging you in correctly if a keycloak node within a keycloak cluster dies.
I made up the %'s but it's based on what we are observing. So a user is actually able to login in the sense of putting in a username+password and getting redirected to the client applications; after that things may or may not go wrong. Oftentimes they will access the client application with the correct role and everything will work ok. Sometimes though if something goes wrong they will be redirected back to the client and will not be able to access the client correctly. The below stacktraces usually show up in those cases. I think it might be related to keycloak cache + browser cache having weird issues as the only way I've seen to resolve this issue is to destroy the session cache within keycloak and get rid of the browser cache (browser cache is more of a fault of the client app probably). Even with this it can take multiple attempts before a user regains the ability to go to the keycloak admin page and still may or may not lead to a successful redirect to the client with a correctly authenticated account (could start this whole weird loop again with the stacktraces below). I don't know if anyone has come into an issue like this. I was also hoping to find examples of client applications that have their own accounts which somehow get mapped to keycloak accounts but I haven't seen any.
Environment
------------------------
- keycloak 1.9.1.Final
- running using standalone-HA.xml
- using JGroups+JDBC_Ping
- postgres database
- on AWS
- some global roles (set on user accounts)

Client
------------
- running on Wildfly10
- using keycloak subsystem
- client protocol = openid-connect
- access type = confidential
- standard flow enabled
- client authenticator = client id and secret

Keycloak 1.9.1 server error
-------------------------------------------
2016-04-14 01:20:11,112 WARN [org.keycloak.events] (default task-17) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=b2744ba1-7f74-4849-8077-b17659af3095, client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret

Wildfly 10 client server error:
-----------------------------------------
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [gwt_pc3q14cr_101 blah at example.com ] failed to turn code into token
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [gwt_pc3q14cr_101 blah at example.com ] status from server: 400
01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [gwt_pc3q14cr_101 blah at example.com ] {"error_description":"Code not
found","error":"invalid_grant"}

From bburke at redhat.com Wed Apr 13 23:13:46 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 13 Apr 2016 23:13:46 -0400
Subject: [keycloak-user] Login works sometimes, sometimes doesn't
Message-ID: <570F0AEA.9010102@redhat.com>

These problems only happen when a cluster node dies? If so: How are you setting up the distributed cache for user sessions? If you have only 1 owner, then the session is only replicated on one node. This is the default behavior.

302 redirects should not be cached by the browser unless a Cache-Control header is set. Do you have a filter doing this?

http://stackoverflow.com/questions/12212839/how-long-is-a-302-redirect-saved-in-browser

On 4/13/2016 9:53 PM, Jesse Chahal wrote:
> Hi,
>
> So it looks like the previous fix to the logout URL did the trick.
> I've now run into a much harder to solve problem (and harder to
> describe). We are inconsistently able to login to our client
> applications using keycloak for authentication. Trying the same
> username+password has about an 80% chance of logging you in correctly.
> It has a 15% chance of logging you in correctly if a keycloak node
> within a keycloak cluster dies. I made up the %'s but its based on
> what we are observing. So a user is actually able to login in the
> sense of putting in a username+password and getting redirected to the
> client applications, after that things may or may not go wrong. Often
> times they will access the client application with the correct role
> and everything will work ok. Sometimes though if something goes wrong
> they will be redirected back to the client and will not be able to
> access the client correctly. The below stacktraces usually show up in
> those cases.
> I think it might be related to keycloak cache + browser
> cache having weird issues as the only way I've seen to resolve this
> issue is to destroy the session cache within keycloak and get rid of
> the browser cache (browser cache is more of a fault of the client app
> probably). Even with this it can take multiple attempts before a user
> regains the ability to go to the keycloak admin page and still may or
> may not lead to a successful redirect to the client with a correctly
> authenticated account (could start this whole weird loop again with
> the stacktraces below). I don't know if anyone has come into an issue
> like this. I was also hoping to find examples of client applications
> that have their own accounts which somehow get mapped to keycloak
> accounts but I haven't seen any.
>
> Environment
> ------------------------
> - keycloak 1.9.1.Final
> - running using standalone-HA.xml
> - using JGroups+JDBC_Ping
> - postgres database
> - on AWS
> - some global roles (set on user accounts)
>
> Client
> ------------
> - running on Wildfly10
> - using keycloak subsystem
> - client protocol = openid-connect
> - access type = confidential
> - standard flow enabled
> - client authenticator = client id and secret
>
> Keycloak 1.9.1 server error
> -------------------------------------------
> 2016-04-14 01:20:11,112 WARN [org.keycloak.events] (default task-17) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=b2744ba1-7f74-4849-8077-b17659af3095, client_auth_method=client-secret
> 2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
> 2016-04-14 01:29:27,402 WARN [org.keycloak.events] (default task-2) type=CODE_TO_TOKEN_ERROR, realmId=1234-5678-9012-3456-7890, clientId=some_wildfly_client, userId=null, ipAddress=123.456.789.0, error=invalid_code, grant_type=authorization_code, code_id=58a57076-1f8e-404e-813b-13c31abe8efb, client_auth_method=client-secret
>
> Wildfly 10 client server error:
> -----------------------------------------
> 01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [gwt_pc3q14cr_101 blah at example.com ] failed to turn code into token
> 01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [gwt_pc3q14cr_101 blah at example.com ] status from server: 400
> 01:29:27,410 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [gwt_pc3q14cr_101 blah at example.com ] {"error_description":"Code not found","error":"invalid_grant"}

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

From jazz at sqmail.me Thu Apr 14 01:19:01 2016
From: jazz at sqmail.me (jazz at sqmail.me)
Date: Thu, 14 Apr 2016 07:19:01 +0200
Subject: [keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Message-ID: <20160414071901.Horde.T9uak356KytpJ0OCjs87gvJ@secure.sqmail.me>

Hi Marko,

Thanks for the feedback. I verified that strong encryption is available in the JVM:

2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647

This seems to be the case. Any other ideas?

Thanks in advance, Jazz

Marko Strukelj - Wed., 13. April 2016 23:15
> If you are using Oracle JDK you may need to install strong encryption.
>
> http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
>
> On Apr 13, 2016 10:03 PM, "jazz" wrote:
> Hi,
>
> I have wildfly 10 installed using nginx as https proxy server [1, standalone-full.xml]. Works great when using weak ciphers in nginx. In that case keycloak can connect back to the app after authentication (redirect SSL). When using strong ciphers in nginx [2] it fails the ssl handshake [4]. JCE seems enabled since the deployed app reports 2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647
>
> My question is: does keycloak use a limited set of ciphers? SNI works fine according to the log. I was digging in the code, but could not find something obvious [5]
>
> Best regards, Jazz
>
> [1] wildfly standalone-full.xml
>
> <subsystem xmlns="urn:jboss:domain:undertow:3.0">
>     <buffer-cache name="default"/>
>     <server name="default-server">
>         <http-listener proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
> [... snip ...]
> <socket-binding-group default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
>     <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
>     <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
>     <socket-binding name="http" port="${jboss.http.port:8080}"/>
>     <socket-binding name="https" port="${jboss.https.port:8444}"/>
>     <socket-binding name="proxy-https" port="443"/>
>
> [2] nginx ssl.conf
> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> ssl_prefer_server_ciphers on;
> ssl_session_timeout 5m;
> ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
>
> [3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service
>
> [4]
>
> 2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default task-7, setSoTimeout(0) called
> 2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe renegotiation: false
> 2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy hello messages: true
> 2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial handshake: true
> 2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure renegotiation: false
> 2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> 2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> 2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> 2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached client session
> 2016-04-13 21:41:46,518 INFO [stdout] (default task-7) *** ClientHello, TLSv1.2
> 2016-04-13 21:41:46,522 INFO [stdout] (default task-7) RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12, 171, 41, 74, 46, 186, 180, 88 }
> 2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {}
> 2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> 2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression Methods: { 0 }
> 2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
> 2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension server_name, server_name: [type=host_name (0), value=keycloak.example.com]
> 2016-04-13 21:41:46,530 INFO [stdout] (default task-7) ***
> 2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default task-7, WRITE: TLSv1.2 Handshake, length = 138
> 2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default task-7, READ: TLSv1.2 Alert, length = 2
> 2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default task-7, RECV TLSv1.2 ALERT: fatal, handshake_failure
> 2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default task-7, called closeSocket()
> 2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default task-7, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> 2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default task-7,
called close()
> 2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default task-7, called closeInternal(true)
> 2016-04-13 21:41:46,539 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
> at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
> at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
>
> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
>
> [5]
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
>

From phofficial at centrum.cz Thu Apr 14 01:38:52 2016
From: phofficial at centrum.cz (Pavel Hora)
Date: Thu, 14 Apr 2016 07:38:52 +0200
Subject: [keycloak-user] Token cant be decoded with base64
In-Reply-To: 
References: , <20160413123918.2286048A@centrum.cz>, <20160413163500.B016D97A@centrum.cz>
Message-ID: <20160414073852.5BEEE4F5@centrum.cz>

No one Base64 decoder can decode it. Even atob JS function, ...

______________________________________________________________
> From: Stian Thorgersen
> To: Pavel Hora
> Date: 13.04.2016 20:43
> Subject: Re: [keycloak-user] Token cant be decoded with base64
>
> CC: "keycloak-user"
> It's base64 URL encoded which is slightly different, but only sometimes
> On 13 Apr 2016 16:36, "Pavel Hora" wrote:
>
> > ...we have custom mapper of type user property with property value lastName
> >
> > Full user name mapper type works fine
> >
> > ______________________________________________________________
> > From: "Pavel Hora"
> > To:
> > Date: 13.04.2016 12:39
> > Subject: Token cant be decoded with base64
> >
> > Hi,
> >
> > we are using Keycloak 1.7.0 Final and for users with national characters in lastname (O?en??ek) it is not possible to decode the generated token with base64. ...firstname is Lukáš
> >
> > String[] splited = src_bad.split("\\.");
> > String srcToEnc = splited[1];
> > Decoder d = Base64.getDecoder();
> > d.decode(srcToEnc);
> >
> > ...Illegal base64 character
> >
> > Any suggestion?
> > thx,
> > pH.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
From sthorger at redhat.com Thu Apr 14 02:03:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Apr 2016 08:03:38 +0200
Subject: [keycloak-user] Token cant be decoded with base64
In-Reply-To: <20160414073852.5BEEE4F5@centrum.cz>
References: <20160413123918.2286048A@centrum.cz> <20160413163500.B016D97A@centrum.cz> <20160414073852.5BEEE4F5@centrum.cz>
Message-ID: 

It's Base64 url encoded, so you need to use a Base64 url decoder, not a Base64 decoder

On 14 April 2016 at 07:38, Pavel Hora wrote:
> No one Base64 decoder can decode it. Even atob JS function, ...
>
> ______________________________________________________________
> > From: Stian Thorgersen
> > To: Pavel Hora
> > Date: 13.04.2016 20:43
> > Subject: Re: [keycloak-user] Token cant be decoded with base64
> >
> > CC: "keycloak-user"
> It's base64 URL encoded which is slightly different, but only sometimes
> On 13 Apr 2016 16:36, "Pavel Hora" wrote:
>
>> ...we have custom mapper of type user property with property value lastName
>>
>> Full user name mapper type works fine
>>
>> ______________________________________________________________
>> > From: "Pavel Hora"
>> > To:
>> > Date: 13.04.2016 12:39
>> > Subject: Token cant be decoded with base64
>> >
>>
>> Hi,
>>
>> we are using Keycloak 1.7.0 Final and for users with national characters in lastname (O?en??ek) it is not possible to decode the generated token with base64. ...firstname is Lukáš
>>
>> String[] splited = src_bad.split("\\.");
>> String srcToEnc = splited[1];
>> Decoder d = Base64.getDecoder();
>> d.decode(srcToEnc);
>>
>> ...Illegal base64 character
>>
>> Any suggestion?
>> thx,
>> pH.
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Apr 14 02:05:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Apr 2016 08:05:27 +0200
Subject: [keycloak-user] Token cant be decoded with base64
In-Reply-To: 
References: <20160413123918.2286048A@centrum.cz> <20160413163500.B016D97A@centrum.cz> <20160414073852.5BEEE4F5@centrum.cz>
Message-ID: 

Take a look at https://github.com/keycloak/keycloak/blob/master/adapters/oidc/js/src/main/resources/keycloak.js#L640, it's not just calling atob, it's doing some other stuff first.

On 14 April 2016 at 08:03, Stian Thorgersen wrote:
> It's Base64 url encoded, so you need to use a Base64 url decoder, not a Base64 decoder
>
> On 14 April 2016 at 07:38, Pavel Hora wrote:
>
>> No one Base64 decoder can decode it. Even atob JS function, ...
>>
>> ______________________________________________________________
>> > From: Stian Thorgersen
>> > To: Pavel Hora
>> > Date: 13.04.2016 20:43
>> > Subject: Re: [keycloak-user] Token cant be decoded with base64
>> >
>> > CC: "keycloak-user"
>>
>> It's base64 URL encoded which is slightly different, but only sometimes
>> On 13 Apr 2016 16:36, "Pavel Hora" wrote:
>>
>>> ...we have custom mapper of type user property with property value lastName
>>>
>>> Full user name mapper type works fine
>>>
>>> ______________________________________________________________
>>> > From: "Pavel Hora"
>>> > To:
>>> > Date: 13.04.2016 12:39
>>> > Subject: Token cant be decoded with base64
>>> >
>>>
>>> Hi,
>>>
>>> we are using Keycloak 1.7.0 Final and for users with national characters in lastname (O?en??ek) it is not possible to decode the generated token with base64. ...firstname is Lukáš
>>>
>>> String[] splited = src_bad.split("\\.");
>>> String srcToEnc = splited[1];
>>> Decoder d = Base64.getDecoder();
>>> d.decode(srcToEnc);
>>>
>>> ...Illegal base64 character
>>>
>>> Any suggestion?
>>> thx,
>>> pH.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
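Stian's two points in this thread (the segments are base64url, and keycloak.js does more than call atob) as an added browser-side example; this is neither keycloak.js nor code from the thread. It rewrites the url-safe alphabet and restores the padding before atob, then decodes the bytes as UTF-8 so a name like the Czech one in Pavel's token survives. The two sample tokens are constructed, with placeholder header and signature segments, and the function reads claims only; it verifies nothing, which stays the resource server's job.

```javascript
// Added example (not keycloak.js, not code from this thread): decode the
// payload segment of a JWT the way a browser app must, instead of feeding it
// straight to atob() or java.util.Base64.getDecoder().
//
// JWT segments use base64url (RFC 4648 section 5): '-' and '_' replace '+'
// and '/', and the trailing '=' padding is dropped. Standard decoders reject
// exactly those two characters ("Illegal base64 character").

// Rewrite a base64url string into standard, padded base64.
function base64UrlToStandard(s) {
  let out = s.replace(/-/g, '+').replace(/_/g, '/');
  switch (out.length % 4) {
    case 0: break;
    case 2: out += '=='; break;
    case 3: out += '='; break;
    default: throw new Error('invalid base64url length');
  }
  return out;
}

// base64url -> raw bytes. atob() exists in browsers and Node >= 16; the
// Buffer branch is a fallback for older Node.
function base64UrlToBytes(s) {
  const std = base64UrlToStandard(s);
  const bin = typeof atob === 'function'
    ? atob(std)
    : Buffer.from(std, 'base64').toString('latin1');
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// atob() yields one JS char per byte (Latin-1), so a UTF-8 name such as
// "Lukáš" would come out mangled; decode the bytes as UTF-8 explicitly.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const json = new TextDecoder('utf-8').decode(base64UrlToBytes(parts[1]));
  return JSON.parse(json);
}

// Constructed sample tokens (header and signature segments are placeholders;
// nothing here verifies a signature, that is the resource server's job).
//   {"~":1}        -> eyJ-IjoxfQ           (contains '-', which atob() rejects as-is)
//   {"n":"Lukáš"}  -> eyJuIjoiTHVrw6HFoSJ9 (UTF-8 bytes for á and š)
const SAMPLE_URLSAFE = 'hdr.eyJ-IjoxfQ.sig';
const SAMPLE_UTF8 = 'hdr.eyJuIjoiTHVrw6HFoSJ9.sig';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(decodeJwtPayload(SAMPLE_URLSAFE)); // { '~': 1 }
  console.log(decodeJwtPayload(SAMPLE_UTF8));    // { n: 'Lukáš' }
}
```

The Java equivalent of the first function is simply `Base64.getUrlDecoder()` in place of `Base64.getDecoder()`; the UTF-8 step matters in both languages, since `new String(bytes)` with the platform charset mangles the same names.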
From sthorger at redhat.com Thu Apr 14 02:08:13 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Apr 2016 08:08:13 +0200
Subject: [keycloak-user] Question re Keycloak password / session ploicies
In-Reply-To: 
References: 
Message-ID: 

On 13 April 2016 at 21:48, Richard Lavallee wrote:
> I appreciate your patience, Stian,
> is the below list also supported by Keycloak?
>
> Do you want to enable password aging? YesNo

Yes

> Select the number of days before password must be changed. 30354045505560 657075808590

Yes

> Do you want to enable session timeouts? YesNo

Yes

> Enforce password complexity rules YesNo

Depends what the rules are ;)

> Minimum password length 0 (Disabled)4812

Yes

> Block reuse of how many recent passwords 0 (Disabled)61224

Yes

> Block change of new passwords for how many days? 0 (Disabled)153045

No, you can create a JIRA for this one though

> Force change of new account passwords on first login? YesNo

Yes

> Select amount of time before session will be terminated. 15304560

Yes

> Do you want to check for common passwords? YesNo

No, we really should have this one. JIRA please

> Inactivate user after how many days of inactivity? Never306090120

Yes

> Number of failed login attempts to allow before temporary lockout 0 (Disabled)35

Yes

> Number of minutes to block user after failed login attempts 0 Min15 Min30 Min60 Min

Yes

>
> ------------------------------
> Date: Wed, 13 Apr 2016 20:47:37 +0200
> Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: stian at redhat.com; keycloak-user at lists.jboss.org
>
> Nope, that one is not there. You can add a jira request for it.
> On 13 Apr 2016 20:46, "Richard Lavallee" wrote:
>
> *Is the below policy supported in Keycloak?
> If not can it be done in some custom way?*
>
> You are only allowed to change your password every 30 days
>
> ------------------------------
> Date: Wed, 13 Apr 2016 20:42:20 +0200
> Subject: RE: [keycloak-user] Question re Keycloak password / session ploicies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: stian at redhat.com; keycloak-user at lists.jboss.org
>
> Sure, but it would be a rather lengthy one.
> On 13 Apr 2016 17:18, "Richard Lavallee" wrote:
>
> Thanks. But even for repetitive letters such as "aaaa"
> I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes?
>
> ------------------------------
> Date: Wed, 13 Apr 2016 06:47:09 +0200
> Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: keycloak-user at lists.jboss.org
>
> That'd do it. I got confused and thought you didn't want repetitive letters.
>
> On 12 April 2016 at 19:32, Richard Lavallee wrote:
>
> - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.
>
> Wouldn't the below suffice for regex? Thus avoiding needing custom work for the short-term?
>
> forward = "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz",
> backward = "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba",
> regex = "(" + forward + "|" + backward + ")+";
>
> ------------------------------
> Date: Tue, 12 Apr 2016 06:37:41 +0200
> Subject: Re: [keycloak-user] Question re Keycloak password / session ploicies
> From: sthorger at redhat.com
> To: rllavallee at hotmail.com
> CC: keycloak-user at lists.jboss.org
>
> On 11 April 2016 at 20:49, Richard Lavallee wrote:
>
> Does Keycloak support the following requirements?
>
> *Password:*
>
> - Password should be changed in every 60 days (configurable)
>
> Yes
>
> - If user enters password wrong three times account is locked out for 15 min (configurable)
>
> Yes
>
> - Password chosen should not be previous 24 passwords
>
> Yes
>
> - Password should have a letter and a number
>
> Yes
>
> - Password should not have consecutive letters
>
> Maybe, if you can come up with a way to write that as regex (probably not though). We'll add ability to create custom password policies in the future though.
>
> -
>
> *Inactivity:*
>
> - Application session inactivity - default is 45 minutes (can be configured)
>
> Yes, you can configure idle timeout for a session. Idle for a session is if there are no app logins or token refreshes
>
> - Account inactivity - account inactivity is 30 days default (configurable)
>
> Yes
>
> -Richard
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Apr 14 02:55:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Apr 2016 08:55:25 +0200
Subject: [keycloak-user] Internal and External Keycloak IDP's
In-Reply-To: 
References: 
Message-ID: 

On 13 April 2016 at 20:51, Travis De Silva wrote:
> Hi,
>
> I have a client that as per their corporate security policy, require a separate KeyCloak instance for external users and a separate one for internal users.
>
> The external one is located in a different DMZ zone and the internal one is located inside the firewall.
>
> The internal and external client applications are also different.
Each of these client applications connect to a common java services layer (JAX-RS based REST API's)
>
> The Java Restful services are located in the same zone as the internal KeyCloak IDP. External users can access these services via proxy and firewall controls.
>
> My issue is how do I secure the common services war against two IDP's?
>
> Option 1
> Had a look at the multi-tenant example (https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant) which is the closest to my use case but it seems to work off a single or clustered Keycloak instance and not separate keycloak instances.

This! Your use-case is exactly why this was implemented in the first place ;)

> Option 2
> My next idea is to maybe on the services.war store the keys from the two different keycloak instances and then have a filter that will read the token and validate it against the keys. But this means I will not be able to use the standard Java security annotations in my services classes to protect the classes/methods via annotations.
>
> Option 3
> Can I use the internal Keycloak instance to somehow use the external keycloak instance as a federated user provider? Then I am hoping to secure the common war against the internal keycloak? Is this a viable option to explore?

That's not going to work as the service needs to be able to verify the token which is dependent on what Keycloak instance and realm issued it. So sharing users is not going to help here.

> Has anyone encountered a similar use case? I suspect this is a common practice in corporate environments?
>
> Cheers
> Travis
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
From sthorger at redhat.com Thu Apr 14 03:28:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 14 Apr 2016 09:28:35 +0200
Subject: [keycloak-user] [keycloak-dev] Documentation subjects - need feedback
In-Reply-To: <570D128D.2010906@redhat.com>
References: <570D0C44.6010907@redhat.com> <570D128D.2010906@redhat.com>
Message-ID: 

A few things here: https://issues.jboss.org/issues/?jql=statusCategory%20%3D%20new%20AND%20project%20%3D%2012313920%20AND%20fixVersion%20%3D%2012329877%20AND%20component%20%3D%20Documentation

On 12 April 2016 at 17:21, Bill Burke wrote:
> Not sure what you mean by entitlements. User role mappings is about all we got. Please edit the Wiki directly.
>
> On 4/12/2016 11:06 AM, Lars Noldan wrote:
>
> I'd love more documentation about how entitlements are being handled by keycloak users, and best practices for configuring the same.
>
> On Tue, Apr 12, 2016 at 9:55 AM, Bill Burke wrote:
>
>> Created a wiki:
>>
>> https://github.com/keycloak/keycloak/wiki/Docs
>>
>> Please add things you want covered that are weak or non-existent in documentation. I'll be going through the email list as I know there were a number of threads on this stuff too. I'll post an outline sometime next week after we have a few internal meetings on the subject.
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
From traviskds at gmail.com Thu Apr 14 03:31:04 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Thu, 14 Apr 2016 07:31:04 +0000
Subject: [keycloak-user] Internal and External Keycloak IDP's
In-Reply-To: 
References: 
Message-ID: 

Thanks Stian. Yes I went with option1 and that is working like a charm. Had to make some changes where I check a header value rather than the path value and also loaded the keycloak.json files externally to the war file so if the keys are regenerated the support guys can update the file without having to build and deploy the war file.

On Thu, 14 Apr 2016 at 16:55 Stian Thorgersen wrote:
> On 13 April 2016 at 20:51, Travis De Silva wrote:
>
>> Hi,
>>
>> I have a client that as per their corporate security policy, require a separate KeyCloak instance for external users and a separate one for internal users.
>>
>> The external one is located in a different DMZ zone and the internal one is located inside the firewall.
>>
>> The internal and external client applications are also different. Each of these client applications connect to a common java services layer (JAX-RS based REST API's)
>>
>> The Java Restful services are located in the same zone as the internal KeyCloak IDP. External users can access these services via proxy and firewall controls.
>>
>> My issue is how do I secure the common services war against two IDP's?
>>
>> Option 1
>> Had a look at the multi-tenant example (https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant) which is the closest to my use case but it seems to work off a single or clustered Keycloak instance and not separate keycloak instances.
>>
>
> This!
Your use-case is exactly why this was implemented in the first place ;)
>
>> Option 2
>> My next idea is to maybe on the services.war store the keys from the two different keycloak instances and then have a filter that will read the token and validate it against the keys. But this means I will not be able to use the standard Java security annotations in my services classes to protect the classes/methods via annotations.
>>
>> Option 3
>> Can I use the internal Keycloak instance to somehow use the external keycloak instance as a federated user provider? Then I am hoping to secure the common war against the internal keycloak? Is this a viable option to explore?
>>
>
> That's not going to work as the service needs to be able to verify the token which is dependent on what Keycloak instance and realm issued it. So sharing users is not going to help here.
>
>> Has anyone encountered a similar use case? I suspect this is a common practice in corporate environments?
>>
>> Cheers
>> Travis
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From guus.der.kinderen at gmail.com Thu Apr 14 06:09:43 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Thu, 14 Apr 2016 12:09:43 +0200
Subject: [keycloak-user] Question re Keycloak password / session ploicies
In-Reply-To: 
References: 
Message-ID: 

JIRA issue for common password check: https://issues.jboss.org/browse/KEYCLOAK-2822

On 14 April 2016 at 08:08, Stian Thorgersen wrote:
>
> On 13 April 2016 at 21:48, Richard Lavallee wrote:
>
>> I appreciate your patience, Stian,
>> is the below list also supported by Keycloak?
>>
>> Do you want to enable password aging?
YesNo >> > > Yes > > >> Select the number of days before password must be changed. 30354045505560 >> 657075808590 >> > > Yes > > >> Do you want to enable session timeouts? YesNo >> > > Yes > > >> Enforce password complexity rules YesNo >> > > Depends what the rules are ;) > > >> Minimum password length 0 (Disabled)4812 >> > > Yes > > >> Block reuse of how many recent passwords 0 (Disabled)61224 >> > > Yes > > >> Block change of new passwords for how many days? 0 (Disabled)153045 >> > > No, you can create a JIRA for this one though > > >> Force change of new account passwords on first login? YesNo >> > > Yes > > >> Select amount of time before session will be terminated. 15304560 >> > > Yes > > >> Do you want to check for common passwords? YesNo >> > > No, we really should have this one. JIRA please > > >> Inactivate user after how many days of inactivity? Never306090120 >> > > Yes > > >> Number of failed login attempts to allow before temporary lockout 0 >> (Disabled)35 >> > > Yes > > >> Number of minutes to block user after failed login attempts 0 Min15 Min30 >> Min60 Min >> > > Yes > > >> >> >> ------------------------------ >> Date: Wed, 13 Apr 2016 20:47:37 +0200 >> >> Subject: RE: [keycloak-user] Question re Keycloak password / session >> ploicies >> From: sthorger at redhat.com >> To: rllavallee at hotmail.com >> CC: stian at redhat.com; keycloak-user at lists.jboss.org >> >> Nope, that one is not there. You can add a jira request for it. >> On 13 Apr 2016 20:46, "Richard Lavallee" wrote: >> >> *Is the below policy supported in Keycloak? 
If not can it be done in >> some custom way?* >> >> You are only allowed to change your password every 30 days >> >> ------------------------------ >> Date: Wed, 13 Apr 2016 20:42:20 +0200 >> Subject: RE: [keycloak-user] Question re Keycloak password / session >> ploicies >> From: sthorger at redhat.com >> To: rllavallee at hotmail.com >> CC: stian at redhat.com; keycloak-user at lists.jboss.org >> >> Sure, but it would be a rather lengthy one. >> On 13 Apr 2016 17:18, "Richard Lavallee" wrote: >> >> Thanks. But even for repetitive letters such as "aaaa" >> I could still devise a regex such as "xx" | "xX" | "Xx" | "XX", yes? >> >> ------------------------------ >> Date: Wed, 13 Apr 2016 06:47:09 +0200 >> Subject: Re: [keycloak-user] Question re Keycloak password / session >> ploicies >> From: sthorger at redhat.com >> To: rllavallee at hotmail.com >> CC: keycloak-user at lists.jboss.org >> >> That'd do it. I got confused and thought you didn't want to repetitive >> letters. >> >> On 12 April 2016 at 19:32, Richard Lavallee >> wrote: >> >> >> - Password should not have consecutive letters >> >> Maybe, if you can come up with a way to write that as regex (probably not >> though). We'll add ability to create custom password policies in the future >> though. >> >> Wouldn't the below suffice for regex? Thus avoiding needing custom work >> for the short-term? 
>> >> forward = >> "ab|bc|cd|de|ef|fg|gh|hi|ij|jk|kl|lm|mn|no|op|pq|qr|rs|st|tu|uv|vw|wx|xy|yz", >> backward = >> "zy|yx|xw|wv|vu|ut|ts|sr|rq|qp|po|on|nm|ml|lk|kj|ji|ih|hg|gf|fe|ed|dc|cb|ba", >> regex = "(" + forward + "|" + backward + ")+"; >> >> >> ------------------------------ >> Date: Tue, 12 Apr 2016 06:37:41 +0200 >> Subject: Re: [keycloak-user] Question re Keycloak password / session >> ploicies >> From: sthorger at redhat.com >> To: rllavallee at hotmail.com >> CC: keycloak-user at lists.jboss.org >> >> >> >> >> On 11 April 2016 at 20:49, Richard Lavallee >> wrote: >> >> Does Keycloak support the following requirements? >> >> *Password:* >> >> - Password should be changed in every 60 days (configurable) >> >> Yes >> >> >> - If user enters password wrong three times account is locked out for >> 15 min (configurable) >> >> Yes >> >> >> - Password chosen should not be previous 24 passwords >> >> Yes >> >> >> - Password should have a letter and a number >> >> Yes >> >> >> - Password should not have consecutive letters >> >> Maybe, if you can come up with a way to write that as regex (probably not >> though). We'll add ability to create custom password policies in the future >> though. >> >> >> - >> >> *Inactivity:* >> >> - Application session inactivity - default is 45 minutes (can be >> configured) >> >> Yes, you can configure idle timeout for a session. 
Idle for a session is >> if there are no app logins or token refreshes >> >> >> - Account inactivity - account inactivity is 30 days default >> (configurable) >> >> Yes >> >> >> -Richard >> >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160414/f13021cb/attachment-0001.html From kga.official at gmail.com Thu Apr 14 07:22:03 2016 From: kga.official at gmail.com (Akshay Kini) Date: Thu, 14 Apr 2016 16:52:03 +0530 Subject: [keycloak-user] Does Keycloak adhere to the JCA (Java Cryptography Architecture)? i.e. if I change the JVM's crypto provider, keycloak should use that. Message-ID: Hi Folks, *Does Keycloak adhere to the JCA (Java Cryptography Architecture)? i.e. if I change the JVM's cryptography provider to a custom one, Keycloak should use that provider for all cryptography operations.* Some context for this: In our use case, our entire JVM runs with a FIPS compliant Cryptography Provider being available. If code that is running, on it is using the JCA correctly, then that code will also be FIPS ready. Thanks, Regards, Akshay -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160414/8263305e/attachment.html From sthorger at redhat.com Thu Apr 14 07:28:19 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 14 Apr 2016 13:28:19 +0200 Subject: [keycloak-user] Does Keycloak adhere to the JCA (Java Cryptography Architecture)? i.e. if I change the JVM's crypto provider, keycloak should use that. 
In-Reply-To: References: Message-ID: Afraid it's hardcoded to use Bouncycastle as the provider. You can open a JIRA for it though. On 14 April 2016 at 13:22, Akshay Kini wrote: > Hi Folks, > > *Does Keycloak adhere to the JCA (Java Cryptography Architecture)? i.e. if > I change the JVM's cryptography provider to a custom one, Keycloak should > use that provider for all cryptography operations.* > > Some context for this: > In our use case, our entire JVM runs with a FIPS compliant Cryptography > Provider being available. If code that is running, on it is using the JCA > correctly, then that code will also be FIPS ready. > > Thanks, > Regards, > Akshay > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160414/a67de259/attachment.html From thomas.raehalme at aitiofinland.com Thu Apr 14 08:47:49 2016 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Thu, 14 Apr 2016 15:47:49 +0300 Subject: [keycloak-user] JavaScript client, iframe and IE Message-ID: Hi! Has anyone encountered any problems with a JavaScript client running on Internet Explorer? It seems that IE applies some restrictions regarding