From ssilvert at redhat.com Sat Oct 1 08:49:20 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Sat, 01 Oct 2016 08:49:20 -0400
Subject: [keycloak-user] migrate-json operation produces WFLYCTL0212: Duplicate resource
In-Reply-To: <1475264393988.59394@smartstream-stp.com>
References: <1475261743121.14584@smartstream-stp.com> <1475264393988.59394@smartstream-stp.com>
Message-ID: <57EFB0D0.8070704@redhat.com>

You did it right. Any time you migrate a WildFly-based server, you need to use your current standalone.xml configuration. But this is not clear from the Keycloak docs. We will be updating the doc very soon.

On 9/30/2016 3:39 PM, Patrick Boe wrote:
> I resolved this by first copying standalone.xml from the previous (2.0.0) installation into the new installation, then running the migrate-json task. I also had to copy the .db files from the standalone/data directory of the old to the new. These are both steps not listed in
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/MigrationFromOlderVersions.html. Should I file a bug about this? Did I actually do the right thing?
>
> Patrick Boe
> ________________________________
> From: Patrick Boe
> Sent: Friday, September 30, 2016 2:55 PM
> To: keycloak-user at lists.jboss.org
> Subject: migrate-json operation produces WFLYCTL0212: Duplicate resource
>
> Hello,
>
> I'm not sure if I'm invoking this incorrectly, but I could use some help diagnosing an error I get when attempting to upgrade my Keycloak installation from 2.0.0 to 2.2.1.
>
> When, from the root of my new keycloak installation, I do:
>
>> .\bin\jboss-cli.bat
> [disconnected /] embed-server --server-config=standalone.xml
>
> [standalone at embedded /] /subsystem=keycloak-server:migrate-json
>
> I get the following error:
>
> {
>     "outcome" => "failed",
>     "failure-description" => "WFLYCTL0212: Duplicate resource [
>     (\"subsystem\" => \"keycloak-server\"),
>     (\"theme\" => \"defaults\")
> ]",
>     "rolled-back" => true
> }
>
> Does anyone have some advice on how to resolve this, or suggestions as to what I may have misconfigured?
>
> Best,
>
> Patrick Boe
> ________________________________
> The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From java at neposoft.com Sun Oct 2 10:15:05 2016
From: java at neposoft.com (java at neposoft.com)
Date: Sun, 2 Oct 2016 10:15:05 -0400
Subject: [keycloak-user] SAML/spring sec adapter : keycloak SP -> ssocircle IDS
Message-ID:

Hi,

Am trying to do SSO using Keycloak as SP configured with ssocircle Idp. Injected Keycloak client (SAML) SSO descriptor into ssocircle. Using Keycloak spring sec java adapter. Configured keycloak.json.

Question: can I use the Keycloak spring sec java adapter to protect the war? Would Keycloak do all the SAML handshake with Idp and return me some key and let the flow go on?

Appreciate if anyone can answer my questions. Anyone has done anything like this?
thanks

From traviskds at gmail.com Mon Oct 3 00:01:58 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 03 Oct 2016 04:01:58 +0000
Subject: [keycloak-user] User Groups in Token
Message-ID:

Hi,

Does anyone know if the user groups assigned to a user can be retrieved from the token? I haven't found a method that can pull this and I also checked OtherClaims and it was not there.

Basically, I want to get a list of groups that the logged in user is assigned to.

Cheers
Travis

From traviskds at gmail.com Mon Oct 3 01:12:15 2016
From: traviskds at gmail.com (Travis De Silva)
Date: Mon, 03 Oct 2016 05:12:15 +0000
Subject: [keycloak-user] User Groups in Token
In-Reply-To:
References:
Message-ID:

Figured it out. I added a Group Membership mapper and the group list was in the OtherClaims.

On Mon, 3 Oct 2016 at 15:01 Travis De Silva wrote:
> Hi,
>
> Does anyone know if the user groups assigned to a user can be retrieved
> from the token? I haven't found a method that can pull this and I also
> checked OtherClaims and it was not there.
>
> Basically, I want to get a list of groups that the logged in user is
> assigned to.
>
> Cheers
> Travis
>

From teknodjs at gmail.com Mon Oct 3 02:42:55 2016
From: teknodjs at gmail.com (Padmaka Wijaygoonawardena)
Date: Mon, 3 Oct 2016 12:12:55 +0530
Subject: [keycloak-user] With Keycloak 2.2.1 the DB migration fails
In-Reply-To:
References:
Message-ID:

Hi,

This issue started to occur from Keycloak version 2.1.0. I have tested the migration from a fresh DB in 1.7.0 and 1.9.0 and it worked. This issue has been raised by others as well but hasn't been answered yet.

https://developer.jboss.org/thread/272010

and I have the JTA configuration in the standalone.xml. The root cause of the problem as I understand is "IJ030022: Lock owned during cleanup: ServerService Thread Pool -- 56: java.lang.Throwable: Lock owned during cleanup". Can you please investigate why this happens?
https://access.redhat.com/solutions/467903

Thanks,
Padmaka

On Thu, Sep 29, 2016 at 6:04 PM, Bill Burke wrote:
> Keycloak interaction now uses JTA. Make sure you have the following in
> standalone.xml or keycloak-server.json
>
> "jta-lookup": {
>     "provider": "${keycloak.jta.lookup.provider:jboss}",
>     "jboss" : {
>         "enabled": true
>     }
> }
>
> On 9/29/16 5:23 AM, Stian Thorgersen wrote:
>
> Looks more like a database connection issue than a migration issue. Did
> you try Googling for "IJ031040: Connection is not associated with a
> managed connection"?
> On 29 September 2016 at 07:17, Padmaka Wijaygoonawardena <
> teknodjs at gmail.com> wrote:
>>
>> Hi,
>> With Keycloak 2.2.1 release the DB migration from a fresh DB fails this
>> also occurred in 2.1.0 as well. I use a MySQL DB as the database. attached
>> herewith is the stack trace.
>> [2016-09-28 10:35:18.0609], WARN , org.jboss.jca.core.connectionm
>> anager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool
>> ServerService Thread Pool -- 62 - IJ000615: Destroying active connection in
>> pool: mysql_keycloak (org.jboss.jca.adapters.jdbc.l
>> ocal.LocalManagedConnection at 2899b74f)
>> [2016-09-28 10:35:18.0618], WARN , org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection
>> ServerService Thread Pool -- 62 - IJ030022: Lock owned during cleanup:
>> ServerService Thread Pool -- 56: java.lang.Throwable: Lock owned during
>> cleanup: ServerService Thread Pool -- 56
>> at java.net.SocketInputStream.socketRead0(Native Method)
>> at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
>> at java.net.SocketInputStream.read(SocketInputStream.java:170)
>> at java.net.SocketInputStream.read(SocketInputStream.java:141)
>> at com.mysql.jdbc.util.ReadAheadInputStream.fill(ReadAheadInput
>> Stream.java:100)
>> at com.mysql.jdbc.util.ReadAheadInputStream.readFromUnderlyingS
>> treamIfNecessary(ReadAheadInputStream.java:143)
>> at
>> com.mysql.jdbc.util.ReadAheadInputStream.read(ReadAheadInput
>> Stream.java:173)
>> at com.mysql.jdbc.MysqlIO.readFully(MysqlIO.java:2911)
>> at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3337)
>> at com.mysql.jdbc.MysqlIO.reuseAndReadPacket(MysqlIO.java:3327)
>> at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3814)
>> at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2435)
>> at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2582)
>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2526)
>> at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2484)
>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:848)
>> at com.mysql.jdbc.StatementImpl.execute(StatementImpl.java:742)
>> at org.jboss.jca.adapters.jdbc.WrappedStatement.execute(Wrapped
>> Statement.java:198)
>> at liquibase.executor.jvm.JdbcExecutor$ExecuteStatementCallback
>> .doInStatement(JdbcExecutor.java:314)
>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:55)
>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
>> at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbc
>> Database.java:1247)
>> at liquibase.database.AbstractJdbcDatabase.executeStatements(Ab
>> stractJdbcDatabase.java:1230)
>> at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
>> at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
>> at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
>> at liquibase.Liquibase.update(Liquibase.java:210)
>> at liquibase.Liquibase.update(Liquibase.java:190)
>> at liquibase.Liquibase.update(Liquibase.java:186)
>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaU
>> pdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:114)
>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaU
>> pdaterProvider.update(LiquibaseJpaUpdaterProvider.java:76)
>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaU
>> pdaterProvider.update(LiquibaseJpaUpdaterProvider.java:59)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.update(DefaultJpaConnectionProviderFactory.java:329)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.migration(DefaultJpaConnectionProviderFactory.java:299)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:186)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory$$Lambda$105/1378148237.run(Unknown Source)
>> at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTrans
>> action(KeycloakModelUtils.java:677)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.lazyInit(DefaultJpaConnectionProviderFactory.java:137)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.create(DefaultJpaConnectionProviderFactory.java:85)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.create(DefaultJpaConnectionProviderFactory.java:63)
>> at org.keycloak.services.DefaultKeycloakSession.getProvider(Def
>> aultKeycloakSession.java:158)
>> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRe
>> almProviderFactory.java:51)
>> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRe
>> almProviderFactory.java:33)
>> at org.keycloak.services.DefaultKeycloakSession.getProvider(Def
>> aultKeycloakSession.java:158)
>> at org.keycloak.models.cache.infinispan.RealmCacheSession.getDe
>> legate(RealmCacheSession.java:161)
>> at org.keycloak.models.cache.infinispan.RealmCacheSession.getMi
>> grationModel(RealmCacheSession.java:154)
>> at org.keycloak.migration.MigrationModelManager.migrate(Migrati
>> onModelManager.java:60)
>> at org.keycloak.services.resources.KeycloakApplication.migrateM
>> odel(KeycloakApplication.java:221)
>> at org.keycloak.services.resources.KeycloakApplication.migrateA
>> ndBootstrap(KeycloakApplication.java:162)
>> at
>> org.keycloak.services.resources.KeycloakApplication$1.run(
>> KeycloakApplication.java:121)
>> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransac
>> tion(KeycloakModelUtils.java:295)
>> at org.keycloak.services.resources.KeycloakApplication.(
>> KeycloakApplication.java:112)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native
>> ConstructorAccessorImpl.java:62)
>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
>> legatingConstructorAccessorImpl.java:45)
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co
>> nstructorInjectorImpl.java:150)
>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProvide
>> rInstance(ResteasyProviderFactory.java:2209)
>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(
>> ResteasyDeployment.java:299)
>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDepl
>> oyment.java:240)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.init(ServletContainerDispatcher.java:113)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.init(HttpServletDispatcher.java:36)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce
>> ed(LifecyleInterceptorInvocation.java:117)
>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterc
>> eptor.init(RunAsLifecycleInterceptor.java:78)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce
>> ed(LifecyleInterceptorInvocation.java:103)
>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrat
>> egy.start(ManagedServlet.java:231)
>> at io.undertow.servlet.core.ManagedServlet.createServlet(Manage
>> dServlet.java:132)
>> at io.undertow.servlet.core.DeploymentManagerImpl.start(Deploym
>> entManagerImpl.java:526)
>> at org.wildfly.extension.undertow.deployment.UndertowDeployment
>> Service.startContext(UndertowDeploymentService.java:101)
>> at org.wildfly.extension.undertow.deployment.UndertowDeployment
>> Service$1.run(UndertowDeploymentService.java:82)
>> at java.util.concurrent.Executors$RunnableAdapter.call(
>> Executors.java:511)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> [2016-09-28 10:35:18.0634], INFO , org.jboss.as.connector.services.driver.DriverService
>> MSC service thread 1-6 - WFLYJCA0019: Stopped Driver service with
>> driver-name = mysql-connector-java-5.1.33-bi
>> n.jar_com.mysql.jdbc.Driver_5_1
>> [2016-09-28 10:35:19.0107], INFO , org.hibernate.validator.internal.util.Version
>> MSC service thread 1-5 - HV000001: Hibernate Validator 5.2.3.Final
>> [2016-09-28 10:35:19.0592], DEBUG, org.keycloak.connections.jpa.u
>> pdater.liquibase.conn.DefaultLiquibaseConnectionProvider$LogWrapper$1
>> ServerService Thread Pool -- 56 - Foreign key constraint added to
>> RESOURCE_POLICY (RESOURCE_ID)
>> [2016-09-28 10:35:19.0593], DEBUG, org.keycloak.transaction.JtaTransactionWrapper
>> ServerService Thread Pool -- 56 - JtaTransactionWrapper rollback
>> [2016-09-28 10:35:19.0593], DEBUG, org.keycloak.transaction.JtaTransactionWrapper
>> ServerService Thread Pool -- 56 - JtaTransactionWrapper end
>> [2016-09-28 10:35:19.0594], DEBUG, org.keycloak.transaction.JtaTransactionWrapper
>> ServerService Thread Pool -- 56 - JtaTransactionWrapper resuming suspended
>> [2016-09-28 10:35:19.0595], DEBUG, org.keycloak.connections.jpa.u
>> pdater.liquibase.lock.CustomLockService ServerService Thread Pool -- 56
>> - Going to release database lock
>> [2016-09-28 10:35:19.0595], ERROR, org.keycloak.connections.jpa.u
>> pdater.liquibase.lock.CustomLockService ServerService Thread Pool -- 56
>> - Database error during release lock: liquibase.exception.DatabaseException:
>> liquibase.exception.DatabaseException: java.sql.SQLException: IJ031040:
>> Connection is not associated with a managed connection:
>> org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 88d58a5
>> at liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcD
>> atabase.java:1130)
>> at org.keycloak.connections.jpa.updater.liquibase.lock.CustomLo
>> ckService.releaseLock(CustomLockService.java:184)
>> at org.keycloak.connections.jpa.updater.liquibase.lock.Liquibas
>> eDBLockProvider.lambda$releaseLock$1(LiquibaseDBLockProvider.java:126)
>> at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTrans
>> action(KeycloakModelUtils.java:677)
>> at org.keycloak.connections.jpa.updater.liquibase.lock.Liquibas
>> eDBLockProvider.releaseLock(LiquibaseDBLockProvider.java:123)
>> at org.keycloak.services.resources.KeycloakApplication$1.run(
>> KeycloakApplication.java:123)
>> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransac
>> tion(KeycloakModelUtils.java:295)
>> at org.keycloak.services.resources.KeycloakApplication.(
>> KeycloakApplication.java:112)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native
>> ConstructorAccessorImpl.java:62)
>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
>> legatingConstructorAccessorImpl.java:45)
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co
>> nstructorInjectorImpl.java:150)
>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProvide
>> rInstance(ResteasyProviderFactory.java:2209)
>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(
>> ResteasyDeployment.java:299)
>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDepl
>> oyment.java:240)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.init(ServletContainerDispatcher.java:113)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.init(HttpServletDispatcher.java:36)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce
>> ed(LifecyleInterceptorInvocation.java:117)
>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterc
>> eptor.init(RunAsLifecycleInterceptor.java:78)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce
>> ed(LifecyleInterceptorInvocation.java:103)
>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrat
>> egy.start(ManagedServlet.java:231)
>> at io.undertow.servlet.core.ManagedServlet.createServlet(Manage
>> dServlet.java:132)
>> at io.undertow.servlet.core.DeploymentManagerImpl.start(Deploym
>> entManagerImpl.java:526)
>> at org.wildfly.extension.undertow.deployment.UndertowDeployment
>> Service.startContext(UndertowDeploymentService.java:101)
>> at org.wildfly.extension.undertow.deployment.UndertowDeployment
>> Service$1.run(UndertowDeploymentService.java:82)
>> at java.util.concurrent.Executors$RunnableAdapter.call(
>> Executors.java:511)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> Caused by: liquibase.exception.DatabaseException: java.sql.SQLException:
>> IJ031040: Connection is not associated with a managed connection:
>> org.jboss.jca.adapters.jdbc.jdk7.WrappedConnectionJDK7 at 88d58a5
>> at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:126)
>> at liquibase.database.AbstractJdbcDatabase.commit(AbstractJdbcD
>> atabase.java:1128)
>> ...
>> 31 more
>> Caused by: java.sql.SQLException: IJ031040: Connection is not associated
>> with a managed connection: org.jboss.jca.adapters.jdbc.jd
>> k7.WrappedConnectionJDK7 at 88d58a5
>> at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedCo
>> nnection.java:164)
>> at org.jboss.jca.adapters.jdbc.WrappedConnection.getAutoCommit(
>> WrappedConnection.java:802)
>> at liquibase.database.jvm.JdbcConnection.commit(JdbcConnection.java:122)
>> ... 32 more
>> [2016-09-28 10:35:19.0596], DEBUG, org.keycloak.transaction.JtaTransactionWrapper
>> ServerService Thread Pool -- 56 - JtaTransactionWrapper rollback
>> [2016-09-28 10:35:19.0596], DEBUG, org.keycloak.transaction.JtaTransactionWrapper
>> ServerService Thread Pool -- 56 - JtaTransactionWrapper end
>> [2016-09-28 10:35:19.0598], INFO , org.jboss.as.server.BootstrapImpl$ShutdownHook
>> Thread-2 - WFLYSRV0220: Server shutdown has been requested.
>> [2016-09-28 10:35:19.0601], DEBUG, org.jboss.as.security.service.SecurityDomainService
>> MSC service thread 1-8 - Stopping security domain service jboss-ejb-policy
>> [2016-09-28 10:35:19.0601], DEBUG, org.jboss.as.mail.extension.MailSessionAdd$1
>> MSC service thread 1-2 - WFLYMAIL0003: Removed mail session
>> [java:jboss/mail/Default]
>> [2016-09-28 10:35:19.0602], DEBUG, org.infinispan.manager.DefaultCacheManager
>> MSC service thread 1-7 - Stopping cache manager server on padmaka
>> [2016-09-28 10:35:19.0602], DEBUG, org.wildfly.extension.undertow.ConsoleRedirectService
>> MSC service thread 1-2 - Stopping console redirect for default-host
>> [2016-09-28 10:35:19.0606], DEBUG, org.jboss.as.connector.subsyst
>> ems.datasources.CommonDeploymentService MSC service thread 1-3 - Stopped
>> CommonDeployment %s
>> [2016-09-28 10:35:19.0606], INFO , org.jboss.as.connector.subsyst
>> ems.datasources.AbstractDataSourceAdd$2 MSC service thread 1-6 -
>> WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
>> [2016-09-28 10:35:19.0607], DEBUG,
>> org.jboss.as.connector.subsyst
>> ems.datasources.CommonDeploymentService MSC service thread 1-6 - Stopped
>> CommonDeployment %s
>> [2016-09-28 10:35:19.0612], DEBUG, org.jboss.as.security.service.SecurityDomainService
>> MSC service thread 1-3 - Stopping security domain service jboss-web-policy
>> [2016-09-28 10:35:19.0624], DEBUG, org.jboss.as.security.service.SecurityDomainService
>> MSC service thread 1-4 - Stopping security domain service jaspitest
>> [2016-09-28 10:35:19.0628], DEBUG, org.jboss.as.connector.service
>> s.resourceadapters.deployment.registry.ResourceAdapterDeploymentRegistryService
>> MSC service thread 1-1 - Stopping service service jboss.raregistry
>> [2016-09-28 10:35:19.0628], DEBUG, org.infinispan.manager.DefaultCacheManager
>> MSC service thread 1-8 - Stopping cache manager web on padmaka
>> [2016-09-28 10:35:19.0630], DEBUG, org.infinispan.manager.DefaultCacheManager
>> MSC service thread 1-6 - Stopping cache manager ejb on padmaka
>> [2016-09-28 10:35:19.0630], INFO , org.infinispan.remoting.transport.jgroups.JGroupsTransport
>> MSC service thread 1-7 - ISPN000080: Disconnecting JGroups channel server
>> [2016-09-28 10:35:19.0631], DEBUG, org.jboss.as.ejb3.remote.EJBTransactionRecoveryService$1
>> ServerService Thread Pool -- 62 - Un-registered
>> org.jboss.as.ejb3.remote.EJBTransactionRecoveryService$1 at 5bc6f06a from
>> the transaction recovery manager
>> [2016-09-28 10:35:19.0632], INFO , org.infinispan.remoting.transport.jgroups.JGroupsTransport
>> MSC service thread 1-7 - ISPN000082: Stopping the RpcDispatcher for channel
>> server
>> [2016-09-28 10:35:19.0638], INFO , org.infinispan.remoting.transport.jgroups.JGroupsTransport
>> MSC service thread 1-8 - ISPN000080: Disconnecting JGroups channel web
>> [2016-09-28 10:35:19.0638], INFO , org.infinispan.remoting.transport.jgroups.JGroupsTransport
>> MSC service thread 1-8 - ISPN000082: Stopping the RpcDispatcher for channel
>> web
>> [2016-09-28 10:35:19.0636], INFO ,
>> org.infinispan.remoting.transport.jgroups.JGroupsTransport
>> MSC service thread 1-6 - ISPN000080: Disconnecting JGroups channel ejb
>> [2016-09-28 10:35:19.0640], INFO , org.infinispan.remoting.transport.jgroups.JGroupsTransport
>> MSC service thread 1-6 - ISPN000082: Stopping the RpcDispatcher for channel
>> ejb
>> [2016-09-28 10:35:19.0637], DEBUG, org.infinispan.manager.DefaultCacheManager
>> MSC service thread 1-1 - Stopping cache manager hibernate on padmaka
>> [2016-09-28 10:35:19.0642], DEBUG, org.jboss.tm.usertx.UserTransactionRegistry
>> MSC service thread 1-2 - org.jboss.tm.usertx.UserTransa
>> ctionRegistry at daa6d39 removeListener org.jboss.as.jpa.container.JPA
>> UserTransactionListener at 47424e73
>> [2016-09-28 10:35:19.0642], DEBUG, org.jboss.as.connector.subsyst
>> ems.datasources.AbstractDataSourceAdd$2 MSC service thread 1-3 - Removed
>> JDBC Data-source [java:jboss/datasources/KeycloakDS]
>> [2016-09-28 10:35:19.0641], DEBUG, org.jboss.as.clustering.infini
>> span.subsystem.CacheContainerBuilder MSC service thread 1-7 - server
>> cache container stopped
>> [2016-09-28 10:35:19.0641], DEBUG, org.jboss.as.clustering.infini
>> span.subsystem.CacheContainerBuilder MSC service thread 1-6 - ejb cache
>> container stopped
>> [2016-09-28 10:35:19.0640], INFO , org.wildfly.extension.undertow.HttpsListenerService
>> MSC service thread 1-4 - WFLYUT0008: Undertow HTTPS listener https
>> suspending
>> [2016-09-28 10:35:19.0639], DEBUG, org.jboss.as.clustering.infini
>> span.subsystem.CacheContainerBuilder MSC service thread 1-8 - web cache
>> container stopped
>> [2016-09-28 10:35:19.0654], INFO , org.wildfly.extension.undertow.HttpsListenerService
>> MSC service thread 1-4 - WFLYUT0007: Undertow HTTPS listener https stopped,
>> was bound to 10.1.11.48:8101
>> [2016-09-28 10:35:19.0651], ERROR, org.jboss.msc.service.ServiceControllerImpl$StartContextImpl
>> ServerService Thread Pool -- 56 - MSC000001: Failed to start service
>> jboss.undertow.deployment.default-server.default-host./auth:
>> org.jboss.msc.service.StartException in service
>> jboss.undertow.deployment.default-server.default-host./auth:
>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public
>> org.keycloak.services.resources.KeycloakApplication(javax.
>> servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>> at org.wildfly.extension.undertow.deployment.UndertowDeployment
>> Service$1.run(UndertowDeploymentService.java:85)
>> at java.util.concurrent.Executors$RunnableAdapter.call(
>> Executors.java:511)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to
>> construct public org.keycloak.services.resource
>> s.KeycloakApplication(javax.servlet.ServletContext,org.
>> jboss.resteasy.core.Dispatcher)
>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co
>> nstructorInjectorImpl.java:162)
>> at org.jboss.resteasy.spi.ResteasyProviderFactory.createProvide
>> rInstance(ResteasyProviderFactory.java:2209)
>> at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(
>> ResteasyDeployment.java:299)
>> at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDepl
>> oyment.java:240)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.init(ServletContainerDispatcher.java:113)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.init(HttpServletDispatcher.java:36)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce
>> ed(LifecyleInterceptorInvocation.java:117)
>> at org.wildfly.extension.undertow.security.RunAsLifecycleInterc
>> eptor.init(RunAsLifecycleInterceptor.java:78)
>> at io.undertow.servlet.core.LifecyleInterceptorInvocation.proce
>> ed(LifecyleInterceptorInvocation.java:103)
>> at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrat
>> egy.start(ManagedServlet.java:231)
>> at io.undertow.servlet.core.ManagedServlet.createServlet(Manage
>> dServlet.java:132)
>> at io.undertow.servlet.core.DeploymentManagerImpl.start(Deploym
>> entManagerImpl.java:526)
>> at org.wildfly.extension.undertow.deployment.UndertowDeployment
>> Service.startContext(UndertowDeploymentService.java:101)
>> at org.wildfly.extension.undertow.deployment.UndertowDeployment
>> Service$1.run(UndertowDeploymentService.java:82)
>> ...
>> 6 more
>> Caused by: java.lang.RuntimeException: Failed to update database
>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaU
>> pdaterProvider.update(LiquibaseJpaUpdaterProvider.java:90)
>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaU
>> pdaterProvider.update(LiquibaseJpaUpdaterProvider.java:59)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.update(DefaultJpaConnectionProviderFactory.java:329)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.migration(DefaultJpaConnectionProviderFactory.java:299)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.lambda$lazyInit$0(DefaultJpaConnectionProviderFactory.java:186)
>> at org.keycloak.models.utils.KeycloakModelUtils.suspendJtaTrans
>> action(KeycloakModelUtils.java:677)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.lazyInit(DefaultJpaConnectionProviderFactory.java:137)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.create(DefaultJpaConnectionProviderFactory.java:85)
>> at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFac
>> tory.create(DefaultJpaConnectionProviderFactory.java:63)
>> at org.keycloak.services.DefaultKeycloakSession.getProvider(Def
>> aultKeycloakSession.java:158)
>> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRe
>> almProviderFactory.java:51)
>> at org.keycloak.models.jpa.JpaRealmProviderFactory.create(JpaRe
>> almProviderFactory.java:33)
>> at org.keycloak.services.DefaultKeycloakSession.getProvider(Def
>> aultKeycloakSession.java:158)
>> at org.keycloak.models.cache.infinispan.RealmCacheSession.getDe
>> legate(RealmCacheSession.java:161)
>> at org.keycloak.models.cache.infinispan.RealmCacheSession.getMi
>> grationModel(RealmCacheSession.java:154)
>> at org.keycloak.migration.MigrationModelManager.migrate(Migrati
>> onModelManager.java:60)
>> at org.keycloak.services.resources.KeycloakApplication.migrateM
>> odel(KeycloakApplication.java:221)
>> at org.keycloak.services.resources.KeycloakApplication.migrateA
>> ndBootstrap(KeycloakApplication.java:162)
>> at org.keycloak.services.resources.KeycloakApplication$1.run(
>> KeycloakApplication.java:121)
>> at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransac
>> tion(KeycloakModelUtils.java:295)
>> at org.keycloak.services.resources.KeycloakApplication.(
>> KeycloakApplication.java:112)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native
>> ConstructorAccessorImpl.java:62)
>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De
>> legatingConstructorAccessorImpl.java:45)
>> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(Co
>> nstructorInjectorImpl.java:150)
>> ... 19 more
>> Caused by: liquibase.exception.MigrationFailedException: Migration
>> failed for change set META-INF/jpa-changelog-authz-2
>> .0.0.xml::authz-2.0.0::psilva at redhat.com:
>> Reason: liquibase.exception.UnexpectedLiquibaseException:
>> java.sql.SQLException: IJ031040: Connection is not associated with a
>> managed connection: org.jboss.jca.adapters.jdbc.jd
>> k7.WrappedConnectionJDK7 at 503aa43a
>> at liquibase.changelog.ChangeSet.execute(ChangeSet.java:573)
>> at liquibase.changelog.visitor.UpdateVisitor.visit(UpdateVisitor.java:51)
>> at liquibase.changelog.ChangeLogIterator.run(ChangeLogIterator.java:73)
>> at liquibase.Liquibase.update(Liquibase.java:210)
>> at liquibase.Liquibase.update(Liquibase.java:190)
>> at liquibase.Liquibase.update(Liquibase.java:186)
>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaU
>> pdaterProvider.updateChangeSet(LiquibaseJpaUpdaterProvider.java:114)
>> at org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaU
>> pdaterProvider.update(LiquibaseJpaUpdaterProvider.java:76)
>> ...
>> 44 more
>> Caused by: liquibase.exception.UnexpectedLiquibaseException:
>> java.sql.SQLException: IJ031040: Connection is not associated with a
>> managed connection: org.jboss.jca.adapters.jdbc.jd
>> k7.WrappedConnectionJDK7 at 503aa43a
>> at liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:79)
>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:62)
>> at liquibase.executor.jvm.JdbcExecutor.execute(JdbcExecutor.java:122)
>> at liquibase.database.AbstractJdbcDatabase.execute(AbstractJdbc
>> Database.java:1247)
>> at liquibase.database.AbstractJdbcDatabase.executeStatements(Ab
>> stractJdbcDatabase.java:1230)
>> at liquibase.changelog.ChangeSet.execute(ChangeSet.java:548)
>> ... 51 more
>> Caused by: java.sql.SQLException: IJ031040: Connection is not associated
>> with a managed connection: org.jboss.jca.adapters.jdbc.jd
>> k7.WrappedConnectionJDK7 at 503aa43a
>> at org.jboss.jca.adapters.jdbc.WrappedConnection.lock(WrappedCo
>> nnection.java:164)
>> at org.jboss.jca.adapters.jdbc.WrappedConnection.getMetaData(Wr
>> appedConnection.java:913)
>> at liquibase.database.jvm.JdbcConnection.getURL(JdbcConnection.java:77)
>> ... 56 more
>> is there any solution for this?
>> Thanks in advance.
>> Padmaka

From pulgupta at redhat.com Mon Oct 3 03:13:31 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Mon, 3 Oct 2016 12:43:31 +0530
Subject: [keycloak-user] multiple redirects after authentication
Message-ID:

Hi All,

I am facing a problem with my Keycloak integration.
When I enter the URL of my application it gets redirected to the Keycloak server.
After I enter the credentials the server redirects back to my application URL.
Till now things look ok. Once authentication is successful, the weird thing starts.

Keycloak server redirects back to my application. My application again redirects to the Keycloak server, which, without showing the login page, again redirects to my application. This happens once or twice, after which finally my application page loads. In this process I can see multiple SAML XMLs being exchanged.

Environment and setup details:
SP EntityID: /wapps/distributors
Page I am visiting directly: https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
Server: 2 JBoss 6 servers running behind a LB

Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
--
Thanks,
Pulkit
AMS

From Edgar at info.nl Mon Oct 3 05:21:37 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 3 Oct 2016 09:21:37 +0000
Subject: [keycloak-user] Remember me doesn't work after keycloak restart
Message-ID: <6E25D5E6-C4DC-4065-87F1-E8CEFB104D5B@info.nl>

Hi Stian,

How does this relate to a previous remark you made regarding persisting user sessions:
http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html

Also, I do see Java code in Keycloak related to persisting user sessions, and there is the USER_SESSIONS database table?

With the correct settings in keycloak-server.json with caching disabled, should Keycloak persist user sessions?

cheers

Edgar

> User sessions are not persisted, which is why users have to re-authenticate after the server is restarted. To make sessions work across server restarts you need a cluster with multiple server nodes and increase owners for the user session cache.
>
> On 28 September 2016 at 09:44, Mariusz Chruscielewski - Info.nl <mariusz at info.nl> wrote:
>
>> Hi. Is it possible to persist sessions after keycloak restart? We are using remember me functionality, and after keycloak server is restarted, all users have to login again (I'm not sure if this is about session, or maybe some other remember-me-session). Is there any way to configure that? Thanks in advance.
>>
>> Kind Regards,
>>
>> Mariusz Chruscielewski

From sthorger at redhat.com Mon Oct 3 06:03:00 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 3 Oct 2016 12:03:00 +0200
Subject: [keycloak-user] Remember me doesn't work after keycloak restart
In-Reply-To: <6E25D5E6-C4DC-4065-87F1-E8CEFB104D5B@info.nl>
References: <6E25D5E6-C4DC-4065-87F1-E8CEFB104D5B@info.nl>
Message-ID:

JPA provider was removed a long time ago.
On 3 October 2016 at 11:21, Edgar Vonk - Info.nl wrote:
> Hi Stian,
>
> How does this relate to a previous remark you made regarding persisting user sessions:
> http://lists.jboss.org/pipermail/keycloak-user/2015-April/001921.html
>
> Also I do see Java code in Keycloak related to persisting user sessions and there is the USER_SESSIONS database table?
>
> With the correct settings in keycloak-server.json with caching disabled should Keycloak persist user sessions?
>
> cheers
>
> Edgar

From Edgar at info.nl Mon Oct 3 06:56:34 2016
From: Edgar at info.nl (Edgar Vonk - Info.nl)
Date: Mon, 3 Oct 2016 10:56:34 +0000
Subject: [keycloak-user] Remember me doesn't work after keycloak restart
In-Reply-To:
References: <6E25D5E6-C4DC-4065-87F1-E8CEFB104D5B@info.nl>
Message-ID: <9EFDE9BE-A119-4FB9-A72A-84303EBE3513@info.nl>

Ah thanks.

For my understanding: why does the keycloak-server.json still have this setting as the default (by looking at the source code)?

    "userSessionPersister": {
        "provider": "jpa"
    },

And also I do still see a JpaUserSessionPersisterProvider class in the source code. Guess this is not used anymore?

cheers

On 03 Oct 2016, at 12:03, Stian Thorgersen wrote:
> JPA provider was removed a long time ago.
From sthorger at redhat.com Mon Oct 3 06:59:43 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 3 Oct 2016 12:59:43 +0200
Subject: [keycloak-user] Remember me doesn't work after keycloak restart
In-Reply-To: <9EFDE9BE-A119-4FB9-A72A-84303EBE3513@info.nl>
References: <6E25D5E6-C4DC-4065-87F1-E8CEFB104D5B@info.nl> <9EFDE9BE-A119-4FB9-A72A-84303EBE3513@info.nl>
Message-ID:

Sorry, I looked at it a bit too quick. The JPA user session provider was dropped (performance was horrible, so we deemed it unusable). The user session persister is only used for offline sessions; they survive a server restart.

On 3 October 2016 at 12:56, Edgar Vonk - Info.nl wrote:
> Ah thanks.
>
> For my understanding: why does the keycloak-server.json still have this setting as the default (by looking at the source code)?
>
>     "userSessionPersister": {
>         "provider": "jpa"
>     },
>
> And also I do still see a JpaUserSessionPersisterProvider class in the source code. Guess this is not used anymore?
>
> cheers
>
> On 03 Oct 2016, at 12:03, Stian Thorgersen wrote:
>> JPA provider was removed a long time ago.

From zeus.arias at beeva.com Mon Oct 3 09:09:01 2016
From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA)
Date: Mon, 3 Oct 2016 15:09:01 +0200
Subject: [keycloak-user] Deploy theme
Message-ID:

Hi!
I'm developing a theme, and when it is copied to the folder /op/keycloak/theme this occurs:

2016-10-03 13:00:39,237 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/serverinfo: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at org.keycloak.theme.ExtendingThemeManager$ExtendingTheme.getProperties(ExtendingThemeManager.java:284)
at org.keycloak.services.resources.admin.info.ServerInfoAdminResource.setThemes(ServerInfoAdminResource.java:170)
at org.keycloak.services.resources.admin.info.ServerInfoAdminResource.getInfo(ServerInfoAdminResource.java:90)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more

This happens occasionally.

Any ideas?
From bruno at abstractj.org Mon Oct 3 11:32:48 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 3 Oct 2016 12:32:48 -0300
Subject: [keycloak-user] Deploy theme
In-Reply-To:
References:
Message-ID: <20161003153248.GD7450@abstractj.org>

Are you following the instructions from here:
https://keycloak.gitbooks.io/server-developer-guide/content/topics/themes.html ?

Which version of Keycloak? How does your property file look? What are the steps to reproduce?

On 2016-10-03, Zeus Arias Lucero | BEEVA wrote:
> Hi!
>
> I'm developing a theme and when copied to the folder /op/keycloak/theme occurs this:
>
> 2016-10-03 13:00:39,237 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/serverinfo: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
> [...]
> Caused by: java.lang.NullPointerException
> at org.keycloak.theme.ExtendingThemeManager$ExtendingTheme.getProperties(ExtendingThemeManager.java:284)
> at org.keycloak.services.resources.admin.info.ServerInfoAdminResource.setThemes(ServerInfoAdminResource.java:170)
> at org.keycloak.services.resources.admin.info.ServerInfoAdminResource.getInfo(ServerInfoAdminResource.java:90)
> [...]
> ... 37 more
>
> This happens occasionally
>
> Any ideas?

--
abstractj
PGP: 0x84DC9914

From bburke at redhat.com Mon Oct 3 11:54:10 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 3 Oct 2016 11:54:10 -0400
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To:
References:
Message-ID: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com>

Are you using our adapters?

On 10/3/16 3:13 AM, Pulkit Gupta wrote:
> Hi All,
>
> I am facing a problem with my keycloak integration.
> When I enter the URL of my application it gets redirected to the keycloak server.
>
> After I enter the credentials the server redirects back to my application URL.
> Till now things look ok. Once authentication is successful weird thing starts.
>
> Keycloak server redirects back to my application.
> My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
>
> Environment and setup Details
> SP EntityID : /wapps/distributors
> Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
> Server : 2 Jboss 6 servers running behind a LB
>
> Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.

From zeus.arias at beeva.com Mon Oct 3 11:59:49 2016
From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA)
Date: Mon, 3 Oct 2016 17:59:49 +0200
Subject: [keycloak-user] Deploy theme
In-Reply-To: <20161003153248.GD7450@abstractj.org>
References: <20161003153248.GD7450@abstractj.org>
Message-ID:

The version is: 2.2.1
The file is identical.

The steps:
- Copy the keycloak theme
- Rename the copy to mytheme
- Modify CSS and templates
- In theme.properties, change import=common/keycloak to import=common/mytheme
- Reload the administration page

theme.properties:

parent=base
import=common/mytheme
locales=en,es
forumURL=https://URL

styles=css/login.css css/buttons.css css/footer.css css/social-buttons.css css/typography.css
meta=viewport==width=device-width,initial-scale=1

kcHtmlClass=login-pf
kcLogoLink=http://www.URL.com
kcContentClass=col-sm-12 col-md-12 col-lg-12 container
kcContentWrapperClass=row
kcHeaderClass=col-xs-12 col-sm-8 col-md-8 col-lg-7
kcFeedbackAreaClass=col-md-12
kcLocaleClass=col-xs-12 col-sm-1
kcAlertIconClasserror=pficon pficon-error-circle-o
kcFormAreaClass=col-xs-12 col-sm-8 col-md-8 col-lg-7 login
kcFeedbackErrorIcon=pficon pficon-error-circle-o
kcFeedbackWarningIcon=pficon pficon-warning-triangle-o
kcFeedbackSuccessIcon=pficon pficon-ok
kcFeedbackInfoIcon=pficon pficon-info
kcFormClass=form-horizontal
kcFormGroupClass=form-group
kcFormGroupClassUsername=form-group username
kcFormGroupClassPassword=form-group password
kcFormGroupErrorClass=has-error
kcLabelClass=control-label
kcLabelWrapperClass=col-xs-12 col-sm-12 col-md-12 col-lg-12
kcInputClass=form-control
kcInputWrapperClass=col-xs-12 col-sm-12 col-md-12 col-lg-12
kcFormOptionsClass=col-xs-4 col-sm-5 col-md-offset-4 col-md-4 col-lg-offset-3 col-lg-5
kcFormButtonsClass=col-xs-8 col-sm-7 col-md-4 col-lg-4 submit
kcTextareaClass=form-control
kcForfotPassword=forgotPass
kcInfoAreaClass=col-xs-12 col-sm-4 col-md-4 col-lg-5 details

##### css classes for form buttons
# main class used for all buttons
kcButtonClass=btn
# classes defining priority of the button - primary or default (there is typically only one priority button for the form)
kcButtonPrimaryClass=btn-primary
kcButtonDefaultClass=btn-default
# classes defining size of the button
kcButtonLargeClass=btn-lg

2016-10-03 17:32 GMT+02:00 Bruno Oliveira:
> Are you following the instructions from here:
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/themes.html ?
>
> Which version of Keycloak? How does your property file look? What are the steps to reproduce?
>
> On 2016-10-03, Zeus Arias Lucero | BEEVA wrote:
>> Hi!
>>
>> I'm developing a theme and when copied to the folder /op/keycloak/theme occurs this:
>>
>> 2016-10-03 13:00:39,237 ERROR [io.undertow.request] (default task-5) UT005023: Exception handling request to /auth/admin/serverinfo: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>> [...]
>> Caused by: java.lang.NullPointerException
>> at org.keycloak.theme.ExtendingThemeManager$ExtendingTheme.getProperties(ExtendingThemeManager.java:284)
>> at org.keycloak.services.resources.admin.info.ServerInfoAdminResource.setThemes(ServerInfoAdminResource.java:170)
>> at org.keycloak.services.resources.admin.info.ServerInfoAdminResource.getInfo(ServerInfoAdminResource.java:90)
>> [...]
>> ... 37 more
>>
>> This happens occasionally
>>
>> Any ideas?

--
Regards!

Zeus Arias
APIVersity Group. Systems Technician.
zeus.arias at bbva.com
zeus.arias at beeva.com
Disclaimer: This message, its content and any file attached thereto is for the intended recipient only and is confidential. If you have received this e-mail in error or had access to it, you should note that the information in it is private and any use thereof is unauthorized. In such an event please notify us by e-mail. Any reproduction of this e-mail by whatsoever means and any transmission or dissemination thereof to other persons is prohibited. It should be deleted immediately from your system.

From chris.savory at edlogics.com Mon Oct 3 17:21:37 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Mon, 3 Oct 2016 21:21:37 +0000
Subject: [keycloak-user] Looking for a non Admin Java client
Message-ID: <321AF56E-A617-4E84-8EAA-09529A6E7351@edlogics.com>

We need to make several types of calls to KeyCloak from the server side of our application. Some are in the context of a logged in user and others are not. We have the latter case handled right now by using the KeyCloak Admin Client. But we are unable to locate another Java client for the purposes of making calls to KC for the currently authenticated user. I have found the AuthZ Client, but that appears to just be for authenticating.

The particular use case I'm researching now is we have an endpoint like /profile-service/users/current, which will return the currently logged in user profile. Some of that information comes from KC and some comes from the local app database. Currently we have the app configured to make the server-side call as a KC admin while it is orchestrating this data, but I'd prefer for the user to use the same credentials as it did when it came to the server with a BEARER token. This will help us when it comes to auditing, especially for updates.

Does such a java client exist? Or do I need to use the KeycloakRestTemplate to make those calls to KC?

--
Christopher Savory
Software Engineer | EdLogics

From sthorger at redhat.com Mon Oct 3 23:32:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 4 Oct 2016 05:32:25 +0200
Subject: [keycloak-user] Looking for a non Admin Java client
In-Reply-To: <321AF56E-A617-4E84-8EAA-09529A6E7351@edlogics.com>
References: <321AF56E-A617-4E84-8EAA-09529A6E7351@edlogics.com>
Message-ID:

Are you saying you want to invoke the Keycloak admin endpoints? You are currently using the Keycloak Java Admin Client, but you want to use something else?
Why use something else when you already have something?

On 3 October 2016 at 23:21, Chris Savory wrote:
> We need to make several types of calls to KeyCloak from the server side of our application. Some are in the context of a logged in user and others are not. We have the latter case handled right now by using the KeyCloak Admin Client. But we are unable to locate another Java client for the purposes of making calls to KC for the currently authenticated user. I have found the AuthZ Client, but that appears to just be for authenticating.
>
> The particular use case I'm researching now is we have an endpoint like /profile-service/users/current, which will return the currently logged in user profile. Some of that information comes from KC and some comes from the local app database. Currently we have the app configured to make the server-side call as a KC admin while it is orchestrating this data, but I'd prefer for the user to use the same credentials as it did when it came to the server with a BEARER token. This will help us when it comes to auditing, especially for updates.
>
> Does such a java client exist? Or do I need to use the KeycloakRestTemplate to make those calls to KC?
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From chris.savory at edlogics.com Tue Oct 4 00:51:39 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Tue, 4 Oct 2016 04:51:39 +0000
Subject: [keycloak-user] Looking for a non Admin Java client
In-Reply-To:
References: <321AF56E-A617-4E84-8EAA-09529A6E7351@edlogics.com>
Message-ID: <587B2C81-6E1B-47B3-9970-220F75DC8466@edlogics.com>

I can use the Admin endpoints, but I would have thought you had to be at least realm-admin to do that.
Are you saying that a user can use the Admin Endpoints/Client for URLs directly related to themselves? If so, then we can just use that.

--
Christopher Savory
Software Engineer | EdLogics

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Monday, October 3, 2016 at 10:32 PM
To: Chris Savory
Cc: "keycloak-user at lists.jboss.org", David Hartfield, Danilo Bonilla, Ali Elhajj
Subject: Re: [keycloak-user] Looking for a non Admin Java client

Are you saying you want to invoke the Keycloak admin endpoints? You are currently using the Keycloak Java Admin Client, but you want to use something else?

Why use something else when you already have something?

On 3 October 2016 at 23:21, Chris Savory wrote:

We need to make several types of calls to KeyCloak from the server side of our application. Some are in the context of a logged in user and others are not. We have the latter case handled right now by using the KeyCloak Admin Client. But we are unable to locate another Java client for the purposes of making calls to KC for the currently authenticated user. I have found the AuthZ Client, but that appears to just be for authenticating.

The particular use case I'm researching now is we have an endpoint like /profile-service/users/current, which will return the currently logged in user profile. Some of that information comes from KC and some comes from the local app database. Currently we have the app configured to make the server-side call as a KC admin while it is orchestrating this data, but I'd prefer for the user to use the same credentials as it did when it came to the server with a BEARER token. This will help us when it comes to auditing, especially for updates.

Does such a java client exist? Or do I need to use the KeycloakRestTemplate to make those calls to KC?
--
Christopher Savory
Software Engineer | EdLogics

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From Mohan.Radhakrishnan at cognizant.com Tue Oct 4 03:18:47 2016
From: Mohan.Radhakrishnan at cognizant.com (Mohan.Radhakrishnan at cognizant.com)
Date: Tue, 4 Oct 2016 07:18:47 +0000
Subject: [keycloak-user] JWT token auth. advice
Message-ID:

Hi,

I have a general question about how we use JWT tokens.

Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

That seems to be our scenario. AFAIK there is no OAuth/OpenID in this system.

Our JWT token from the browser is sent in a header to Rest Endpoint-1. This endpoint isn't secured. I mean that it can't verify the claims in the token. The claims don't represent any information related to this endpoint. It just passes the token along to Endpoint-2, which is capable of verifying the token.

Is this Endpoint-1 considered insecure now? It is just a mediator, but anyone with the token can access it.

How do I make Endpoint-2 trust Endpoint-1?

Thanks,
Mohan

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful.
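The two-hop token flow Mohan describes, as an added example from the editor (not code from this thread, and not Keycloak's own code): a minimal JWS verifier in Python, standard library only, that both Endpoint-1 and Endpoint-2 run before doing anything with the token. The secret, issuer URL, audience names and user are constructed for the example; it assumes an HS256 shared key, whereas a Keycloak realm signs tokens with RS256 and you would verify against the realm's public key, with every other check unchanged. What it shows is that Endpoint-2 never has to trust Endpoint-1: each hop pins the algorithm and checks the signature, expiry, issuer and its own audience, so a token that passes Endpoint-1 is forwarded unchanged and re-verified at Endpoint-2, while a token issued only for Endpoint-2 is refused at Endpoint-1 instead of being relayed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only. Assumption: both endpoints hold the
# same HS256 secret. A Keycloak realm signs with RS256 instead, so there you
# would verify with the realm's RSA public key; every other check is identical.
SHARED_SECRET = b"constructed-example-secret-not-for-real-use"
EXPECTED_ISSUER = "https://idp.example.test/auth/realms/demo"


def b64url_decode(segment):
    """Decode a base64url segment without padding (JWS compact serialization)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(claims, key=SHARED_SECRET):
    """Constructed stand-in for the token issuer: produce an HS256 JWS."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))


def verify_token(token, audience, key=SHARED_SECRET, now=None):
    """Check algorithm, signature, expiry, issuer and audience; return the claims.

    Raises ValueError on any failure so the caller rejects the request instead
    of forwarding an unchecked token downstream.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must not choose it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or carries no exp")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("token was not issued for audience %r" % audience)
    return claims


def endpoint2_handle(token, now=None):
    """Endpoint-2 verifies the token itself; it never relies on Endpoint-1's word."""
    claims = verify_token(token, audience="endpoint-2", now=now)
    return "hello %s" % claims["sub"]


def endpoint1_handle(token, now=None):
    """Endpoint-1 verifies before forwarding instead of acting as a blind relay."""
    verify_token(token, audience="endpoint-1", now=now)
    # The same bearer token is forwarded; Endpoint-2 re-verifies it, so its trust
    # rests on the issuer's signature rather than on Endpoint-1.
    return endpoint2_handle(token, now=now)


def is_rejected(handler, token, now=None):
    """True when the handler refuses the token (used for the failure cases)."""
    try:
        handler(token, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    now = 1700000000
    good = mint_token({"iss": EXPECTED_ISSUER, "sub": "alice",
                       "aud": ["endpoint-1", "endpoint-2"], "exp": now + 300})
    print(endpoint1_handle(good, now=now))
```

Run as a script it mints one sample token and prints the Endpoint-2 reply; `is_rejected` wraps either handler so the failure cases (token signed under a different key, expired token, token scoped to the other audience, `alg` of `none`, wrong issuer) can be checked as plain booleans. The `now` parameter exists only so the expiry check is reproducible; in service code leave it at `None`.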
Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.

From bruno at abstractj.org Tue Oct 4 06:51:15 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 04 Oct 2016 10:51:15 +0000
Subject: [keycloak-user] Deploy theme
In-Reply-To:
References: <20161003153248.GD7450@abstractj.org>
Message-ID:

I couldn't reproduce your issue. What I did was just: cp -Rv themes/keycloak themes/mytheme, enabled it at the admin console and changed the background to make sure it works.

Maybe try the examples here[1], to double check your setup?

[1] - https://github.com/keycloak/keycloak/tree/master/examples/themes

On Mon, Oct 3, 2016 at 12:59 PM Zeus Arias Lucero | BEEVA < zeus.arias at beeva.com> wrote:
> The version is: 2.2.1
>
> The file is identical.
>
> The steps:
>
> - Copy keycloak theme
> - Rename the copy to mytheme
> - Modify CSS and templates
> - Theme.properties change and modify import=common/keycloak by import=common/mytheme
> - Reload administration page
>
> theme.properties:
> parent=base
> import=common/mytheme
> locales=en,es
> forumURL=https://URL
>
> styles=css/login.css css/buttons.css css/footer.css css/social-buttons.css css/typography.css
> meta=viewport==width=device-width,initial-scale=1
>
> kcHtmlClass=login-pf
>
> kcLogoLink=http://www.URL.com
>
> kcContentClass=col-sm-12 col-md-12 col-lg-12 container
> kcContentWrapperClass=row
>
> kcHeaderClass=col-xs-12 col-sm-8 col-md-8 col-lg-7
> kcFeedbackAreaClass=col-md-12
> kcLocaleClass=col-xs-12 col-sm-1
> kcAlertIconClasserror=pficon pficon-error-circle-o
>
> kcFormAreaClass=col-xs-12 col-sm-8 col-md-8 col-lg-7 login
>
> kcFeedbackErrorIcon=pficon pficon-error-circle-o
> kcFeedbackWarningIcon=pficon pficon-warning-triangle-o
> kcFeedbackSuccessIcon=pficon pficon-ok
> kcFeedbackInfoIcon=pficon pficon-info
>
> kcFormClass=form-horizontal
> kcFormGroupClass=form-group
> kcFormGroupClassUsername=form-group username
> kcFormGroupClassPassword=form-group password
> kcFormGroupErrorClass=has-error
> kcLabelClass=control-label
> kcLabelWrapperClass=col-xs-12 col-sm-12 col-md-12 col-lg-12
> kcInputClass=form-control
> kcInputWrapperClass=col-xs-12 col-sm-12 col-md-12 col-lg-12
> kcFormOptionsClass=col-xs-4 col-sm-5 col-md-offset-4 col-md-4 col-lg-offset-3 col-lg-5
> kcFormButtonsClass=col-xs-8 col-sm-7 col-md-4 col-lg-4 submit
> kcTextareaClass=form-control
> kcForfotPassword=forgotPass
>
> kcInfoAreaClass=col-xs-12 col-sm-4 col-md-4 col-lg-5 details
>
> ##### css classes for form buttons
> # main class used for all buttons
> kcButtonClass=btn
> # classes defining priority of the button - primary or default (there is typically only one priority button for the form)
> kcButtonPrimaryClass=btn-primary
> kcButtonDefaultClass=btn-default
> # classes defining size of the button
> kcButtonLargeClass=btn-lg
>
> 2016-10-03 17:32 GMT+02:00 Bruno Oliveira :
> > Are you following the instructions from here: https://keycloak.gitbooks.io/server-developer-guide/content/topics/themes.html ?
> >
> > Which version of Keycloak? How does your property file look? What are the steps to reproduce?
> >
> > On 2016-10-03, Zeus Arias Lucero | BEEVA wrote:
> > > Hi!
> > > > I'm developing a theme and when copied to the folder > > /op/keycloak/theme occurs this: > > > > 2016-10-03 13:00:39,237 ERROR [io.undertow.request] (default task-5) > > UT005023: Exception handling request to /auth/admin/serverinfo: > > org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException > > at > > > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) > > at > > > org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > > at > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > > at > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > at > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > > at > > > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > > at > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > > at > > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > > at > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > > at > > > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > > at > > > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > > at > > > 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > > at > > > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > > at > > > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > > at > > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > > at > > > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > > at > > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > > at > > > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > > at > > > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > > at java.lang.Thread.run(Thread.java:745) > > Caused by: java.lang.NullPointerException > > at > > > org.keycloak.theme.ExtendingThemeManager$ExtendingTheme.getProperties(ExtendingThemeManager.java:284) > > at > > org.keycloak.services.resources.admin.info > .ServerInfoAdminResource.setThemes(ServerInfoAdminResource.java:170) > > at > > org.keycloak.services.resources.admin.info > .ServerInfoAdminResource.getInfo(ServerInfoAdminResource.java:90) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at > > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > > at > > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > > at > > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > > at > > > 
> > > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> > > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> > > ... 37 more
> > >
> > > This happens occasionally
> > >
> > > Any ideas?
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> > --
> > abstractj
> > PGP: 0x84DC9914
>
> --
> Regards!
>
> *Zeus Arias *
> Grupo APIVersity. Systems Technician.
> zeus.arias at bbva.com
> zeus.arias at beeva.com
>
> Legal notice:
> This message, its content and any file transmitted with it are addressed solely to the intended recipient and are confidential. Therefore, anyone who receives it by mistake or becomes aware of it without being its recipient is informed that the information it contains is restricted and its use is not authorised; in that case we ask that you notify us by the same means, refrain from reproducing the message by any medium or forwarding or delivering it to another person, and delete it immediately.
> Disclaimer:
> This message, its content and any file attached thereto is for the intended recipient only and is confidential. If you have received this e-mail in error or had access to it, you should note that the information in it is private and any use thereof is unauthorized. In such an event please notify us by e-mail. Any reproduction of this e-mail by whatsoever means and any transmission or dissemination thereof to other persons is prohibited. It should be deleted immediately from your system.
From pulgupta at redhat.com Tue Oct 4 06:51:39 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Tue, 4 Oct 2016 16:21:39 +0530
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com>
References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com>
Message-ID:

Yes,

I am using the standard adapter. This is happening more frequently now.

Regards,
Pulkit.

On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke wrote:
> Are you using our adapters?
>
> On 10/3/16 3:13 AM, Pulkit Gupta wrote:
> > Hi All,
> >
> > I am facing a problem with my keycloak integration. When I enter the URL of my application it gets redirected to the keycloak server.
> >
> > After I enter the credentials the server redirects back to my application URL. Till now things look ok. Once authentication is successful weird thing starts.
> >
> > Keycloak server redirects back to my application. My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
> >
> > Environment and setup Details
> > SP EntityID : /wapps/distributors
> > Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
> > Server : 2 Jboss 6 servers running behind a LB
> >
> > Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Thanks,
Pulkit
AMS

From mariusz at info.nl Tue Oct 4 09:36:49 2016
From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl)
Date: Tue, 4 Oct 2016 13:36:49 +0000
Subject: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal object
Message-ID:

Hi.

We are using the Keycloak Tomcat Adapter to secure our webapp; after we access a protected resource we are redirected to keycloak and after login we go back to our app. After that, we can get the KeycloakPrincipal object from the web context (request).

Is there a way to create / get this object without using the Tomcat Adapter? We want to make an API call (like http://keycloak/auth/realms/vi/protocol/openid-connect/token) and get (or create manually) this object using AccessTokenResponse (or any other object we can get from the API).

The ultimate goal is to login to keycloak like the adapter does, but directly from Java, without any interaction from the user on keycloak forms. Is it even possible?

Kind Regards,
Mariusz Chruscielewski

From jcain at redhat.com Tue Oct 4 09:45:38 2016
From: jcain at redhat.com (Josh Cain)
Date: Tue, 04 Oct 2016 08:45:38 -0500
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To:
References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com>
Message-ID: <1475588738.5421.19.camel@redhat.com>

I used to see something similar in Picketlink if I configured a web.xml without paying attention to the trailing slash (i.e. https://example.com/foo vs https://example.com/foo/). The IDP would issue an assertion/token for the audience that did not match the security constraint (based on the trailing slash), then an infinite redirect loop would occur.

Maybe check your trailing slashes?

On Tue, 2016-10-04 at 16:21 +0530, Pulkit Gupta wrote:
> Yes,
>
> I am using the standard adapter.
> This is happening more frequently now.
>
> Regards,
> Pulkit.
>
> On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke wrote:
> >
> > Are you using our adapters?
> >
> > On 10/3/16 3:13 AM, Pulkit Gupta wrote:
> > >
> > > Hi All,
> > >
> > > I am facing a problem with my keycloak integration. When I enter the URL of my application it gets redirected to the keycloak server.
> > >
> > > After I enter the credentials the server redirects back to my application URL. Till now things look ok. Once authentication is successful weird thing starts.
> > >
> > > Keycloak server redirects back to my application. My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
> > >
> > > Environment and setup Details
> > > SP EntityID : /wapps/distributors
> > > Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
> > > Server : 2 Jboss 6 servers running behind a LB
> > >
> > > Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

From pulgupta at redhat.com Tue Oct 4 10:45:03 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Tue, 4 Oct 2016 20:15:03 +0530
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To: <1475588738.5421.19.camel@redhat.com>
References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com> <1475588738.5421.19.camel@redhat.com>
Message-ID:

Hi Josh,

I have the paths with trailing slashes in my web.xml. Just my entityId does not have a trailing slash. Also the application sometimes works in one assertion and sometimes it will take 3-4 round trips, but it always works eventually. We enabled the debug logging but it seems the adapter does not put anything in the logs.

I am not sure where to look next. In case you can think of anything else, that will really help me unblock myself.

Regards,
Pulkit.

On Tue, Oct 4, 2016 at 7:15 PM, Josh Cain wrote:
> I used to see something similar in Picketlink if I configured a web.xml without paying attention to the trailing slash (i.e. https://example.com/foo vs https://example.com/foo/). The IDP would issue an assertion/token for the audience that did not match the security constraint (based on the trailing slash), then an infinite redirect loop would occur.
>
> Maybe check your trailing slashes?
>
> On Tue, 2016-10-04 at 16:21 +0530, Pulkit Gupta wrote:
> > Yes,
> >
> > I am using the standard adapter.
> > This is happening more frequently now.
> >
> > Regards,
> > Pulkit.
> >
> > On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke wrote:
> > >
> > > Are you using our adapters?
> > >
> > > On 10/3/16 3:13 AM, Pulkit Gupta wrote:
> > > >
> > > > Hi All,
> > > >
> > > > I am facing a problem with my keycloak integration.
> > > > When I enter the URL of my application it gets redirected to the keycloak server.
> > > >
> > > > After I enter the credentials the server redirects back to my application URL. Till now things look ok. Once authentication is successful weird thing starts.
> > > >
> > > > Keycloak server redirects back to my application. My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
> > > >
> > > > Environment and setup Details
> > > > SP EntityID : /wapps/distributors
> > > > Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
> > > > Server : 2 Jboss 6 servers running behind a LB
> > > >
> > > > Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
> > > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >

--
Thanks,
Pulkit
AMS

From Tomas.GRMAN at orange.com Tue Oct 4 11:10:34 2016
From: Tomas.GRMAN at orange.com (GRMAN, Tomas)
Date: Tue, 4 Oct 2016 15:10:34 +0000
Subject: [keycloak-user] CORS headers not sent issue
Message-ID:

Hello,

I have come across a weird issue regarding the CORS implementation in Keycloak (ver. 2.2.1). I have properly specified the "Web Origins" settings in the Admin Console for the OIDC client.
The problem is that the CORS headers (Access-Control-Allow-Origin) are not sent for all the requests coming towards idp.example.com (Implicit Flow):

https://idp.example.com/auth/realms/test/.well-known/openid-configuration (CORS headers are sent)
https://idp.example.com/auth/realms/test/protocol/openid-connect/certs (CORS headers are not sent)

Is there something more to be configured in order to make Keycloak send CORS headers with all the requests? Maybe a bug?

Currently I have added CORS headers on the NGINX reverse proxy for this endpoint (certs).

Any advice is appreciated :)

Tomas Grman

From chris.savory at edlogics.com Tue Oct 4 11:23:00 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Tue, 4 Oct 2016 15:23:00 +0000
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To:
References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com> <1475588738.5421.19.camel@redhat.com>
Message-ID: <050B6E08-1AD0-44B7-8878-BB69341A7DD5@edlogics.com>

Is this using the JavaScript adapter? We ran into a similar problem yesterday.

--
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

On 10/4/16, 9:45 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Pulkit Gupta" wrote:

Hi Josh,

I have the paths with trailing slashes in my web.xml. Just my entityId does not have a trailing slash. Also the application sometimes works in one assertion and sometimes it will take 3-4 round trips, but it always works eventually. We enabled the debug logging but it seems the adapter does not put anything in the logs.

I am not sure where to look next. In case you can think of anything else, that will really help me unblock myself.

Regards,
Pulkit.

On Tue, Oct 4, 2016 at 7:15 PM, Josh Cain wrote:
> I used to see something similar in Picketlink if I configured a web.xml without paying attention to the trailing slash (i.e. https://example.com/foo vs https://example.com/foo/).
> The IDP would issue an assertion/token for the audience that did not match the security constraint (based on the trailing slash), then an infinite redirect loop would occur.
>
> Maybe check your trailing slashes?
>
> On Tue, 2016-10-04 at 16:21 +0530, Pulkit Gupta wrote:
> > Yes,
> >
> > I am using the standard adapter.
> > This is happening more frequently now.
> >
> > Regards,
> > Pulkit.
> >
> > On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke wrote:
> > >
> > > Are you using our adapters?
> > >
> > > On 10/3/16 3:13 AM, Pulkit Gupta wrote:
> > > >
> > > > Hi All,
> > > >
> > > > I am facing a problem with my keycloak integration. When I enter the URL of my application it gets redirected to the keycloak server.
> > > >
> > > > After I enter the credentials the server redirects back to my application URL. Till now things look ok. Once authentication is successful weird thing starts.
> > > >
> > > > Keycloak server redirects back to my application. My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
> > > >
> > > > Environment and setup Details
> > > > SP EntityID : /wapps/distributors
> > > > Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
> > > > Server : 2 Jboss 6 servers running behind a LB
> > > >
> > > > Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
> > > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

--
Thanks,
Pulkit
AMS
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From jblashka at redhat.com Tue Oct 4 11:53:53 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Tue, 4 Oct 2016 11:53:53 -0400
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To: <050B6E08-1AD0-44B7-8878-BB69341A7DD5@edlogics.com>
References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com> <1475588738.5421.19.camel@redhat.com> <050B6E08-1AD0-44B7-8878-BB69341A7DD5@edlogics.com>
Message-ID:

Just a guess, but if your app is behind a load balancer you need to have either sticky sessions on (to make sure client requests always end up at the same server) or put the tag in your web.xml to enable session replication between nodes. We had a similar issue that was resolved by enabling session replication.

Jared

On Oct 4, 2016 11:25 AM, "Chris Savory" wrote:
> Is this using the JavaScript adapter? We ran into a similar problem yesterday.
>
> --
> Christopher Savory
> Software Engineer | EdLogics
> www.edlogics.com
>
> On 10/4/16, 9:45 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Pulkit Gupta" <pulgupta at redhat.com> wrote:
>
> Hi Josh,
>
> I have the paths with trailing slashes in my web.xml. Just my entityId does not have a trailing slash.
> Also the application sometimes works in one assertion and sometimes it will take 3-4 round trips but it always works eventually.
> We enabled the debug logging but it seems the adapter does not put anything in the logs.
>
> I am not sure where to look next. In case you can think of anything else that will really help me unblock myself.
>
> Regards,
> Pulkit.
>
> On Tue, Oct 4, 2016 at 7:15 PM, Josh Cain wrote:
> > I used to see something similar in Picketlink if I configured a web.xml without paying attention to the trailing slash (I.E. https://example.com/foo vs https://example.com/foo/). The IDP would issue an assertion/token for the audience that did not match the security constraint (based on the trailing slash), then an infinite redirect loop would occur.
> >
> > Maybe check your trailing slashes?
> > On Tue, 2016-10-04 at 16:21 +0530, Pulkit Gupta wrote:
> > > Yes,
> > >
> > > I am using the standard adapter.
> > > This is happening more frequently now.
> > >
> > > Regards,
> > > Pulkit.
> > >
> > > On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke wrote:
> > > >
> > > > Are you using our adapters?
> > > >
> > > > On 10/3/16 3:13 AM, Pulkit Gupta wrote:
> > > > >
> > > > > Hi All,
> > > > >
> > > > > I am facing a problem with my keycloak integration.
> > > > > When I enter the URL of my application it gets redirected to the keycloak server.
> > > > >
> > > > > After I enter the credentials the server redirects back to my application URL.
> > > > > Till now things look ok. Once authentication is successful weird thing starts.
> > > > >
> > > > > Keycloak server redirects back to my application.
> > > > > My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
> > > > >
> > > > > Environment and setup Details
> > > > > SP EntityID : /wapps/distributors
> > > > > Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
> > > > > Server : 2 Jboss 6 servers running behind a LB
> > > > >
> > > > > Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
> > > > >
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
>
> --
> Thanks,
> Pulkit
> AMS
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From pulgupta at redhat.com Tue Oct 4 12:11:01 2016
From: pulgupta at redhat.com (Pulkit Gupta)
Date: Tue, 4 Oct 2016 21:41:01 +0530
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To:
References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com> <1475588738.5421.19.camel@redhat.com> <050B6E08-1AD0-44B7-8878-BB69341A7DD5@edlogics.com>
Message-ID:

Hi Jared,

We already have in our web.xml but still facing the issue.
Also Chris, no this is a Java adapter for Jboss.

Regards,
Pulkit.

On Tue, Oct 4, 2016 at 9:23 PM, Jared Blashka wrote:
> Just a guess, but if your app is behind a load balancer you need to have either sticky sessions on (to make sure client requests always end up at the same server) or put the tag in your web.xml to enable session replication between nodes.
> We had a similar issue that was resolved by enabling session replication.
>
> Jared
>
> On Oct 4, 2016 11:25 AM, "Chris Savory" wrote:
>
>> Is this using the JavaScript adapter? We ran into a similar problem yesterday.
>>
>> --
>> Christopher Savory
>> Software Engineer | EdLogics
>> www.edlogics.com
>>
>> <https://twitter.com/EdLogics>
>>
>> On 10/4/16, 9:45 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Pulkit Gupta" <pulgupta at redhat.com> wrote:
>>
>> Hi Josh,
>>
>> I have the paths with trailing slashes in my web.xml. Just my entityId does not have a trailing slash.
>> Also the application sometimes works in one assertion and sometimes it will take 3-4 round trips but it always works eventually.
>> We enabled the debug logging but it seems the adapter does not put anything in the logs.
>>
>> I am not sure where to look next. In case you can think of anything else that will really help me unblock myself.
>>
>> Regards,
>> Pulkit.
>>
>>
>> On Tue, Oct 4, 2016 at 7:15 PM, Josh Cain wrote:
>>
>> > I used to see something similar in Picketlink if I configured a web.xml without paying attention to the trailing slash (I.E. https://example.com/foo vs https://example.com/foo/). The IDP would issue an assertion/token for the audience that did not match the security constraint (based on the trailing slash), then an infinite redirect loop would occur.
>> >
>> > Maybe check your trailing slashes?
>> > On Tue, 2016-10-04 at 16:21 +0530, Pulkit Gupta wrote:
>> > > Yes,
>> > >
>> > > I am using the standard adapter.
>> > > This is happening more frequently now.
>> > >
>> > > Regards,
>> > > Pulkit.
>> > >
>> > > On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke wrote:
>> > >
>> > > >
>> > > > Are you using our adapters?
>> > > >
>> > > >
>> > > > On 10/3/16 3:13 AM, Pulkit Gupta wrote:
>> > > > >
>> > > > > Hi All,
>> > > > >
>> > > > > I am facing a problem with my keycloak integration.
>> > > > > When I enter the URL of my application it gets redirected to the keycloak server.
>> > > > >
>> > > > > After I enter the credentials the server redirects back to my application URL.
>> > > > > Till now things look ok. Once authentication is successful weird thing starts.
>> > > > >
>> > > > > Keycloak server redirects back to my application.
>> > > > > My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
>> > > > >
>> > > > > Environment and setup Details
>> > > > > SP EntityID : /wapps/distributors
>> > > > > Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
>> > > > > Server : 2 Jboss 6 servers running behind a LB
>> > > > >
>> > > > > Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
>> > > > >
>> > > > _______________________________________________
>> > > > keycloak-user mailing list
>> > > > keycloak-user at lists.jboss.org
>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> > >
>>
>> --
>> Thanks,
>> Pulkit
>> AMS
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

--
Thanks,
Pulkit
AMS

From mposolda at redhat.com Tue Oct 4 13:40:05 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 4 Oct 2016 19:40:05 +0200
Subject: [keycloak-user] CORS headers not sent issue
In-Reply-To:
References:
Message-ID: <37f44f40-d8f5-32dc-23f1-e7ca9e5c01b6@redhat.com>

Hi Tomas,

Nice to see you on our ML :-)

I think you're right. The CORS headers are not added to the "certs" endpoint. Probably we should just add "*" similarly to how it's done for the well-known endpoint, as the public keys are de facto public information. Feel free to create a JIRA and/or even better send a PR :-)

Btw. I am a bit curious why exactly you need it? AFAIK CORS is usually needed for browser apps, but if you're using our keycloak.js adapter, it doesn't need public keys as it doesn't do any signature verifications by itself. Token signature verifications are always done on the server side (e.g. the REST endpoint where the JS application sent its token).

Cheers,
Marek

On 04/10/16 17:10, GRMAN, Tomas wrote:
> Hello
>
> I have come across a weird issue regarding CORS implementation in Keycloak (ver. 2.2.1)
>
> I have properly specified "Web Origins" settings in Admin Console for the OIDC client.
> The problem is that the CORS headers (Access-Control-Allow-Origin) are not sent for all the requests coming towards idp.example.com (Implicit Flow)
>
> https://idp.example.com/auth/realms/test/.well-known/openid-configuration (CORS headers are sent)
>
> https://idp.example.com/auth/realms/test/protocol/openid-connect/certs (CORS headers are not sent)
>
> Is there something more to be configured in order to make Keycloak send CORS headers with all the requests? Maybe a bug?
>
> Currently I have added CORS headers on NGINX reverse proxy for this endpoint. (certs)
>
> Any advice is appreciated :)
>
> Tomas Grman
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From java at neposoft.com Tue Oct 4 19:38:26 2016
From: java at neposoft.com (java at neposoft.com)
Date: Tue, 4 Oct 2016 19:38:26 -0400
Subject: [keycloak-user] broker saml - forbidden
Message-ID: <8eabda7916bce390e0a55e0f03c26342.squirrel@neposoft.com>

Hi
I'm implementing a solution as shown in saml-broker-authentication, trying to protect a war (spring-rest).
All configured fine, Keycloak-saml-idp returns fine, am getting an OIDC token back from Keycloak, but when it returns back to the URL I initially hit, I get forbidden.
Anyone gone through this pain - any tips? Thank you.
John

From hcamp at muerte.net Tue Oct 4 20:47:02 2016
From: hcamp at muerte.net (Harold Campbell)
Date: Tue, 04 Oct 2016 19:47:02 -0500
Subject: [keycloak-user] deployed provider + EJB = infinispan lock timeout
Message-ID: <1475628422.2566.17.camel@muerte.net>

I'm trying to implement a user storage provider following the user-storage-jpa example project as a guide. My problem is that I can only try to authenticate once. Subsequent attempts fail with the exception below. It seems to be related to the provider being a Stateful EJB.
I have an older style federation provider, which uses jdbc directly, which I converted from a wildfly module to a deployed jar. It works just fine until I turn it into a Stateful EJB. It then fails the same as the user storage provider.

I can't see anything I'm doing significantly different from the example project. Can anyone help?

I'm using KC 2.2.1.Final

2016-10-05 00:35:56,645 ERROR [io.undertow.request] (default task-69) UT005023: Exception handling request to /auth/realms/envestnet-ops/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: org.infinispan.util.concurrent.TimeoutException: ISPN000299: Unable to acquire lock after 10 seconds for key envestnet-ops.username.winthorpe and requestor GlobalTransaction::120:local. Lock is held by GlobalTransaction::108:local
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.infinispan.util.concurrent.TimeoutException: ISPN000299: Unable to acquire lock after 10 seconds for key myprovider.username.myuser and requestor GlobalTransaction::120:local. Lock is held by GlobalTransaction::108:local
        at org.infinispan.util.concurrent.locks.impl.DefaultLockManager$KeyAwareExtendedLockPromise.lock(DefaultLockManager.java:236)
        at org.infinispan.interceptors.locking.AbstractLockingInterceptor.lockAndRecord(AbstractLockingInterceptor.java:190)
        at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.checkPendingAndLockKey(AbstractTxLockingInterceptor.java:192)
        at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.lockOrRegisterBackupLock(AbstractTxLockingInterceptor.java:113)
        at org.infinispan.interceptors.locking.PessimisticLockingInterceptor.visitDataWriteCommand(PessimisticLockingInterceptor.java:121)
        at org.infinispan.interceptors.locking.AbstractTxLockingInterceptor.visitPutKeyValueCommand(AbstractTxLockingInterceptor.java:62)
        at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
        at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
        at org.infinispan.interceptors.TxInterceptor.enlistWriteAndInvokeNext(TxInterceptor.java:366)
        at org.infinispan.interceptors.TxInterceptor.visitPutKeyValueCommand(TxInterceptor.java:220)
        at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
        at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
        at org.infinispan.interceptors.CacheMgmtInterceptor.updateStoreStatistics(CacheMgmtInterceptor.java:191)
        at org.infinispan.interceptors.CacheMgmtInterceptor.visitPutKeyValueCommand(CacheMgmtInterceptor.java:177)
        at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
        at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
        at org.infinispan.interceptors.InvocationContextInterceptor.handleAll(InvocationContextInterceptor.java:107)
        at org.infinispan.interceptors.InvocationContextInterceptor.handleDefault(InvocationContextInterceptor.java:76)
        at org.infinispan.commands.AbstractVisitor.visitPutKeyValueCommand(AbstractVisitor.java:43)
        at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
        at org.infinispan.interceptors.base.CommandInterceptor.invokeNextInterceptor(CommandInterceptor.java:99)
        at org.infinispan.interceptors.BatchingInterceptor.handleDefault(BatchingInterceptor.java:66)
        at org.infinispan.commands.AbstractVisitor.visitPutKeyValueCommand(AbstractVisitor.java:43)
        at org.infinispan.commands.write.PutKeyValueCommand.acceptVisitor(PutKeyValueCommand.java:74)
        at org.infinispan.interceptors.InterceptorChain.invoke(InterceptorChain.java:336)
        at org.infinispan.cache.impl.CacheImpl.executeCommandAndCommitIfNeeded(CacheImpl.java:1672)
        at org.infinispan.cache.impl.CacheImpl.putInternal(CacheImpl.java:1121)
        at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1111)
        at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:1742)
        at org.infinispan.cache.impl.CacheImpl.put(CacheImpl.java:248)
        at org.infinispan.cache.impl.AbstractDelegatingCache.put(AbstractDelegatingCache.java:291)
        at org.keycloak.models.cache.infinispan.CacheManager.addRevisioned(CacheManager.java:137)
        at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:232)
        at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:266)
        at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:281)
        at org.keycloak.authentication.authenticators.directgrant.ValidateUsername.authenticate(ValidateUsername.java:64)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:394)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:128)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

--
Harold Campbell

Ever notice that the word "therapist" breaks down into "the rapist"? Simple coincidence? Maybe...

From Tomas.GRMAN at orange.com Wed Oct 5 04:07:26 2016
From: Tomas.GRMAN at orange.com (GRMAN, Tomas)
Date: Wed, 5 Oct 2016 08:07:26 +0000
Subject: [keycloak-user] CORS headers not sent issue
In-Reply-To: <37f44f40-d8f5-32dc-23f1-e7ca9e5c01b6@redhat.com>
References: <37f44f40-d8f5-32dc-23f1-e7ca9e5c01b6@redhat.com>
Message-ID:

Hi Marek,

In our case the client application is not using the keycloak.js adapter. The application was developed by a partner and they used their own OIDC identity server.
When we connected the application to our keycloak instance, the CORS problem I have previously described appeared.

As you said, I think CORS headers should be added to all the public endpoints (including certs). In our case the client application (AngularJS) is using implicit flow and is trying to verify the jwt token it receives, and for that it needs certs. This is only my understanding of the problem, I don't know the architecture of the application, I am just trying to integrate it :)

I can create a bug on JIRA, but I am not sure what you meant by PR?

Thanks for info.

Tomas

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: 4 October 2016 19:40
To: GRMAN, Tomas ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] CORS headers not sent issue

Hi Tomas,

Nice to see you on our ML :-)

I think you're right. The CORS headers are not added to the "certs" endpoint. Probably we should just add "*" similarly to how it's done for the well-known endpoint, as the public keys are de facto public information. Feel free to create a JIRA and/or even better send a PR :-)

Btw. I am a bit curious why exactly you need it? AFAIK CORS is usually needed for browser apps, but if you're using our keycloak.js adapter, it doesn't need public keys as it doesn't do any signature verifications by itself. Token signature verifications are always done on the server side (e.g. the REST endpoint where the JS application sent its token).

Cheers,
Marek

On 04/10/16 17:10, GRMAN, Tomas wrote:
> Hello
>
> I have come across a weird issue regarding CORS implementation in Keycloak (ver. 2.2.1)
>
> I have properly specified "Web Origins" settings in Admin Console for the OIDC client.
> The problem is that the CORS headers (Access-Control-Allow-Origin) are not sent for all the requests coming towards idp.example.com (Implicit Flow)
>
> https://idp.example.com/auth/realms/test/.well-known/openid-configuration (CORS headers are sent)
>
> https://idp.example.com/auth/realms/test/protocol/openid-connect/certs (CORS headers are not sent)
>
> Is there something more to be configured in order to make Keycloak send CORS headers with all the requests? Maybe a bug?
>
> Currently I have added CORS headers on NGINX reverse proxy for this endpoint. (certs)
>
> Any advice is appreciated :)
>
> Tomas Grman
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bystrik.horvath at gmail.com Wed Oct 5 07:22:24 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Wed, 5 Oct 2016 13:22:24 +0200
Subject: [keycloak-user] Create user in one realm, delete it from different one
Message-ID:

Dear members,

I currently use Keycloak 1.9.3 and came across very strange behavior. My case is the following:
1.) authenticate to realm1 using a client with service account
2.) create a user in realm1
3.) retrieve the created user to get its UID
4.) authenticate to realm2 using the same client and same service account
5.) delete the user in realm2 using the mentioned UID without error

Analyzing the code I found that the class UserCacheSession does not check in this case the realm in the method getUserById(String id, RealmModel realm).
When I restart Keycloak after step 3 and execute the steps 4 and 5 afterwards, the case finishes with error (which I found ok).

Is my case somehow wrong or could it be a real issue?
Best regards,
Bystrik

From java at neposoft.com Wed Oct 5 07:46:17 2016
From: java at neposoft.com (java at neposoft.com)
Date: Wed, 5 Oct 2016 07:46:17 -0400
Subject: [keycloak-user] broker saml - forbidden
In-Reply-To: <8eabda7916bce390e0a55e0f03c26342.squirrel@neposoft.com>
References: <8eabda7916bce390e0a55e0f03c26342.squirrel@neposoft.com>
Message-ID:

Furthermore:
I am seeing in keycloak logs:
07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token
07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) status from server: 403

This is happening after the handshake is done with the Idp and returned back to keycloak oidc.

Anyone have any tips?
Appreciate it.

> Hi
> I'm implementing a solution as shown in saml-broker-authentication, trying to protect a war (spring-rest).
> All configured fine, Keycloak-saml-idp returns fine, am getting an OIDC token back from Keycloak, but when it returns back to the URL I initially hit, I get forbidden.
> Anyone gone through this pain - any tips? Thank you.
> John
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From java at neposoft.com Wed Oct 5 07:48:17 2016
From: java at neposoft.com (java at neposoft.com)
Date: Wed, 5 Oct 2016 07:48:17 -0400
Subject: [keycloak-user] broker saml - forbidden
In-Reply-To:
References: <8eabda7916bce390e0a55e0f03c26342.squirrel@neposoft.com>
Message-ID:

This is happening in OAuthRequestAuthenticator.java
code snippet:
===
try {
    // For COOKIE store we don't have httpSessionId and single sign-out won't be available
    String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION ? reqAuthenticator.changeHttpSessionId(true) : null;
    tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, strippedOauthParametersRequestUri, httpSessionId);
} catch (ServerRequest.HttpFailure failure) {
    log.error("failed to turn code into token");
    log.error("status from server: " + failure.getStatus());
    if (failure.getStatus() == 400 && failure.getError() != null) {
        log.error("   " + failure.getError());
    }
    return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
}
===

> Furthermore:
> I am seeing in keycloak logs:
> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token
> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) status from server: 403
>
> This is happening after the handshake is done with the Idp and returned back to keycloak oidc.
>
> Anyone have any tips?
> Appreciate it.
>
>
>> Hi
>> I'm implementing a solution as shown in saml-broker-authentication, trying to protect a war (spring-rest).
>> All configured fine, Keycloak-saml-idp returns fine, am getting an OIDC token back from Keycloak, but when it returns back to the URL I initially hit, I get forbidden.
>> Anyone gone through this pain - any tips? Thank you.
>> John
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From andyyar66 at gmail.com Wed Oct 5 08:02:32 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Wed, 5 Oct 2016 14:02:32 +0200
Subject: [keycloak-user] Logging from execute-action-email?
Message-ID:

Hello,
I'm trying to debug the sending of email notifications in my standalone installation of Keycloak 2.2.1.Final. When I manually trigger a notification in Admin Console it spits out an alert message: "*Error!* Failed to send email to user".
However, my standalone/log/server.log is empty - no ERROR, stacktrace, nothing...

Where is the proper place to turn on logging of these exceptions?

Thanks

From bburke at redhat.com Wed Oct 5 09:37:37 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 5 Oct 2016 09:37:37 -0400
Subject: [keycloak-user] broker saml - forbidden
In-Reply-To:
References: <8eabda7916bce390e0a55e0f03c26342.squirrel@neposoft.com>
Message-ID:

For your application, does the security constraint require a role? My guess is that the token does not have the role required by the security constraint in your application.

On 10/5/16 7:48 AM, java at neposoft.com wrote:
> This is happening in OAuthRequestAuthenticator.java
> code snippet:
> ===
> try {
>     // For COOKIE store we don't have httpSessionId and single sign-out won't be available
>     String httpSessionId = deployment.getTokenStore() == TokenStore.SESSION ? reqAuthenticator.changeHttpSessionId(true) : null;
>     tokenResponse = ServerRequest.invokeAccessCodeToToken(deployment, code, strippedOauthParametersRequestUri, httpSessionId);
> } catch (ServerRequest.HttpFailure failure) {
>     log.error("failed to turn code into token");
>     log.error("status from server: " + failure.getStatus());
>     if (failure.getStatus() == 400 && failure.getError() != null) {
>         log.error("   " + failure.getError());
>     }
>     return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
>
> ===
>
>> Furthermore:
>> I am seeing in keycloak logs:
>> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token
>> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) status from server: 403
>>
>> This is happening after the handshake is done with the Idp and returned back to keycloak oidc.
>>
>> Anyone have any tips?
>> Appreciate it.
>> >> >>> Hi >>> I'm implementing a solution as shown in saml-broker-authentication, trying >>> to >>> protect a war (spring-rest). >>> All configured fine, Keycloak-saml-idp returns fine, am getting an OIDC >>> token back from Keycloak, but when it returns back to the URL I was >>> initially hit, I get forbidden. >>> Anyone gone through this pain - any tips? Thank you. >>> John >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From CDollar at rydin.com Wed Oct 5 09:39:11 2016 From: CDollar at rydin.com (Chris S. Dollar) Date: Wed, 5 Oct 2016 13:39:11 +0000 Subject: [keycloak-user] Can't get adapter subsystem config to work in KC2.2.1 - keycloak.json works Message-ID: <5CB1FA85EAB4FD488586630AF005DF4D0176E159@mail.rydindecal.com> Hi All, I'm working with some POC code based on this blog post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html Up till now I've been using WF10 Final and KC 2.0.0 Final, and everything has been going fine. I could configure the security of my .war (which is packaged in an .ear) via the per-war keycloak.json method or via the adapter subsystem method and both worked. Today I started on migrating our POC to WF 10.1 Final and KC 2.2.1 Final. With this new combo I'm not having any problems configuring war security using keycloak.json - that seems to work fine, but I can't seem to get the adapter subsystem method working. Using the adapter subsystem it appears that KC isn't trying to authenticate my app as I'm prompted for basic auth credentials. Enabling trace logging for KC and org.jboss.security didn't give any clues. Are there any changes or known issues with the adapter config method with KC 2.2.1? 
And/or is there anyone using that system successfully in their configuration? Also, as I was investigating this I noticed (what I think is) an inconsistency in the docs. The java adapters config page shows the config option "credentials" and shows how to use it in the keycloak.json file. https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html However, on the page for JBoss/EAP/WF adapters it references the option as "credenial" without the trailing "s", and the examples shown there also do not have the trailing s character. https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/jboss-adapter.html Should that value be different in each case as the docs seem to indicate? The adapters config page also states that that value is required, but as best I can tell it isn't? And I'm 99% sure that the 'credential' deal isn't my real issue here, but I thought I'd point it out in case the docs are incorrect. Any suggestions would be appreciated! Thanks! Chris From bystrik.horvath at gmail.com Wed Oct 5 09:59:04 2016 From: bystrik.horvath at gmail.com (Bystrik Horvath) Date: Wed, 5 Oct 2016 15:59:04 +0200 Subject: [keycloak-user] Create user in one realm, delete it from different one In-Reply-To: References: Message-ID: I would like to correct the step 4 - authenticate to realm2 using a different client and service account. But the behavior is still the same - I'm able to delete a user created for realm1 when using realm2. On Wed, Oct 5, 2016 at 1:22 PM, Bystrik Horvath wrote: > Dear members, > > I currently use Keycloak 1.9.3 and came to very strange behavior. My case > is following: > 1.) authenticate to realm1 using a client with service account > 2.) create a user in realm1 > 3.) retrieve the created user to get its UID > 4.) authenticate to realm2 using the same client and same service account > 5.) 
delete the user in realm2 using the mentioned UID without error > > Analyzing the code I found that the class UserCacheSession does not check > in this case the realm in the method getUserById(String id, RealmModel > realm). When I restart Keycloak after step 3 and execute the steps 4 and > 5 afterwards, the case finishes with error (which I found ok). > > Is my case somehow wrong or could it be a real issue? > > Best regards, > Bystrik > From Edgar at info.nl Wed Oct 5 10:37:16 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Wed, 5 Oct 2016 14:37:16 +0000 Subject: [keycloak-user] Possible LDAP injection issue found - '(' character in user name is not escaped before LDAP query (as found by OWASP ZAP security tool) Message-ID: <430C159D-8F0A-4771-9B9A-B5976E3B6C9F@info.nl> Hi, We are using the OWASP ZAP tool (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) to run basic security testing against our web portal of which Keycloak is a key part. When ZAP runs the Keycloak log fills up quickly with all kinds of stack traces. One of them is the one below. In this case the ZAP tool attempts to log in on the Keycloak login page securing our custom realm with the following username: ZAP') UNION ALL select NULL -- It seems from the stacktrace below that Keycloak uses this "username" as is without any escaping when querying LDAP(/AD). This results in an incorrect LDAP query because the parentheses are now "unbalanced". I think all special characters in a username should be escaped before the LDAP query is done? 
It seems that this is a case of LDAP Injection (https://www.owasp.org/index.php/LDAP_injection) 14:06:37,437 ERROR [org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager] (default task-21) Could not query server using DN [ou=Users,ou=Customers,dc=graydon-test,dc=hf,dc=info,dc=nl] and filter [(&(userPrincipalname=ZAP') UNION ALL select NULL -- )(objectclass=person)(objectclass=organizationalPerson)(objectclass=user)(objectclass=graydonCustomerPerson))]: javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'ou=Users,ou=Customers,dc=graydon-test,dc=hf,dc=info,dc=nl' at com.sun.jndi.ldap.Filter.findRightParen(Filter.java:694) at com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:733) at com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657) at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104) at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74) at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546) at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:169) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager$2.execute(LDAPOperationManager.java:166) at org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.execute(LDAPOperationManager.java:536) at 
org.keycloak.federation.ldap.idm.store.ldap.LDAPOperationManager.search(LDAPOperationManager.java:166) at org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore.fetchQueryResults(LDAPIdentityStore.java:160) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getResultList(LDAPQuery.java:165) at org.keycloak.federation.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:176) at org.keycloak.federation.ldap.LDAPFederationProvider.loadLDAPUserByUsername(LDAPFederationProvider.java:510) at org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:305) at org.keycloak.models.UserFederationManager.getUserByUsername(UserFederationManager.java:237) at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:273) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:127) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:84) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:75) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:356) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:338) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:383) at sun.reflect.GeneratedMethodAccessor480.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at 
java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at 
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) 14:06:37,439 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=graydon-customers, clientId=account, userId=null, ipAddress=172.23.6.21, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://gry-test.hf.info.nl/auth/realms/graydon-customers/account/login-redirect, code_id=7ee2f340-5bf8-42a2-b1ef-32890a78c305, username='ZAP') UNION ALL select NULL -- ' From java at neposoft.com Wed Oct 5 15:01:51 2016 From: java at neposoft.com (java at neposoft.com) Date: Wed, 5 Oct 2016 15:01:51 -0400 Subject: [keycloak-user] broker saml - forbidden In-Reply-To: References: <8eabda7916bce390e0a55e0f03c26342.squirrel@neposoft.com> Message-ID: Yes, auth-constraint/role-name in web.xml. I've tried creating Roles (same name as the app) at Realm level , as well at 'client' level - no change, same error. Any more clues - appreciate it. > For your application, does the security constraint require a role? My > guess is that the token does not have the role required by the security > constraint in your application. > > > On 10/5/16 7:48 AM, java at neposoft.com wrote: >> This is happening in OAuthRequestAuthenticator.java >> code snippet: >> === >> try { >> // For COOKIE store we don't have httpSessionId and single >> sign-out won't be available >> String httpSessionId = deployment.getTokenStore() == >> TokenStore.SESSION ? 
>> reqAuthenticator.changeHttpSessionId(true) : null; >> tokenResponse = >> ServerRequest.invokeAccessCodeToToken(deployment, code, >> strippedOauthParametersRequestUri, httpSessionId); >> } catch (ServerRequest.HttpFailure failure) { >> log.error("failed to turn code into token"); >> log.error("status from server: " + failure.getStatus()); >> if (failure.getStatus() == 400 && failure.getError() != >> null) { >> log.error(" " + failure.getError()); >> } >> return challenge(403, >> OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null); >> >> === >> >>> Furthermore: >>> I am seeing in keycloak logs: >>> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] >>> (default task-2) failed to turn code into token >>> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] >>> (default task-2) status from server: 403 >>> >>> This is happening after the handshake done with Idp and returned back >>> to >>> keycloak oidc. >>> >>> anyone has any tips. >>> Appreciate it. >>> >>> >>>> Hi >>>> I'm implementing a solution as shown in saml-broker-authentication, >>>> trying >>>> to >>>> protect a war (spring-rest). >>>> All configured fine, Keycloak-saml-idp returns fine, am getting an OIDC >>>> token back from Keycloak, but when it returns back to the URL I was >>>> initially hit, I get forbidden. >>>> Anyone gone through this pain - any tips? Thank you. 
>>>> John >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From hcamp at muerte.net Wed Oct 5 17:13:22 2016 From: hcamp at muerte.net (Harold Campbell) Date: Wed, 05 Oct 2016 16:13:22 -0500 Subject: [keycloak-user] deployed provider + EJB = infinispan lock timeout In-Reply-To: <1475628422.2566.17.camel@muerte.net> References: <1475628422.2566.17.camel@muerte.net> Message-ID: <1475702002.2566.19.camel@muerte.net> On Tue, 2016-10-04 at 19:47 -0500, Harold Campbell wrote: > I'm trying to implement a user storage provider following the user-storage-jpa example project as a guide. My problem is that I can only > try to authenticate once. Subsequent attempts fail with the exception > below. > > It seems to be related to the provider being a Stateful EJB. >
To answer my own question, I'd failed to put @Remove on my Provider#close(). Having corrected that, the problem seems to have gone away. -- Harold Campbell BELA LUGOSI is my co-pilot ... From akaya at expedia.com Thu Oct 6 02:05:12 2016 From: akaya at expedia.com (Sarp Kaya) Date: Thu, 6 Oct 2016 06:05:12 +0000 Subject: [keycloak-user] No state cookie returned from the keycloak adapter Message-ID: Hello, A use case I have noticed is: 1) User tries to use the web application. Say http://www.app.com 2) The application redirects you to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol/... 3) Before logging in, user bookmarks this page. 
4) User logs in and then gets redirected to http://www.app.com 5) All works fine up till now. Now user logs out, closes browser etc. Now user starts the workflow from bookmarked page (http://www.keycloaklogin.com/auth/...) 1) User sees a login page 2) User logs in 3) User gets redirected to http://www.app.com?state=... 4) At this point this below code: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java#L234 is executed and user sees a 400 page due to not having OAuth_Token_Request_State. So far you can argue that, well we didn't want user not to have OAuth_Token_Request_State in the first place, but the next step that user can do is: 5) User goes to http://www.app.com page and then gets a redirect back to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol/... 6) Keycloak sees that user is already logged in so redirects back to the same page 7) User now can see http://www.app.com due to the OAuth_Token_Request_State created in step 5 So to me it seems like this check is obsolete, however I'm curious whether this has a use case or prevents anything. If not, then it might be worth fixing at the step 4 where user actually gets to see the page (or re-issue OAuth_Token_Request_State) instead of showing 400 page. Thanks, Sarp From michael_furman at hotmail.com Thu Oct 6 02:40:48 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Thu, 6 Oct 2016 06:40:48 +0000 Subject: [keycloak-user] Newbie API question Message-ID: Hi all, I have started to learn Keycloak and I need your help. 1. Is it possible to register a new client using REST API? http://www.keycloak.org/docs/rest-api/ I want to use the static client registration. 2. Is it possible to configure a whitelist using REST API? I want to be able to access from a client to Keycloak without an additional manual confirmation. Thank you in advance for your help. 
Best regards, Michael From pulgupta at redhat.com Thu Oct 6 02:46:15 2016 From: pulgupta at redhat.com (Pulkit Gupta) Date: Thu, 6 Oct 2016 12:16:15 +0530 Subject: [keycloak-user] multiple redirects after authentication In-Reply-To: References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com> <1475588738.5421.19.camel@redhat.com> <050B6E08-1AD0-44B7-8878-BB69341A7DD5@edlogics.com> Message-ID: Hi All, Just a thought, can this be related to session replication? Also where can I find more documentation on how Keycloak uses sessions or saml tokens to authenticate users? Might be once I know the internal working of the adapter and the server authentication involved I can try something more. Regards, Pulkit. On Tue, Oct 4, 2016 at 9:41 PM, Pulkit Gupta wrote: > Hi Jared, > > We already have in our web.xml but still facing the > issue. > Also Chris, no this is a Java adapter for Jboss. > > Regards, > Pulkit. > > On Tue, Oct 4, 2016 at 9:23 PM, Jared Blashka wrote: > >> Just a guess, but if your app is behind a load balancer you need to have >> either sticky sessions on (to make sure client requests always end up at >> the same server) or put the tag in your web.xml to enable >> session replication between nodes. We had a similar issue that was resolved >> by enabling session replication. >> >> Jared >> >> On Oct 4, 2016 11:25 AM, "Chris Savory" >> wrote: >> >>> Is this using the JavaScript adapter? We ran into a similar problem >>> yesterday. >>> >>> -- >>> Christopher Savory >>> Software Engineer | EdLogics >>> www.edlogics.com >>> >>> >>> <https://twitter.com/EdLogics> >>> >>> On 10/4/16, 9:45 AM, "keycloak-user-bounces at lists.jboss.org on behalf >>> of Pulkit Gupta" >> pulgupta at redhat.com> wrote: >>> >>> Hi Josh, >>> >>> I have the paths with trailing slashes in my web.xml. Just my >>> entityId does >>> not have a trailing slash. 
>>> Also the application sometimes works in one assertion and sometimes it >>> will >>> take 3-4 round trips but it always works eventually. >>> We enabled the debug logging but it seems adapter does not put >>> anything in >>> the logs. >>> >>> I am not sure where to look next. In case you can think of anything >>> else >>> that will really help me unblock myself. >>> >>> Regards, >>> Pulkit. >>> >>> >>> On Tue, Oct 4, 2016 at 7:15 PM, Josh Cain wrote: >>> >>> > I used to see something similar in Picketlink if I configured a >>> web.xml >>> > without paying attention to the trailing slash (i.e. >>> https://example.com/foo vs https://example.com/foo/). The IDP would issue an >>> > assertion/token for the audience that did not match the security >>> > constraint (based on the trailing slash), then an infinite redirect >>> > loop would occur. >>> > >>> > Maybe check your trailing slashes? >>> > On Tue, 2016-10-04 at 16:21 +0530, Pulkit Gupta wrote: >>> > > Yes, >>> > > >>> > > I am using the standard adapter. >>> > > This is happening more frequently now. >>> > > >>> > > Regards, >>> > > Pulkit. >>> > > >>> > > On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke >>> wrote: >>> > > >>> > > > >>> > > > Are you using our adapters? >>> > > > >>> > > > >>> > > > On 10/3/16 3:13 AM, Pulkit Gupta wrote: >>> > > > > >>> > > > > Hi All, >>> > > > > >>> > > > > I am facing a problem with my keycloak integration. >>> > > > > When I enter the URL of my application it gets redirected to >>> the >>> > > > > keycloak >>> > > > > server. >>> > > > > >>> > > > > After I enter the credentials the server redirects back to my >>> > > > > application >>> > > > > URL. >>> > > > > Till now things look ok. Once authentication is successful >>> weird >>> > > > > thing >>> > > > > starts. >>> > > > > >>> > > > > Keycloak server redirects back to my application. 
>>> > > > > My application again redirects to the keycloak server which >>> > > > > without >>> > > > showing >>> > > > > >>> > > > > the login page again redirects to my application. This >>> happens >>> > > > > once or >>> > > > > twice after which finally my application page loads. In this >>> > > > > process, I >>> > > > can >>> > > > > >>> > > > > see multiple SAML XMLs being exchanged. >>> > > > > >>> > > > > Environment and setup Details >>> > > > > SP EntityID : /wapps/distributors >>> > > > > Page I am visiting directly : >>> > > > > https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html >>> > > > > Server : 2 Jboss 6 servers running behind a LB >>> > > > > >>> > > > > Please let me know in case this is something related to >>> > > > > configuration or >>> > > > > might be some issue related to proxies or load balancers in >>> my >>> > > > environment. >>> > > > > >>> > > > > >>> > > > >>> > > > _______________________________________________ >>> > > > keycloak-user mailing list >>> > > > keycloak-user at lists.jboss.org >>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> > > > >>> > > >>> > > >>> > > >>> > >>> >>> >>> >>> -- >>> Thanks, >>> Pulkit >>> AMS >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> > > > -- > Thanks, > Pulkit > AMS > -- Thanks, Pulkit AMS From mposolda at redhat.com Thu Oct 6 03:09:17 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 6 Oct 2016 09:09:17 +0200 Subject: [keycloak-user] CORS headers not sent issue In-Reply-To: References: <37f44f40-d8f5-32dc-23f1-e7ca9e5c01b6@redhat.com> Message-ID: <6c0a8781-c864-2a8f-5e00-afb694c70c9e@redhat.com> Ok, I 
understand better now. Thanks. By "PR" I meant "Pull Request" to GitHub to fix the issue in Keycloak master. You can always create a JIRA, but if you have time and you want a quick fix, fixing the issue by yourself and sending a PR is always a bit better :-) Marek On 05/10/16 10:07, GRMAN, Tomas wrote: > Hi Marek, > > In our case the client application is not using keycloak.js adapter. > Application was developed by the partner and they used their own OIDC identity server. When we connected the application to our keycloak instance, the CORS problem I have previously described appeared. > > As you said, I think CORS headers should be added to all the public endpoints (including certs). In our case the client application (AngularJS) is using implicit flow and is trying to verify the jwt token it receives and for that it needs certs. This is only my understanding of the problem, I don't know the architecture of the application, I am just trying to integrate it :) > > I can create a bug on JIRA, but I am not sure what you meant by PR? Thanks for info. > > Tomas > > > > -----Original Message----- > From: Marek Posolda [mailto:mposolda at redhat.com] > Sent: 4 October 2016 19:40 > To: GRMAN, Tomas ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] CORS headers not sent issue > > Hi Tomas, > > Nice to see you on our ML :-) > > I think you're right. The CORS headers are not added to the "certs" > endpoint. Probably we should just add "*" similarly like it's done for the well-known endpoint, as the public keys are de facto public information. > Feel free to create a JIRA and/or even better send a PR :-) > > Btw. I am a bit curious why exactly you need it? AFAIK CORS is usually needed for the browser apps, but if you're using our keycloak.js adapter, it doesn't need public keys as it doesn't do any signature verifications by itself. Token signature verifications are always done on the server side (eg. the REST endpoint where the JS application sent its token). 
> > Cheers, > Marek > > On 04/10/16 17:10, GRMAN, Tomas wrote: >> Hello >> >> I have come across a weird issue regarding CORS implementation in >> Keycloak (ver. 2.2.1) >> >> I have properly specified "Web Origins" settings in Admin Console for the OIDC client. >> The problem is that the CORS headers (Access-Control-Allow-Origin) are >> not sent for all the requests coming towards idp.example.com (Implicit >> Flow) >> >> https://idp.example.com/auth/realms/test/.well-known/openid-configuration (CORS headers are sent) >> >> https://idp.example.com/auth/realms/test/protocol/openid-connect/certs >> (CORS headers are not sent) >> >> Is there something more to be configured in order to make Keycloak send CORS headers with all the requests? Maybe a bug? >> >> Currently I have added CORS headers on NGINX reverse proxy for this >> endpoint. (certs) >> >> Any advice is appreciated :) >> >> Tomas Grman >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > From mposolda at redhat.com Thu Oct 6 04:15:29 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 6 Oct 2016 10:15:29 +0200 Subject: [keycloak-user] Create user in one realm, delete it from different one In-Reply-To: References: Message-ID: <6c4536ed-7c22-8573-f279-c5776691b1a3@redhat.com> There were some caching fixes meanwhile. Do you have an opportunity to upgrade either to latest 2.2.1 or at least to 1.9.8 and check if the same behaviour can be still reproduced? Marek On 05/10/16 13:22, Bystrik Horvath wrote: > Dear members, > > I currently use Keycloak 1.9.3 and came to very strange behavior. My case > is following: > 1.) authenticate to realm1 using a client with service account > 2.) create a user in realm1 > 3.) retrieve the created user to get its UID > 4.) authenticate to realm2 using the same client and same service account > 5.) 
delete the user in realm2 using the mentioned UID without error > > Analyzing the code I found that the class UserCacheSession does not check > in this case the realm in the method getUserById(String id, RealmModel > realm). When I restart Keycloak after step 3 and execute the steps 4 and 5 > afterwards, the case finishes with error (which I found ok). > > Is my case somehow wrong or could it be a real issue? > > Best regards, > Bystrik > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Oct 6 04:18:23 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 6 Oct 2016 10:18:23 +0200 Subject: [keycloak-user] Logging from execute-action-email? In-Reply-To: References: Message-ID: <77166fd1-abe4-ee6a-2aae-f9937b61e189@redhat.com> This is probably SMTP settings I guess. For logging you can go to standalone/configuration/standalone.xml and add something like this into logging section: Marek On 05/10/16 14:02, Andy Yar wrote: > Hello, > I'm trying to debug sending of email notifications in my standalone > installation of Keycloak 2.2.1.Final. > > When I manually trigger a notification in Admin Console it spits out an > alert message: "*Error!* Failed to send email to user". However, my > standalone/log/server.log is empty - no ERROR, stacktrace, nothing... > > Where is the proper place to turn on logging of these exceptions? 
> > Thanks > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Oct 6 04:26:17 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 6 Oct 2016 10:26:17 +0200 Subject: [keycloak-user] Can't get adapter subsystem config to work in KC2.2.1 - keycloak.json works In-Reply-To: <5CB1FA85EAB4FD488586630AF005DF4D0176E159@mail.rydindecal.com> References: <5CB1FA85EAB4FD488586630AF005DF4D0176E159@mail.rydindecal.com> Message-ID: <7275d0f6-6698-c02e-f89f-5ea1e1076cdb@redhat.com> On 05/10/16 15:39, Chris S. Dollar wrote: > Hi All, > > I'm working with some POC code based on this blog post: http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html > > Up till now I've been using WF10 Final and KC 2.0.0 Final, and everything has been going fine. I could configure the security of my .war (which is packaged in an .ear) via the per-war keycloak.json method or via the adapter subsystem method and both worked. > > Today I started on migrating our POC to WF 10.1 Final and KC 2.2.1 Final. With this new combo I'm not having any problems configuring war security using keycloak.json - that seems to work fine, but I can't seem to get the adapter subsystem method working. Using the adapter subsystem it appears that KC isn't trying to authenticate my app as I'm prompted for basic auth credentials. Enabling trace logging for KC and org.jboss.security didn't give any clues. > > Are there any changes known issues with the adapter config method with KC 2.2.1? And/or is there anyone using that system successfully in their configuration? I've tried it earlier this week and it should work fine. At least with latest master. Could you paste your subsystem configuration? > > Also, as I was investigating this I noticed (what I think is) an inconsistency in the docs. 
> The java adapters config page shows the config option "credentials" and shows how to use it in the keycloak.json file. https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html
>
> However, on the page for JBoss/EAP/WF adapters it references the option as "credenial" without the trailing "s", and the examples shown there also do not have the trailing s character. https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/jboss-adapter.html
>
> Should that value be different in each case as the docs seem to indicate? The adapters config page also states that that value is required, but as best I can tell it isn't? And I'm 99% sure that the 'credential' deal isn't my real issue here, but I thought I'd point it out in case the docs are incorrect.

The docs look correct. In subsystem, the element name is "credential". However you just mentioned "credenial" without "t" :-) Don't you have the same mistake in your standalone.xml?

Marek

>
> Any suggestions would be appreciated! Thanks!
> Chris
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From emanuel.palacio at gmail.com Thu Oct 6 04:31:07 2016
From: emanuel.palacio at gmail.com (Manuel Palacio)
Date: Thu, 06 Oct 2016 08:31:07 +0000
Subject: [keycloak-user] SAML attribute importer with multiple values
In-Reply-To:
References:
Message-ID:

I created the JIRA and the pull request linked to it. This solves my problem. All the existing integration tests continue passing. I don't know if I need to write any more special integration tests for this case.
https://issues.jboss.org/browse/KEYCLOAK-3648

On Fri, Sep 30, 2016 at 10:06 AM Stian Thorgersen wrote:
> Looks like a limitation of the user attribute importer:
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/broker/saml/mappers/UserAttributeMapper.java#L130
>
> It simply picks the first value and uses that.
>
> You can create a JIRA feature request to have support for importing multi valued attributes. A PR for this would be great if you're up for it. If you need a solution quick you can create your own custom mapper.
>
> On 28 September 2016 at 11:04, Manuel Palacio wrote:
>
> Hello,
>
> I am trying to process a SAML attribute with multiple values.
>
> To that end I have created a client mapper of type User Attribute with "Multivalued" on.
>
> I also have an "attribute importer" mapper in the SAML v2.0 identity provider. It points to user attribute name defined in the client mapper mentioned above.
>
> Unfortunately, it is only mapping the first value into the access token.
>
> The attribute in the SAML response looks like this
>
> value1 value2 value3 (the <AttributeValue> XML elements were stripped by the archive)
>
> In the access token only the first value appears as part of "otherClaims" map.
>
> What do I need to do in order to get all the values in the access token?
>
> Thanks
>
> /Manuel
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bystrik.horvath at gmail.com Thu Oct 6 04:36:26 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Thu, 6 Oct 2016 10:36:26 +0200
Subject: [keycloak-user] Create user in one realm, delete it from different one
In-Reply-To: <6c4536ed-7c22-8573-f279-c5776691b1a3@redhat.com>
References: <6c4536ed-7c22-8573-f279-c5776691b1a3@redhat.com>
Message-ID:

Hi Marek,
thank you for your response. I downloaded the latest 2.2.1 today and checked it - the behavior is the same.
Best regards,
Bystrik

On Thu, Oct 6, 2016 at 10:15 AM, Marek Posolda wrote:
> There were some caching fixes meanwhile. Do you have an opportunity to upgrade either to latest 2.2.1 or at least to 1.9.8 and check if the same behaviour can be still reproduced?
>
> Marek
>
> On 05/10/16 13:22, Bystrik Horvath wrote:
>
>> Dear members,
>>
>> I currently use Keycloak 1.9.3 and came to very strange behavior. My case is following:
>> 1.) authenticate to realm1 using a client with service account
>> 2.) create an user in realm1
>> 3.) retrieve the created user to get its UID
>> 4.) authenticate to realm2 using the same client and same service account
>> 5.) delete the user in realm2 using the mentioned UID without error
>>
>> Analyzing the code I found that the class UserCacheSession does not check in this case the realm in the method getUserById(String id, RealmModel realm). When I restart Keycloak after step 3 and execute the steps 4 and 5 afterwards, the case finishes with error (which I found ok).
>>
>> Is my case somehow wrong or could it be a real issue?
>>
>> Best regards,
>> Bystrik
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From mposolda at redhat.com Thu Oct 6 04:46:07 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 6 Oct 2016 10:46:07 +0200
Subject: [keycloak-user] No state cookie returned from the keycloak adapter
In-Reply-To:
References:
Message-ID: <2b3bbd76-c493-c4d8-281b-9861af02f976@redhat.com>

The "state" is just meant to provide more security. See OAuth2 / OpenID Connect specification around this. For example if we don't require OAuth_Token_Request_State cookie and we won't mandate "state" check, then attacker just can pass you somehow URL with his own code "http://www.app.com?code=attackers-own-code" and you will be logged automatically to the application with an attacker identity.
BTW. If the default behaviour is not suitable for you, you can probably configure error handling in web.xml of your application and handle 400 error with the state cookie message to automatically do another redirect to your application. Then users won't see any error page.

Another option is to just instruct your users to not bookmark login page ;)

Marek

On 06/10/16 08:05, Sarp Kaya wrote:
> Hello,
>
> A use case I have noticed is:
>
> 1) User tries to use the web application. Say http://www.app.com
> 2) The application redirects you to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol...
> 3) Before logging in, user bookmarks this page.
> 4) User logs in and then gets redirected to http://www.app.com
> 5) All works fine up till now
>
> Now user logs out, closes browser etc.
>
> Now user starts the workflow from bookmarked page (http://www.keycloaklogin.com/auth...)
>
> 1) User sees a login page
> 2) User logs in
> 3) User gets redirected to http://www.app.com?state=...
> 4) At this point this below code:
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java#L234
> is executed and user sees a 400 page due to not having OAuth_Token_Request_State. So far you can argue that, well we didn't want user not to have OAuth_Token_Request_State in the first place, but the next step that user can do is:
> 5) User goes to http://www.app.com page and then gets a redirect back to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol...
> 6) Keycloak sees that user is already logged in so redirects back to the same page
> 7) User now can see http://www.app.com due to the OAuth_Token_Request_State created in step 5
>
> So to me it seems like this check is obsolete, however I'm curious whether this has a user case or prevents anything.
> If not, then it might be worth fixing at the step 4 where user actually gets to see the page (or re-issue OAuth_Token_Request_State) instead of showing 400 page.
>
> Thanks,
> Sarp
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Thu Oct 6 04:48:11 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 6 Oct 2016 10:48:11 +0200
Subject: [keycloak-user] multiple redirects after authentication
In-Reply-To:
References: <3bf87e56-7c2f-d195-735e-33b50a1deee0@redhat.com> <1475588738.5421.19.camel@redhat.com> <050B6E08-1AD0-44B7-8878-BB69341A7DD5@edlogics.com>
Message-ID: <1189ea66-5795-2536-0a44-c10cadff197f@redhat.com>

Some related docs are here: https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/application-clustering.html

Marek

On 06/10/16 08:46, Pulkit Gupta wrote:
> Hi All,
>
> Just a thought, can this be related to session replication.
> Also where can I find more documentation on how Keycloak uses sessions or saml tokens to authenticate users.
> Might be once I know the internal working of the adapter and the server authentication involved I can try something more.
>
> Regards,
> Pulkit.
>
> On Tue, Oct 4, 2016 at 9:41 PM, Pulkit Gupta wrote:
>
>> Hi Jared,
>>
>> We already have in our web.xml but still facing the issue.
>> Also Chris, no this is a Java adapter for Jboss.
>>
>> Regards,
>> Pulkit.
>>
>> On Tue, Oct 4, 2016 at 9:23 PM, Jared Blashka wrote:
>>
>>> Just a guess, but if your app is behind a load balancer you need to have either sticky sessions on (to make sure client requests always end up at the same server) or put the tag in your web.xml to enable session replication between nodes. We had a similar issue that was resolved by enabling session replication.
>>>
>>> Jared
>>>
>>> On Oct 4, 2016 11:25 AM, "Chris Savory" wrote:
>>>
>>>> Is this using the JavaScript adapter? We ran into a similar problem yesterday.
>>>>
>>>> --
>>>> Christopher Savory
>>>> Software Engineer | EdLogics
>>>> www.edlogics.com
>>>> <https://twitter.com/EdLogics>
>>>>
>>>> On 10/4/16, 9:45 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Pulkit Gupta" <pulgupta at redhat.com> wrote:
>>>>
>>>> Hi Josh,
>>>>
>>>> I have the paths with trailing slashes in my web.xml. Just my entityId does not have a trailing slash.
>>>> Also the application sometime works in one assertion and sometime it will take 3-4 round trips but it always works eventually.
>>>> We enabled the debug logging but it seems adapter does not put anything in the logs.
>>>>
>>>> I am not sure where to look next. In case you can think of anything else that will really help me unblock myself.
>>>>
>>>> Regards,
>>>> Pulkit.
>>>>
>>>> On Tue, Oct 4, 2016 at 7:15 PM, Josh Cain wrote:
>>>>
>>>> > I used to see something similar in Picketlink if I configured a web.xml without paying attention to the trailing slash (I.E. https://example.com/foo vs https://example.com/foo/). The IDP would issue an assertion/token for the audience that did not match the security constraint (based on the trailing slash), then an infinite redirect loop would occur.
>>>> >
>>>> > Maybe check your trailing slashes?
>>>> > On Tue, 2016-10-04 at 16:21 +0530, Pulkit Gupta wrote:
>>>> > > Yes,
>>>> > >
>>>> > > I am using the standard adapter.
>>>> > > This is happening more frequently now.
>>>> > >
>>>> > > Regards,
>>>> > > Pulkit.
>>>> > >
>>>> > > On Mon, Oct 3, 2016 at 9:24 PM, Bill Burke wrote:
>>>> > >
>>>> > > >
>>>> > > > Are you using our adapters?
>>>> > > >
>>>> > > >
>>>> > > > On 10/3/16 3:13 AM, Pulkit Gupta wrote:
>>>> > > > >
>>>> > > > > Hi All,
>>>> > > > >
>>>> > > > > I am facing a problem with my keycloak integration.
>>>> > > > > When I enter the URL of my application it gets redirected to the keycloak server.
>>>> > > > >
>>>> > > > > After I enter the credentials the server redirects back to my application URL.
>>>> > > > > Till now things look ok. Once authentication is successful weird thing starts.
>>>> > > > >
>>>> > > > > Keycloak server redirects back to my application.
>>>> > > > > My application again redirects to the keycloak server which without showing the login page again redirects to my application. This happens once or twice after which finally my application page loads. In this process, I can see multiple SAML XMLs being exchanged.
>>>> > > > >
>>>> > > > > Environment and setup Details
>>>> > > > > SP EntityID : /wapps/distributors
>>>> > > > > Page I am visiting directly : https://www.xxxx.com/wapps/distributors/protected/nachannelsearch.html
>>>> > > > > Server : 2 Jboss 6 servers running behind a LB
>>>> > > > >
>>>> > > > > Please let me know in case this is something related to configuration or might be some issue related to proxies or load balancers in my environment.
>>>> > > > >
>>>> > > >
>>>> > > > _______________________________________________
>>>> > > > keycloak-user mailing list
>>>> > > > keycloak-user at lists.jboss.org
>>>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> > > >
>>>> > >
>>>> >
>>>>
>>>> --
>>>> Thanks,
>>>> Pulkit
>>>> AMS
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>
>> --
>> Thanks,
>> Pulkit
>> AMS
>>
>

From mposolda at redhat.com Thu Oct 6 05:34:14 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 6 Oct 2016 11:34:14 +0200
Subject: [keycloak-user] Create user in one realm, delete it from different one
In-Reply-To:
References: <6c4536ed-7c22-8573-f279-c5776691b1a3@redhat.com>
Message-ID:

Thanks, can you please create JIRA for it?

Marek

On 06/10/16 10:36, Bystrik Horvath wrote:
> Hi Marek,
> thank you for your response. I downloaded the latest 2.2.1 today and checked it - the behavior is the same.
>
> Best regards,
> Bystrik
>
> On Thu, Oct 6, 2016 at 10:15 AM, Marek Posolda wrote:
>
> There were some caching fixes meanwhile. Do you have an opportunity to upgrade either to latest 2.2.1 or at least to 1.9.8 and check if the same behaviour can be still reproduced?
>
> Marek
>
> On 05/10/16 13:22, Bystrik Horvath wrote:
>
> Dear members,
>
> I currently use Keycloak 1.9.3 and came to very strange behavior. My case is following:
> 1.) authenticate to realm1 using a client with service account
> 2.) create an user in realm1
> 3.) retrieve the created user to get its UID
> 4.) authenticate to realm2 using the same client and same service account
> 5.)
delete the user in realm2 using the mentioned UID without error
>
> Analyzing the code I found that the class UserCacheSession does not check in this case the realm in the method getUserById(String id, RealmModel realm). When I restart Keycloak after step 3 and execute the steps 4 and 5 afterwards, the case finishes with error (which I found ok).
>
> Is my case somehow wrong or could it be a real issue?
>
> Best regards,
> Bystrik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bystrik.horvath at gmail.com Thu Oct 6 07:06:44 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Thu, 6 Oct 2016 13:06:44 +0200
Subject: [keycloak-user] Create user in one realm, delete it from different one
In-Reply-To:
References: <6c4536ed-7c22-8573-f279-c5776691b1a3@redhat.com>
Message-ID:

Created: https://issues.jboss.org/browse/KEYCLOAK-3667

On Thu, Oct 6, 2016 at 11:34 AM, Marek Posolda wrote:
> Thanks, can you please create JIRA for it?
>
> Marek
>
> On 06/10/16 10:36, Bystrik Horvath wrote:
>
> Hi Marek,
> thank you for your response. I downloaded the latest 2.2.1 today and checked it - the behavior is the same.
>
> Best regards,
> Bystrik
>
> On Thu, Oct 6, 2016 at 10:15 AM, Marek Posolda wrote:
>
>> There were some caching fixes meanwhile. Do you have an opportunity to upgrade either to latest 2.2.1 or at least to 1.9.8 and check if the same behaviour can be still reproduced?
>>
>> Marek
>>
>> On 05/10/16 13:22, Bystrik Horvath wrote:
>>
>>> Dear members,
>>>
>>> I currently use Keycloak 1.9.3 and came to very strange behavior. My case is following:
>>> 1.) authenticate to realm1 using a client with service account
>>> 2.) create an user in realm1
>>> 3.) retrieve the created user to get its UID
>>> 4.) authenticate to realm2 using the same client and same service account
>>> 5.)
delete the user in realm2 using the mentioned UID without error
>>>
>>> Analyzing the code I found that the class UserCacheSession does not check in this case the realm in the method getUserById(String id, RealmModel realm). When I restart Keycloak after step 3 and execute the steps 4 and 5 afterwards, the case finishes with error (which I found ok).
>>>
>>> Is my case somehow wrong or could it be a real issue?
>>>
>>> Best regards,
>>> Bystrik
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From Patrick.Boe at smartstream-stp.com Thu Oct 6 08:11:38 2016
From: Patrick.Boe at smartstream-stp.com (Patrick Boe)
Date: Thu, 6 Oct 2016 12:11:38 +0000
Subject: [keycloak-user] how to use spring boot adapterq
Message-ID: <1475755898316.57664@smartstream-stp.com>

Hello,

I'm trying to understand how to use the spring boot adapter for keycloak. As a test case, I'm attempting to use it from one of the spring boot quickstart projects. Please see the following question:

http://stackoverflow.com/questions/39794779/how-do-i-configure-the-spring-boot-quickstart-for-keycloak

Full text:

I am trying to set up a basic example spring boot site which uses keycloak for security.
I have done the following

* cloned and ran (gradlew bootRun) the 'complete' example from https://spring.io/guides/gs/serving-web-content/ (https://github.com/spring-guides/gs-serving-web-content.git) to verify that it works
* added the following to the project's gradle dependencies:

    compile("org.keycloak:keycloak-spring-boot-adapter:2.2.1.Final")
    compile("org.keycloak:keycloak-tomcat8-adapter:2.2.1.Final")

* put the following in config/application.yml:

    spring:
      profiles: default

    server.port: 8090

    keycloak:
      securityConstraints:
        - securityCollections:
          - name: application section
            authRoles:
              - user
            patterns:
              - /
      realm: stl
      realmKey: MIIBIjANBgkqh[etc...]
      auth-server-url: http://localhost:8280/auth
      ssl-required: none
      resource: example-ui
      credentials:
        secret: a117[etc...]

With these steps, I believe I've followed all the directions in https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/spring-boot-adapter.html. But now when I attempt to browse to the application, I get an error. This is what's logged to the console:

    No login page was defined for FORM authentication in context []

What am I missing to complete configuration of this app? From prior experience with earlier versions of other keycloak adapters, I would expect to have to specify an auth method of KEYCLOAK somewhere, but I don't know where that would go in spring boot, if indeed it goes anywhere.

________________________________
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.
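Returning to the state check that Marek explains in the "No state cookie returned from the keycloak adapter" thread above: the following is an added example, not code from Keycloak or its adapters, that shows why an OAuth2/OIDC client binds the state parameter to a browser cookie, what goes wrong without that binding (the injected-code case from his reply), and how the missing-cookie case (the bookmarked login page) can be handled by restarting the login instead of returning a 400, as his reply suggests. Only the cookie name OAuth_Token_Request_State and the two hostnames come from the thread; RelyingParty, Browser, the code values and the ISSUED_CODES table are constructed for the example and are not how a real token endpoint works.

```python
"""Added example (not Keycloak code): binding the OAuth2 `state` parameter to a
browser cookie on the client side, and failing safe when the cookie is absent."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Cookie name used by the Keycloak adapter, as named in the thread.
STATE_COOKIE = "OAuth_Token_Request_State"

# Constructed stand-in for the authorization server's issued codes: which
# subject each code was minted for. A real client only learns this by
# exchanging the code at the token endpoint.
ISSUED_CODES = {"code-for-alice": "alice", "attackers-own-code": "attacker"}


@dataclass
class Browser:
    """Minimal user agent: just the cookie jar for the application's origin."""
    cookies: dict = field(default_factory=dict)


class RelyingParty:
    """Toy OAuth2/OIDC client (the application side of the flow).

    check_state=False models an adapter that neither sets the state cookie nor
    compares `state` on the callback, i.e. the situation Marek warns about.
    """

    def __init__(self, login_url="http://www.keycloaklogin.com/auth", check_state=True):
        self.login_url = login_url
        self.check_state = check_state

    def begin_login(self, browser):
        """Redirect the browser to the login page with a fresh random state.
        The same value is stored in a cookie so the callback can compare them."""
        state = secrets.token_urlsafe(32)
        if self.check_state:
            browser.cookies[STATE_COOKIE] = state
        return f"{self.login_url}?response_type=code&state={state}"

    def callback(self, browser, code, state):
        """Handler for the redirect_uri: ?code=...&state=... arrives here."""
        if self.check_state:
            expected = browser.cookies.pop(STATE_COOKIE, None)
            if expected is None:
                # No cookie: this browser never started a login with us (the
                # bookmarked login page from the thread, or a link built by
                # someone else). Do not consume the code. Instead of a 400,
                # restart the flow; with an existing SSO session the user is
                # sent straight back without seeing a login form.
                return {"status": 302, "location": self.begin_login(browser)}
            if not hmac.compare_digest(expected, state):
                return {"status": 400, "error": "state mismatch"}
        subject = ISSUED_CODES.get(code)  # stands in for the code-to-token exchange
        if subject is None:
            return {"status": 400, "error": "invalid code"}
        return {"status": 200, "logged_in_as": subject}


def normal_login(check_state=True):
    """Happy path: the browser followed the app's own redirect, so the state
    echoed back by the authorization server matches the cookie."""
    rp = RelyingParty(check_state=check_state)
    browser = Browser()
    redirect = rp.begin_login(browser)
    state = parse_qs(urlparse(redirect).query)["state"][0]
    return rp.callback(browser, code="code-for-alice", state=state)


def foreign_code_callback(check_state=True):
    """Marek's scenario: a browser that never started a login receives a
    callback URL carrying someone else's code. Without the check the victim is
    silently logged in under that other identity; with it, the code is ignored."""
    rp = RelyingParty(check_state=check_state)
    victim = Browser()
    return rp.callback(victim, code="attackers-own-code", state="not-ours")


if __name__ == "__main__":
    print(normal_login())
    print(foreign_code_callback(check_state=False))
    print(foreign_code_callback(check_state=True))
```

Two points a real implementation has to add: the restart in the missing-cookie branch must be bounded (a counter in the session or a short-lived marker cookie), otherwise a browser that refuses cookies loops between the application and the login page forever; and the comparison is only as strong as the randomness of the state value, which is why it comes from secrets.token_urlsafe rather than anything predictable.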
From sthorger at redhat.com Thu Oct 6 08:37:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 6 Oct 2016 14:37:44 +0200
Subject: [keycloak-user] Looking for a non Admin Java client
In-Reply-To: <587B2C81-6E1B-47B3-9970-220F75DC8466@edlogics.com>
References: <321AF56E-A617-4E84-8EAA-09529A6E7351@edlogics.com> <587B2C81-6E1B-47B3-9970-220F75DC8466@edlogics.com>
Message-ID:

I'm honestly lost in what you're trying to achieve, can you please try to explain it again?

On 4 October 2016 at 06:51, Chris Savory wrote:
> I can use the Admin endpoints, but I would have thought you had to be at least realm-admin to do that. Are you saying that a user can use the Admin Endpoints/Client for urls directly related to themselves? If so, then we can just use that.
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Monday, October 3, 2016 at 10:32 PM
> To: Chris Savory
> Cc: "keycloak-user at lists.jboss.org", David Hartfield, Danilo Bonilla <danilo.bonilla at edlogics.com>, Ali Elhajj
> Subject: Re: [keycloak-user] Looking for a non Admin Java client
>
> Are you saying you want to invoke the Keycloak admin endpoints? You are currently using the Keycloak Java Admin Client, but you want to use something else? Why use something else when you already have something?
>
> On 3 October 2016 at 23:21, Chris Savory wrote:
> We need to make several types of calls to KeyCloak from the server side of our application. Some are in the context of a logged in user and others are not. We have the latter case handled right now by using the KeyCloak Admin Client. But we are unable to locate another Java client for the purposes of making calls to KC for the currently authenticated user. I have found the AuthZ Client, but that appears to just be for authenticating.
>
> The particular use case I'm researching now is we have an endpoint like /profile-service/users/current, which will return the currently logged in user profile. Some of that information comes from KC and some comes from the local app database. Currently we have the app configured to make the server-side call as a KC admin while it is orchestrating this data, but I'd prefer for the user to use the same credentials as it did when it came to the server with a BEARER token. This will help us when it comes to auditing, especially for updates.
>
> Does such a java client exist? Or do I need to use the KeycloakRestTemplate to make those calls to KC?
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sblanc at redhat.com Thu Oct 6 08:48:52 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 6 Oct 2016 14:48:52 +0200
Subject: [keycloak-user] how to use spring boot adapterq
In-Reply-To: <1475755898316.57664@smartstream-stp.com>
References: <1475755898316.57664@smartstream-stp.com>
Message-ID:

I can reproduce the issue and I have created a ticket https://issues.jboss.org/browse/KEYCLOAK-3669 to track this.

On Thu, Oct 6, 2016 at 2:11 PM, Patrick Boe wrote:
> Hello,
>
> I'm trying to understand how to use the spring boot adapter for keycloak. As a test case, I'm attempting to use it from one of the spring boot quickstart projects. Please see the following question:
>
> http://stackoverflow.com/questions/39794779/how-do-i-configure-the-spring-boot-quickstart-for-keycloak
>
> Full text:
>
> I am trying to set up a basic example spring boot site which uses keycloak for security.
> I have done the following
>
> * cloned and ran (gradlew bootRun) the 'complete' example from https://spring.io/guides/gs/serving-web-content/ (https://github.com/spring-guides/gs-serving-web-content.git) to verify that it works
> * added the following to the project's gradle dependencies:
>
>     compile("org.keycloak:keycloak-spring-boot-adapter:2.2.1.Final")
>     compile("org.keycloak:keycloak-tomcat8-adapter:2.2.1.Final")
>
> * put the following in config/application.yml:
>
>     spring:
>       profiles: default
>
>     server.port: 8090
>
>     keycloak:
>       securityConstraints:
>         - securityCollections:
>           - name: application section
>             authRoles:
>               - user
>             patterns:
>               - /
>       realm: stl
>       realmKey: MIIBIjANBgkqh[etc...]
>       auth-server-url: http://localhost:8280/auth
>       ssl-required: none
>       resource: example-ui
>       credentials:
>         secret: a117[etc...]
>
> With these steps, I believe I've followed all the directions in https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/spring-boot-adapter.html. But now when I attempt to browse to the application, I get an error. This is what's logged to the console: No login page was defined for FORM authentication in context []
>
> What am I missing to complete configuration of this app? From prior experience with earlier versions of other keycloak adapters, I would expect to have to specify an auth method of KEYCLOAK somewhere, but I don't know where that would go in spring boot, if indeed it goes anywhere.
>
> ________________________________
> The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jfalkner at redhat.com Thu Oct 6 09:25:00 2016
From: jfalkner at redhat.com (James Falkner)
Date: Thu, 06 Oct 2016 09:25:00 -0400
Subject: [keycloak-user] Newbie API question
In-Reply-To:
References:
Message-ID: <57F650AC.5010808@redhat.com>

> Michael Furman
> October 6, 2016 at 2:40 AM
> Hi all,
> I have started to learn Keycloak and I need your help.
>
> 1. Is it possible to register a new client using REST API?
> http://www.keycloak.org/docs/rest-api/
> I want to use the static client registration.

Yes, it's possible - for example, this is how the JBoss EAP/Wildfly adapter does automatic client registration - it does a POST to /admin/realms//clients with a json blob that looks something like

    {
      "clientId": "some-client-id",
      "rootUrl": "",
      "adminUrl": "https://some-host:8443/",
      "baseUrl": "",
      "secret": "",
      "redirectUris": [],
      "bearerOnly": true,
      "publicClient": false,
      "protocol": "openid-connect"
    }

-James

From chris.savory at edlogics.com Thu Oct 6 10:15:30 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Thu, 6 Oct 2016 14:15:30 +0000
Subject: [keycloak-user] Looking for a non Admin Java client
In-Reply-To:
References: <321AF56E-A617-4E84-8EAA-09529A6E7351@edlogics.com> <587B2C81-6E1B-47B3-9970-220F75DC8466@edlogics.com>
Message-ID: <480EB12C-C387-400A-88E1-13441C76502D@edlogics.com>

We have a JS App that is making XHR calls to our server to update the user's profile. The server will save some of the profile data (e.g. preferences) locally and then update some of the data in keycloak (e.g. name, email). Currently the way our server is setup, all of the Tomcat/Spring to Keycloak calls are done via the keycloak-admin-client as a single user who has a realm admin role.
For example, on that update call that I previously mentioned, here is the java code that uses the admin client to perform the update with an admin user token (not the logged in user).

    @PostConstruct
    public void initilization() {
        keyCloak = KeycloakBuilder.builder()
            .serverUrl( applicationSettings.getKeycloakApplicationProperties().getAuthServerUrl() )
            .realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
            .username( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminUser() )
            .password( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminPassword() )
            .clientId( applicationSettings.getKeycloakApplicationProperties().getRestClientAdmin() )
            .resteasyClient( new ResteasyClientBuilder().connectionPoolSize( 20 ).build() )
            .build();
    }

    public void updateUser( String userId, UserRepresentation userRep ) {
        keyCloak.realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
            .users().get( userId ).update( userRep );
    }

Looking at the API for updating a user, http://www.keycloak.org/docs/rest-api/index.html#_update_the_user

It appears that I can call that with the logged in user's token and not a generic admin account. This would be better for auditing since all the updates wouldn't come from a generic admin account. Is there a preferred way to do this? Should I create a rest template to make this PUT call or just simply use the admin java client to make a call on behalf of a regular user? I'm pretty sure I could get the logged in user's token out of the Spring Security context, but there is no way to inject that into the Keycloak admin client object; that object wants the user's username and pw to establish a token. I'm looking on some direction on what is the preferred way to do this.

--
Christopher Savory
Software Engineer | EdLogics
From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Thursday, October 6, 2016 at 7:37 AM
To: Chris Savory
Cc: "keycloak-user at lists.jboss.org", David Hartfield, Danilo Bonilla, Ali Elhajj
Subject: Re: [keycloak-user] Looking for a non Admin Java client

I'm honestly lost in what you're trying to achieve, can you please try to explain it again?

On 4 October 2016 at 06:51, Chris Savory wrote:

I can use the Admin endpoints, but I would have thought you had to be at least realm-admin to do that. Are you saying that a user can use the Admin Endpoints/Client for urls directly related to themselves? If so, then we can just use that.

--
Christopher Savory
Software Engineer | EdLogics

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Monday, October 3, 2016 at 10:32 PM
To: Chris Savory
Cc: "keycloak-user at lists.jboss.org", David Hartfield, Danilo Bonilla, Ali Elhajj
Subject: Re: [keycloak-user] Looking for a non Admin Java client

Are you saying you want to invoke the Keycloak admin endpoints? You are currently using the Keycloak Java Admin Client, but you want to use something else? Why use something else when you already have something?

On 3 October 2016 at 23:21, Chris Savory wrote:

We need to make several types of calls to KeyCloak from the server side of our application. Some are in the context of a logged in user and others are not. We have the latter case handled right now by using the KeyCloak Admin Client. But we are unable to locate another Java client for the purposes of making calls to KC for the currently authenticated user. I have found the AuthZ Client, but that appears to just be for authenticating.

The particular use case I'm researching now is we have an endpoint like /profile-service/users/current, which will return the currently logged in user profile. Some of that information comes from KC and some comes from the local app database.
Currently we have the app configured to make the server-side call as a KC admin while it is orchestrating this data, but I'd prefer for the user to use the same credentials as it did when it came to the server with a BEARER token. This will help us when it comes to auditing, especially for updates.

Does such a java client exist? Or do I need to use the KeycloakRestTemplate to make those calls to KC?

--
Christopher Savory
Software Engineer | EdLogics

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From glavoie at gmail.com Thu Oct 6 14:06:16 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Thu, 6 Oct 2016 14:06:16 -0400
Subject: [keycloak-user] 307 redirect issue + OAuth2/OpenID Connect possible vulnerability
Message-ID:

Hi,

We currently have the following setup:

External service --- SAML --> Keycloak --- OpenID Connect --> External IdP

When a SP-initiated authentication request is being done to Keycloak by posting a SAML assertion, Keycloak goes through a set of redirects to authenticate the user to the external IdP through OpenID Connect first.

The redirects are currently being done using a 307 temporary redirect HTTP code with a Location header. This makes the browser issue a POST request to the external IdP with the SAML assertion, which basically could leak information.

While OpenID Connect allows 302, 303 and 307 as the HTTP code, using anything other than 303 that would transform the request to a GET request seems to be known as an attack vector on the protocol: http://securityaffairs.co/wordpress/43518/digital-id/oauth-2-vulnerability.html

Is there a way to change the HTTP code that is used by Keycloak to issue temporary redirections?
Thanks,

Gabriel

--
Gabriel Lavoie
glavoie at gmail.com

From rkonkala at yahoo.com Thu Oct 6 14:59:01 2016
From: rkonkala at yahoo.com (Raja Sekhar)
Date: Thu, 6 Oct 2016 18:59:01 +0000 (UTC)
Subject: [keycloak-user] Application to Application OAuth using KeyCloak Clients
References: <1331419825.370366.1475780341758.ref@mail.yahoo.com>
Message-ID: <1331419825.370366.1475780341758@mail.yahoo.com>

I have a REST Service and multiple REST Clients. There is no user interaction involved in this case, communication is APP to APP. I need to use the Java Servlet Filter Adapter as there is no Adapter for WebLogic. Please help me with setting up my REST Service Keycloak client and my REST Client Keycloak Clients.

I used an OpenID Bearer-Only KeyCloak client on my Service side and an OpenID Confidential KeyCloak Client on my Client side. Using a user's credentials and the OpenID Confidential KeyCloak Client secret I am able to generate an access token and able to make calls to my secured Service. (Service is configured with OpenID Bearer-Only KeyCloak client).

Any user, with or without a role assigned to them, can generate the access token using the OpenID confidential KeyCloak client and is able to make calls to my secured service. (How to configure the bearer-only KeyCloak client to filter or accept certain users who are using OpenID confidential KeyCloak clients?)

Thanks and Regards
Raja Konkala

From bburke at redhat.com Thu Oct 6 15:03:59 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 6 Oct 2016 15:03:59 -0400
Subject: [keycloak-user] 307 redirect issue + OAuth2/OpenID Connect possible vulnerability
In-Reply-To:
References:
Message-ID: <32e2510d-ddf0-1ead-ecfd-23659bb2bbf9@redhat.com>

Made a quick fix and it will be in next release.
https://github.com/keycloak/keycloak/pull/3297

On 10/6/16 2:06 PM, Gabriel Lavoie wrote:
> Hi,
> We currently have the following setup:
>
> External service --- SAML --> Keycloak --- OpenID Connect --> External IdP
>
> When a SP-initiated authentication request is being done to Keycloak by
> posting a SAML assertion, Keycloak goes through a set of redirect to
> authenticate the user to the external IdP through OpenID Connect first.
>
> The redirects are currently being done using a 307 temporary redirect HTTP
> code with a Location header. This makes the browser issue a POST request to
> the external IdP with the SAML assertion which is basically could leak
> informations.
>
> While OpenID Connect allow 302, 303 and 307 as the HTTP code, using
> anything else than 303 that would transform the request to a GET request
> seems to be known as an attack vector on the protocol:
> http://securityaffairs.co/wordpress/43518/digital-id/oauth-2-vulnerability.html
>
> Is there a way to change the HTTP code that is used by Keycloak to issue
> temporary redirections?
>
> Thanks,
>
> Gabriel

From timo.pulkkinen at myinfomonitor.com Thu Oct 6 15:54:05 2016
From: timo.pulkkinen at myinfomonitor.com (Timo Pulkkinen)
Date: Thu, 6 Oct 2016 22:54:05 +0300
Subject: [keycloak-user] Resources: create/remove by app (resource server)?
Message-ID: <141A98A1-F9EA-41E7-9843-C4CFDDD9AFBC@myinfomonitor.com>

Hello,

in your opinion, what is the best way to manage dynamically changing resources within Keycloak - is it by hooking the Authorization Client Java API to the resource server server-side page add/change/remove events/event handlers?

A good example of this kind of system could be a CMS system in which the content admins add/remove content nodes (pages) dynamically, and the resource read/write access would be controlled using Keycloak.
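The 307-versus-303 point Gabriel Lavoie raises in the thread above (and that Bill Burke's PR addresses) comes down to which redirect status codes make a browser replay a POST body to the next hop. The Python script below is an added example, not code from the thread or from Keycloak: it stands up a two-hop HTTP server on localhost (first hop answers with the chosen redirect status, second hop records what arrives) and a client that follows the redirect with the rules browsers apply. The `SAMLResponse` value, paths and port are constructed for the demo.

```python
import http.client
import http.server
import threading

# Constructed stand-in for the SAMLResponse form field an SP posts to Keycloak;
# it is not a real assertion.
FAKE_SAML_POST_BODY = "SAMLResponse=PHNhbWxwOlJlc3BvbnNlPmNvbnN0cnVjdGVkPC9zYW1scDpSZXNwb25zZT4"


class TwoHopHandler(http.server.BaseHTTPRequestHandler):
    """Plays both hops: /sso/<status> is the first server answering with a
    redirect to /idp; /idp is the next hop and records what reaches it."""

    received = []  # (method, body) pairs observed at /idp

    def log_message(self, *args):
        pass  # keep the demo output quiet

    def _read_body(self):
        length = int(self.headers.get("Content-Length") or 0)
        return self.rfile.read(length).decode() if length else ""

    def _handle(self):
        body = self._read_body()
        if self.path.startswith("/sso/"):
            status = int(self.path.rsplit("/", 1)[1])
            self.send_response(status)
            self.send_header("Location", "/idp")
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.path == "/idp":
            TwoHopHandler.received.append((self.command, body))
            self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(404)

    do_GET = do_POST = _handle


def follow_like_a_browser(host, port, path, method, body):
    """Send one request and follow a single redirect using the rules browsers
    apply (RFC 7231): 303 switches to GET and drops the body, 307/308 replay
    the same method and body, and 301/302 are rewritten to GET in practice."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"} if body else {}
    conn = http.client.HTTPConnection(host, port)
    conn.request(method, path, body=body or None, headers=headers)
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    if resp.status in (301, 302, 303):
        next_method, next_body = "GET", ""
    elif resp.status in (307, 308):
        next_method, next_body = method, body
    else:
        return resp.status  # not a redirect: nothing to follow
    conn = http.client.HTTPConnection(host, port)
    conn.request(next_method, location, body=next_body or None,
                 headers=headers if next_body else {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def what_reaches_next_hop(redirect_status):
    """Run the two-hop exchange with the given redirect status and return the
    (method, body) that arrived at the next hop."""
    TwoHopHandler.received.clear()
    server = http.server.HTTPServer(("127.0.0.1", 0), TwoHopHandler)
    port = server.server_address[1]  # port 0 above: the OS picks a free one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        follow_like_a_browser("127.0.0.1", port, f"/sso/{redirect_status}",
                              "POST", FAKE_SAML_POST_BODY)
    finally:
        server.shutdown()
        server.server_close()
    return TwoHopHandler.received[0]


def forwards_post_body(redirect_status):
    """True when the redirect status makes the browser re-send the POST body
    to the next hop (the leak described in the thread), False when it is dropped."""
    method, body = what_reaches_next_hop(redirect_status)
    return method == "POST" and body == FAKE_SAML_POST_BODY


if __name__ == "__main__":
    for status in (302, 303, 307):
        print(status, what_reaches_next_hop(status))
```

With 307 the second hop receives the full POST body; with 303 (or 302 as browsers treat it) it receives a bodiless GET. The same two-hop harness can be pointed at any redirect chain you want to audit, which is a quick way to confirm that an SSO server never forwards a POSTed assertion to a third party.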
br,
Timo

From sthorger at redhat.com Fri Oct 7 00:55:50 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 7 Oct 2016 06:55:50 +0200
Subject: [keycloak-user] Looking for a non Admin Java client
In-Reply-To: <480EB12C-C387-400A-88E1-13441C76502D@edlogics.com>
References: <321AF56E-A617-4E84-8EAA-09529A6E7351@edlogics.com> <587B2C81-6E1B-47B3-9970-220F75DC8466@edlogics.com> <480EB12C-C387-400A-88E1-13441C76502D@edlogics.com>
Message-ID:

There's no REST API for users to access directly. We plan to add it at some point, see https://issues.jboss.org/browse/KEYCLOAK-943.

On 6 October 2016 at 16:15, Chris Savory wrote:
> We have a JS App that is making XHR calls to our server to update the
> user's profile. The server will save some of the profile data (e.g
> preferences) locally and then update some of the data in keycloak (e.g.
> name, email).
>
> Currently the way our server is setup, all of the Tomcat/Spring to
> Keycloak calls are done via the keycloak-admin-client as a single user
> who has a realm admin role.
>
> For example, on that update call that I previously mentioned, here is the
> java code that uses the admin client to perform the update with an admin
> user token (not the logged in user).
>
> @PostConstruct
> public void initilization() {
>     keyCloak = KeycloakBuilder.builder()
>         .serverUrl( applicationSettings.getKeycloakApplicationProperties().getAuthServerUrl() )
>         .realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
>         .username( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminUser() )
>         .password( applicationSettings.getKeycloakApplicationProperties().getRestClientAdminPassword() )
>         .clientId( applicationSettings.getKeycloakApplicationProperties().getRestClientAdmin() )
>         .resteasyClient( new ResteasyClientBuilder().connectionPoolSize( 20 ).build() )
>         .build();
> }
>
> public void updateUser( String userId, UserRepresentation userRep ) {
>     keyCloak.realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
>         .users().get( userId ).update( userRep );
> }
>
> Looking at the API for updating a user,
> http://www.keycloak.org/docs/rest-api/index.html#_update_the_user
> It appears that I can call that with the logged in user's token and not a
> generic admin account. This would be better for auditing since all the
> updates wouldn't come from a generic admin account.
>
> Is there a preferred way to do this? Should I create a rest template to
> make this PUT call or just simply use the admin java client to make a call
> on behalf of a regular user? I'm pretty sure I could get the logged in
> user's token out of the Spring Security context, but there is no way to
> inject that into the Keycloak admin client object; that object wants the
> user's username and pw to establish a token.
>
> I'm looking for some direction on what is the preferred way to do this.
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Thursday, October 6, 2016 at 7:37 AM
> To: Chris Savory
> Cc: "keycloak-user at lists.jboss.org", David Hartfield, Danilo Bonilla <danilo.bonilla at edlogics.com>, Ali Elhajj
> Subject: Re: [keycloak-user] Looking for a non Admin Java client
>
> I'm honestly lost in what you're trying to achieve, can you please try to
> explain it again?
>
> On 4 October 2016 at 06:51, Chris Savory wrote:
> I can use the Admin endpoints, but I would have thought you had to be at
> least realm-admin to do that. Are you saying that a user can use the Admin
> Endpoints/Client for urls directly related to themselves? If so, then we
> can just use that.
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Monday, October 3, 2016 at 10:32 PM
> To: Chris Savory
> Cc: "keycloak-user at lists.jboss.org", David Hartfield, Danilo Bonilla <danilo.bonilla at edlogics.com>, Ali Elhajj
> Subject: Re: [keycloak-user] Looking for a non Admin Java client
>
> Are you saying you want to invoke the Keycloak admin endpoints? You are
> currently using the Keycloak Java Admin Client, but you want to use
> something else? Why use something else when you already have something?
>
> On 3 October 2016 at 23:21, Chris Savory wrote:
> We need to make several types of calls to KeyCloak from the server side of
> our application. Some are in the context of a logged in user and others
> are not. We have the latter case handled right now by using the KeyCloak
> Admin Client. But we are unable to locate another Java client for the
> purposes of making calls to KC for the currently authenticated user. I
> have found the AuthZ Client, but that appears to just be for authenticating.
>
> The particular use case I'm researching now is we have an endpoint like
> /profile-service/users/current, which will return the currently logged in
> user profile. Some of that information comes from KC and some comes from
> the local app database. Currently we have the app configured to make the
> server-side call as a KC admin while it is orchestrating this data, but I'd
> prefer for the user to use the same credentials as it did when it came to
> the server with a BEARER token. This will help us when it comes to
> auditing, especially for updates.
>
> Does such a java client exist? Or do I need to use the
> KeycloakRestTemplate to make those calls to KC?
>
> --
> Christopher Savory
> Software Engineer | EdLogics

From psilva at redhat.com Fri Oct 7 05:47:14 2016
From: psilva at redhat.com (Pedro Igor Craveiro e Silva)
Date: Fri, 07 Oct 2016 10:47:14 +0100
Subject: [keycloak-user] Resources: create/remove by app (resource server)?
In-Reply-To: <141A98A1-F9EA-41E7-9843-C4CFDDD9AFBC@myinfomonitor.com>
References: <141A98A1-F9EA-41E7-9843-C4CFDDD9AFBC@myinfomonitor.com>
Message-ID: <1475833634.2663.5.camel@redhat.com>

Hello Timo,

The AuthZ Client is meant to be used by apps using Java. If that is your case, it should be the easiest approach. Just remember that this API is basically a wrapper to our Protection API.

Regards.

On Thu, 2016-10-06 at 22:54 +0300, Timo Pulkkinen wrote:
> Hello,
>
> in your opinion, what is the best way to manage dynamically changing
> resources within Keycloak - is it by hooking the Authorization Client
> Java API to the resource server server-side page add/change/remove
> events/event handlers ?
>
> A good example of this kind of system could be a CMS system in which
> the content admins add/remove content nodes(pages) dynamically, and
> the resource read/write access would be controlled using Keycloak.
>
> br,
> Timo
--
Pedro Igor

From bdalenoord at gmail.com Fri Oct 7 06:57:14 2016
From: bdalenoord at gmail.com (Bas Dalenoord)
Date: Fri, 07 Oct 2016 10:57:14 +0000
Subject: [keycloak-user] Exceptions when including 'keycloak-spring-boot-adapter' under Jetty
Message-ID:

Hello,

I'm trying to secure a Spring Boot-based application using Keycloak, but as soon as I include the 'keycloak-spring-boot-adapter' artifact, my application does not start anymore, throwing seemingly unrelated exceptions. I'm following this tutorial for the backend part, but I upgraded all version numbers to the latest final releases available.

I've created a stripped down version of the application with which I can reproduce the errors. It can be found on my GitHub. If I remove the adapter-artifact, everything starts normally. I'm guessing it has to do with Spring Boot's autoconfiguration, but I cannot figure out what I should change to get everything working.

Can anyone tell me what I'm doing wrong and what I can do to fix the problem?

Thanks,
Bas

From palermo at pobox.com Fri Oct 7 08:10:51 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Fri, 7 Oct 2016 09:10:51 -0300
Subject: [keycloak-user] FW: Custom User Attributes
In-Reply-To:
References:
Message-ID:

Hi,

I'm trying to implement some custom user attributes on the registration page. I followed the steps on: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/custom-attributes.html

It works fine, but when the user submits a form with an error, the custom attribute value is not saved. Is there any way to save it between invalid submissions?
Maybe use something like:

value="${(account.attributes.mobile!'')?html}"

Thanks,
Bruno

From info at flex-guse.de Fri Oct 7 09:26:39 2016
From: info at flex-guse.de (Christoph Guse)
Date: Fri, 7 Oct 2016 15:26:39 +0200
Subject: [keycloak-user] Problems with bearer-only client
Message-ID: <57F7A28F.8060505@flex-guse.de>

Hi,

currently I have some trouble getting an Access Token using a bearer-only client in combination with Keycloak 2.2.1. In my Proof Of Concept realm (sso-poc) I created a client which was configured to accept bearer-only authentication. If I got this right no user login is needed and this client type is perfect for technical users.

Then I do a HTTP POST like this:

curl -X POST -F "grant_type=client_credentials" -F "client_id=auth-app2" -F "client_secret=2fd7033a-1971-4855-b64c-b9783f1ff14d" https://web-sso/auth/realms/sso-poc/protocol/openid-connect/token

Unfortunately the response is not an AccessToken but the error message

{
  "error": "invalid_client",
  "error_description": "Bearer-only not allowed"
}

As I configured the client as bearer-only authentication, I'm a little helpless and I ran out of ideas what I could do.

Any ideas?

Thank you in advance,
Christoph

From niko at n-k.de Fri Oct 7 11:14:01 2016
From: niko at n-k.de (Niko Köbler)
Date: Fri, 7 Oct 2016 17:14:01 +0200
Subject: [keycloak-user] Exceptions when including 'keycloak-spring-boot-adapter' under Jetty
In-Reply-To:
References:
Message-ID:

Hi Bas,

I just had a quick look into your GitHub repo and didn't run any boot app with Jetty so far, but what I figured out is that your application.properties file is completely empty. That's normally the place where to put your Keycloak properties. Without them, the KC adapter doesn't know what to do...

Have a look at my KC Spring Boot Example: https://github.com/dasniko/keycloak-springboot-demo/ perhaps this will help you (and of course, have a look into the official KC documentation!)
Cheers,
- Niko

> Am 07.10.2016 um 12:57 schrieb Bas Dalenoord :
>
> Hello,
>
> I'm trying to secure a Spring Boot-based application using Keycloak, but as
> soon as I include the 'keycloak-spring-boot-adapter' artifact, my
> application does not start anymore, throwing seemingly unrelated
> exceptions. I'm following this tutorial for
> the backend part, but I upgraded all version numbers to the latest final
> releases available.
>
> I've created a stripped down version of the application with which I can
> reproduce the errors. It can be found on my GitHub
> . If I remove the
> adapter-artifact, everything starts normally. I'm guessing it has to do
> with Spring Boots autoconfiguration, but I cannot figure out what I should
> change to get everything working.
>
> Can anyone tell me what I'm doing wrong and what I can do to fix the
> problem?
>
> Thanks,
> Bas

From m.hayen at first8.nl Fri Oct 7 11:29:48 2016
From: m.hayen at first8.nl (Mark Hayen)
Date: Fri, 7 Oct 2016 17:29:48 +0200
Subject: [keycloak-user] custom locale not loaded from theme module
Message-ID:

Hi,

We're upgrading to 2.2.1.Final and run into a problem with our locale 'nl'. Together with a new theme we've added Dutch translations. We use this as a module. Now the Dutch locale isn't loaded when following the instructions on keycloak.org about the theme.properties etc.

After trying out a lot of combinations I could only get it to work when I also added my locale to the theme.properties of the base themes login, email and account like this: "locales=nl,ca,de,en,es,fr,it,ja,lt,no,pt-BR,ru". This used not to be necessary, at least not in 1.8.1.Final. Can you confirm this?

Thank you
Mark Hayen
First8 B.V.
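Two posts above concern the same app-to-app pattern: Christoph Guse's "Bearer-only not allowed" error and Raja Sekhar's question about making a bearer-only service accept only certain callers. A Keycloak bearer-only client cannot obtain tokens at all, which is what that error says; the caller that uses the client_credentials grant must be a confidential client with service accounts enabled, and the access token it receives carries that client's id in the `azp` claim and the service-account user's roles in `realm_access.roles`. The resource server can therefore filter on both. The Python below is an added example, not code from the thread or from Keycloak's servlet filter: it mints a token with that claim layout and checks it the way a bearer-only service should. It substitutes an HMAC key (HS256) for Keycloak's realm RSA key (RS256) so that it runs offline; the key, client ids and role names are constructed, and the issuer URL is the realm URL from Christoph's curl command.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. Keycloak signs access tokens with the
# realm's RSA key (RS256); an HMAC key stands in here so the example is
# self-contained. Only the signature primitive differs; the claim checks do not.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-a-keycloak-key"
EXPECTED_ISSUER = "https://web-sso/auth/realms/sso-poc"  # realm URL from the thread


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(azp: str, realm_roles, expires_in: int = 300, now=None) -> str:
    """Produce a token with the claim layout Keycloak emits for a client
    credentials grant: iss, iat, exp, azp (the client that obtained the
    token) and realm_access.roles (roles of its service-account user)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": EXPECTED_ISSUER,
        "iat": now,
        "exp": now + expires_in,
        "azp": azp,
        "realm_access": {"roles": list(realm_roles)},
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(DEMO_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def check_token(token: str, allowed_clients, required_role: str, now=None):
    """Decide whether a bearer token may call the service. Returns (ok, reason).
    Order matters: signature first, then issuer and lifetime, then the
    caller-specific rules (which client obtained it, which role it carries)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"  # the token never gets to pick the algorithm
    expected = hmac.new(DEMO_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    azp = claims.get("azp")
    if azp not in allowed_clients:
        return False, f"client {azp!r} not allowed"
    roles = claims.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        return False, f"missing role {required_role!r}"
    return True, "ok"


if __name__ == "__main__":
    token = mint_demo_token("rest-client-a", ["service-caller"])
    print(check_token(token, {"rest-client-a"}, "service-caller"))
    print(check_token(token, {"rest-client-b"}, "service-caller"))
```

The `azp` allow-list answers "which confidential clients may call me" and the role check answers "which users (or service accounts) may call me", which is the filtering Raja's message asks for; assigning the role only to the accounts that should reach the service is done in Keycloak, and the service just refuses tokens without it.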
From Chris.Brandhorst at topicus.nl Fri Oct 7 12:22:42 2016
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Fri, 7 Oct 2016 16:22:42 +0000
Subject: [keycloak-user] Attribute / Session persistence in IdP-initiated SAML + OIDC authentication setup
Message-ID: <5F842C50-5697-4088-9960-889539C759C9@topicus.nl>

I have the following situation: a user has an application (AppSource) for which he has credentials and which can act as a SAML IdP. He also uses another application (AppTarget) for which he has credentials and which can act as an OIDC IdP. Finally I have Keycloak which can give the user access to a number of other applications.

[[AppSource]] ------ IdP-initiated SAML ------> [[Keycloak]] <------ OIDC ------> [[AppTarget]]

I've got the basics running: I can login to Keycloak using both IdPs and can adjust the behaviour using the Authentication Flows. The initial situation however is that the users are not present in Keycloak yet. I would like the following:

1. User accesses Keycloak from AppSource through the IdP-initiated SAML POST binding (the only one AppSource supports). With this call, a unique ID is sent from AppSource. AppSource is trusted (signed SAML etc);
2. Keycloak checks if this AppSource ID is known for a user. If so, it retrieves that user and sets it in the context: we have a successful login!
3. If the AppSource ID is not known, it should present the user with some instructions and methods for signing in, including signing in with their AppTarget account through OIDC. The AppSource ID is somehow remembered;
4. The user clicks that IdP, enters his credentials and once he is redirected back to Keycloak, Keycloak collects the user profile from AppTarget, creates a Keycloak user with that data, sets the AppSource ID on this account and sets this user in the context: we have login!

I've got steps 1 and 2 working using a scripted Authentication flow.
If I set this one to optional and add an alternative Username Password Form or Identity Provider Redirector, I am able to continue to the AppTarget IdP when the AppSource ID is not known (using context.attempted in the script). However I do not know how to link the two logins once the user comes back from AppTarget to Keycloak. I tried storing the AppSource ID in the session in the script (context.getSession.setAttribute), but this value is gone after coming back from the AppTarget federated login.

Can anybody shed some light on how I am able to achieve what I want? Maybe my approach is flawed? Thanks for any ideas!

Regards,
Chris Brandhorst

From bdalenoord at gmail.com Fri Oct 7 12:39:11 2016
From: bdalenoord at gmail.com (Bas Dalenoord)
Date: Fri, 07 Oct 2016 16:39:11 +0000
Subject: [keycloak-user] Exceptions when including 'keycloak-spring-boot-adapter' under Jetty
In-Reply-To:
References:
Message-ID:

Hello Niko,

Thanks for your reply! I forgot to copy the relevant parts of our Yaml file (AFAIK using Yaml over properties should not change behavior of Spring Boot) to the demo project, but after doing so the same stacktrace still occurs. I've pushed an update to the repository with the correct Yaml file.

The stacktrace seems very related to the usage of Jetty, so I think that's part of the problem. Other than that, my repository is quite similar to your demo so I don't see what could otherwise be causing this behavior...

Regards,
Bas

On Fri, Oct 7, 2016 at 5:14 PM Niko Köbler wrote:

Hi Bas,

I just had a quick look into your GitHub repo and didn't run any boot app with Jetty so far, but what I figured out is, that your application.properties file is completely empty. That's normally the place where to put your Keycloak properties. Without them, the KC adapter doesn't know what to do...
Have a look at my KC Spring Boot Example: https://github.com/dasniko/keycloak-springboot-demo/ perhaps this will help you (and of course, have a look into the official KC documentation!)

Cheers,
- Niko

Am 07.10.2016 um 12:57 schrieb Bas Dalenoord :

Hello,

I'm trying to secure a Spring Boot-based application using Keycloak, but as soon as I include the 'keycloak-spring-boot-adapter' artifact, my application does not start anymore, throwing seemingly unrelated exceptions. I'm following this tutorial <http://slackspace.de/articles/authentication-with-spring-boot-angularjs-and-keycloak/> for the backend part, but I upgraded all version numbers to the latest final releases available.

I've created a stripped down version of the application with which I can reproduce the errors. It can be found on my GitHub. If I remove the adapter-artifact, everything starts normally. I'm guessing it has to do with Spring Boots autoconfiguration, but I cannot figure out what I should change to get everything working.

Can anyone tell me what I'm doing wrong and what I can do to fix the problem?

Thanks,
Bas

From cmoullia at redhat.com Fri Oct 7 13:37:48 2016
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 7 Oct 2016 19:37:48 +0200
Subject: [keycloak-user] Scenario : Java Client (get a token) -> call a Rest service (control token) --> accept/refuse
Message-ID:

Hi,

I would like in a project to perform the following scenario

A Java HTTP Client calls a HTTP Endpoint exposed by WildFly Swarm where the address URL ("/rest/say") of the endpoint is secured using the Keycloak WildFly plugin (keycloak.json contains the OIC).
In order at the client side to get the OpenID token that I must send next to the endpoint using "Authentication: Bearer", is it this class that I must use to get an instance of Keycloak

Keycloak.getInstance("http/localhost:8080/auth", realm, username, password, clientId)

& next the token to send

Keycloak.tokenManager().grantToken();

?

Class --> https://github.com/keycloak/keycloak/blob/2.2.1.Final/integration/admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java

Regards

Charles

From sblanc at redhat.com Fri Oct 7 13:55:03 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 7 Oct 2016 19:55:03 +0200
Subject: [keycloak-user] Scenario : Java Client (get a token) -> call a Rest service (control token) --> accept/refuse
In-Reply-To:
References:
Message-ID:

You can use:

Keycloak.tokenManager().getAccessTokenString()

And then you pass it in the header of your request, for instance:

https://github.com/keycloak/keycloak/blob/master/examples/demo-template/product-app/src/main/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L58-L80

And use your String here: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/product-app/src/main/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L61

On Fri, Oct 7, 2016 at 7:37 PM, Charles Moulliard wrote:
> Hi,
>
> I would like in a project to perform the following scenario
>
> A Java HTTP Client calls a HTTP Endpoint exposed by WildFly Swarm where the
> address URL ("/rest/say") of the endpoint is secured using Keycloak WildFly
> plugin (keycloak.json contains the OIC).
>
> In order at the client side to get the OpenID token that I must send next
> to the endpoint using "Authentication: Bearer", is it this class that I
> must use to get an instance of Keycloak
>
> Keycloak.getInstance("http/localhost:8080/auth",realm, username, password,
> clientId)
>
> & next the token to send
>
> Keycloak.tokenManager().grantToken();
>
> ?
>
> Class -->
> https://github.com/keycloak/keycloak/blob/2.2.1.Final/integration/admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java
>
> Regards
>
> Charles

From Chris.Brandhorst at topicus.nl Fri Oct 7 16:43:07 2016
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Fri, 7 Oct 2016 20:43:07 +0000
Subject: [keycloak-user] StaleCodeMessage on IDP Initiated SAML SSO
Message-ID:

I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should. However, I can't get IDP Initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name" field with a name (say "bbbbb") in A. When I try to navigate to:

http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb

I always end up with the following logging:

22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage

Which in itself is not surprising, because indeed, there is no Authorization code in play here, but that's the whole idea of IDP Initiated SSO, no? What must I do to get this to work?

Thanks,
Chris Brandhorst

From cmoullia at redhat.com Mon Oct 10 02:16:29 2016
From: cmoullia at redhat.com (Charles Moulliard)
Date: Mon, 10 Oct 2016 08:16:29 +0200
Subject: [keycloak-user] Scenario : Java Client (get a token) -> call a Rest service (control token) --> accept/refuse
In-Reply-To:
References:
Message-ID:

Thx Seb. The code you proposed supposes that we will run the application with a HttpContainer.
My question is related to a Java Client not running in a Web or JavaEE container

On Fri, Oct 7, 2016 at 7:55 PM, Sebastien Blanc wrote:
> You can use :
>
> Keycloak.tokenManager().getAccessTokenString()
>
> An then you pass it in the header of your request , for instance :
>
> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/product-app/src/main/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L58-L80
>
> And use your String here : https://github.com/keycloak/keycloak/blob/master/examples/demo-template/product-app/src/main/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L61
>
> On Fri, Oct 7, 2016 at 7:37 PM, Charles Moulliard wrote:
>
>> Hi,
>>
>> I would like in a project to perform the following scenario
>>
>> A Java HTTP Client calls a HTTP Endpoint exposed by WildFly Swarm where
>> the address URL ("/rest/say") of the endpoint is secured using Keycloak
>> WildFly plugin (keycloak.json contains the OIC).
>>
>> In order at the client side to get the OpenID token that I must send next
>> to the endpoint using "Authentication: Bearer", is it this class that I
>> must use to get an instance of Keycloak
>>
>> Keycloak.getInstance("http/localhost:8080/auth",realm, username,
>> password, clientId)
>>
>> & next the token to send
>>
>> Keycloak.tokenManager().grantToken();
>>
>> ?
>>
>> Class -->
>> https://github.com/keycloak/keycloak/blob/2.2.1.Final/integration/admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java
>>
>> Regards
>>
>> Charles

From sthorger at redhat.com Mon Oct 10 02:17:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 10 Oct 2016 08:17:49 +0200
Subject: [keycloak-user] Prevent JS Adapter from redirecting if already logged in
In-Reply-To: <2060626445-34129@kerio1.zmi.at>
References: <2060626445-34129@kerio1.zmi.at>
Message-ID:

You can open a feature request for it in JIRA.

On 30 September 2016 at 13:26, Gregor Jarisch wrote:
> I totally understand the security first approach and fully agree with
> having it as default behavior.
>
> Nonetheless would it be nice if the adapter would support storing the
> security context with an optional parameter if one would need it this way
> and understands the trade off.
> In the end, having a clean solution implemented that works is definitely
> better than hacking this by oneself and maybe thus opening up serious
> security vulnerability..
>
> Would that be an option for you guys allowing this behavior with an
> optional configuration of the adapter?
>
> From: Stian Thorgersen
> To: Gregor Jarisch
> Cc: keycloak-user
> Sent: 30.09.2016 13:07
> Subject: Re: [keycloak-user] Prevent JS Adapter from redirecting if
> already logged in
>
> keycloak.js was primarily written aiming a single page-app. For security
> reasons it doesn't store any security context information outside the
> window memory (single tab). So when you open a new tab or refresh the page
> you are not actually authenticated with the application, only with the
> Keycloak SSO server. Hence the need to do a redirect.
> That's how OAuth2 and
> OpenID Connect flows work and there's no support to retrieve tokens using
> XHR requests as that would make it rather insecure.
>
> You can however share the security context between tabs and page refreshes
> if you want. That's then a trade-off you make on usability vs security. We
> chose security by default in this case. To do that all you need to do is
> store the tokens in HTML5 storage and initialize keycloak.js with the
> tokens. If you do this I would be careful about what permissions the tokens
> have in case they are indeed leaked (don't give super priviledges to this
> app for instance).
>
> On 30 September 2016 at 11:12, Gregor Jarisch wrote:
>
> We tried login-required as well as check-sso. In case of a user logged in,
> it doesn't seem to do anything different.
>
> Stian, in fact, it seem to be as you described it. A logged on user loads
> the page and it gets redirected to keycloak and back again, than loads the
> website a second time. So twice.
> But why is this necessary? This is a bad UX experience and a performance
> loss as well. If the user is logged in, it should not redirect anywhere.
>
> Couldn't the js adapter simple make an XHR request to the keycloak server
> - as other js requests would do it - and only redirect in case the user
> isn't logged in?
> I believe that way would be much more user friendly (visually appealing in
> particular) and faster as well, because you don't have twice the loading
> time of your page.
>
> Am I missing something here or could this be improved that way?
>
> Gregor
>
> From: Stian Thorgersen
> To: Jess Sightler
> Cc: keycloak-user
> Sent: 30.09.2016 8:42
> Subject: Re: [keycloak-user] Prevent JS Adapter from redirecting if
> already logged in
>
> With check-sso what should happen is:
>
> * keycloak.js checks session cookie.
> If no cookie it does nothing
> * If session cookie exists redirect to login page with prompt=none
> * If session is valid Keycloak redirects back to app with code and
> keycloak.js swaps the code
> * If session wasn't valid Keycloak redirects back to app
>
> With a logged-in user the app page should be loaded twice. Once when first
> visited then a second time after the prompt=none redirect. Are you seeing
> the page being loaded twice or three times?
>
> On 29 September 2016 at 17:27, Jess Sightler wrote:
>
> > I am, and I believe that I have noticed this behavior as well. I get
> > redirected back to the app with "?prompt=none" appended to the URL.
> >
> > On 09/29/2016 10:16 AM, Sebastien Blanc wrote:
> >
> > Hi,
> >
> > Are you using
> >
> > keycloak.init({ onLoad: 'check-sso' }) ?
> >
> > Sebi
> >
> > On Thu, Sep 29, 2016 at 4:01 PM, Gregor Jarisch wrote:
> >
> >> Hi there,
> >>
> >> we have a single page application using the JS adapter. Once the user is
> >> logged in and a page redirect occurs, the SPA loads, but immediately
> >> reloads once again when keycloak adapter authenticates.
> >> Since the user was logged in before already, we would have assumed that
> >> no further page refresh has to be made.
> >>
> >> Interestingly, when we manually pass on all the token values in the init
> >> method (for testing purposes), the page doesn't refresh a second time and
> >> the user is authenticated. As we would have expected it to be.
> >>
> >> This might be just a misunderstanding of how this adapter is supposed to
> >> work, but from our understanding the purpose of the iframe and the set
> >> cookie is to make sure the user stays authenticated.
> >> Thus, shouldn't the keycloak adapter "store" the tokens and use them on a
> >> page refresh if they are valid in order to authenticate without the need
> >> for an additional page refresh?
> >> > >> Would be nice if somebody can explain this mechanism a bit further and > >> maybe even give a hint on what we are doing wrong here.. We are puzzled > at > >> the moment. > >> > >> Thanks > >> > >> Gregor > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > > > _______________________________________________ > > keycloak-user mailing listkeycloak-user at lists.jboss.orghttps:// > lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From sblanc at redhat.com Mon Oct 10 02:47:53 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 10 Oct 2016 08:47:53 +0200 Subject: [keycloak-user] Scenario : Java Client (get a token) -> call a Rest service (control token) --> accept/refuse In-Reply-To: References: Message-ID: You can run that code snippet without running a Web Container. Just replace "session.getTokenString()" with "Keycloak.tokenManager().getAccessTokenString()" On Mon, Oct 10, 2016 at 8:16 AM, Charles Moulliard wrote: > Thx Seb. The code you proposed supposes that we will run the application > with a HttpContainer. 
> > My question is related to a Java Client not running in a Web or JavaEE > container > > On Fri, Oct 7, 2016 at 7:55 PM, Sebastien Blanc wrote: > >> You can use : >> >> Keycloak.tokenManager().getAccessTokenString() >> >> And then you pass it in the header of your request, for instance : >> >> https://github.com/keycloak/keycloak/blob/master/examples/demo-template/product-app/src/main/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L58-L80 >> >> And use your String here : https://github.com/keycloak/keycloak/blob/master/examples/demo-template/product-app/src/main/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L61 >> >> >> >> >> On Fri, Oct 7, 2016 at 7:37 PM, Charles Moulliard >> wrote: >> >>> Hi, >>> >>> I would like in a project to perform the following scenario >>> >>> A Java HTTP Client calls a HTTP Endpoint exposed by WildFly Swarm where >>> the >>> address URL ("/rest/say") of the endpoint is secured using Keycloak >>> WildFly >>> plugin (keycloak.json contains the OIC). >>> >>> In order at the client side to get the OpenID token that I must send next >>> to the endpoint using "Authentication: Bearer", is it this class that I >>> must use to get an instance of Keycloak >>> >>> Keycloak.getInstance("http://localhost:8080/auth", realm, username, >>> password, >>> clientId) >>> >>> & next the token to send >>> >>> Keycloak.tokenManager().grantToken(); >>> >>> ?
>>> >>> Class --> >>> https://github.com/keycloak/keycloak/blob/2.2.1.Final/integr >>> ation/admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java >>> >>> Regards >>> >>> Charles >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From sthorger at redhat.com Mon Oct 10 04:17:27 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 10 Oct 2016 10:17:27 +0200 Subject: [keycloak-user] Custom Adapter Logout logic In-Reply-To: References: Message-ID: It would be better to start a separate thread about that as it's completely irrelevant to this thread. Also, please describe what you are trying to achieve. On 30 September 2016 at 17:29, Josh Cain wrote: > What would you recommend for this on the IDP side? I know we can hook > into events, but doing operations with the response in an > EventListenerProvider just feels wrong. What's more, on the IDP side I > wouldn't want to touch the Keycloak deployment descriptors. > > Josh Cain | Software Applications Engineer > *Identity and Access Management* > *Red Hat* > +1 256-452-0150 > > On Tue, Sep 20, 2016 at 3:00 AM, Stian Thorgersen > wrote: > >> Could you use a HttpSessionListener? >> >> On 15 September 2016 at 23:16, Jared Blashka wrote: >> >>> Is it currently possible to hook into the adapter's logout logic to >>> trigger some custom behavior without interrupting the logout flow? >>> >>> For example, if I want to audit logout activity on a particular SP or >>> delete some cookies (if it was a front-channel logout request) without >>> stopping the normal federated logout process. 
>>> >>> Jared >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sthorger at redhat.com Mon Oct 10 04:21:46 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 10 Oct 2016 10:21:46 +0200 Subject: [keycloak-user] JWT token auth. advice In-Reply-To: References: Message-ID: If endpoint-1 always triggers endpoint-2 which verifies the token I would consider it secured, although indirectly. Not sure what you mean about making endpoint-2 trust endpoint-1. Endpoint-2 doesn't directly trust endpoint-1, rather it trust the details from the access token that endpoint-1 has retrieved. So in effect it trusts the user of endpoint-1 rather than endpoint-1 itself. On 4 October 2016 at 09:18, wrote: > Hi, > I have a general question about how we use JWT tokens. > > Authentication: This is the most common scenario for using JWT. Once the > user is logged in, each subsequent request will include the JWT, allowing > the user to access routes, services, and resources that are permitted with > that token. Single Sign On is a feature that widely uses JWT nowadays, > because of its small overhead and its ability to be easily used across > different domains. > > That seems to be our scenario. AFAIK there is no OAuth/OpenID in this > system. > Our JWT token from the browser is sent in a header to Rest Endpoint-1. > This endpoint isn't secured. I mean that it can't verify the claims in the > token. The claims don't represent any information related > To this endpoint. It just passes the token along to Endpoint-2 which is > capable of verifying the token. > > Is this Endpoint-1 considered insecure now ? 
It is just a mediator but > anyone with the token can access it. How do I make Endpoint-2 trust > Endpoint-1 ? > > > Thanks, > Mohan > This e-mail and any files transmitted with it are for the sole use of the > intended recipient(s) and may contain confidential and privileged > information. If you are not the intended recipient(s), please reply to the > sender and destroy all copies of the original message. Any unauthorized > review, use, disclosure, dissemination, forwarding, printing or copying of > this email, and/or any action taken in reliance on the contents of this > e-mail is strictly prohibited and may be unlawful. Where permitted by > applicable law, this e-mail and other e-mail communications sent to and > from Cognizant e-mail addresses may be monitored. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Oct 10 04:23:37 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 10 Oct 2016 10:23:37 +0200 Subject: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal object In-Reply-To: References: Message-ID: By using token directly I assume you mean exchanging username/password for a token directly. I'd strongly recommend against this and it's not something our adapters support directly. On 4 October 2016 at 15:36, Mariusz Chruscielewski - Info.nl < mariusz at info.nl> wrote: > Hi. We are using Keycloak Tomcat Adapter to secure our webapp, after we > access protected resource we are redirected to keycloak and after login we > go back to our app. After that, we can get KeycloakPrincipal object from > web context (request). > > Is there a way to create / get this object without using Tomcat Adapter ? 
> We want to make API call (like http://keycloak/auth/realms/ > vi/protocol/openid-connect/token) and get (or create manually) this > object using AccessTokenResponse (or any other object we can get from API). > > Ultimate goal is to login to keycloak like adapter does, but directly from > Java, without any interaction from user on keycloak forms. > > Is it even possible? > > Kind Regards, > > Mariusz Chruscielewski > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From michael_furman at hotmail.com Mon Oct 10 09:08:32 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Mon, 10 Oct 2016 13:08:32 +0000 Subject: [keycloak-user] Newbie Keycloak question: the Keycloak server deployment option Message-ID: Hi all, I have started to learn Keycloak and I need your help. I have downloaded the Keycloak server from here http://www.keycloak.org/downloads.html I can find only JBoss7 deployment option. Is it possible to deploy the Keycloak IDP as separate WAR? Thank you in advance for your help. Best regards, Michael From chris.savory at edlogics.com Mon Oct 10 09:30:13 2016 From: chris.savory at edlogics.com (Chris Savory) Date: Mon, 10 Oct 2016 13:30:13 +0000 Subject: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal object In-Reply-To: References: Message-ID: <452DD408-1ABF-4241-AF05-FB393D095607@edlogics.com> I actually had a similar question for our register user workflow. We are registering users on our site using our own custom registration form; in this flow we use the Admin client to create the user in keycloak. Since the user just gave us their un/pw it doesn't make sense for us to send them over to Keycloak to login, but rather we would like to passively log them in either via the backend or via some ajax call.
I know I can get a token if I do something like this, but I'm not sure if it's going to drop all the right cookies back to the user's browser to consider them logged in across all the clients: curl -d "client_id=admin-cli" -d "username=chris.savory at edlogics.com" -d "password=password" -d "grant_type=password" "/auth/realms//protocol/openid-connect/token" -- On 10/10/16, 3:23 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Stian Thorgersen" wrote: By using token directly I assume you mean exchanging username/password for a token directly. I'd strongly recommend against this and it's not something our adapters support directly. On 4 October 2016 at 15:36, Mariusz Chruscielewski - Info.nl < mariusz at info.nl> wrote: > Hi. We are using Keycloak Tomcat Adapter to secure our webapp, after we > access protected resource we are redirected to keycloak and after login we > go back to our app. After that, we can get KeycloakPrincipal object from > web context (request). > > Is there a way to create / get this object without using Tomcat Adapter ? > We want to make API call (like http://keycloak/auth/realms/ > vi/protocol/openid-connect/token) and get (or create manually) this > object using AccessTokenResponse (or any other object we can get from API). > > Ultimate goal is to login to keycloak like adapter does, but directly from > Java, without any interaction from user on keycloak forms. > > Is it even possible?
> > Kind Regards, > > Mariusz Chruscielewski > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Mon Oct 10 10:00:14 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 10 Oct 2016 16:00:14 +0200 Subject: [keycloak-user] Problems with bearer-only client In-Reply-To: <57F7A28F.8060505@flex-guse.de> References: <57F7A28F.8060505@flex-guse.de> Message-ID: Hi Christoph, You won't be able to obtain a token from a bearer-only client, you need to obtain it from another client that offers a login or use a service account ( https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/oidc/service-accounts.html) Sebi On Fri, Oct 7, 2016 at 3:26 PM, Christoph Guse wrote: > Hi, > > currently I have some trouble getting an Access Token using a > bearer-only client in combination with Keycloak 2.2.1. > > In my Proof Of Concept realm (sso-poc) I created a client which was > configured to accept bearer-only authentication. If I got this right no > user login is needed and this client type is perfect for technical users. > > Then I do a HTTP Post like this: > > curl -X POST -F "grant_type=client_credentials" -F "client_id=auth-app2" > -F "client_secret=2fd7033a-1971-4855-b64c-b9783f1ff14d" > https://web-sso/auth/realms/sso-poc/protocol/openid-connect/token > > Unfortunately the response is not an AccessToken but the error message > > { > > "error": "invalid_client", > > "error_description": "Bearer-only not allowed" > > } > > As I configured the client as bearer-only authentication, I'm a little > helpless and I ran out of ideas what I could do. > > Any ideas?
> > Thank you in advance, > Christoph > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From cmoullia at redhat.com Mon Oct 10 10:32:45 2016 From: cmoullia at redhat.com (Charles Moulliard) Date: Mon, 10 Oct 2016 16:32:45 +0200 Subject: [keycloak-user] Run locally a Keycloak Server within a Java Maven Project Message-ID: Hi, The Keycloak project proposes this class to start locally a Keycloak Server without the need to install a distribution of KeyCloak https://github.com/keycloak/keycloak/blob/2.2.1.Final/testsuite/integration/src/test/java/org/keycloak/testsuite/KeycloakServer.java#L51 Unfortunately, the artefact "keycloak-testsuite-integration" containing the class is not published under a maven repository (" https://repository.jboss.org/nexus/content/groups/public/org/keycloak/"). Question : Is there an alternative approach that I could follow to run a local KeycloakServer instance ? Best regards Charles From cmoullia at redhat.com Mon Oct 10 10:50:01 2016 From: cmoullia at redhat.com (Charles Moulliard) Date: Mon, 10 Oct 2016 16:50:01 +0200 Subject: [keycloak-user] Scenario : Java Client (get a token) -> call a Rest service (control token) --> accept/refuse In-Reply-To: References: Message-ID: The client code that you are proposing to use is based on the code that I was suggesting (= Keycloak Admin Client) ;-) On Mon, Oct 10, 2016 at 8:47 AM, Sebastien Blanc wrote: > You can run that code snippet without running a Web Container. Just > replace "session.getTokenString()" with "Keycloak.tokenManager()" > > On Mon, Oct 10, 2016 at 8:16 AM, Charles Moulliard > wrote: > >> Thx Seb. The code you proposed supposes that we will run the application >> with a HttpContainer.
>> >> My question is related to a Java Client not running in a Web or JavaEE >> container >> >> On Fri, Oct 7, 2016 at 7:55 PM, Sebastien Blanc >> wrote: >> >>> You can use : >>> >>> Keycloak.tokenManager().getAccessTokenString() >>> >>> An then you pass it in the header of your request , for instance : >>> >>> https://github.com/keycloak/keycloak/blob/master/examples/de >>> mo-template/product-app/src/main/java/org/keycloak/example/o >>> auth/ProductDatabaseClient.java#L58-L80 >>> >>> And use your String here : https://github.com/keycloak/ke >>> ycloak/blob/master/examples/demo-template/product-app/src/ma >>> in/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L61 >>> >>> >>> >>> >>> On Fri, Oct 7, 2016 at 7:37 PM, Charles Moulliard >>> wrote: >>> >>>> Hi, >>>> >>>> I would like in a project to perform the following scenario >>>> >>>> A Java HTTP Client calls a HTTP Endpoint exposed by WildFly Swarm where >>>> the >>>> address URL ("/rest/say") of the endpoint is secured using Keycloak >>>> WildFly >>>> plugin (keycloak.json contains the OIC). >>>> >>>> In order at the client side to get the OpenID token that I must send >>>> next >>>> to the endpoint using "Authentication: Bearer", is it this class that I >>>> must use to get an instance of Keycloak >>>> >>>> Keycloak.getInstance("http/localhost:8080/auth",realm, username, >>>> password, >>>> clientId) >>>> >>>> & next the token to send >>>> >>>> Keycloak.tokenManager().grantToken(); >>>> >>>> ? 
>>>> >>>> Class --> >>>> https://github.com/keycloak/keycloak/blob/2.2.1.Final/integr >>>> ation/admin-client/src/main/java/org/keycloak/admin/client/K >>>> eycloak.java >>>> >>>> Regards >>>> >>>> Charles >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> > From luigi.demasi at extrasys.it Mon Oct 10 11:16:53 2016 From: luigi.demasi at extrasys.it (Luigi De Masi) Date: Mon, 10 Oct 2016 17:16:53 +0200 Subject: [keycloak-user] Scenario : Java Client (get a token) -> call a Rest service (control token) --> accept/refuse In-Reply-To: References: Message-ID: Charles, to get the token you have to invoke a REST service, unless you wanna code low level http calls, you have to use a JAX-RS implementation library. If you are familiar with CXF (and I know you are ;) ) I created a porting of Admin Client that use CXF as JAX-RS implementation: https://github.com/luigidemasi/keycloak-cxf-admin-client Regards, Luigi. 2016-10-10 16:50 GMT+02:00 Charles Moulliard : > The client code that you are proposing to use is based the code that I was > suggesting (= Keycloak Admin Client") ;-) > > > > On Mon, Oct 10, 2016 at 8:47 AM, Sebastien Blanc > wrote: > > > You can run that code snippet without running a Web Container. Just > > replace "session.getTokenString()" with "Keycloak.tokenManager()`" > > > > On Mon, Oct 10, 2016 at 8:16 AM, Charles Moulliard > > wrote: > > > >> Thx Seb. The code you proposed supposes that we will run the application > >> with a HttpContainer. 
> >> > >> My question is related to a Java Client not running in a Web or JavaEE > >> container > >> > >> On Fri, Oct 7, 2016 at 7:55 PM, Sebastien Blanc > >> wrote: > >> > >>> You can use : > >>> > >>> Keycloak.tokenManager().getAccessTokenString() > >>> > >>> An then you pass it in the header of your request , for instance : > >>> > >>> https://github.com/keycloak/keycloak/blob/master/examples/de > >>> mo-template/product-app/src/main/java/org/keycloak/example/o > >>> auth/ProductDatabaseClient.java#L58-L80 > >>> > >>> And use your String here : https://github.com/keycloak/ke > >>> ycloak/blob/master/examples/demo-template/product-app/src/ma > >>> in/java/org/keycloak/example/oauth/ProductDatabaseClient.java#L61 > >>> > >>> > >>> > >>> > >>> On Fri, Oct 7, 2016 at 7:37 PM, Charles Moulliard > > >>> wrote: > >>> > >>>> Hi, > >>>> > >>>> I would like in a project to perform the following scenario > >>>> > >>>> A Java HTTP Client calls a HTTP Endpoint exposed by WildFly Swarm > where > >>>> the > >>>> address URL ("/rest/say") of the endpoint is secured using Keycloak > >>>> WildFly > >>>> plugin (keycloak.json contains the OIC). > >>>> > >>>> In order at the client side to get the OpenID token that I must send > >>>> next > >>>> to the endpoint using "Authentication: Bearer", is it this class that > I > >>>> must use to get an instance of Keycloak > >>>> > >>>> Keycloak.getInstance("http/localhost:8080/auth",realm, username, > >>>> password, > >>>> clientId) > >>>> > >>>> & next the token to send > >>>> > >>>> Keycloak.tokenManager().grantToken(); > >>>> > >>>> ? 
> >>>> > >>>> Class --> > >>>> https://github.com/keycloak/keycloak/blob/2.2.1.Final/integration/admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java > >>>> > >>>> Regards > >>>> > >>>> Charles > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>> > >>> > >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Luigi De Masi *"Talk is cheap. Show me the code."* * -- Linus Torvalds* ------------------------------ RED HAT SALES ENGINEER & DELIVERY SPECIALIST MIDDLEWARE APPLICATION DEVELOPMENT Extra S.r.l Headquarter & Office North Italy: Pontedera (PI) - Via Salvo D'acquisto, 40/P 56025 phone : +39 0587 975820 mobile: +39 392 9448189 fax: +39 0587 975810 skype: l.demasi web: http://www.extrasrl.it Office South Italy: Rende (CS) - Via Pedro Alvares Cabrai - C.da Lecco 87036 Rende (CS) The information transmitted is intended for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. -- ------------------------------ Extra srl p: +39 0587975800 a: Via Salvo D'Acquisto 40/P - 56025 - Pontedera - Italy w: www.extrasrl.it e: info at extrasys.it
From robin1233 at gmail.com Mon Oct 10 11:21:25 2016 From: robin1233 at gmail.com (robinfernandes .) Date: Mon, 10 Oct 2016 11:21:25 -0400 Subject: [keycloak-user] Out of memory error on Keycloak cluster Message-ID: Hi, We are using Keycloak 1.9.2.Final and have a cluster with an hap and 3 keycloak nodes behind it. For the first time in about 4-6 months we received errors that java heap space out of memory and the nodes just went down. We had around 100k users as well as 35k active connections at the time. We have around 512MB heap space assigned. I am not able to reproduce it after restarting the nodes. Is there any reason that this could happen? From chris.stephens at edlogics.com Mon Oct 10 12:20:33 2016 From: chris.stephens at edlogics.com (Chris Stephens) Date: Mon, 10 Oct 2016 16:20:33 +0000 Subject: [keycloak-user] Impersonate User Message-ID: Hello, Is there any info inside the KeycloakAuthenticationToken or KeycloakPrincipal that will tell you if an admin is currently impersonating another user?
Thank you -- Christopher Stephens Web Developer | EdLogics 414.335.6870 | chris.stephens at edlogics.com www.edlogics.com From ssilvert at redhat.com Mon Oct 10 13:03:27 2016 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 10 Oct 2016 13:03:27 -0400 Subject: [keycloak-user] Newbie Keycloak question: the Keycloak server deployment option In-Reply-To: References: Message-ID: <57FBC9DF.7080200@redhat.com> The Keycloak server depends on WildFly-specific features. You can't deploy it as a separate WAR. Stan On 10/10/2016 9:08 AM, Michael Furman wrote: > Hi all, > I have started to learn Keycloak and I need your help. > I have downloaded the Keycloak server from here http://www.keycloak.org/downloads.html > I can find only JBoss7 deployment option. > Is it possible to deploy the Keycloak IDP as separate WAR? > Thank you in advance for your help. > Best regards, > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jcain at redhat.com Mon Oct 10 16:31:21 2016 From: jcain at redhat.com (Josh Cain) Date: Mon, 10 Oct 2016 15:31:21 -0500 Subject: [keycloak-user] Galera Replication and Caching Message-ID: <1476131481.5614.17.camel@redhat.com> Hi all, We're running into a problem with a couple of MariaDB instances + Galera. When I go to add a client on the first Keycloak node/DB (we'll call it DB01), it adds successfully. I can then go to the second Keycloak Node/DB (call this one DB02) and do not see the client on the 'clients' list. However, if I were to add the same client on DB02, I get the expected 'client with ID already exists' message. What's more, if I bounce the Keycloak node that talks to DB02, the client list populates with the new entry added at DB01. Was guessing it's some kind of caching issue - is there a setting where I can alter this behavior?
-- Josh Cain | Software Applications Engineer Identity and Access Management Red Hat +1 256-452-0150 From adam.keily at adelaide.edu.au Tue Oct 11 01:47:17 2016 From: adam.keily at adelaide.edu.au (Adam Keily) Date: Tue, 11 Oct 2016 05:47:17 +0000 Subject: [keycloak-user] User Session Note Mapper Message-ID: Hi, I'm trying to find the BROKER_PROVIDER_ID as per https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/identity-broker/session-data.html. I've configured the mapper for my client but it isn't in the access token when logging in to the realm via a configured IdP. Any ideas? Places to start looking? Thanks Adam From Stefan.Kasala at posam.sk Tue Oct 11 05:53:36 2016 From: Stefan.Kasala at posam.sk (KASALA Štefan) Date: Tue, 11 Oct 2016 09:53:36 +0000 Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated In-Reply-To: References: <4a9d5d7e814844688de32257d943ff48@posam.sk> <2f95362f-41df-486b-d8c5-29e123ed9fa5@redhat.com> <0f4b1c9cc1c646f9b0375d6e9f29a65d@posam.sk> Message-ID: Hello, Finally we managed to fix the issue. The problem was with the org.apache.httpcomponents module on the Keycloak adapter side. We have there a JBoss EAP 6.3.0.GA installation, which has httpclient jar version 4.2.1. After debugging we found out the problem was SNI. SNI support in httpclient was added from version 4.3.2 (https://issues.apache.org/jira/browse/HTTPCLIENT-1119). We managed to upgrade httpcomponents to 4.3.6 and 4.3.3 version, now it works fine. One more thanks for help. Stefan From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Tuesday, September 27, 2016 10:03 AM To: KASALA Štefan ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Found this during quick googling : http://stackoverflow.com/questions/9578129/exception-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated .
So looks like different Java version can be possibly an issue... Other possibility can be an expired certificate. If it's possible for you, I would try to generate new keystore for auth-server and then export new key again to the adapter truststore. Also it can help to check if moving both to Java 8 will help. Marek On 27/09/16 08:30, KASALA Štefan wrote: Hello, One more information to add: - keycloak-as7-adapter-2.1.0 - is running on JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) (Java 7) - keycloak-2.1.0.Final (server) - is running on WildFly Core 2.0.10.Final (Java 8) Stefan From: KASALA Štefan Sent: Tuesday, September 27, 2016 8:02 AM To: 'Marek Posolda' ; keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Hello, Thanks for the tip. If you check my first email, I already tried this configuration for the adapter. Our keycloak adapter config: … true … We also tried: /etc/pki/ca-trust/extracted/java/cacerts cacerts_password … But in all cases we get the exception - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated Stefan From: Marek Posolda [mailto:mposolda at redhat.com] Sent: Monday, September 26, 2016 4:46 PM To: KASALA Štefan ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated It seems you need to configure truststore on adapter side, so the adapter (which uses Apache HTTP Client under the hood) is able to communicate with Keycloak server and trust it. You can take a look at docs and see the options related to truststore [1] . [1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html Marek On 26/09/16 09:46, KASALA Štefan wrote: Hello, Please let me know, if you need more information to make the problem better to understand. Thanks a lot.
Stefan

From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org]
Sent: Thursday, September 22, 2016 10:55 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Hello all,

We have keycloak-2.1.0.Final server and keycloak-as7-adapter-2.1.0 adapter version installed. We are trying to configure https proxy / lb for keycloak server. I am getting the following error from keycloak adapter after successful sign in to keycloak server. Here is the keycloak adapter log part:

2016-09-22 10:45:50,643 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,643 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,644 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was no code
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) redirecting to auth server
2016-09-22 10:45:50,644 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) callback uri: https://lbbams.intra.dcom.sk/rtgov-ui/
2016-09-22 10:45:50,645 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) Sending redirect to login page: https://lbbams.intra.dcom.sk/auth/realms/governance/protocol/openid-connect/auth?response_type=code&client_id=rtgov-ui&redirect_uri=https%3A%2F%2Flbbams.intra.dcom.sk%2Frtgov-ui%2F&state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&login=true&scope=openid
2016-09-22 10:45:50,663 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (http-/0.0.0.0:8080-1) adminRequest https://lbbams.intra.dcom.sk/rtgov-ui/?state=2%2F0e9cc85b-42eb-42c5-812b-0e47e9ce8cb5&code=Q_sNdYGZ-St2psIoJwvTZCJTUgrvGwRlYaUprOc-2L8.eece03c6-f354-49b6-9742-8a41b40ad19a
2016-09-22 10:45:50,663 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) --> authenticate()
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try bearer
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try query paramter auth
2016-09-22 10:45:50,664 TRACE [org.keycloak.adapters.RequestAuthenticator] (http-/0.0.0.0:8080-1) try oauth
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) there was a code, resolving
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) checking state cookie for after code
2016-09-22 10:45:50,664 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) ** reseting application state cookie
2016-09-22 10:45:50,668 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) [jsse.jar:1.7.0_67]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1-redhat-1.jar:4.2.1-redhat-1]
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
    at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.1.0.Final.jar:2.1.0.Final]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
    at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:43) [keycloak-as7-adapter-2.1.0.Final.jar:2.1.0.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.1.0.Final.jar:2.1.0.Final]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:621) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]

Our keycloak adapter config:

public key string? ${keycloak.auth.url:/auth} preferred_username true true governance rtgov-ui password governance overlord-rtgov true password

Could you please help us, how can we fix this? Thanks a lot.

Stefan Kasala.

________________________________
This message is for the designated recipient only and may contain confidential or internal information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Tue Oct 11 09:33:53 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 11 Oct 2016 09:33:53 -0400
Subject: [keycloak-user] Out of memory error on Keycloak cluster
In-Reply-To:
References:
Message-ID:

I believe we fixed some cache leakage problems sometime between 1.9.1 and 1.9.8. You'll have to search JIRA. I strongly suggest you upgrade to 1.9.8. We did a huge amount of stability, performance, and bug fixes between 1.9.1 and 1.9.8 to get Keycloak ready for product. RH-SSO is based on Keycloak 1.9.8.

On 10/10/16 11:21 AM, robinfernandes . wrote:
> Hi,
>
> We are using Keycloak 1.9.2.Final and have a cluster with an hap and 3 keycloak nodes behind it.
> For the first time in about 4-6 months we received errors that java heap space out of memory and the nodes just went down.
> We had around 100k users as well as 35k active connections at the time.
> We have around 512MB heap space assigned.
>
> I am not able to reproduce it after restarting the nodes.
>
> Is there any reason that this could happen?

From hcamp at muerte.net Tue Oct 11 14:10:07 2016
From: hcamp at muerte.net (Harold Campbell)
Date: Tue, 11 Oct 2016 13:10:07 -0500
Subject: [keycloak-user] AbstractUserAdapterFederatedStorage & Roles
Message-ID: <1476209407.2566.27.camel@muerte.net>

I'm using the new user storage provider stuff to federate users from an existing database. It's mostly working, but I'm having trouble with role updates propagating. My UserAdapter extends AbstractUserAdapterFederatedStorage.
If I do not override grantRole(), deleteRoleMapping(), and getFederatedRoleMappings(), KC's view of the user's roles is only set the first time the user is loaded. Neither adding nor removing roles changes the list.

If I *do* override those methods, then at least adding a role updates the list. Removing them still does not.

I'm using UserAdapter#grantRole() to add the roles. I've tried all of
UserAdapter#deleteRoleMapping()
UserAdapter#getRealmRoleMappings()#remove()
UserAdapter#getRoleMappings()#remove()
to remove roles to no avail.

What am I missing?

KC 2.1.1.Final

--
Harold Campbell

we just switched to Sprint.

From TBarcia at wfscorp.com Tue Oct 11 16:32:19 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Tue, 11 Oct 2016 20:32:19 +0000
Subject: [keycloak-user] Keycloak cannot change LDAP user password
Message-ID: <237d9fa1d62748f7a59e3d213162de52@MIA-WEX-P16.wfs.com>

After fighting thru getting Keycloak able to create users, I'm now trying to change an LDAP user's password but the only message I get is on the screen that says "Could not modify attribute for DN" and there are no messages in the logs nor on the console output or in "Events" in the UI. Can anyone suggest what I may need to change to be able to change LDAP passwords?

Thank you.

*** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***

From TBarcia at wfscorp.com Tue Oct 11 16:39:10 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Tue, 11 Oct 2016 20:39:10 +0000
Subject: [keycloak-user] Keycloak cannot change LDAP user password
In-Reply-To: <237d9fa1d62748f7a59e3d213162de52@MIA-WEX-P16.wfs.com>
References: <237d9fa1d62748f7a59e3d213162de52@MIA-WEX-P16.wfs.com>
Message-ID: <37ee8d3eda3e4349bb7fc51f195f8698@MIA-WEX-P16.wfs.com>

FYI, I'm running 2.2.1.Final, using LDAPS and literally created the user, clicked save and tried to change the password after getting the acknowledgement that the save was successful. I've also gone into previously created users and am unable to modify their passwords either.

Thanks in advance!

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Barcia
Sent: Tuesday, October 11, 2016 4:32 PM
To: keycloak-user at lists.jboss.org
Subject: [EXTERNAL][keycloak-user] Keycloak cannot change LDAP user password

After fighting thru getting Keycloak able to create users, I'm now trying to change an LDAP user's password but the only message I get is on the screen that says "Could not modify attribute for DN" and there are no messages in the logs nor on the console output or in "Events" in the UI. Can anyone suggest what I may need to change to be able to change LDAP passwords?

Thank you.

From mposolda at redhat.com Wed Oct 12 02:39:52 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Oct 2016 08:39:52 +0200
Subject: [keycloak-user] Keycloak cannot change LDAP user password
In-Reply-To: <37ee8d3eda3e4349bb7fc51f195f8698@MIA-WEX-P16.wfs.com>
References: <237d9fa1d62748f7a59e3d213162de52@MIA-WEX-P16.wfs.com> <37ee8d3eda3e4349bb7fc51f195f8698@MIA-WEX-P16.wfs.com>
Message-ID: <996c0d27-0f28-8cbb-5ce4-769ef182b1f8@redhat.com>

Which LDAP are you using? Is it MS Active Directory? Typical case is that there are some password policies on MSAD side, maybe you can try with some more tricky password like "MyPASSwor"!#d154;:@" and see if it helps?

Also you can try to enable TRACE logging for the "org.keycloak.federation.ldap" category in standalone.xml and see more logging messages in standalone/log/server.log.

Marek

On 11/10/16 22:39, Thomas Barcia wrote:
> FYI, I'm running 2.2.1.Final, using LDAPS and literally created the user, clicked save and tried to change the password after getting the acknowledgement that the save was successful. I've also gone into previously created users and am unable to modify their passwords either.
>
> Thanks in advance!
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Barcia
> Sent: Tuesday, October 11, 2016 4:32 PM
> To: keycloak-user at lists.jboss.org
> Subject: [EXTERNAL][keycloak-user] Keycloak cannot change LDAP user password
>
> After fighting thru getting Keycloak able to create users, I'm now trying to change an LDAP user's password but the only message I get is on the screen that says "Could not modify attribute for DN" and there are no messages in the logs nor on the console output or in "Events" in the UI. Can anyone suggest what I may need to change to be able to change LDAP passwords?
>
> Thank you.

From mposolda at redhat.com Wed Oct 12 02:45:01 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Oct 2016 08:45:01 +0200
Subject: [keycloak-user] Galera Replication and Caching
In-Reply-To: <1476131481.5614.17.camel@redhat.com>
References: <1476131481.5614.17.camel@redhat.com>
Message-ID: <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com>

Which Keycloak version are you using? If it's older than 1.9.8.Final, then it's suggested to upgrade as there were caching fixes meanwhile.

There is also a possibility to disable caching in keycloak-server.json (or in standalone.xml in the latest version). It's mentioned in the docs how to do it.

Finally it may also help if you have the opportunity to try with 2 Keycloak cluster nodes configured against the same DB node. This may help to better isolate the problem and see if it's related to caching or to the MariaDB cluster.

Marek

On 10/10/16 22:31, Josh Cain wrote:
> Hi all,
>
> We're running into a problem with a couple of MariaDB instances + Galera. When I go to add a client on the first Keycloak node/DB (we'll call it DB01), it adds successfully. I can then go to the second Keycloak Node/DB (call this one DB02) and do not see the client on the 'clients' list. However, if I were to add the same client on DB02, I get the expected 'client with ID already exists' message. What's more, if I bounce the Keycloak node that talks to DB02, the client list populates with the new entry added at DB01.
>
> Was guessing it's some kind of caching issue - is there a setting where I can alter this behavior?
>

From mposolda at redhat.com Wed Oct 12 02:55:54 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Oct 2016 08:55:54 +0200
Subject: [keycloak-user] User Session Note Mapper
In-Reply-To:
References:
Message-ID: <51589e2c-690f-2ea3-6f87-2e395cc1390f@redhat.com>

It seems the docs are outdated. I can't see any reference to BROKER_PROVIDER_ID in the code. Could you please create a JIRA to fix the docs?

Instead there are 2 userSession notes added after broker login:

"identity_provider" - ID (alias) of the identity/social provider used to login
"identity_provider_identity" - IdentityProvider identity (username) of the authenticated user

I believe both should work fine and you should see claims in the token if you configure appropriate userSessionNote protocol mappers with them.

Marek

On 11/10/16 07:47, Adam Keily wrote:
> Hi,
>
> I'm trying to find the BROKER_PROVIDER_ID as per https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/identity-broker/session-data.html.
>
> I've configured the mapper for my client but it isn't in the access token when logging in to the realm via a configured IdP.
>
> Any ideas? Places to start looking?
>
> Thanks
> Adam

From mposolda at redhat.com Wed Oct 12 03:03:11 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Oct 2016 09:03:11 +0200
Subject: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
In-Reply-To:
References: <4a9d5d7e814844688de32257d943ff48@posam.sk> <2f95362f-41df-486b-d8c5-29e123ed9fa5@redhat.com> <0f4b1c9cc1c646f9b0375d6e9f29a65d@posam.sk>
Message-ID: <8c2863a4-7541-fa41-fb87-50fdbe0920f0@redhat.com>

Thanks for your investigation. I've created JIRA https://issues.jboss.org/browse/KEYCLOAK-3688 . Feel free to add as watcher.

Marek

On 11/10/16 11:53, KASALA Štefan wrote:
>
> Hello,
>
> Finally we managed to fix the issue. Problem was with org.apache.httpcomponents module on Keycloak adapter side. We have there JBoss EAP 6.3.0.GA installation, which has httpclient jar version 4.2.1. After debug we found out problem was SNI. SNI support in httpclient was added from version 4.3.2 (https://issues.apache.org/jira/browse/HTTPCLIENT-1119). We managed to upgrade httpcomponents to 4.3.6 and 4.3.3 version, now it works fine.
>
> One more thanks for help.
>
> Stefan
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Tuesday, September 27, 2016 10:03 AM
> *To:* KASALA Štefan; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Found this during quick googling: http://stackoverflow.com/questions/9578129/exception-javax-net-ssl-sslpeerunverifiedexception-peer-not-authenticated . So looks like different Java version can be possibly an issue... Other possibility can be an expired certificate.
>
> If it's possible for you, I would try to generate new keystore for auth-server and then export new key again to the adapter truststore. Also it can help to check if moving both to Java 8 will help.
>
> Marek
>
> On 27/09/16 08:30, KASALA Štefan wrote:
>
> Hello,
>
> One more information to add:
>
> - keycloak-as7-adapter-2.1.0 is running on JBoss EAP 6.3.0.GA (AS 7.4.0.Final-redhat-19) (Java 7)
>
> - keycloak-2.1.0.Final (server) is running on WildFly Core 2.0.10.Final (Java 8)
>
> Stefan
>
> *From:* KASALA Štefan
> *Sent:* Tuesday, September 27, 2016 8:02 AM
> *To:* 'Marek Posolda'; keycloak-user at lists.jboss.org
> *Subject:* RE: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Hello,
>
> Thanks for tip. If you check my first email, I already tried this configuration for adapter
>
> Our keycloak adapter config:
>
> ...
> *true*
> ...
>
> We also tried:
>
> ...
> */etc/pki/ca-trust/extracted/java/cacerts*
> *cacerts_password*
> ...
>
> But in all cases we get the exception - javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> Stefan
>
> *From:* Marek Posolda [mailto:mposolda at redhat.com]
> *Sent:* Monday, September 26, 2016 4:46 PM
> *To:* KASALA Štefan; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>
> It seems you need to configure truststore on adapter side, so the adapter (which uses Apache HTTP Client under the hood) is able to communicate with Keycloak server and trust it. You can take a look at docs and see the options related to truststore [1] .
>
> [1] https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.2/topics/oidc/java/java-adapter-config.html
>
> Marek
>
> On 26/09/16 09:46, KASALA Štefan wrote:
>
> Hello,
>
> Please let me know, if you need more information to make the problem better to understand. Thanks a lot.
>
> Stefan

From mposolda at redhat.com Wed Oct 12 03:07:01 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 12 Oct 2016 09:07:01 +0200
Subject: [keycloak-user] User Session Note Mapper
In-Reply-To: <51589e2c-690f-2ea3-6f87-2e395cc1390f@redhat.com>
References: <51589e2c-690f-2ea3-6f87-2e395cc1390f@redhat.com>
Message-ID: <64026fbd-b214-e94b-c348-58b8fbe7a8a5@redhat.com>

Np, I've created JIRA already when I was on it https://issues.jboss.org/browse/KEYCLOAK-3689 . Feel free to add as watcher.

Thanks,
Marek

On 12/10/16 08:55, Marek Posolda wrote:
> Instead there are 2 userSession notes added after broker login:
> "identity_provider" - ID (alias) of the identity/social provider used to login
> "identity_provider_identity" - IdentityProvider identity (username) of the authenticated user

From thomas.darimont at googlemail.com Wed Oct 12 03:57:58 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 12 Oct 2016 09:57:58 +0200
Subject: [keycloak-user] Interesting article about how redhat.com uses Keycloak
Message-ID:

Hello group,

just stumbled upon an IMHO interesting article that some of you might find interesting - unfortunately this wasn't sent to the mailing lists.

It's about: How Red Hat re-designed its Single Sign On (SSO) architecture, and why.
http://developers.redhat.com/blog/2016/10/04/how-red-hat-re-designed-its-single-sign-on-sso-architecture-and-why/ Cheers, Thomas From Daniela.Weil at itzbund.de Wed Oct 12 07:20:50 2016 From: Daniela.Weil at itzbund.de (Daniela.Weil at itzbund.de) Date: Wed, 12 Oct 2016 11:20:50 +0000 Subject: [keycloak-user] User cannot be imported from LDAP - ModelDuplicateException - although userStorage does not contain any users yet Message-ID: Dear All, I installed keycloak 2.2.1 Final, added a new realm with an openLDAP federation provider with Kerberos integration. The "username LDAP attribute" I set to the ldap attribute (bfvNovellLogin) that contains the Kerberos username. The "UUID LDAP attribute" is set to the "uid" attribute. Kerberos auth succeeded: 2016-10-12 10:23:42,363 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-3) SPNEGO Security context accepted with token: oRQwEqADCgEAoQsGCSqGSIb3EgECAg==, established: true, credDelegState: false, mutualAuthState: false, lifetime: 2147483647, confState: true, integState: true, .... 2016-10-12 10:23:42,364 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getUserByUsername: WeiDayq The LDAP object could be created: 2016-10-12 10:23:42,515 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-3) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de , uuid: dweil, attributes: {uid=[dweil], bfvNovellLogin=[WeiDayq], mail=[daniela.weil at zivit.de], bfvDstnr=[1481], sn=[Weil], cn=[Daniela Weil], modifyTimestamp=[20130308075833Z], createTimestamp=[20070704114832Z]}, readOnly attribute names: [sn, bfvdstnr, bfvnovelllogin, mail, uid, modifytimestamp, cn, createtimestamp] ] So far no users are in the keycloak datastore. 
On mapping the email attribute the user "dweil" is not recognized as the user "weidayq" that was previously authenticated by Kerberos:

2016-10-12 10:23:42,765 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=DStNummer, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=bfvDstnr, is.mandatory.in.ldap=false, user.model.attribute=DstNr} } during import user from LDAP
2016-10-12 10:23:42,769 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=email, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=mail, is.mandatory.in.ldap=false, user.model.attribute=email} } during import user from LDAP
2016-10-12 10:23:42,806 DEBUG [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelDuplicateException: Can't import user 'weidayq' from LDAP because email 'daniela.weil at zivit.de' already exists in Keycloak. Existing user with this email is 'dweil'
        at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.checkDuplicateEmail(UserAttributeLDAPFederationMapper.java:168)
        at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:100)
        at org.keycloak.federation.ldap.mappers.LDAPFederationMapperBridge.onImportUserFromLDAP(LDAPFederationMapperBridge.java:61)
        at org.keycloak.federation.ldap.LDAPFederationProvider.importUserFromLDAP(LDAPFederationProvider.java:327)
        at org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:310)
        at org.keycloak.federation.ldap.LDAPFederationProvider.findOrCreateAuthenticatedUser(LDAPFederationProvider.java:499)
        at org.keycloak.federation.ldap.LDAPFederationProvider.validCredentials(LDAPFederationProvider.java:443)
        at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:595)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89).....

Why does keycloak assume that my one and only user is two different users (having a different Id)?

Kind Regards,
Daniela Weil

From lbecarelli at gmail.com Wed Oct 12 07:52:13 2016 From: lbecarelli at gmail.com (lbecarelli_imap) Date: Wed, 12 Oct 2016 13:52:13 +0200 Subject: [keycloak-user] jboss 6.1.Final - OpenID Connect Message-ID: <2409e72d-595d-0ee4-3cc8-2ba52bb5ad13@gmail.com> Hello, I installed Keycloak 2.2.1 Final; all is fine if I use it with WildFly 10 and the related adapter, with several applications secured with Keycloak on two different servers. My problem is that I also have an old application on JBoss 6.1.Final that uses Seam 2.2.2 Final. What is the best approach to secure it, or at least to know who the logged-in user is?
Kind Regards,
Luca Becarelli

From lbecarelli at gmail.com Wed Oct 12 09:28:18 2016 From: lbecarelli at gmail.com (lbecarelli_imap) Date: Wed, 12 Oct 2016 15:28:18 +0200 Subject: [keycloak-user] jboss 6.1.Final - OpenID Connect Message-ID: Hello, I installed Keycloak 2.2.1 Final; all is fine if I use it with WildFly 10 and the related adapter, with several applications secured with Keycloak on two different servers. My problem is that I also have an old application on JBoss 6.1.Final that uses Seam 2.2.2 Final. What is the best approach to secure it, or at least to know who the logged-in user is?

Kind Regards,
Luca Becarelli

From TBarcia at wfscorp.com Wed Oct 12 09:59:29 2016 From: TBarcia at wfscorp.com (Thomas Barcia) Date: Wed, 12 Oct 2016 13:59:29 +0000 Subject: [keycloak-user] Keycloak cannot change LDAP user password In-Reply-To: <996c0d27-0f28-8cbb-5ce4-769ef182b1f8@redhat.com> References: <237d9fa1d62748f7a59e3d213162de52@MIA-WEX-P16.wfs.com> <37ee8d3eda3e4349bb7fc51f195f8698@MIA-WEX-P16.wfs.com> <996c0d27-0f28-8cbb-5ce4-769ef182b1f8@redhat.com> Message-ID: It is MS AD and it turns out that the service account didn't have sufficient privileges despite the AD guru telling me multiple times that it did. I'll look into trace logging for the next hurdle to getting this thing into production. Thank you.

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, October 12, 2016 2:40 AM
To: Thomas Barcia; keycloak-user at lists.jboss.org
Subject: [EXTERNAL]Re: [keycloak-user] Keycloak cannot change LDAP user password

Which LDAP are you using? Is it MS Active Directory? The typical case is that there are some password policies on the MSAD side; maybe you can try with some trickier password like "MyPASSwor"!#d154;:@" and see if it helps? Also you can try to enable TRACE logging for the "org.keycloak.federation.ldap" category in standalone.xml and see more logging messages in standalone/log/server.log.
Marek On 11/10/16 22:39, Thomas Barcia wrote: > FYI, I'm running 2.2.1.Final, using LDAPS and literally created the user, clicked save and tried to change the password after getting the acknowledgement that the save was successful. I've also gone into previously created users and am unable to modify their passwords either. > > Thanks in advance! > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas > Barcia > Sent: Tuesday, October 11, 2016 4:32 PM > To: keycloak-user at lists.jboss.org > Subject: [EXTERNAL][keycloak-user] Keycloak cannot change LDAP user > password > > After fighting thru getting Keycloak able to create users, I'm now trying to change an LDAP user's password but the only message I get is on the screen that says "Could not modify attribute for DN" and there are no messages in the logs nor on the console output or in "Events" in the UI. Can anyone suggest what I may need to change to be able to change LDAP passwords? > > Thank you. > *** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. > If you are not the intended recipient, any review, disclosure, > copying, use, or distribution of the information included in this > communication and any attachments is strictly prohibited. If you have > received this communication in error, please notify us immediately by > replying to this communication and delete the communication, including > any attachments, from your computer. 
Electronic communications sent to > or from World Fuel Services Corporation or its subsidiaries or its > affiliates may be monitored for quality assurance and compliance > purposes.*** > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Oct 12 10:03:53 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 12 Oct 2016 16:03:53 +0200 Subject: [keycloak-user] Out of memory error on Keycloak cluster In-Reply-To: References: Message-ID: Could be https://issues.jboss.org/browse/KEYCLOAK-3202 if so it's not fixed in 1.9.8. There's a work around though, you can set "" for the realmVersions cache. Also, make sure you have a sane max entries on the users cache. On 11 October 2016 at 15:33, Bill Burke wrote: > I believe we fixed some cache leakage problems sometime between 1.9.1 > and 1.9.8. You'll have to search JIRA. I strongly suggest you upgrade > to 1.9.8. We did a huge amount of stability, performance, and bug fixes > between 1.9.1 and 1.9.8 to get Keycloak ready for product. RH-SSO is > based on Keycloak 1.9.8. > > > On 10/10/16 11:21 AM, robinfernandes . wrote: > > Hi, > > > > We are using Keycloak 1.9.2.Final and have a cluster with an hap and 3 > > keycloak nodes behind it. > > For the first time in about 4-6 months we received errors that java heap > > space out of memory and the nodes just went down. > > We had around 100k users as well as 35k active connections at the time. > > We have around 512MB heap space assigned. > > > > I am not able to reproduce it after restarting the nodes. > > > > Is there any reason that this could happen? 
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jblashka at redhat.com Wed Oct 12 13:08:51 2016 From: jblashka at redhat.com (Jared Blashka) Date: Wed, 12 Oct 2016 13:08:51 -0400 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> Message-ID: We're already running 1.9.8.Final. Our previous configuration was using 2 clustered nodes configured against the same DB node and we didn't run into this issue.

On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda wrote:
> Which Keycloak version are you using? If it's older than 1.9.8.Final,
> then it's suggested to upgrade as there were caching fixes meanwhile.
>
> There is also possibility to disable caching in keycloak-server.json (or
> in standalone.xml in latest version). It's mentioned in the docs how to
> do it.
>
> Finally it may also help if you have opportunity to try with 2 Keycloak
> cluster nodes configured against same DB node. This may help to better
> isolate the problem and see if it's related to caching or to MariaDB
> cluster.
>
> Marek
>
> On 10/10/16 22:31, Josh Cain wrote:
> > Hi all,
> >
> > We're running into a problem with a couple of MariaDB instances +
> > Galera. When I go to add a client on the first Keycloak node/DB (we'll
> > call it DB01), it adds successfully. I can then go to the second
> > Keycloak Node/DB (call this one DB02) and do not see the client on the
> > 'clients' list. However, if I were to add the same client on DB02, I
> > get the expected 'client with ID already exists' message.
> > What's more,
> > if I bounce the Keycloak node that talks to DB02, the client list
> > populates with the new entry added at DB01.
> >
> > Was guessing it's some kind of caching issue - is there a setting where
> > I can alter this behavior?
> >
> > _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mposolda at redhat.com Wed Oct 12 16:35:43 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Oct 2016 22:35:43 +0200 Subject: [keycloak-user] User cannot be imported from LDAP - ModelDuplicateException - although userStorage does not contain any users yet In-Reply-To: References: Message-ID: <28a18eb1-774a-49c5-72e1-28f0bed8baf9@redhat.com> It seems like a misconfiguration of the federation provider. You didn't finish the logging line from SPNEGOAuthenticator and the value of srcName

On 12/10/16 13:20, Daniela.Weil at itzbund.de wrote:
> Dear All,
>
> I installed keycloak 2.2.1 Final, added a new realm with an openLDAP federation provider with Kerberos integration.
> The "username LDAP attribute" I set to the ldap attribute (bfvNovellLogin) that contains the Kerberos username. The "UUID LDAP attribute" is set to the "uid" attribute.
>
> Kerberos auth succeeded:
> 2016-10-12 10:23:42,363 DEBUG [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-3) SPNEGO Security context accepted with token: oRQwEqADCgEAoQsGCSqGSIb3EgECAg==, established: true, credDelegState: false, mutualAuthState: false, lifetime: 2147483647, confState: true, integState: true, ....

You didn't finish this logging line from SPNEGOAuthenticator and the value of "srcName", which is next in the logging message, is the most important one :-) However I guess this name was "dweil", right? And LDAP is later looking for username "WeiDayq", so there are 2 different usernames but the same email...
It seems like a misconfiguration of the LDAP federation providers and/or mappers. Is the "username LDAP attribute" configured to the same value as the LDAP attribute in the username mapper?

Marek

>
> 2016-10-12 10:23:42,364 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getUserByUsername: WeiDayq
>
> The LDAP object could be created:
> 2016-10-12 10:23:42,515 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-3) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=dweil,ou=mitarbeiter,ou=personen,dc=bfinv,dc=de , uuid: dweil, attributes: {uid=[dweil], bfvNovellLogin=[WeiDayq], mail=[daniela.weil at zivit.de], bfvDstnr=[1481], sn=[Weil], cn=[Daniela Weil], modifyTimestamp=[20130308075833Z], createTimestamp=[20070704114832Z]}, readOnly attribute names: [sn, bfvdstnr, bfvnovelllogin, mail, uid, modifytimestamp, cn, createtimestamp] ]
>
> So far no users are in the keycloak datastore.
>
> On mapping the email attribute the user "dweil" is not recognized as the user "weidayq" that was previously authenticated by Kerberos:
> 2016-10-12 10:23:42,765 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=DStNummer, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=bfvDstnr, is.mandatory.in.ldap=false, user.model.attribute=DstNr} } during import user from LDAP
> 2016-10-12 10:23:42,769 TRACE [org.keycloak.federation.ldap.LDAPFederationProvider] (default task-3) Using mapper { name=email, federationMapperType=user-attribute-ldap-mapper, config={always.read.value.from.ldap=false, read.only=true, ldap.attribute=mail, is.mandatory.in.ldap=false, user.model.attribute=email} } during import user from LDAP
> 2016-10-12 10:23:42,806 DEBUG [org.keycloak.services] (default task-3) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelDuplicateException: Can't import user 'weidayq' from LDAP because email 'daniela.weil at zivit.de' already exists in Keycloak. Existing user with this email is 'dweil'
> at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.checkDuplicateEmail(UserAttributeLDAPFederationMapper.java:168)
> at org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper.onImportUserFromLDAP(UserAttributeLDAPFederationMapper.java:100)
> at org.keycloak.federation.ldap.mappers.LDAPFederationMapperBridge.onImportUserFromLDAP(LDAPFederationMapperBridge.java:61)
> at org.keycloak.federation.ldap.LDAPFederationProvider.importUserFromLDAP(LDAPFederationProvider.java:327)
> at org.keycloak.federation.ldap.LDAPFederationProvider.getUserByUsername(LDAPFederationProvider.java:310)
> at org.keycloak.federation.ldap.LDAPFederationProvider.findOrCreateAuthenticatedUser(LDAPFederationProvider.java:499)
> at org.keycloak.federation.ldap.LDAPFederationProvider.validCredentials(LDAPFederationProvider.java:443)
> at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:595)
> at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89).....
>
> Why does keycloak assume that my one and only user is two different users (having a different Id)?
>
> Kind Regards,
> Daniela Weil
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Oct 12 16:42:19 2016 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Oct 2016 22:42:19 +0200 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> Message-ID: Then it's probably related to the Galera cluster rather than to caching...

Do you have DB configured with synchronous replication (e.g. inserting some record on DB1 is successfully finished after the record is successfully replicated to DB2 too)? You can maybe compare with the configuration in my docker image https://github.com/mposolda/keycloak-mariadb . I can't recall seeing any issue like this, but not sure about other aspects of my configuration (performance etc).

Marek

On 12/10/16 19:08, Jared Blashka wrote:
> We're already running 1.9.8.Final. Our previous configuration was
> using 2 clustered nodes configured against the same DB node and we
> didn't run into this issue.
>
> On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda > wrote:
>
> Which Keycloak version are you using? If it's older than 1.9.8.Final,
> then it's suggested to upgrade as there were caching fixes meanwhile.
>
> There is also possibility to disable caching in
> keycloak-server.json (or
> in standalone.xml in latest version). It's mentioned in the docs
> how to
> do it.
>
> Finally it may also help if you have opportunity to try with 2
> Keycloak
> cluster nodes configured against same DB node. This may help to better
> isolate the problem and see if it's related to caching or to MariaDB
> cluster.
>
> Marek
>
> On 10/10/16 22:31, Josh Cain wrote:
> > Hi all,
> >
> > We're running into a problem with a couple of MariaDB instances +
> > Galera. When I go to add a client on the first Keycloak node/DB
> (we'll
> > call it DB01), it adds successfully. I can then go to the second
> > Keycloak Node/DB (call this one DB02) and do not see the client
> on the
> > 'clients' list. However, if I were to add the same client on
> DB02, I
> > get the expected 'client with ID already exists' message.
> What's more,
> > if I bounce the Keycloak node that talks to DB02, the client list
> > populates with the new entry added at DB01.
> >
> > Was guessing it's some kind of caching issue - is there a
> setting where
> > I can alter this behavior?
> >
> > _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From jblashka at redhat.com Wed Oct 12 17:27:47 2016 From: jblashka at redhat.com (Jared Blashka) Date: Wed, 12 Oct 2016 17:27:47 -0400 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> Message-ID: We've got synchronous replication enabled. I've looked in the DB tables for both galera nodes and the data is there. e.g. both DB nodes have client 'myclient' but the UI for Keycloak node 2 doesn't list a 'myclient'. But Keycloak will error if you try to add 'myclient' saying it already exists.

On Wed, Oct 12, 2016 at 4:42 PM, Marek Posolda wrote:
> Then it's probably related to the Galera cluster rather than to caching...
>
> Do you have DB configured with synchronous replication (e.g. inserting some
> record on DB1 is successfully finished after the record is successfully
> replicated to DB2 too)?
>
> You can maybe compare with the configuration in my docker image
> https://github.com/mposolda/keycloak-mariadb . I can't recall seeing any
> issue like this, but not sure about other aspects of my configuration
> (performance etc).
>
> Marek
>
>
> On 12/10/16 19:08, Jared Blashka wrote:
>
> We're already running 1.9.8.Final. Our previous configuration was using 2
> clustered nodes configured against the same DB node and we didn't run into
> this issue.
>
> On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda > wrote:
>
>> Which Keycloak version are you using? If it's older than 1.9.8.Final,
>> then it's suggested to upgrade as there were caching fixes meanwhile.
>>
>> There is also possibility to disable caching in keycloak-server.json (or
>> in standalone.xml in latest version). It's mentioned in the docs how to
>> do it.
>>
>> Finally it may also help if you have opportunity to try with 2 Keycloak
>> cluster nodes configured against same DB node. This may help to better
>> isolate the problem and see if it's related to caching or to MariaDB
>> cluster.
>>
>> Marek
>>
>> On 10/10/16 22:31, Josh Cain wrote:
>> > Hi all,
>> >
>> > We're running into a problem with a couple of MariaDB instances +
>> > Galera. When I go to add a client on the first Keycloak node/DB (we'll
>> > call it DB01), it adds successfully. I can then go to the second
>> > Keycloak Node/DB (call this one DB02) and do not see the client on the
>> > 'clients' list. However, if I were to add the same client on DB02, I
>> > get the expected 'client with ID already exists' message. What's more,
>> > if I bounce the Keycloak node that talks to DB02, the client list
>> > populates with the new entry added at DB01.
>> >
>> > Was guessing it's some kind of caching issue - is there a setting where
>> > I can alter this behavior?
>> >
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>

From adam.keily at adelaide.edu.au Wed Oct 12 22:27:04 2016 From: adam.keily at adelaide.edu.au (Adam Keily) Date: Thu, 13 Oct 2016 02:27:04 +0000 Subject: [keycloak-user] User Session Note Mapper In-Reply-To: <64026fbd-b214-e94b-c348-58b8fbe7a8a5@redhat.com> References: <51589e2c-690f-2ea3-6f87-2e395cc1390f@redhat.com> <64026fbd-b214-e94b-c348-58b8fbe7a8a5@redhat.com> Message-ID: Great. Thanks.

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, 12 October 2016 5:37 PM
To: Adam Keily ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] User Session Note Mapper

Np, I've created JIRA already when I was on it https://issues.jboss.org/browse/KEYCLOAK-3689 . Feel free to add as watcher.
Thanks, Marek

On 12/10/16 08:55, Marek Posolda wrote:
> Instead there are 2 userSession notes added after broker login :
> "identity_provider" - ID (alias) of the identity/social provider used
> to login "identity_provider_identity" - IdentityProvider identity
> (username) of the authenticated user

From huazonglin at gmail.com Thu Oct 13 00:13:02 2016 From: huazonglin at gmail.com (Joey) Date: Thu, 13 Oct 2016 12:13:02 +0800 Subject: [keycloak-user] Get error when I set https to keycloak and tomcat server. Message-ID: Hi Guys, I am trying to set up SSL for both the Keycloak and Tomcat servers. I applied for a free cert from http://www.cacert.org. I installed the cert on my Keycloak server following document sections 7.3 and 7.4 https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html and installed the cert on my Tomcat server following https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html. I started the Keycloak server over https and it works fine. But when I started Tomcat with my application (it works fine with http; I changed everything from http to https in all configuration files) I saw this error message in the Tomcat server log. Can anyone help me out of this problem? Thank you.

ERROR MESSAGE

2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG org.springframework.web.servlet.DispatcherServlet - Servlet 'spring' configured successfully
Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Could not obtain configuration from server [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c-sso-test/.well-known/uma-configuration].
        at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:82)
        at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:56)
        at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:59)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118)
        at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133)
        at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
        ... 10 more
Caused by: java.lang.NullPointerException
        at java.lang.String.<init>(String.java:566)
        at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103)
        at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
        at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:80)
        ... 20 more
Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig deployWAR
SEVERE: Error deploying web application archive /root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:903)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

From sthorger at redhat.com Thu Oct 13 02:09:28 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 13 Oct 2016 08:09:28 +0200 Subject: [keycloak-user] custom locale not loaded from theme module In-Reply-To: References: Message-ID: This is explained in the internationalization section on https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/themes.html

On 7 October 2016 at 17:29, Mark Hayen wrote:
> Hi,
>
> We're upgrading to 2.2.1.Final and run into a problem with our locale 'nl'.
>
> Together with a new theme we've added dutch translations. We use this as
> a module.
>
> now the dutch locale isn't loaded when following the instructions on
> keycloak.org about the theme.properties etc.
> > after trying out a lot of combinations I could only get it to work when > I also added my locale to the theme.properties > > of the base themes login, email and account like this > "locales=nl,ca,de,en,es,fr,it,ja,lt,no,pt-BR,ru". > > this used not to be neccesary, at least not in 1.8.1.Final. > > Can you confirm this? > > Thank you > > Mark Hayen > > First8 B.V. > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Thu Oct 13 02:11:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 13 Oct 2016 08:11:16 +0200 Subject: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal object In-Reply-To: <452DD408-1ABF-4241-AF05-FB393D095607@edlogics.com> References: <452DD408-1ABF-4241-AF05-FB393D095607@edlogics.com> Message-ID: You need to do the redirect based authentication and not use direct grant if you want an SSO session. Why are you not just using the registration form on the Keycloak server? It can be changed to match exactly what you need? On 10 October 2016 at 15:30, Chris Savory wrote: > I actually had a similar question for our register user workflow. We are > registering users on our site using our own custom registration form; in > this flow we use the Admin client to create the user in keycloak. Since > the user just gave us their un/pw it doesn?t make sense for us to send them > over to Keycloak to login, but rather we would like to passively log them > in either via the backend or via some ajax call. 
> > I know I can get a token if I do something like this, but I'm not sure if > it's going to drop all the right cookies back to the user's browser to > consider them logged in across all the clients: > > curl -d "client_id=admin-cli" -d "username=chris.savory at edlogics.com" > -d "password=password" -d "grant_type=password" > "/auth/realms//protocol/openid-connect/token" > > -- > > On 10/10/16, 3:23 AM, "keycloak-user-bounces at lists.jboss.org on behalf of > Stian Thorgersen" sthorger at redhat.com> wrote: > > By using token directly I assume you mean exchanging username/password > for > a token directly. I'd strongly recommend against this and it's not > something our adapters support directly. > > On 4 October 2016 at 15:36, Mariusz Chruscielewski - Info.nl < > mariusz at info.nl> wrote: > > > Hi. We are using Keycloak Tomcat Adapter to secure our webapp, after > we > > access a protected resource we are redirected to keycloak and after > login we > > go back to our app. After that, we can get KeycloakPrincipal object > from > > web context (request). > > > > Is there a way to create / get this object without using Tomcat > Adapter? > > We want to make an API call (like http://keycloak/auth/realms/ > > vi/protocol/openid-connect/token) and get (or create manually) this > > object using AccessTokenResponse (or any other object we can get > from API). > > > > The ultimate goal is to login to keycloak like the adapter does, but > directly from > > Java, without any interaction from the user on keycloak forms. > > > > Is it even possible?
> > > > Kind Regards, > > > > Mariusz Chruscielewski > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >

From michael_furman at hotmail.com Thu Oct 13 04:55:14 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Thu, 13 Oct 2016 08:55:14 +0000 Subject: [keycloak-user] How to configure OpenID Connect authentication? Message-ID: Hi all, I have started to learn Keycloak and I need your help. I have downloaded the Keycloak Standalone server 2.2.1 distribution from here http://www.keycloak.org/downloads.html I am trying to get openid-configuration without success using this URL: http://localhost:8080/auth/admin/master/console/#/realms/master/.well-known/openid-configuration I cannot find any clue here: https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/sso-protocols/oidc.html Trying to use the Demo distribution without success. Thank you in advance for your help. Best regards, Michael

From java at neposoft.com Thu Oct 13 09:53:19 2016 From: java at neposoft.com (java at neposoft.com) Date: Thu, 13 Oct 2016 09:53:19 -0400 Subject: [keycloak-user] KeycloakSpringBootConfigResolver not firing under eap 7 Message-ID: <32ee8b051bed1679de1f458954c6c72c.squirrel@neposoft.com> Hi group. Keycloak Spring Boot adapter works fine (driven by application.properties) under embedded tomcat, running off mvn spring-boot:run. Packaged into a war and deployed under jboss eap 7 (have installed the adapters) my rest endpoints are not protected anymore since KeycloakSpringBootConfigResolver is not wiring all that up. Anyone noticed this behavior?
keycloak* ver 2.2.1 Appreciate, john

From mposolda at redhat.com Thu Oct 13 11:08:40 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 13 Oct 2016 17:08:40 +0200 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> Message-ID: <226e61db-ac13-a63b-139e-0922f9f8aab4@redhat.com> And are both Keycloak nodes also in the same Infinispan cluster? Marek On 12.10.2016 at 23:27, Jared Blashka wrote: > We've got synchronous replication enabled. I've looked in the DB > tables for both galera nodes and the data is there. e.g. both DB nodes > have client 'myclient' but the UI for Keycloak node 2 doesn't list a > 'myclient'. But Keycloak will error if you try to add 'myclient' > saying it already exists. > > On Wed, Oct 12, 2016 at 4:42 PM, Marek Posolda > wrote: > > Then it's probably related to the Galera cluster rather than to > caching... > > Do you have the DB configured with synchronous replication (eg. > inserting some record on DB1 is successfully finished after the > record is successfully replicated to DB2 too)? > > You can maybe compare with the configuration in my docker image > https://github.com/mposolda/keycloak-mariadb > . I can't recall seeing > any issue like this, but not sure about other aspects of my > configuration (performance etc). > > Marek > > > On 12/10/16 19:08, Jared Blashka wrote: >> We're already running 1.9.8.Final. Our previous configuration was >> using 2 clustered nodes configured against the same DB node and >> we didn't run into this issue. >> >> On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda >> > wrote: >> >> Which Keycloak version are you using? If it's older than >> 1.9.8.Final, >> then it's suggested to upgrade as there were caching fixes >> meanwhile. >> >> There is also the possibility to disable caching in >> keycloak-server.json (or >> in standalone.xml in the latest version).
It's mentioned in the >> docs how to >> do it. >> >> Finally it may also help if you have the opportunity to try with >> 2 Keycloak >> cluster nodes configured against the same DB node. This may help >> to better >> isolate the problem and see if it's related to caching or to the >> MariaDB >> cluster. >> >> Marek >> >> On 10/10/16 22:31, Josh Cain wrote: >> > Hi all, >> > >> > We're running into a problem with a couple of MariaDB >> instances + >> > Galera. When I go to add a client on the first Keycloak >> node/DB (we'll >> > call it DB01), it adds successfully. I can then go to the >> second >> > Keycloak Node/DB (call this one DB02) and do not see the >> client on the >> > 'clients' list. However, if I were to add the same client >> on DB02, I >> > get the expected 'client with ID already exists' message. >> What's more, >> > if I bounce the Keycloak node that talks to DB02, the >> client list >> > populates with the new entry added at DB01. >> > >> > Was guessing it's some kind of caching issue - is there a >> setting where >> > I can alter this behavior? >> > >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >

From Dimitrios.Gkazgkas at tangoservices.lu Thu Oct 13 13:14:46 2016 From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST)) Date: Thu, 13 Oct 2016 17:14:46 +0000 Subject: [keycloak-user] SAML in a keycloak cluster Message-ID: The response from the list on my initial mails was: After content filtering, the message was empty. So I try to send the same mail without CC and without attachments. =========== Hello, We are trying to configure a SAML authentication system in a keycloak cluster. First, with only one node, we are currently managing to authenticate the SAML way. The architecture: --> we have one apache reverse proxy with a public and unique endpoint for saml authentication.
We can call the public URL: security.lu --> the reverse proxy will load-balance all calls that come on security.lu to two keycloak nodes: security1.lu and security2.lu (the private URLs). The issue that we have: --> The client that integrates saml has a tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is referring to security1.lu (the private address, as the keycloak node only knows its private address). --> If we arrive during the load-balancing on the security1.lu node, it will work. If I arrive on the second security2.lu node, it will fail. When I dig a little bit more, it's because in fact the SAMLRequest that is generated looks like this: xxxxx The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node: 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination From what I see there is, for the SAML client, a Clustering tab where I have currently nothing. Maybe I need to add some host nodes here? But I don't know how to proceed. Or is there any way to define both security1.lu and security2.lu in the SAML XML configuration that the client integrates? We have set proxy-address-forwarding=true Thank you for your help. Kr, Br Dimitrios Gkazgkas IT Solutions Architect ________________________________ **** DISCLAIMER **** http://www.tango.lu/maildisclaimer

From jeremy at jeremysimon.com Thu Oct 13 13:22:50 2016 From: jeremy at jeremysimon.com (Jeremy Simon) Date: Thu, 13 Oct 2016 13:22:50 -0400 Subject: [keycloak-user] Keycloak 2.2.1 Overlay on EAP 6.4.x Message-ID: Hi All, Is Keycloak 2.2.1's overlay supported on JBoss EAP 6.4.x (or thereabouts)? It appears it's more geared solely for Wildfly. We noticed the overlay is missing the keycloak specific standalone XML with SPI configurations.
And in the bin directory of the overlay, there's a keycloak-install.cli which has an 'embed-server' command that EAP doesn't seem to recognize. Previously we were on 1.7, running on EAP 6.4. We're in the process of upgrading our custom SPIs and noticed things are a bit different! Any insight appreciated! jeremy jeremy at jeremysimon.com

From ssilvert at redhat.com Thu Oct 13 13:48:14 2016 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 13 Oct 2016 13:48:14 -0400 Subject: [keycloak-user] Keycloak 2.2.1 Overlay on EAP 6.4.x In-Reply-To: References: Message-ID: <57FFC8DE.9010405@redhat.com> I don't know if the overlay dist is meant to run on EAP 6.4 or not. I do admit that I never tested the overlay dist against EAP 6.4 after we got rid of keycloak-server.json. However, to do the upgrade, you don't want to use the keycloak-install.cli. That CLI script is only for an overlay onto a server that has never had Keycloak installed before. For an upgrade, the procedure is to migrate your standalone.xml from the old server. Then you can use the migrate-json operation. That is documented in the "Migration from older versions" section of the server admin guide. That guide recommends that you do the operation in embedded mode, but that is not required. Stan On 10/13/2016 1:22 PM, Jeremy Simon wrote: > Hi All, > > Is Keycloak 2.2.1's overlay supported on JBoss EAP 6.4.x (or > thereabouts)? It appears it's more geared solely for Wildfly. We > noticed the overlay is missing the keycloak specific standalone XML > with SPI configurations. And in the bin directory of the overlay, > there's a keycloak-install.cli which has an 'embed-server' command > that EAP doesn't seem to recognize. > > Previously we were on 1.7, running on EAP 6.4. We're in the process > of upgrading our custom SPIs and noticed things are a bit different! > Any insight appreciated!
> > jeremy > jeremy at jeremysimon.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From chris.savory at edlogics.com Thu Oct 13 15:46:52 2016 From: chris.savory at edlogics.com (Chris Savory) Date: Thu, 13 Oct 2016 19:46:52 +0000 Subject: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal object In-Reply-To: References: <452DD408-1ABF-4241-AF05-FB393D095607@edlogics.com> Message-ID: <8156D771-6895-492D-A0BF-2D69BAA06F8F@edlogics.com> Stian, We aren't using the Keycloak registration because our app had existed for a couple of years before the current Kc integration. Our onboarding/registration process is pretty extensive and is about a 10 page angular flow that uses XHR requests to our server to create the data. Converting it over to using the Kc page that does a form/post would be very difficult for us. I'm curious why you say: "You need to do the redirect based authentication and not use direct grant if you want an SSO session." Is this a requirement or just a best practice? I ran a test with this scenario and I'm able to get a password based grant from our admin_cli client and then go to our app with that token (app is using a different, confidential client that has the Spring Security KC adapter configured) and it will not only recognize that token, but also establish a session for me. -- Christopher Savory From: Stian Thorgersen Reply-To: "stian at redhat.com" Date: Thursday, October 13, 2016 at 1:11 AM To: Chris Savory Cc: "Mariusz Chruscielewski - Info.nl" , "keycloak-user at lists.jboss.org" , David Hartfield Subject: Re: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal object You need to do the redirect based authentication and not use direct grant if you want an SSO session. Why are you not just using the registration form on the Keycloak server?
It can be changed to match exactly what you need? On 10 October 2016 at 15:30, Chris Savory wrote: I actually had a similar question for our register user workflow. We are registering users on our site using our own custom registration form; in this flow we use the Admin client to create the user in keycloak. Since the user just gave us their un/pw it doesn't make sense for us to send them over to Keycloak to login, but rather we would like to passively log them in either via the backend or via some ajax call. I know I can get a token if I do something like this, but I'm not sure if it's going to drop all the right cookies back to the user's browser to consider them logged in across all the clients: curl -d "client_id=admin-cli" -d "username=chris.savory at edlogics.com" -d "password=password" -d "grant_type=password" "/auth/realms//protocol/openid-connect/token" -- On 10/10/16, 3:23 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Stian Thorgersen" wrote: By using token directly I assume you mean exchanging username/password for a token directly. I'd strongly recommend against this and it's not something our adapters support directly. On 4 October 2016 at 15:36, Mariusz Chruscielewski - Info.nl < mariusz at info.nl> wrote: > Hi. We are using Keycloak Tomcat Adapter to secure our webapp, after we > access a protected resource we are redirected to keycloak and after login we > go back to our app. After that, we can get KeycloakPrincipal object from > web context (request). > > Is there a way to create / get this object without using Tomcat Adapter? > We want to make an API call (like http://keycloak/auth/realms/ > vi/protocol/openid-connect/token) and get (or create manually) this > object using AccessTokenResponse (or any other object we can get from API). > > The ultimate goal is to login to keycloak like the adapter does, but directly from
> Java, without any interaction from the user on keycloak forms. > > Is it even possible? > > Kind Regards, > > Mariusz Chruscielewski > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From cav at uniscope.jp Thu Oct 13 21:59:08 2016 From: cav at uniscope.jp (Carlos Villegas) Date: Fri, 14 Oct 2016 10:59:08 +0900 Subject: [keycloak-user] ECP example? Message-ID: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp> I want to secure a servlet REST application. My client is Java; so far I've been using apache httpclient. The Keycloak docs mention SAML ECP binding is supported, but I don't see an example. The admin pages seem to assume only POST or redirect binding. Does the client adapter support ECP binding? Any pointers or help on how to go about it? I need help on both the client adapter and how to use Keycloak as a SAML ECP IDP. Thanks, Carlos

From nielsbne at gmail.com Thu Oct 13 22:31:47 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Fri, 14 Oct 2016 12:31:47 +1000 Subject: [keycloak-user] Map SAML Subject NameID to user email Message-ID: Hi guys, I have a requirement to map a user email to the /saml:Subject/saml:NameID field in a Keycloak SAML client. I can see that someone else is asking for the same at http://stackoverflow.com/questions/39854398/sending-username-emailid-in-the-saml-req-as-nameid-to-keycloak without much luck. The mapper only maps attributes while I need to change the subject's identifier. Could anyone help with a thought on how that can be achieved?
Many thanks, Niels

From sthorger at redhat.com Fri Oct 14 03:55:16 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 14 Oct 2016 09:55:16 +0200 Subject: [keycloak-user] Keycloak 2.2.1 Overlay on EAP 6.4.x In-Reply-To: <57FFC8DE.9010405@redhat.com> References: <57FFC8DE.9010405@redhat.com> Message-ID: Overlay is only supported on WildFly 10 and EAP 7. On 13 October 2016 at 19:48, Stan Silvert wrote: > I don't know if the overlay dist is meant to run on EAP 6.4 or not. I > do admit that I never tested the overlay dist against EAP 6.4 after we > got rid of keycloak-server.json. > > However, to do the upgrade, you don't want to use the > keycloak-install.cli. That CLI script is only for an overlay onto a > server that has never had Keycloak installed before. > > For an upgrade, the procedure is to migrate your standalone.xml from the > old server. Then you can use the migrate-json operation. That is > documented in the "Migration from older versions" section of the server > admin guide. That guide recommends that you do the operation in > embedded mode, but that is not required. > > Stan > > On 10/13/2016 1:22 PM, Jeremy Simon wrote: > > Hi All, > > > > Is Keycloak 2.2.1's overlay supported on JBoss EAP 6.4.x (or > > thereabouts)? It appears it's more geared solely for Wildfly. We > > noticed the overlay is missing the keycloak specific standalone XML > > with SPI configurations. And in the bin directory of the overlay, > > there's a keycloak-install.cli which has an 'embed-server' command > > that EAP doesn't seem to recognize. > > > > Previously we were on 1.7, running on EAP 6.4. We're in the process > > of upgrading our custom SPIs and noticed things are a bit different! > > Any insight appreciated!
> > > > jeremy > > jeremy at jeremysimon.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From jeremy at jeremysimon.com Fri Oct 14 07:45:15 2016 From: jeremy at jeremysimon.com (Jeremy Simon) Date: Fri, 14 Oct 2016 07:45:15 -0400 Subject: [keycloak-user] Keycloak 2.2.1 Overlay on EAP 6.4.x In-Reply-To: References: <57FFC8DE.9010405@redhat.com> Message-ID: Ok, thank you for the info. Is that something which could be more specifically detailed in the docs? (a humble compatibility matrix?) jeremy jeremy at jeremysimon.com www.JeremySimon.com On Fri, Oct 14, 2016 at 3:55 AM, Stian Thorgersen wrote: > Overlay is only supported on WildFly 10 and EAP 7. > > On 13 October 2016 at 19:48, Stan Silvert wrote: > >> I don't know if the overlay dist is meant to run on EAP 6.4 or not. I >> do admit that I never tested the overlay dist against EAP 6.4 after we >> got rid of keycloak-server.json. >> >> However, to do the upgrade, you don't want to use the >> keycloak-install.cli. That CLI script is only for an overlay onto a >> server that has never had Keycloak installed before. >> >> For an upgrade, the procedure is to migrate your standalone.xml from the >> old server. Then you can use the migrate-json operation. That is >> documented in the "Migration from older versions" section of the server >> admin guide. That guide recommends that you do the operation in >> embedded mode, but that is not required. >> >> Stan >> >> On 10/13/2016 1:22 PM, Jeremy Simon wrote: >> > Hi All, >> > >> > Is Keycloak 2.2.1's overlay supported on JBoss EAP 6.4.x (or >> > thereabouts)? It appears it's more geared solely for Wildfly.
We >> > noticed the overlay is missing the keycloak specific standalone XML >> > with SPI configurations. And in the bin directory of the overlay, >> > there's a keycloak-install.cli which has an 'embed-server' command >> > that EAP doesn't seem to recognize. >> > >> > Previously we were on 1.7, running on EAP 6.4. We're in the process >> > of upgrading our custom SPIs and noticed things are a bit different! >> > Any insight appreciated! >> > >> > jeremy >> > jeremy at jeremysimon.com >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From jblashka at redhat.com Fri Oct 14 10:54:20 2016 From: jblashka at redhat.com (Jared Blashka) Date: Fri, 14 Oct 2016 10:54:20 -0400 Subject: [keycloak-user] Map SAML Subject NameID to user email In-Reply-To: References: Message-ID: Does setting the 'Name ID Format' option to email in the client settings not accomplish what you're looking for? That's supposed to use the user's email address as the NameID. Failing that, I know that if you use the 'persistent' Name ID format you can set an attribute of saml.persistent.name.id.for.$clientId for a user and the value of that field gets used as the NameID. Jared On Thu, Oct 13, 2016 at 10:31 PM, Niels Bertram wrote: > Hi guys, > > I have a requirement to map a user email to the /saml:Subject/saml:NameID > field in a Keycloak SAML client.
I can see that someone else is asking for > the same at > http://stackoverflow.com/questions/39854398/sending-username-emailid-in-the-saml-req-as-nameid-to-keycloak > without much luck. The mapper only maps attributes while I need to change > the subject's identifier. > > Could anyone help with a thought on how that can be achieved? > > Many thanks, > Niels > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From mr.jari.kuusisto at gmail.com Sat Oct 15 08:38:06 2016 From: mr.jari.kuusisto at gmail.com (Jari Kuusisto) Date: Sat, 15 Oct 2016 15:38:06 +0300 Subject: [keycloak-user] About using Spring Boot adapter Message-ID: Hello there, I am using an AngularJS client (frontend) and Spring Boot with Keycloak adapter (backend). In the backend, I am trying to expose an unprotected (naked) API for the client to use, so I would like to make sure that keycloak doesn't try to protect it. So I have the following questions related to using Keycloak with Spring Boot: 1) How does Keycloak intercept incoming HTTP requests: do incoming requests come to Spring Boot, and at what point does Keycloak come into play? Also, how can I make sure that certain Rest applications are left unprotected? From the documentation I can see a simple way of protecting certain URLs, but this brings me to my second question... 2) Where can I find full documentation about all the configuration possibilities for the Spring Boot Adapter? If I'll have to dive into the code, could someone kindly point to a correct starting point and give instructions on how to extract all of the configuration properties like "security collections" etc. (see below). The traditional "web.xml" is quite easy to read and understand, but it isn't a one-to-one mapping with the "application.properties" file content.
With further info it might be possible to use Spring Boot's code based configuration methods too. Thanks in advance, best regards, Jari --- The current documentation --- You also need to specify the J2EE security config that would normally go in the web.xml. Here's an example configuration:

keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure

keycloak.securityConstraints[0].securityCollections[1].name = admin stuff
keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = admin
keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /admin

From amaeztu at tesicnor.com Sat Oct 15 08:55:18 2016 From: amaeztu at tesicnor.com (Amaeztu) Date: Sat, 15 Oct 2016 14:55:18 +0200 Subject: [keycloak-user] About using Spring Boot adapter In-Reply-To: References: Message-ID: Hello, I'm using keycloak with spring boot and after trying for a while, I stuck with the spring security adapter. Just add the security starter and follow the documentation to set up the keycloak adapter, then you'll have the power of spring security combined with keycloak. For your second question, just configure spring security to leave the URLs you want unprotected. Regards Sent from my Sony Xperia phone ---- Jari Kuusisto wrote ---- >Hello there, I am using an AngularJS client (frontend) and Spring Boot with >Keycloak adapter (backend). In the backend, I am trying to expose an >unprotected (naked) API for the client to use, so I would like to make sure >that keycloak doesn't try to protect it.
So I have the following questions >related to using Keycloak with Spring Boot: > >1) How does Keycloak intercept incoming HTTP requests: do incoming requests >come to Spring Boot, and at what point does Keycloak come into play? >Also, how can I make sure that certain Rest applications are left >unprotected? From the documentation I can see a simple way of protecting >certain URLs, but this brings me to my second question... > >2) Where can I find full documentation about all the configuration >possibilities for the Spring Boot Adapter? If I'll have to dive into the >code, could someone kindly point to a correct starting point and give >instructions on how to extract all of the configuration properties >like "security collections" etc. (see below). The traditional "web.xml" is >quite easy to read and understand, but it isn't a one-to-one mapping with the >"application.properties" file content. With further info it might be >possible to use Spring Boot's code based configuration methods too. > >Thanks in advance, best regards, Jari > >--- The current documentation --- > >You also need to specify the J2EE security config that would normally go in >the web.xml.
Here's an example configuration: >
>keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
>keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
>keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
>keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure
>
>keycloak.securityConstraints[0].securityCollections[1].name = admin stuff
>keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = admin
>keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /admin
>_______________________________________________ >keycloak-user mailing list >keycloak-user at lists.jboss.org >https://lists.jboss.org/mailman/listinfo/keycloak-user

From java at neposoft.com Sat Oct 15 22:41:22 2016 From: java at neposoft.com (java_os) Date: Sat, 15 Oct 2016 22:41:22 -0400 Subject: [keycloak-user] About using Spring Boot adapter In-Reply-To: References: Message-ID: Around the same context, here is the pain I go through: My REST war is Spring Boot, which I want to protect through the keycloak spring security adapter, with no luck. I can see that the keycloak filter gets in first and authenticates the bearer fine, but then spring sec gets in, it redirects internally to the root context of my rest end point and starts the dance, getting into too many redirects. This is deployed on jboss eap 7, got all the adapters installed. Anyone here got a scenario like mine working, or are we saying spring sec is not working under jboss eap/ undertow? thx > Hello there, I am using an AngularJS client (frontend) and Spring Boot with > Keycloak adapter (backend). In the backend, I am trying to expose an > unprotected (naked) API for the client to use, so I would like to make > sure > that keycloak doesn't try to protect it.
So I have the following questions > related to using Keycloak with Spring Boot: > > 1) How does Keycloak intercept incoming HTTP requests: do incoming > requests > come to Spring Boot, and at what point does Keycloak come into play? > Also, how can I make sure that certain Rest applications are left > unprotected? From the documentation I can see a simple way of protecting > certain URLs, but this brings me to my second question... > > 2) Where can I find full documentation about all the configuration > possibilities for the Spring Boot Adapter? If I'll have to dive into the > code, could someone kindly point to a correct starting point and give > instructions on how to extract all of the configuration properties > like "security collections" etc. (see below). The traditional "web.xml" is > quite easy to read and understand, but it isn't a one-to-one mapping with the > "application.properties" file content. With further info it might be > possible to use Spring Boot's code based configuration methods too. > > Thanks in advance, best regards, Jari > > --- The current documentation --- > > You also need to specify the J2EE security config that would normally go > in > the web.xml.
Here's an example configuration: >
> keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
> keycloak.securityConstraints[0].securityCollections[0].authRoles[1] = user
> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure
>
> keycloak.securityConstraints[0].securityCollections[1].name = admin stuff
> keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = admin
> keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /admin
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From amaeztu at tesicnor.com Sun Oct 16 02:01:24 2016 From: amaeztu at tesicnor.com (Amaeztu) Date: Sun, 16 Oct 2016 08:01:24 +0200 Subject: [keycloak-user] About using Spring Boot adapter In-Reply-To: References: Message-ID: So are you trying to access the rest endpoint using a browser? Try to access it using a dedicated tool like Postman. Just grab an access token from the authentication endpoint and use it in the authorization header to access it. I originally had some problems with the browser similar to yours because of my reverse proxy filtering the cookie headers (which I think isn't your case). Sent from my Sony Xperia phone ---- java_os wrote ---- >Around the same context, here is the pain I go through: >My REST war is Spring Boot, which I want to protect through the keycloak >spring security adapter, with no luck. I can see that the keycloak filter gets >in first and authenticates the bearer fine, but then spring sec gets in, it >redirects internally to the root context of my rest end point and starts >the dance, getting into too many redirects. This is deployed on jboss eap >7, got all the adapters installed.
>Anyone here got a scenario like mine working, or are we saying spring sec >not working under jboss eap/ undertow? >thx > >> Hello there, I am using AngularJS client (fronted) and Spring Boot with >> Keycloak adapter (backend). In the backend, I am trying to expose a >> unprotected (naked) API for the client to use, so I would like to make >> sure >> that keycloak doesn't try to protect it. So I have the following questions >> related to using Keycloak with Spring Boot: >> >> 1) How the Keycloak intercepts incoming HTTP requests: do incoming >> requests >> come the Spring Boot and at what point the Keycloak comes into the play? >> Also, how can I make sure that certain Rest applications are left >> unprotected? From the documentation I can see a simple way of protecting >> certain URLs, but this brings me to my second question... >> >> 2) Where can I find full documentation about all the configuration >> possibilities for the Spring Boot Adapter? If I'll have to dive into the >> code, could some one kindly point a correct starting point and give >> instructions how to learn to extract all of the configuration properties >> like "security collections" etc. (see below). The traditional "web.xml" is >> quite easy the read and understand, but it isn't one-to-one mapping with >> "application.properties" file content. With further info it might be >> possible to use Spring Boot's code based configuration methods too. >> >> Thanks in advance, best regards, Jari >> >> --- The current documentation --- >> >> You also need to specify the J2EE security config that would normally go >> in >> the web.xml. 
>> Here's an example configuration:
>>
>> keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure
>>
>> keycloak.securityConstraints[0].securityCollections[1].name = admin stuff
>> keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = admin
>> keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /admin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From java at neposoft.com Sun Oct 16 06:11:23 2016
From: java at neposoft.com (java_os)
Date: Sun, 16 Oct 2016 06:11:23 -0400
Subject: [keycloak-user] About using Spring Boot adapter
In-Reply-To:
References:
Message-ID:

I call the REST from an SPA front (Angular), sending in the bearer token as Authorization in the HTTP header. I see the Keycloak filter configured through Spring Sec does work, but right after, Spring Sec redirects badly to the root context back and forth, and I get too many redirects back to the front.

This git (https://github.com/cternes/slackspace-angular-spring-keycloak) works OK on mvn spring:boot run on localhost and embedded Tomcat. I do the same but deployed in JBoss EAP 7 with Keycloak as a separate instance for auth.

Any more ideas? thx

> So are you trying to access the REST endpoint using a browser? Try to
> access it using a dedicated tool like Postman.
>
> Just grab an access token from the authentication endpoint and use it in
> the Authorization header to access it.
>
> I originally had some problems with the browser similar to yours because
> of my reverse proxy filtering the cookie headers (which I think isn't
> your case).
>
>
> Sent from my Sony Xperia™ phone
>
> ---- java_os wrote ----
>
>> Around the same context, here is the pain I go through.
>> My REST war is Spring Boot, which I want to protect through the Keycloak
>> Spring Security adapter, with no luck. I can see that the Keycloak filter gets
>> in first, authenticates the bearer fine, but then Spring Sec gets in, it
>> redirects internally to the root context of my REST endpoint and starts
>> the dance, getting into too many redirects. This is deployed on JBoss EAP
>> 7, got all the adapters installed.
>> Anyone here got a scenario like mine working, or are we saying Spring Sec
>> is not working under JBoss EAP/Undertow?
>> thx
>>
>>> Hello there, I am using an AngularJS client (frontend) and Spring Boot with
>>> Keycloak adapter (backend). In the backend, I am trying to expose an
>>> unprotected (naked) API for the client to use, so I would like to make sure
>>> that Keycloak doesn't try to protect it. So I have the following questions
>>> related to using Keycloak with Spring Boot:
>>>
>>> 1) How does Keycloak intercept incoming HTTP requests: do incoming requests
>>> come to Spring Boot, and at what point does Keycloak come into play?
>>> Also, how can I make sure that certain REST applications are left
>>> unprotected? From the documentation I can see a simple way of protecting
>>> certain URLs, but this brings me to my second question...
>>>
>>> 2) Where can I find full documentation about all the configuration
>>> possibilities for the Spring Boot Adapter? If I'll have to dive into the
>>> code, could someone kindly point to a correct starting point and give
>>> instructions on how to learn to extract all of the configuration properties
>>> like "security collections" etc. (see below). The traditional "web.xml" is
>>> quite easy to read and understand, but it isn't a one-to-one mapping with
>>> the "application.properties" file content. With further info it might be
>>> possible to use Spring Boot's code-based configuration methods too.
>>>
>>> Thanks in advance, best regards, Jari
>>>
>>> --- The current documentation ---
>>>
>>> You also need to specify the J2EE security config that would normally go in
>>> the web.xml. Here's an example configuration:
>>>
>>> keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure
>>>
>>> keycloak.securityConstraints[0].securityCollections[1].name = admin stuff
>>> keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = admin
>>> keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /admin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From java at neposoft.com Sun Oct 16 06:47:36 2016
From: java at neposoft.com (java_os)
Date: Sun, 16 Oct 2016 06:47:36 -0400
Subject: [keycloak-user] About using Spring Boot adapter
In-Reply-To:
References:
Message-ID:

If I switch to the Spring Boot adapter, it works on localhost embedded Tomcat, but deployed under JBoss/Undertow it does not even protect the endpoint. In the Spring Sec setup at least I can see it protects it, but I suspect it is Undertow that is the issue with the too many redirects. The only way I can get it working is standard JEE, protecting it by web.xml, but it's not what I want to do.

The guys at JBoss: wondering if they even tried this scenario that I'm facing.

thanks

> I call the REST from an SPA front (Angular), sending in the bearer token
> as Authorization in the HTTP header. I see the Keycloak filter configured through
> Spring Sec does work, but right after, Spring Sec redirects badly to the
> root context back and forth, and I get too many redirects back to the
> front.
> This git (https://github.com/cternes/slackspace-angular-spring-keycloak)
> works OK on mvn spring:boot run on localhost and embedded Tomcat. I do the
> same but deployed in JBoss EAP 7 with Keycloak as a separate instance for
> auth.
>
> Any more ideas? thx
>
>> So are you trying to access the REST endpoint using a browser? Try to
>> access it using a dedicated tool like Postman.
>>
>> Just grab an access token from the authentication endpoint and use it in
>> the Authorization header to access it.
>>
>> I originally had some problems with the browser similar to yours because
>> of my reverse proxy filtering the cookie headers (which I think isn't
>> your case).
>>
>>
>> Sent from my Sony Xperia™ phone
>>
>> ---- java_os wrote ----
>>
>>> Around the same context, here is the pain I go through.
>>> My REST war is Spring Boot, which I want to protect through the Keycloak
>>> Spring Security adapter, with no luck. I can see that the Keycloak filter
>>> gets
>>> in first, authenticates the bearer fine, but then Spring Sec gets in, it
>>> redirects internally to the root context of my REST endpoint and starts
>>> the dance, getting into too many redirects. This is deployed on JBoss EAP
>>> 7, got all the adapters installed.
>>> Anyone here got a scenario like mine working, or are we saying Spring
>>> Sec
>>> is not working under JBoss EAP/Undertow?
>>> thx
>>>
>>>> Hello there, I am using an AngularJS client (frontend) and Spring Boot
>>>> with
>>>> Keycloak adapter (backend).
In the backend, I am trying to expose a >>>> unprotected (naked) API for the client to use, so I would like to make >>>> sure >>>> that keycloak doesn't try to protect it. So I have the following >>>> questions >>>> related to using Keycloak with Spring Boot: >>>> >>>> 1) How the Keycloak intercepts incoming HTTP requests: do incoming >>>> requests >>>> come the Spring Boot and at what point the Keycloak comes into the >>>> play? >>>> Also, how can I make sure that certain Rest applications are left >>>> unprotected? From the documentation I can see a simple way of >>>> protecting >>>> certain URLs, but this brings me to my second question... >>>> >>>> 2) Where can I find full documentation about all the configuration >>>> possibilities for the Spring Boot Adapter? If I'll have to dive into >>>> the >>>> code, could some one kindly point a correct starting point and give >>>> instructions how to learn to extract all of the configuration >>>> properties >>>> like "security collections" etc. (see below). The traditional >>>> "web.xml" >>>> is >>>> quite easy the read and understand, but it isn't one-to-one mapping >>>> with >>>> "application.properties" file content. With further info it might be >>>> possible to use Spring Boot's code based configuration methods too. >>>> >>>> Thanks in advance, best regards, Jari >>>> >>>> --- The current documentation --- >>>> >>>> You also need to specify the J2EE security config that would normally >>>> go >>>> in >>>> the web.xml. 
>>>> Here's an example configuration:
>>>>
>>>> keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
>>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
>>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
>>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure
>>>>
>>>> keycloak.securityConstraints[0].securityCollections[1].name = admin stuff
>>>> keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = admin
>>>> keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /admin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>

From nielsbne at gmail.com Mon Oct 17 02:25:37 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Mon, 17 Oct 2016 16:25:37 +1000
Subject: [keycloak-user] Map SAML Subject NameID to user email
In-Reply-To:
References:
Message-ID:

Hi Jared,

setting the Name ID Format does not set the NameID field value to the email address of the user model. Whatever I set it to, the only value I can see in the SAML response is the realm user's username.

Thanks for pointing to the persistent Name ID configuration. Just to confirm, to make this work, one will also have to configure a Property Mapper in the SAML Client configuration with the following details:

Protocol: saml
Name: Swap NameID username for email
Consent Required: off
Mapper Type: User Attribute
User Attribute: email
Friendly Name: Email
SAML Attribute Name: saml.persistent.name.id.for.$clientId
SAML Attribute NameFormat: Unspecified

Does that look about right?

Thanks,
Niels

On Sat, Oct 15, 2016 at 12:54 AM, Jared Blashka wrote:

> Does setting the 'Name ID Format' option to email in the client settings
> not accomplish what you're looking for? That's supposed to use the user's
> email address as the NameID.
> Failing that, I know that if you use the 'persistent' Name ID format you
> can set an attribute of saml.persistent.name.id.for.$clientId for a user
> and the value of that field gets used as the NameID.
>
> Jared
>
> On Thu, Oct 13, 2016 at 10:31 PM, Niels Bertram wrote:
>
>> Hi guys,
>>
>> I have a requirement to map a user email to the /saml:Subject/saml:NameID
>> field in a Keycloak SAML client. I can see that someone else is asking for
>> the same at
>> http://stackoverflow.com/questions/39854398/sending-username-emailid-in-the-saml-req-as-nameid-to-keycloak
>> without much luck. The mapper only maps attributes while I need to change
>> the subject's identifier.
>>
>> Could anyone help with a thought on how that can be achieved?
>>
>> Many thanks,
>> Niels
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From musti.kuru at gmail.com Mon Oct 17 06:15:00 2016
From: musti.kuru at gmail.com (Mustafa Kuru)
Date: Mon, 17 Oct 2016 12:15:00 +0200
Subject: [keycloak-user] Keycloak Upgrade to 2.2.1
Message-ID:

Hi,

We are planning to upgrade Keycloak from 1.8.1 to 2.2.1. Is it a good time to upgrade, or should we better wait for the next release?

I know we are far behind the current version, but to be sure I would like to know if a newer release is coming soon.

thx.

Kind regards.

Mustafa Kuru

From nielsbne at gmail.com Mon Oct 17 06:30:25 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Mon, 17 Oct 2016 20:30:25 +1000
Subject: [keycloak-user] Keycloak angular SPA example does not work against an external Keycloak server - browser reject server response XHR
Message-ID:

Hi guys,

I have configured the keycloak angular example to utilise a production grade setup Keycloak server and the example ends up in an endless redirect loop. I can see that the Keycloak server POST response in the authorization code exchange contains 2 identical Access-Control-Allow-Credentials headers, which the Chrome browser cannot understand and then subsequently fails the XHR request. I included the full HTTP trace below for reference.

Keycloak server is 1.9.8 (RH SSO 7.0.0) and I tried 1.9.8 and 2.2.1 Keycloak JavaScript clients, but given the browsers refuse to accept the server response headers the client is pretty much irrelevant.

Did any of you ever come across this issue?

Cheers,
Niels

*Request*
URL: https://sso.server.com/auth/realms/[redacted]/protocol/openid-connect/token
Request Method: POST
Status Code: 200 OK
Remote Address: [redacted]:8080

*Request Headers*
POST /auth/realms/[redacted]/protocol/openid-connect/token HTTP/1.1
Host: sso.server.com
Connection: keep-alive
Content-Length: 205
Pragma: no-cache
Cache-Control: no-cache
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: http://localhost:8080/angular-product/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,de;q=0.6
Cookie: KEYCLOAK_STATE_CHECKER=[redacted];KC_RESTART=[redacted];KEYCLOAK_IDENTITY=[redacted];KEYCLOAK_SESSION=[redacted]

*Form Data*
code=[redacted]&grant_type=authorization_code&client_id=example-spa-app&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fangular-product%2F

*Response Headers*
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 06:13:24 GMT
Access-Control-Allow-Credentials: true    <-- Chrome cannot understand this
Access-Control-Allow-Credentials: true    <-- Chrome cannot understand this
Access-Control-Allow-Origin: http://localhost:8080
Access-Control-Expose-Headers: Access-Control-Allow-Methods
Content-Type: application/json
Content-Length: 3795
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive

From jblashka at redhat.com Mon Oct 17 08:46:37 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Mon, 17 Oct 2016 08:46:37 -0400
Subject: [keycloak-user] Map SAML Subject NameID to user email
In-Reply-To:
References:
Message-ID:

No, the saml.persistent name field doesn't need to be a mapper for the SAML assertion, it's only a user attribute. So you could add this attribute to users when they're created or imported, or even afterwards with some Admin API tooling. All that's required on the client end is setting the Name ID format field to "persistent".

Jared

On Mon, Oct 17, 2016 at 2:25 AM, Niels Bertram wrote:

> Hi Jared,
>
> setting the Name ID Format does not set the NameID field value to the
> email address of the user model. Whatever I set it to, the only value I can
> see in the SAML response is the realm user's username.
>
> Thanks for pointing to the persistent Name ID configuration. Just to
> confirm, to make this work, one will also have to configure a Property
> Mapper in the SAML Client configuration with the following details:
>
> Protocol: saml
> Name: Swap NameID username for email
> Consent Required: off
> Mapper Type: User Attribute
> User Attribute: email
> Friendly Name: Email
> SAML Attribute Name: saml.persistent.name.id.for.$clientId
> SAML Attribute NameFormat: Unspecified
>
>
> Does that look about right?
>
> Thanks,
> Niels
>
>
> On Sat, Oct 15, 2016 at 12:54 AM, Jared Blashka wrote:
>
>> Does setting the 'Name ID Format' option to email in the client settings
>> not accomplish what you're looking for?
That's supposed to use the user's >> email address as the NameID. >> Failing that, I know that if you use the 'persistent' Name ID format you >> can set an attribute of saml.persistent.name.id.for.$clientId for a user >> adnd the value of that field gets used as the NameID. >> >> Jared >> >> On Thu, Oct 13, 2016 at 10:31 PM, Niels Bertram >> wrote: >> >>> Hi guys, >>> >>> I have a requirement to map a user email to the /saml:Subject/saml:NameID >>> field in a Keycloak SAML client. I can see that someone else is asking >>> for >>> the same at >>> http://stackoverflow.com/questions/39854398/sending-username >>> -emailid-in-the-saml-req-as-nameid-to-keycloak >>> without much luck. The mapper only maps attributes while I need to change >>> the subjects identifier. >>> >>> Could anyone help with a thought on how that can be achieved? >>> >>> Many thanks, >>> Niels >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From sblanc at redhat.com Mon Oct 17 09:34:31 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 17 Oct 2016 15:34:31 +0200 Subject: [keycloak-user] About using Spring Boot adapter In-Reply-To: References: Message-ID: To recap : You have built a WAR with Spring-boot, that uses Spring-security and deployed on EAP 7 , correct ? I don't think we have tried this scenario indeed ;) Could you open a jira adding some more details and log files ? Thx, On Sun, Oct 16, 2016 at 12:47 PM, java_os wrote: > if i switch to spring boot adapter, it works localhost embedded tomcat, > but deployed under jboss/undertow it does not even protect the endpoint. > In spring sec setup at least i can see it protects it but i suspect is > undertow that is the isshe with the too many redirects. The only way i > canget it working is standard jee protecting ir by web.xml, but it's not > what i want to do. 
> The gus at jboss wondering if they even tried this scenario that Im facing. > thanks > > >I call the rest from a spa front(angular) sending in bearer token > >- Authorization in the http header. I see Keycloak filter configured > through > > spring sec does work , but right after spring sec redirects badly to the > > root context back and forth and getting too many redirects back to the > > front. > > This git ( https://github.com/cternes/slackspace-angular-spring-keycloak > ) > > works ok on mvn spring:boot run on localhost and embedded tomcat. I do > the > > same but deployed in jboss eap 7 with keycloack as separate instance for > > auth. > > > > Anymore ideas? thx > > > >> > > So are you trying to access the rest endpoint using a browser? Try to > >> access it using a dedicated tool like postman. > >> > >> Just grab an access token from the authentication endpoint and use it in > >> the authorization header to access it. > >> > >> I originally had some problems with the browser similar to yours because > >> of my reverse proxy filtering the cookie headers (which I think isn't > >> your case). > >> > >> > >> Nire Sony Xperia??? telefonotik bidalita > >> > >> ---- java_os igorleak idatzi du ---- > >> > >>>Around same context, here in the pain i go through > >>>My rest war is spring boot which i want to protect it through keycloak > >>>spring security adapter with no luck. I can see that keycloak filter > >>> gets > >>>in first, authenticates fine bearer, but then spring sec gets in, it > >>>redirects internally to the root context of my rest end point and starts > >>>the dance getting into too many redirects. This is deployed on jboss eap > >>>7, goa all the adapters installed. > >>>Anyone here got a scenario like mine working, or are we saying spring > >>> sec > >>>not working under jboss eap/ undertow? > >>>thx > >>> > >>>> Hello there, I am using AngularJS client (fronted) and Spring Boot > >>>> with > >>>> Keycloak adapter (backend). 
In the backend, I am trying to expose a > >>>> unprotected (naked) API for the client to use, so I would like to make > >>>> sure > >>>> that keycloak doesn't try to protect it. So I have the following > >>>> questions > >>>> related to using Keycloak with Spring Boot: > >>>> > >>>> 1) How the Keycloak intercepts incoming HTTP requests: do incoming > >>>> requests > >>>> come the Spring Boot and at what point the Keycloak comes into the > >>>> play? > >>>> Also, how can I make sure that certain Rest applications are left > >>>> unprotected? From the documentation I can see a simple way of > >>>> protecting > >>>> certain URLs, but this brings me to my second question... > >>>> > >>>> 2) Where can I find full documentation about all the configuration > >>>> possibilities for the Spring Boot Adapter? If I'll have to dive into > >>>> the > >>>> code, could some one kindly point a correct starting point and give > >>>> instructions how to learn to extract all of the configuration > >>>> properties > >>>> like "security collections" etc. (see below). The traditional > >>>> "web.xml" > >>>> is > >>>> quite easy the read and understand, but it isn't one-to-one mapping > >>>> with > >>>> "application.properties" file content. With further info it might be > >>>> possible to use Spring Boot's code based configuration methods too. > >>>> > >>>> Thanks in advance, best regards, Jari > >>>> > >>>> --- The current documentation --- > >>>> > >>>> You also need to specify the J2EE security config that would normally > >>>> go > >>>> in > >>>> the web.xml. 
> >>>> Here's an example configuration:
> >>>>
> >>>> keycloak.securityConstraints[0].securityCollections[0].name = insecure stuff
> >>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = admin
> >>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
> >>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /insecure
> >>>>
> >>>> keycloak.securityConstraints[0].securityCollections[1].name = admin stuff
> >>>> keycloak.securityConstraints[0].securityCollections[1].authRoles[0] = admin
> >>>> keycloak.securityConstraints[0].securityCollections[1].patterns[0] = /admin
> >>>> _______________________________________________
> >>>> keycloak-user mailing list
> >>>> keycloak-user at lists.jboss.org
> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>>
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> >
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Mon Oct 17 11:58:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 17:58:27 +0200
Subject: [keycloak-user] StaleCodeMessage on IDP Initiated SAML SSO
In-Reply-To:
References:
Message-ID:

Looks like it might be a bug. Can you create a JIRA please?

On 7 October 2016 at 22:43, Chris Brandhorst wrote:

> I have two Keycloak instances, A is an IdP for B. From the login screen of
> B, this works as it should.
> However, I can't get IDP Initiated SSO from A to B to work. I filled the
> "IDP Initiated SSO URL Name" field with a name (say "bbbbb") in A.
> When I try to navigate to: http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb
> I always end up with the following logging:
>
> 22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
> 22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
> 22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage
>
> Which in itself is not surprising, because indeed, there is no
> Authorization code in play here, but that's the whole idea of IDP Initiated
> SSO, no?
>
> What must I do to get this to work?
>
> Thanks,
> Chris Brandhorst
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Mon Oct 17 12:00:00 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 18:00:00 +0200
Subject: [keycloak-user] Run locally a Keycloak Server within a Java Maven Project
In-Reply-To:
References:
Message-ID:

KeycloakServer is used internally for our own testing. I would recommend just using the Keycloak standalone distribution, as it's just a simple zip file and can be installed and started with Maven, and even better with Arquillian.

On 10 October 2016 at 16:32, Charles Moulliard wrote:

> Hi,
>
> The Keycloak project proposes this class to start locally a Keycloak Server
> without the need to install a distribution of KeyCloak
>
> https://github.com/keycloak/keycloak/blob/2.2.1.Final/testsuite/integration/src/test/java/org/keycloak/testsuite/KeycloakServer.java#L51
>
> Unfortunately, the artefact "keycloak-testsuite-integration" containing the
> class is not published under a maven repository
> ("https://repository.jboss.org/nexus/content/groups/public/org/keycloak/").
> > Question : > > Is there an alternative approach that I could follow to run a local > KeycloakServer instance ? > > Best regards > > Charles > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Oct 17 12:00:46 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 17 Oct 2016 18:00:46 +0200 Subject: [keycloak-user] Impersonate User In-Reply-To: References: Message-ID: Not currently, but there's a request for it: https://issues.jboss.org/browse/KEYCLOAK-2339 On 10 October 2016 at 18:20, Chris Stephens wrote: > Hello, > > Is there any info inside the KeycloakAuthenticationToken or > KeycloakPrincipal that will tell you if an admin is currently impersonating > another user? > > Thank you > > > -- > Christopher Stephens > Web Developer | EdLogics > 414.335.6870 | chris.stephens at edlogics.com com> > www.edlogics.com > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From java at neposoft.com Mon Oct 17 12:02:47 2016 From: java at neposoft.com (java_os) Date: Mon, 17 Oct 2016 12:02:47 -0400 Subject: [keycloak-user] About using Spring Boot adapter In-Reply-To: References: Message-ID: <09f49d01c03f6c299c7af9017918e608.squirrel@neposoft.com> It is correct. I am opening a jira now. Thank you. > To recap : > > You have built a WAR with Spring-boot, that uses Spring-security and > deployed on EAP 7 , correct ? > I don't think we have tried this scenario indeed ;) > > Could you open a jira adding some more details and log files ? > > Thx, > > > > On Sun, Oct 16, 2016 at 12:47 PM, java_os wrote: > >> if i switch to spring boot adapter, it works localhost embedded tomcat, >> but deployed under jboss/undertow it does not even protect the endpoint. 
>> In the Spring Sec setup at least I can see it protects it, but I suspect it is
>> Undertow that is the issue with the too many redirects. The only way I
>> can get it working is standard JEE, protecting it by web.xml, but it's not
>> what I want to do.
>> The guys at JBoss: wondering if they even tried this scenario that I'm
>> facing.
>> thanks
>>
>> > I call the REST from an SPA front (Angular), sending in the bearer token
>> > as Authorization in the HTTP header. I see the Keycloak filter configured
>> through
>> > Spring Sec does work, but right after, Spring Sec redirects badly to
>> the
>> > root context back and forth, and I get too many redirects back to the
>> > front.
>> > This git (https://github.com/cternes/slackspace-angular-spring-keycloak)
>> > works OK on mvn spring:boot run on localhost and embedded Tomcat. I do
>> the
>> > same but deployed in JBoss EAP 7 with Keycloak as a separate instance
>> for
>> > auth.
>> >
>> > Any more ideas? thx
>> >
>> >> So are you trying to access the REST endpoint using a browser? Try to
>> >> access it using a dedicated tool like Postman.
>> >>
>> >> Just grab an access token from the authentication endpoint and use it
>> in
>> >> the Authorization header to access it.
>> >>
>> >> I originally had some problems with the browser similar to yours
>> because
>> >> of my reverse proxy filtering the cookie headers (which I think
>> isn't
>> >> your case).
>> >>
>> >>
>> >> Sent from my Sony Xperia™ phone
>> >>
>> >> ---- java_os wrote ----
>> >>
>> >>> Around the same context, here is the pain I go through.
>> >>> My REST war is Spring Boot, which I want to protect through the
>> Keycloak
>> >>> Spring Security adapter, with no luck. I can see that the Keycloak filter
>> >>> gets
>> >>> in first, authenticates the bearer fine, but then Spring Sec gets in, it
>> >>> redirects internally to the root context of my REST endpoint and
>> starts
>> >>> the dance, getting into too many redirects.
This is deployed on jboss >> eap >> >>>7, goa all the adapters installed. >> >>>Anyone here got a scenario like mine working, or are we saying spring >> >>> sec >> >>>not working under jboss eap/ undertow? >> >>>thx >> >>> >> >>>> Hello there, I am using AngularJS client (fronted) and Spring Boot >> >>>> with >> >>>> Keycloak adapter (backend). In the backend, I am trying to expose a >> >>>> unprotected (naked) API for the client to use, so I would like to >> make >> >>>> sure >> >>>> that keycloak doesn't try to protect it. So I have the following >> >>>> questions >> >>>> related to using Keycloak with Spring Boot: >> >>>> >> >>>> 1) How the Keycloak intercepts incoming HTTP requests: do incoming >> >>>> requests >> >>>> come the Spring Boot and at what point the Keycloak comes into the >> >>>> play? >> >>>> Also, how can I make sure that certain Rest applications are left >> >>>> unprotected? From the documentation I can see a simple way of >> >>>> protecting >> >>>> certain URLs, but this brings me to my second question... >> >>>> >> >>>> 2) Where can I find full documentation about all the configuration >> >>>> possibilities for the Spring Boot Adapter? If I'll have to dive >> into >> >>>> the >> >>>> code, could some one kindly point a correct starting point and give >> >>>> instructions how to learn to extract all of the configuration >> >>>> properties >> >>>> like "security collections" etc. (see below). The traditional >> >>>> "web.xml" >> >>>> is >> >>>> quite easy the read and understand, but it isn't one-to-one mapping >> >>>> with >> >>>> "application.properties" file content. With further info it might >> be >> >>>> possible to use Spring Boot's code based configuration methods too. >> >>>> >> >>>> Thanks in advance, best regards, Jari >> >>>> >> >>>> --- The current documentation --- >> >>>> >> >>>> You also need to specify the J2EE security config that would >> normally >> >>>> go >> >>>> in >> >>>> the web.xml. 
Here??????????????s an example configuration: >> >>>> >> >>>> keycloak.securityConstraints[0].securityCollections[0].name = >> insecure >> >>>> stuff >> >>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] >> = >> >>>> admin >> >>>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0] >> = >> >>>> user >> >>>> keycloak.securityConstraints[0].securityCollections[0].patterns[0] >> = >> >>>> /insecure >> >>>> >> >>>> keycloak.securityConstraints[0].securityCollections[1].name = admin >> >>>> stuff >> >>>> keycloak.securityConstraints[0].securityCollections[1].authRoles[0] >> = >> >>>> admin >> >>>> keycloak.securityConstraints[0].securityCollections[1].patterns[0] >> = >> >>>> /admin >> >>>> _______________________________________________ >> >>>> keycloak-user mailing list >> >>>> keycloak-user at lists.jboss.org >> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >>> >> >>> >> >>>_______________________________________________ >> >>>keycloak-user mailing list >> >>>keycloak-user at lists.jboss.org >> >>>https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >> > >> > >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From sthorger at redhat.com Mon Oct 17 12:04:33 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 17 Oct 2016 18:04:33 +0200 Subject: [keycloak-user] Keycloak Upgrade to 2.2.1 In-Reply-To: References: Message-ID: 2.3.0.CR1 should be out this week. I'd recommend testing that once it's out. Then upgrade to 2.3.0.Final once it's out. On 17 October 2016 at 12:15, Mustafa Kuru wrote: > Hi, > > We are planning to upgrade Keycloak from 1.8.1 to 2.2.1. Is it a good time > to upgrade or should we better wait for the next release? > > I know we are far behind the current version but to be sure would like to > know if a newer release coming soon. > > > thx. 
>
> Kind regards.
>
> Mustafa Kuru

From jeremy at jeremysimon.com Mon Oct 17 12:05:02 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Mon, 17 Oct 2016 12:05:02 -0400
Subject: [keycloak-user] Keycloak live in multiple data centers

Hi,

Has anyone done deployments of Keycloak in multiple data centers? Any thoughts, guidance, lessons learned on synchronization, etc? I'm interested in the whole spectrum from DR and fail-over to other data centers to well...anything.

jeremy
jeremy at jeremysimon.com

From sthorger at redhat.com Mon Oct 17 12:06:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 18:06:49 +0200
Subject: [keycloak-user] Keycloak 2.2.1 Overlay on EAP 6.4.x
References: <57FFC8DE.9010405@redhat.com>

Sure, we'll add it to the overlay zip itself as that can be automated and doesn't require manually updating.

On 14 October 2016 at 13:45, Jeremy Simon wrote:
> Ok, thank you for the info. Is that something which could be more
> specifically detailed in the docs? (a humble compatibility matrix?)
> jeremy
> jeremy at jeremysimon.com
> www.JeremySimon.com
>
>
> On Fri, Oct 14, 2016 at 3:55 AM, Stian Thorgersen wrote:
> > Overlay is only supported on WildFly 10 and EAP 7.
> >
> > On 13 October 2016 at 19:48, Stan Silvert wrote:
> >
> >> I don't know if the overlay dist is meant to run on EAP 6.4 or not. I
> >> do admit that I never tested the overlay dist against EAP 6.4 after we
> >> got rid of keycloak-server.json.
> >>
> >> However, to do the upgrade, you don't want to use the
> >> keycloak-install.cli. That cli script is only for an overlay onto a
> >> server that has never had Keycloak installed before.
> >>
> >> For an upgrade, the procedure is to migrate your standalone.xml from the
> >> old server. Then you can use the migrate-json operation. That is
> >> documented in the "Migration from older versions" section of the server
> >> admin guide. That guide recommends that you do the operation in
> >> embedded mode, but that is not required.
> >>
> >> Stan
> >>
> >> On 10/13/2016 1:22 PM, Jeremy Simon wrote:
> >> > Hi All,
> >> >
> >> > Is Keycloak 2.2.1's overlay supported on JBoss EAP 6.4.x (or
> >> > thereabouts)? It appears it's more geared solely for Wildfly. We
> >> > noticed the overlay is missing the keycloak specific standalone XML
> >> > with SPI configurations. And in the bin directory of the overlay,
> >> > there's a keycloak-install.cli which has an 'embed-server' command
> >> > that EAP doesn't seem to recognize.
> >> >
> >> > Previously we were on 1.7, running on EAP 6.4. We're in the process
> >> > of upgrading our custom SPIs and noticed things are a bit different!
> >> > Any insight appreciated!
> >> >
> >> > jeremy
> >> > jeremy at jeremysimon.com

From sthorger at redhat.com Mon Oct 17 12:06:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 18:06:56 +0200
Subject: [keycloak-user] Keycloak 2.2.1 Overlay on EAP 6.4.x
References: <57FFC8DE.9010405@redhat.com>

https://issues.jboss.org/browse/KEYCLOAK-3726

On 17 October 2016 at 18:06, Stian Thorgersen wrote:
> Sure, we'll add it to the overlay zip itself as that can be automated and
> doesn't require manually updating.

From sthorger at redhat.com Mon Oct 17 12:07:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 18:07:47 +0200
Subject: [keycloak-user] Keycloak 2.2.1 Overlay on EAP 6.4.x
References: <57FFC8DE.9010405@redhat.com>

By the way, if you have entitlements to EAP you may also have entitlements to RH-SSO, so you should be looking at that instead of Keycloak. See https://access.redhat.com/products/red-hat-single-sign-on for more details.

On 17 October 2016 at 18:06, Stian Thorgersen wrote:
> https://issues.jboss.org/browse/KEYCLOAK-3726

From sthorger at redhat.com Mon Oct 17 12:13:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 18:13:26 +0200
Subject: [keycloak-user] Get error when I set https to keycloak and tomcat server.

Looks like a bug in the authorization services when https is used. I assume you're using the authorization services? Can you create a JIRA please.

On 13 October 2016 at 06:13, Joey wrote:
> Hi Guys,
>
> I am trying to set up SSL for both the keycloak and tomcat server. I applied
> for a free cert from http://www.cacert.org. I installed the cert on my
> keycloak server following document 7.3 and 7.4
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html
>
> and installed the cert on my tomcat server following
> https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>
> I started the keycloak server with https, it works fine. But when I started
> tomcat with my application (it works fine with http, I changed
> everything from http to https in all configuration files)
> I saw this error message in the tomcat server log.
>
> Anyone can help me out of this problem, thank you.
>
> ERROR MESSAGE
>
> 2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG org.springframework.web.servlet.DispatcherServlet - Servlet 'spring' configured successfully
>
> Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase addChildInternal
> SEVERE: ContainerBase.addChild: start:
> org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162)
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>         at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
>         at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.RuntimeException: Could not obtain configuration from server [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c-sso-test/.well-known/uma-configuration].
>         at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:82)
>         at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:56)
>         at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:59)
>         at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118)
>         at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)
>         at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133)
>         at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75)
>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
>         at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
>         at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388)
>         at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
>         ... 10 more
> Caused by: java.lang.NullPointerException
>         at java.lang.String.<init>(String.java:566)
>         at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103)
>         at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
>         at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:80)
>         ... 20 more
>
> Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig deployWAR
> SEVERE: Error deploying web application archive /root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war
> java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:903)
>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
>         at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
>         at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)

From felipemarcelqs at gmail.com Mon Oct 17 14:25:24 2016
From: felipemarcelqs at gmail.com (Felipe Marcel)
Date: Mon, 17 Oct 2016 15:25:24 -0300
Subject: [keycloak-user] Make calls to Admin REST API to bearer-only clients

The type of access configured for my client is bearer-only. My question is: is it possible to make calls to the Admin Rest API with this client? If it's not possible, how could I access this API?

From sthorger at redhat.com Mon Oct 17 14:30:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:30:27 +0200
Subject: [keycloak-user] Keycloak live in multiple data centers

+1 If anyone has set up Keycloak on multiple data centers please share.

We are currently looking at this for RH-SSO (supported version of Keycloak).
The current plan in summary is:

* Database replicated synchronously
* Cross data center replication of sessions, as well as dealing with realm and user invalidations, using an external JBoss Data Grid instance (Red Hat JBoss Data Grid)

You can also take a look at the excellent write-up from Red Hat IT, who are using RH-SSO in multiple data centers:
http://developers.redhat.com/blog/2016/10/04/how-red-hat-re-designed-its-single-sign-on-sso-architecture-and-why/

On 17 October 2016 at 18:05, Jeremy Simon wrote:
> Hi,
>
> Has anyone done deployments of Keycloak in multiple data centers? Any
> thoughts, guidance, lessons learned on synchronization, etc? I'm
> interested in the whole spectrum from DR and fail-over to other data
> centers to well...anything.
>
> jeremy
> jeremy at jeremysimon.com

From sthorger at redhat.com Mon Oct 17 14:31:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:31:41 +0200
Subject: [keycloak-user] Make calls to Admin REST API to bearer-only clients

Not sure what you are asking here. If you want to invoke the admin endpoints you need to obtain a token. Bearer-only clients can only obtain a token if one is sent to them from another client.

On 17 October 2016 at 20:25, Felipe Marcel wrote:
> The type of access configured for my client is bearer-only. My question is:
> is it possible to make calls to the Admin Rest API with this client? If it's
> not possible, how could I access this API?

From sthorger at redhat.com Mon Oct 17 14:34:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:34:49 +0200
Subject: [keycloak-user] Galera Replication and Caching
In-Reply-To: <226e61db-ac13-a63b-139e-0922f9f8aab4@redhat.com>
References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> <226e61db-ac13-a63b-139e-0922f9f8aab4@redhat.com>

Just to point out the maybe not so obvious - all realm configuration including clients is cached in an Infinispan invalidation cache. I've got no idea how to set up the Infinispan invalidation caches across data centers, but that would be required for entries to be re-loaded in one DC when updated in another DC.

On 13 October 2016 at 17:08, Marek Posolda wrote:
> And are both Keycloak nodes also in the same infinispan cluster?
>
> Marek
>
> On 12.10.2016 at 23:27 Jared Blashka wrote:
> > We've got synchronous replication enabled. I've looked in the DB
> > tables for both galera nodes and the data is there. e.g. both DB nodes
> > have client 'myclient' but the UI for Keycloak node 2 doesn't list a
> > 'myclient'. But Keycloak will error if you try to add 'myclient',
> > saying it already exists.
> >
> > On Wed, Oct 12, 2016 at 4:42 PM, Marek Posolda wrote:
> > > Then it's probably related to the Galera cluster rather than to
> > > caching...
> > >
> > > Do you have the DB configured with synchronous replication (eg.
> > > inserting some record on DB1 is successfully finished after the
> > > record is successfully replicated to DB2 too)?
> > >
> > > You can maybe compare with the configuration in my docker image
> > > https://github.com/mposolda/keycloak-mariadb . I can't recall seeing
> > > any issue like this, but not sure about other aspects of my
> > > configuration (performance etc).
> > >
> > > Marek
> > >
> > > On 12/10/16 19:08, Jared Blashka wrote:
> > > > We're already running 1.9.8.Final. Our previous configuration was
> > > > using 2 clustered nodes configured against the same DB node and
> > > > we didn't run into this issue.
> > > >
> > > > On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda wrote:
> > > > > Which Keycloak version are you using? If it's older than 1.9.8.Final,
> > > > > then it's suggested to upgrade as there were caching fixes meanwhile.
> > > > >
> > > > > There is also the possibility to disable caching in keycloak-server.json
> > > > > (or in standalone.xml in the latest version). It's mentioned in the
> > > > > docs how to do it.
> > > > >
> > > > > Finally it may also help if you have the opportunity to try with 2
> > > > > Keycloak cluster nodes configured against the same DB node. This may
> > > > > help to better isolate the problem and see if it's related to caching
> > > > > or to the MariaDB cluster.
> > > > >
> > > > > Marek
> > > > >
> > > > > On 10/10/16 22:31, Josh Cain wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > We're running into a problem with a couple of MariaDB instances +
> > > > > > Galera. When I go to add a client on the first Keycloak node/DB (we'll
> > > > > > call it DB01), it adds successfully. I can then go to the second
> > > > > > Keycloak node/DB (call this one DB02) and do not see the client on
> > > > > > the 'clients' list. However, if I were to add the same client on
> > > > > > DB02, I get the expected 'client with ID already exists' message.
> > > > > > What's more, if I bounce the Keycloak node that talks to DB02, the
> > > > > > client list populates with the new entry added at DB01.
> > > > > >
> > > > > > Was guessing it's some kind of caching issue - is there a setting
> > > > > > where I can alter this behavior?

From sthorger at redhat.com Mon Oct 17 14:35:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:35:31 +0200
Subject: [keycloak-user] ECP example?
In-Reply-To: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp>
References: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp>

The client adapters don't support SAML ECP, so you'd need to use a different SAML SP library for that.

On 14 October 2016 at 03:59, Carlos Villegas wrote:
> I want to secure a servlet REST application. My client is java, so far
> I've been using apache httpclient.
> The Keycloak docs mention SAML ECP binding is supported, but I don't see
> an example.
> The admin pages seem to assume only POST or redirect binding.
> Does the client adapter support ECP binding? Any pointers or help on how
> to go about it?
> I need help on both the client adapter and how to use Keycloak as a SAML
> ECP IDP.
>
> Thanks,
> Carlos

From sthorger at redhat.com Mon Oct 17 14:36:28 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:36:28 +0200
Subject: [keycloak-user] How to configure OpenID Connect authentication?

The correct URL is http://localhost:8080/auth/realms/master/.well-known/openid-configuration

On 13 October 2016 at 10:55, Michael Furman wrote:
> Hi all,
> I have started to learn Keycloak and I need your help.
> I have downloaded the Keycloak Standalone server 2.2.1 distribution from
> here http://www.keycloak.org/downloads.html
> I am trying to get openid-configuration without success using this URL:
> http://localhost:8080/auth/admin/master/console/#/realms/master/.well-known/openid-configuration
>
> I cannot find any clue here:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/sso-protocols/oidc.html
>
> Trying to use the Demo distribution without success.
> Thank you in advance for your help.
> Best regards,
> Michael

From sthorger at redhat.com Mon Oct 17 14:38:14 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:38:14 +0200
Subject: [keycloak-user] KeycloakSpringBootConfigResolver not firing under eap 7
In-Reply-To: <32ee8b051bed1679de1f458954c6c72c.squirrel@neposoft.com>
References: <32ee8b051bed1679de1f458954c6c72c.squirrel@neposoft.com>

AFAIK the Spring Boot adapter currently only works on Tomcat.

On 13 October 2016 at 15:53, wrote:
> Hi group.
> Keycloak Spring boot adapter works fine (driven by application.properties)
> under embedded tomcat, running off mvn spring-boot:run.
> Packaged into a war and deployed under jboss eap 7 (have installed the
> adapters) my rest endpoints are not protected anymore since
> KeycloakSpringBootConfigResolver is not wiring all that up.
> Anyone noticed this behavior? keycloak* ver 2.2.1
> Appreciate
> john

From sthorger at redhat.com Mon Oct 17 14:40:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:40:47 +0200
Subject: [keycloak-user] SAML in a keycloak cluster

Sounds like you haven't set things up properly, as Keycloak should see security.lu, not the internal addresses of the nodes. Take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html

On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu> wrote:
> The response from the list on my initial mails was: After content
> filtering, the message was empty
>
> So I try to send the same mail without CC and without attachment
>
> ===========
>
> Hello,
>
> We are trying to configure a SAML authentication system in a keycloak
> cluster. First, with only one node, we are currently managing to
> authenticate in SAML way.
>
> The architecture:
> --> we have one apache reverse proxy with a public and unique endpoint for
> saml authentication. We can call the public url: security.lu
> --> the reverse proxy will load-balance all calls that come on security.lu
> to two keycloak nodes: security1.lu and security2.lu (the private urls).
>
> The issue that we have:
> --> The client that integrates saml has a tomcat and integrates a
> keycloak-saml.xml file. Of course, in this file the configuration is
> referring to security1.lu (the private address, as the keycloak node only
> knows its private address).
> --> If we arrive during the load-balancing on the security1.lu node, it
> will work. If I arrive on the second security2.lu node, it will fail.
> When I dig a little bit more, it's because in fact the SAMLRequest that is
> generated looks like this:
>
> <samlp:AuthnRequest ... Destination="http://security1.lu:8080/realms/xxx/protocol/saml"
>     ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e"
>     IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0">
>   <saml:Issuer>xxxxx</saml:Issuer>
>   <samlp:NameIDPolicy AllowCreate="true"
>       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
> </samlp:AuthnRequest>
>
> The error that I get is an invalid_destination because we receive this
> SAMLRequest on the security2.lu node:
>
> 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
>
> From what I see there is, for the saml client, a Clustering tab where I
> currently have nothing. Maybe I need to add some host nodes here? But I
> don't know how to proceed.
>
> Or is there any way to define both security1.lu and security2.lu in the
> Saml XML configuration that the client integrates?
>
> We have set proxy-address-forwarding=true
>
> Thank you for your help.
>
> Kr,
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect

From sthorger at redhat.com Mon Oct 17 14:44:30 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 17 Oct 2016 20:44:30 +0200
Subject: [keycloak-user] Login to Keycloak using API and create KeycloakPrincipal object
In-Reply-To: <8156D771-6895-492D-A0BF-2D69BAA06F8F@edlogics.com>
References: <452DD408-1ABF-4241-AF05-FB393D095607@edlogics.com> <8156D771-6895-492D-A0BF-2D69BAA06F8F@edlogics.com>

On 13 October 2016 at 21:46, Chris Savory wrote:
> Stian,
>
> We aren't using the Keycloak registration because our app has existed for
> a couple of years before the current Kc integration. Our
> onboarding/registration process is pretty extensive and is about a 10 page
> angular flow that uses XHR requests to our server to create the data.
> Converting it over to using the Kc page that does a form/post would be
> very difficult for us.
>

Sounds like you have a valid requirement for using an external registration page. We have considered in the past adding the ability to do that, but it was left as just an open idea. One option would be to implement this yourself with a custom authenticator. Once you've completed the registration process you could issue a temporary authentication token, then redirect the user to authenticate on Keycloak. The custom authenticator could then verify this token and authenticate the user.

> I'm curious why you say: "You need to do the redirect based
> authentication and not use direct grant if you want an SSO session."
> Is this a requirement or just a best practice?
>

Requirement. If you want SSO with a centralized IdP you need to use redirect based authentication.
> > I ran a test with this scenario and I'm able to get a password based grant > from our admin_cli client and then go to our app with that token (app is > using a different, confidential client that has the Spring Security KC > adapter configured) and it will not only recognize that token, but also > establish a session for me. > You will only be authenticated to the application, but not have an SSO session. > > -- > Christopher Savory > > > > > From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Thursday, October 13, 2016 at 1:11 AM > To: Chris Savory > Cc: "Mariusz Chruscielewski - Info.nl" , " > keycloak-user at lists.jboss.org" , David > Hartfield > Subject: Re: [keycloak-user] Login to Keycloak using API and create > KeycloakPrincipal object > > You need to do the redirect based authentication and not use direct grant > if you want an SSO session. > > Why are you not just using the registration form on the Keycloak server? > It can be changed to match exactly what you need? > > On 10 October 2016 at 15:30, Chris Savory > wrote: > I actually had a similar question for our register user workflow. We are > registering users on our site using our own custom registration form; in > this flow we use the Admin client to create the user in keycloak. Since > the user just gave us their un/pw it doesn't make sense for us to send them > over to Keycloak to login, but rather we would like to passively log them > in either via the backend or via some ajax call. 
> > I know I can get a token if I do something like this, but I'm not sure if > it's going to drop all the right cookies back to the user's browser to > consider them logged in across all the clients: > > curl -d "client_id=admin-cli" -d "username=chris.savory at edlogics.com" > -d "password=password" -d "grant_type=password" > "/auth/realms//protocol/openid-connect/token" > > -- > > On 10/10/16, 3:23 AM, "keycloak-user-bounces at lists.jboss.org on behalf of > Stian Thorgersen" sthorger at redhat.com> wrote: > > By using token directly I assume you mean exchanging username/password > for > a token directly. I'd strongly recommend against this and it's not > something our adapters support directly. > > On 4 October 2016 at 15:36, Mariusz Chruscielewski - Info.nl < > mariusz at info.nl> wrote: > > > Hi. We are using Keycloak Tomcat Adapter to secure our webapp, after > we > > access protected resource we are redirected to keycloak and after > login we > > go back to our app. After that, we can get KeycloakPrincipal object > from > > web context (request). > > > > Is there a way to create / get this object without using Tomcat > Adapter ? > > We want to make API call (like http://keycloak/auth/realms/ > > vi/protocol/openid-connect/token) and get (or create manually) this > > object using AccessTokenResponse (or any other object we can get > from API). > > > > Ultimate goal is to login to keycloak like adapter does, but > directly from > > Java, without any interaction from user on keycloak forms. > > > > Is it even possible? 
> > > > Kind Regards, > > > > Mariusz Chruscielewski > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From sthorger at redhat.com Mon Oct 17 14:52:10 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 17 Oct 2016 20:52:10 +0200 Subject: [keycloak-user] Keycloak angular SPA example does not work against an external Keycloak server - browser reject server response XHR In-Reply-To: References: Message-ID: That's really strange. I can't see how Keycloak would add the header twice. By production grade what do you mean? Is there any changes you could have made that affects this? Is there a proxy in front of Keycloak that could affect it? On 17 October 2016 at 12:30, Niels Bertram wrote: > Hi guys, > > I have configured the keycloak angular example > demo-template/angular-product-app> > to utilise a production grade setup Keycloak server and the example ends up > in an endless redirect loop. > > I can see that the Keycloak server POST response in the authorization code > exchange contains 2 identical Access-Control-Allow-Credentials headers, > which the Chrome browser cannot understand and then subsequently fails the > XHR request. I included the full HTTP trace below for reference. > > Keycloak server is 1.9.8 (RH SSO 7.0.0) and I tried 1.9.8 and 2.2.1 > Keycloak JavaScript clients but given the browsers refuse to accept the > server response headers the client is pretty much irrelevant. > > Did anyone of you ever came across this issue? 
> > Cheers, > Niels > > > > *Request* > URL: > https://sso.server.com/auth/realms/[redacted]/protocol/ > openid-connect/token > Request Method:POST > Status Code:200 OK > Remote Address:[redacted]:8080 > > *Request Headers* > POST /auth/realms/[redacted]/protocol/openid-connect/token HTTP/1.1 > Host: sso.server.com > Connection: keep-alive > Content-Length: 205 > Pragma: no-cache > Cache-Control: no-cache > Origin: http://localhost:8080 > User-Agent: Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X) > AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 > Safari/601.1 > Content-type: application/x-www-form-urlencoded > Accept: */* > Referer: http://localhost:8080/angular-product/ > Accept-Encoding: gzip, deflate, br > Accept-Language: en-US,en;q=0.8,de;q=0.6 > Cookie: > KEYCLOAK_STATE_CHECKER=[redacted];KC_RESTART=[ > redacted];KEYCLOAK_IDENTITY=[redacted];KEYCLOAK_SESSION=[redacted] > > *Form Data* > code=[redacted]&grant_type=authorization_code&client_id= > example-spa-app&redirect_uri=http%3A%2F%2Flocalhost%3A8080% > 2Fangular-product%2F > > *Response Headers* > HTTP/1.1 200 OK > Date: Mon, 17 Oct 2016 06:13:24 GMT > *Access-Control-Allow-Credentials: true <-- Chrome cannot understand > this* > *Access-Control-Allow-Credentials: true** <-- Chrome cannot understand > this* > Access-Control-Allow-Origin: http://localhost:8080 > Access-Control-Expose-Headers: Access-Control-Allow-Methods > Content-Type: application/json > Content-Length: 3795 > Keep-Alive: timeout=5, max=97 > Connection: Keep-Alive > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sblanc at redhat.com Mon Oct 17 14:52:42 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 17 Oct 2016 20:52:42 +0200 Subject: [keycloak-user] Make calls to Admin REST API to bearer-only clients In-Reply-To: References: Message-ID: On Mon, Oct 17, 2016 at 8:25 PM, Felipe 
Marcel wrote: > The type of access configured for my client is bearer-only. My question is: > is it possible to make calls to the Admin REST API to this client? Do you mean "from this client" instead of "to this client" ? > If it's not > possible, how could I access this API? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jblashka at redhat.com Mon Oct 17 14:54:55 2016 From: jblashka at redhat.com (Jared Blashka) Date: Mon, 17 Oct 2016 14:54:55 -0400 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> <226e61db-ac13-a63b-139e-0922f9f8aab4@redhat.com> Message-ID: Both of our keycloak nodes are living in the same physical datacenter+networking space and are the only two nodes in an infinispan cluster; they're just each using a different Galera DB (and these are clustered synchronously together along with a 3rd Galera node). We were trying to validate that DB replication wouldn't break like it did for a similar configuration we were using earlier (using asynchronous DB replication). So the DB replication isn't breaking and appears to be functioning as expected, but it looks like there's data cached by each Keycloak node that doesn't get refreshed from the DB nor corrected by infinispan. So far the only thing we've noticed are changes not appearing in the Admin UI e.g. Realm/Client changes performed on Keycloak01 don't appear in the UI for Keycloak02 but *do* appear in Galera02. The issue doesn't seem to extend to client sessions; we haven't heard any issues of people being asked to log in multiple times. I'd be happy to run any specific tests in our set up if you want additional info. 
Jared On Mon, Oct 17, 2016 at 2:34 PM, Stian Thorgersen wrote: > Just to point out the maybe not so obvious - all realm configuration > including clients are cached in an Infinispan invalidation cache. I've got > no idea how to setup the Infinispan invalidation caches cross data centers, > but that would be required for entries to be re-loaded in one DC when > updated in another DC. > > On 13 October 2016 at 17:08, Marek Posolda wrote: > >> And are also both Keycloak nodes in the same infinispan cluster? >> >> Marek >> >> Dne 12.10.2016 v 23:27 Jared Blashka napsal(a): >> > We've got synchronous replication enabled. I've looked in the DB >> > tables for both galera nodes and the data is there. e.g. both DB nodes >> > have client 'myclient' but the UI for Keycloak node 2 doesn't list a >> > 'myclient'. But Keycloak will error if you try to add 'myclient' >> > saying it already exists. >> > >> > On Wed, Oct 12, 2016 at 4:42 PM, Marek Posolda > > > wrote: >> > >> > Then it's probably related to the Galera cluster rather then to >> > caching... >> > >> > Do you have DB configured with synchronous replication (eg. >> > inserting some record on DB1 is successfully finished after the >> > record is successfully replicated to DB2 too) ? >> > >> > You can maybe compare with the configuration in my docker image >> > https://github.com/mposolda/keycloak-mariadb >> > . I can't recall to >> > see any issue like this, but not sure about other aspects of my >> > configuration (performance etc). >> > >> > Marek >> > >> > >> > On 12/10/16 19:08, Jared Blashka wrote: >> >> We're already running 1.9.8.Final. Our previous configuration was >> >> using 2 clustered nodes configured against the same DB node and >> >> we didn't run into this issue. >> >> >> >> On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda >> >> > wrote: >> >> >> >> Which Keycloak version are you using? If it's older than >> >> 1.9.8.Final, >> >> then it's suggested to upgrade as there were caching fixes >> >> meanwhile. 
>> >> >> >> There is also possibility to disable caching in >> >> keycloak-server.json (or >> >> in standalone.xml in latest version). It's mentioned in the >> >> docs how to >> >> do it. >> >> >> >> Finally it may also help if you have opportunity to try with >> >> 2 Keycloak >> >> cluster nodes configured against same DB node. This may help >> >> to better >> >> isolate the problem and see if it's related to caching or to >> >> MariaDB >> >> cluster. >> >> >> >> Marek >> >> >> >> On 10/10/16 22:31, Josh Cain wrote: >> >> > Hi all, >> >> > >> >> > We're running into a problem with a couple of MariaDB >> >> instances + >> >> > Galera. When I go to add a client on the first Keycloak >> >> node/DB (we'll >> >> > call it DB01), it add successfully. I can then go to the >> >> second >> >> > Keycloak Node/DB (call this one DB02) and do not see the >> >> client on the >> >> > 'clients' list. However, if I were to add the same client >> >> on DB02, I >> >> > get the expected 'client with ID already exists' message. >> >> What's more, >> >> > if I bounce the Keycloak node that talks to DB02, the >> >> client list >> >> > populates with the new entry added at DB01. >> >> > >> >> > Was guessing it's some kind of caching issue - is there a >> >> setting where >> >> > I can alter this behavior? 
>> >> > >> >> >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> >> >> >> > >> > >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From java at neposoft.com Mon Oct 17 15:22:25 2016 From: java at neposoft.com (java_os) Date: Mon, 17 Oct 2016 15:22:25 -0400 Subject: [keycloak-user] KeycloakSpringBootConfigResolver not firing under eap 7 In-Reply-To: References: <32ee8b051bed1679de1f458954c6c72c.squirrel@neposoft.com> Message-ID: <59fc9cad116fd1f1f601b58efba49221.squirrel@neposoft.com> Thanks Sebastien - good to know. As long as we can do this through spring-security adapter on eap 7 as per my jira request: KEYCLOAK-3725 thanks > AFAIK the Spring Boot adapter currently only works on Tomcat. > > On 13 October 2016 at 15:53, wrote: > >> Hi group. >> Keycloak Spring boot adapter works fine (driven by >> application.properties) >> under embedded tomcat , running off mvn spring-boot:run. >> Packaged into a war and deployed under jboss eap 7 (have installed the >> adapters) my rest endpoints are not protected anymore since >> KeycloakSpringBootConfigResolver is not wiring all that up. >> Anyone noticed this behavior? 
Keycloak ver 2.2.1 >> Appreciate >> john >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From mposolda at redhat.com Mon Oct 17 15:55:23 2016 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 17 Oct 2016 21:55:23 +0200 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> <226e61db-ac13-a63b-139e-0922f9f8aab4@redhat.com> Message-ID: <21498753-dc3c-1baa-8248-66be990516a1@redhat.com> On 17/10/16 20:54, Jared Blashka wrote: > Both of our keycloak nodes are living in the same physical > datacenter+networking space and are the only two nodes in an > infinispan cluster; they're just each using a different Galera DB (and > these are clustered synchronously together along with a 3rd Galera > node). We were trying to validate that DB replication wouldn't break > like it did for a similar configuration we were using earlier (using > asynchronous DB replication). So the DB replication isn't breaking and > appears to be functioning as expected, but it looks like there's data > cached by each Keycloak node that doesn't get refreshed from the DB > nor corrected by infinispan. So far the only thing we've noticed are > changes not appearing in the Admin UI e.g. Realm/Client changes > performed on Keycloak01 don't appear in the UI for Keycloak02 but *do* > appear in Galera02. The issue doesn't seem to extend to client > sessions; we haven't heard any issues of people being asked to log in > multiple times. > > I'd be happy to run any specific tests in our set up if you want > additional info. 
Could you try this simple test like: - Create user in admin console on keycloak node1 - Verify that user is visible on keycloak node2 - Then update this user on node2 (For example change his firstName) - Go back to node1 and see if firstName was changed This is the similar test, which I've tried with 2 keycloak cluster nodes configured against 2 MariaDB Galera cluster nodes and it worked fine for me. The automated test is here if you want to take a look : https://github.com/mposolda/keycloak-mariadb/blob/master/mariadb-cluster-test/src/test/java/org/keycloak/test/UsersClusterTest.java . If this scenario works fine for you, then it's maybe just listing clients, which is somehow broken. Then it's high probability that I will reproduce in my environment too. Otherwise if user's scenario is broken for you as well, then it's probably something related to your environment setup though... Marek > Jared > > On Mon, Oct 17, 2016 at 2:34 PM, Stian Thorgersen > wrote: > > Just to point out the maybe not so obvious - all realm > configuration including clients are cached in an Infinispan > invalidation cache. I've got no idea how to setup the Infinispan > invalidation caches cross data centers, but that would be required > for entries to be re-loaded in one DC when updated in another DC. > > On 13 October 2016 at 17:08, Marek Posolda > wrote: > > And are also both Keycloak nodes in the same infinispan cluster? > > Marek > > Dne 12.10.2016 v 23:27 Jared Blashka napsal(a): > > We've got synchronous replication enabled. I've looked in the DB > > tables for both galera nodes and the data is there. e.g. > both DB nodes > > have client 'myclient' but the UI for Keycloak node 2 > doesn't list a > > 'myclient'. But Keycloak will error if you try to add 'myclient' > > saying it already exists. > > > > On Wed, Oct 12, 2016 at 4:42 PM, Marek Posolda > > > >> wrote: > > > > Then it's probably related to the Galera cluster rather > then to > > caching... 
> > > > Do you have DB configured with synchronous replication (eg. > > inserting some record on DB1 is successfully finished > after the > > record is successfully replicated to DB2 too) ? > > > > You can maybe compare with the configuration in my > docker image > > https://github.com/mposolda/keycloak-mariadb > > > > . I can't > recall to > > see any issue like this, but not sure about other > aspects of my > > configuration (performance etc). > > > > Marek > > > > > > On 12/10/16 19:08, Jared Blashka wrote: > >> We're already running 1.9.8.Final. Our previous > configuration was > >> using 2 clustered nodes configured against the same DB > node and > >> we didn't run into this issue. > >> > >> On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda > >> > >> wrote: > >> > >> Which Keycloak version are you using? If it's older > than > >> 1.9.8.Final, > >> then it's suggested to upgrade as there were > caching fixes > >> meanwhile. > >> > >> There is also possibility to disable caching in > >> keycloak-server.json (or > >> in standalone.xml in latest version). It's > mentioned in the > >> docs how to > >> do it. > >> > >> Finally it may also help if you have opportunity to > try with > >> 2 Keycloak > >> cluster nodes configured against same DB node. This > may help > >> to better > >> isolate the problem and see if it's related to > caching or to > >> MariaDB > >> cluster. > >> > >> Marek > >> > >> On 10/10/16 22:31, Josh Cain wrote: > >> > Hi all, > >> > > >> > We're running into a problem with a couple of MariaDB > >> instances + > >> > Galera. When I go to add a client on the first > Keycloak > >> node/DB (we'll > >> > call it DB01), it add successfully. I can then > go to the > >> second > >> > Keycloak Node/DB (call this one DB02) and do not > see the > >> client on the > >> > 'clients' list. However, if I were to add the > same client > >> on DB02, I > >> > get the expected 'client with ID already exists' > message. 
> >> What's more, > >> > if I bounce the Keycloak node that talks to DB02, the > >> client list > >> > populates with the new entry added at DB01. > >> > > >> > Was guessing it's some kind of caching issue - is > there a > >> setting where > >> > I can alter this behavior? > >> > > >> > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > > >> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >> > > >> > >> > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From jblashka at redhat.com Mon Oct 17 16:09:39 2016 From: jblashka at redhat.com (Jared Blashka) Date: Mon, 17 Oct 2016 16:09:39 -0400 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: <21498753-dc3c-1baa-8248-66be990516a1@redhat.com> References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> <226e61db-ac13-a63b-139e-0922f9f8aab4@redhat.com> <21498753-dc3c-1baa-8248-66be990516a1@redhat.com> Message-ID: I made a ReplUser on Keycloak01, was able to search for it and update it on Keycloak02. Set the first name to "blah" using Keycloak02. Refreshed the ReplUser page on Keycloak01 and I don't see a name change. If I search for ReplUser on the search page on Keycloak01 I can see "blah" in the first name column, but the first name inbox box is blank on the user details page. Jared On Mon, Oct 17, 2016 at 3:55 PM, Marek Posolda wrote: > On 17/10/16 20:54, Jared Blashka wrote: > > Both of our keycloak nodes are living in the same physical > datacenter+networking space and are the only two nodes in an infinispan > cluster; they're just each using a different Galera DB (and these are > clustered synchronously together along with a 3rd Galera node). 
We were > trying to validate that DB replication wouldn't break like it did for a > similar configuration we were using earlier (using asynchronous DB > replication). So the DB replication isn't breaking and appears to be > functioning as expected, but it looks like there's data cached by each > Keycloak node that doesn't get refreshed from the DB nor corrected by > infinispan. So far the only thing we've noticed are changes not appearing > in the Admin UI e.g. Realm/Client changes performed on Keycloak01 don't > appear in the UI for Keycloak02 but *do* appear in Galera02. The issue > doesn't seem to extend to client sessions; we haven't heard any issues of > people being asked to log in multiple times. > > I'd be happy to run any specific tests in our set up if you want > additional info. > > Could you try this simple test like: > > - Create user in admin console on keycloak node1 > - Verify that user is visible on keycloak node2 > - Then update this user on node2 (For example change his firstName) > - Go back to node1 and see if firstName was changed > > This is the similar test, which I've tried with 2 keycloak cluster nodes > configured against 2 MariaDB Galera cluster nodes and it worked fine for > me. The automated test is here if you want to take a look : > https://github.com/mposolda/keycloak-mariadb/blob/master/ > mariadb-cluster-test/src/test/java/org/keycloak/test/UsersClusterTest.java > . > > If this scenario works fine for you, then it's maybe just listing clients, > which is somehow broken. Then it's high probability that I will reproduce > in my environment too. Otherwise if user's scenario is broken for you as > well, then it's probably something related to your environment setup > though... > > Marek > > Jared > > On Mon, Oct 17, 2016 at 2:34 PM, Stian Thorgersen > wrote: > >> Just to point out the maybe not so obvious - all realm configuration >> including clients are cached in an Infinispan invalidation cache. 
I've got >> no idea how to setup the Infinispan invalidation caches cross data centers, >> but that would be required for entries to be re-loaded in one DC when >> updated in another DC. >> >> On 13 October 2016 at 17:08, Marek Posolda wrote: >> >>> And are also both Keycloak nodes in the same infinispan cluster? >>> >>> Marek >>> >>> Dne 12.10.2016 v 23:27 Jared Blashka napsal(a): >>> > We've got synchronous replication enabled. I've looked in the DB >>> > tables for both galera nodes and the data is there. e.g. both DB nodes >>> > have client 'myclient' but the UI for Keycloak node 2 doesn't list a >>> > 'myclient'. But Keycloak will error if you try to add 'myclient' >>> > saying it already exists. >>> > >>> > On Wed, Oct 12, 2016 at 4:42 PM, Marek Posolda >> > > wrote: >>> > >>> > Then it's probably related to the Galera cluster rather then to >>> > caching... >>> > >>> > Do you have DB configured with synchronous replication (eg. >>> > inserting some record on DB1 is successfully finished after the >>> > record is successfully replicated to DB2 too) ? >>> > >>> > You can maybe compare with the configuration in my docker image >>> > https://github.com/mposolda/keycloak-mariadb >>> > . I can't recall to >>> > see any issue like this, but not sure about other aspects of my >>> > configuration (performance etc). >>> > >>> > Marek >>> > >>> > >>> > On 12/10/16 19:08, Jared Blashka wrote: >>> >> We're already running 1.9.8.Final. Our previous configuration was >>> >> using 2 clustered nodes configured against the same DB node and >>> >> we didn't run into this issue. >>> >> >>> >> On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda >>> >> > wrote: >>> >> >>> >> Which Keycloak version are you using? If it's older than >>> >> 1.9.8.Final, >>> >> then it's suggested to upgrade as there were caching fixes >>> >> meanwhile. >>> >> >>> >> There is also possibility to disable caching in >>> >> keycloak-server.json (or >>> >> in standalone.xml in latest version). 
It's mentioned in the >>> >> docs how to >>> >> do it. >>> >> >>> >> Finally it may also help if you have opportunity to try with >>> >> 2 Keycloak >>> >> cluster nodes configured against same DB node. This may help >>> >> to better >>> >> isolate the problem and see if it's related to caching or to >>> >> MariaDB >>> >> cluster. >>> >> >>> >> Marek >>> >> >>> >> On 10/10/16 22:31, Josh Cain wrote: >>> >> > Hi all, >>> >> > >>> >> > We're running into a problem with a couple of MariaDB >>> >> instances + >>> >> > Galera. When I go to add a client on the first Keycloak >>> >> node/DB (we'll >>> >> > call it DB01), it add successfully. I can then go to the >>> >> second >>> >> > Keycloak Node/DB (call this one DB02) and do not see the >>> >> client on the >>> >> > 'clients' list. However, if I were to add the same client >>> >> on DB02, I >>> >> > get the expected 'client with ID already exists' message. >>> >> What's more, >>> >> > if I bounce the Keycloak node that talks to DB02, the >>> >> client list >>> >> > populates with the new entry added at DB01. >>> >> > >>> >> > Was guessing it's some kind of caching issue - is there a >>> >> setting where >>> >> > I can alter this behavior? >>> >> > >>> >> >>> >> _______________________________________________ >>> >> keycloak-user mailing list >>> >> keycloak-user at lists.jboss.org >>> >> >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >>> >> >>> >> >>> > >>> > >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > From cav at uniscope.jp Mon Oct 17 22:07:01 2016 From: cav at uniscope.jp (Carlos Villegas) Date: Tue, 18 Oct 2016 11:07:01 +0900 Subject: [keycloak-user] ECP example? In-Reply-To: References: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp> Message-ID: Hmm... I saw some classes in the adapters 2.2.1 code about ECP so I did some experiments. 
If I set the adapter as a regular POST binding and then send the headers Accept: application/vnd.paos+xml PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp the SP seems to respond the right way with a SOAP message that looks about right. Except it's not sending the Content-type header and then the Shibboleth java client I'm using to test doesn't react. I then patched the o.k.adapters.saml.profile.ecp.EcpAuthenticationHandler to set Content-Type: application/vnd.paos+xml and I get I little bit further. The client logins to the IDP and gets the tokens but after that it's not working. But at this point I don't know where the fault is, in the client or the SP. The client was not sending the right content type either to the IDP, which according to some other post, should be text/xml. I fixed that also on the client and seems to do the login now, I see the correct user attributes in the response. But after that it seems to get into some loop and I get some authentication error. Are you saying the adapters' ECP support is not completely functional? Thanks, Carlos On 10/18/2016 3:35 AM, Stian Thorgersen wrote: > The client adapters doesn't support SAML ECP so you'd need to use a > different SAML SP library for that. > > On 14 October 2016 at 03:59, Carlos Villegas > wrote: > > I want to secure a servlet REST application. My client is java, so far > I've been using apache httpclient. > The Keycloak docs mention SAML ECP binding is supported, but I > don't see > an example. > The admin pages seems to assume only POST or redirect binding. > Does the client adapter support ECP binding. Any pointers or help > on how > to go about it? > I need help on both the client adapter and how to use Keycloak as > a SAML > ECP IDP. 
> > Thanks, > Carlos > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From sthorger at redhat.com Tue Oct 18 01:21:24 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 18 Oct 2016 07:21:24 +0200 Subject: [keycloak-user] ECP example? In-Reply-To: References: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp> Message-ID: AFAIK we have no support for ECP in the adapters. Pedro can you comment? On 18 October 2016 at 04:07, Carlos Villegas wrote: > Hmm... I saw some classes in the adapters 2.2.1 code about ECP so I did > some experiments. > > If I set the adapter as a regular POST binding and then send the headers > > Accept: application/vnd.paos+xml > > PAOS: > ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0: > profiles:SSO:ecp > > the SP seems to respond the right way with a SOAP message that looks > about right. Except it's not sending the Content-type header and then > the Shibboleth java client I'm using to test doesn't react. I then > patched the o.k.adapters.saml.profile.ecp.EcpAuthenticationHandler to > set Content-Type: application/vnd.paos+xml and I get I little bit > further. The client logins to the IDP and gets the tokens but after that > it's not working. But at this point I don't know where the fault is, in > the client or the SP. The client was not sending the right content type > either to the IDP, which according to some other post, should be > text/xml. I fixed that also on the client and seems to do the login now, > I see the correct user attributes in the response. But after that it > seems to get into some loop and I get some authentication error. > > Are you saying the adapters' ECP support is not completely functional? 
> > Thanks, > Carlos > > On 10/18/2016 3:35 AM, Stian Thorgersen wrote: > > The client adapters doesn't support SAML ECP so you'd need to use a > > different SAML SP library for that. > > > > On 14 October 2016 at 03:59, Carlos Villegas > > wrote: > > > > I want to secure a servlet REST application. My client is java, so > far > > I've been using apache httpclient. > > The Keycloak docs mention SAML ECP binding is supported, but I > > don't see > > an example. > > The admin pages seems to assume only POST or redirect binding. > > Does the client adapter support ECP binding. Any pointers or help > > on how > > to go about it? > > I need help on both the client adapter and how to use Keycloak as > > a SAML > > ECP IDP. > > > > Thanks, > > Carlos > > > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Tue Oct 18 01:23:28 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 18 Oct 2016 07:23:28 +0200 Subject: [keycloak-user] Galera Replication and Caching In-Reply-To: References: <1476131481.5614.17.camel@redhat.com> <8642a0ea-d63e-8494-73d8-2dedcbaa3a93@redhat.com> <226e61db-ac13-a63b-139e-0922f9f8aab4@redhat.com> <21498753-dc3c-1baa-8248-66be990516a1@redhat.com> Message-ID: Search for users aren't cached, but the user itself is. It sounds like you don't have working Infinispan clustering setup and that the two nodes don't see each other. On 17 October 2016 at 22:09, Jared Blashka wrote: > I made a ReplUser on Keycloak01, was able to search for it and update it > on Keycloak02. Set the first name to "blah" using Keycloak02. Refreshed the > ReplUser page on Keycloak01 and I don't see a name change. 
> If I search for ReplUser on the search page on Keycloak01 I can see "blah" in the first name column, but the first name input box is blank on the user details page.
>
> Jared
>
> On Mon, Oct 17, 2016 at 3:55 PM, Marek Posolda wrote:
>> On 17/10/16 20:54, Jared Blashka wrote:
>>
>> Both of our keycloak nodes are living in the same physical datacenter+networking space and are the only two nodes in an infinispan cluster; they're just each using a different Galera DB (and these are clustered synchronously together along with a 3rd Galera node). We were trying to validate that DB replication wouldn't break like it did for a similar configuration we were using earlier (using asynchronous DB replication). So the DB replication isn't breaking and appears to be functioning as expected, but it looks like there's data cached by each Keycloak node that doesn't get refreshed from the DB nor corrected by infinispan. So far the only thing we've noticed are changes not appearing in the Admin UI e.g. Realm/Client changes performed on Keycloak01 don't appear in the UI for Keycloak02 but *do* appear in Galera02. The issue doesn't seem to extend to client sessions; we haven't heard any issues of people being asked to log in multiple times.
>>
>> I'd be happy to run any specific tests in our set up if you want additional info.
>>
>> Could you try this simple test like:
>>
>> - Create user in admin console on keycloak node1
>> - Verify that user is visible on keycloak node2
>> - Then update this user on node2 (For example change his firstName)
>> - Go back to node1 and see if firstName was changed
>>
>> This is the similar test, which I've tried with 2 keycloak cluster nodes configured against 2 MariaDB Galera cluster nodes and it worked fine for me.
>> The automated test is here if you want to take a look: https://github.com/mposolda/keycloak-mariadb/blob/master/mariadb-cluster-test/src/test/java/org/keycloak/test/UsersClusterTest.java
>>
>> If this scenario works fine for you, then it's maybe just listing clients, which is somehow broken. Then there is a high probability that I will reproduce it in my environment too. Otherwise, if the user scenario is broken for you as well, then it's probably something related to your environment setup though...
>>
>> Marek
>>
>> Jared
>>
>> On Mon, Oct 17, 2016 at 2:34 PM, Stian Thorgersen wrote:
>>> Just to point out the maybe not so obvious - all realm configuration including clients is cached in an Infinispan invalidation cache. I've got no idea how to set up the Infinispan invalidation caches across data centers, but that would be required for entries to be re-loaded in one DC when updated in another DC.
>>>
>>> On 13 October 2016 at 17:08, Marek Posolda wrote:
>>>> And are also both Keycloak nodes in the same infinispan cluster?
>>>>
>>>> Marek
>>>>
>>>> On 12.10.2016 at 23:27, Jared Blashka wrote:
>>>> > We've got synchronous replication enabled. I've looked in the DB tables for both galera nodes and the data is there. e.g. both DB nodes have client 'myclient' but the UI for Keycloak node 2 doesn't list a 'myclient'. But Keycloak will error if you try to add 'myclient' saying it already exists.
>>>> >
>>>> > On Wed, Oct 12, 2016 at 4:42 PM, Marek Posolda wrote:
>>>> >
>>>> > Then it's probably related to the Galera cluster rather than to caching...
>>>> >
>>>> > Do you have DB configured with synchronous replication (eg. inserting some record on DB1 is successfully finished after the record is successfully replicated to DB2 too)?
>>>> >
>>>> > You can maybe compare with the configuration in my docker image https://github.com/mposolda/keycloak-mariadb . I can't recall seeing any issue like this, but not sure about other aspects of my configuration (performance etc).
>>>> >
>>>> > Marek
>>>> >
>>>> > On 12/10/16 19:08, Jared Blashka wrote:
>>>> >> We're already running 1.9.8.Final. Our previous configuration was using 2 clustered nodes configured against the same DB node and we didn't run into this issue.
>>>> >>
>>>> >> On Wed, Oct 12, 2016 at 2:45 AM, Marek Posolda wrote:
>>>> >>
>>>> >> Which Keycloak version are you using? If it's older than 1.9.8.Final, then it's suggested to upgrade as there were caching fixes meanwhile.
>>>> >>
>>>> >> There is also the possibility to disable caching in keycloak-server.json (or in standalone.xml in the latest version). It's mentioned in the docs how to do it.
>>>> >>
>>>> >> Finally it may also help if you have the opportunity to try with 2 Keycloak cluster nodes configured against the same DB node. This may help to better isolate the problem and see if it's related to caching or to the MariaDB cluster.
>>>> >>
>>>> >> Marek
>>>> >>
>>>> >> On 10/10/16 22:31, Josh Cain wrote:
>>>> >> > Hi all,
>>>> >> >
>>>> >> > We're running into a problem with a couple of MariaDB instances + Galera. When I go to add a client on the first Keycloak node/DB (we'll call it DB01), it adds successfully. I can then go to the second Keycloak Node/DB (call this one DB02) and do not see the client on the 'clients' list. However, if I were to add the same client on DB02, I get the expected 'client with ID already exists' message. What's more, if I bounce the Keycloak node that talks to DB02, the client list populates with the new entry added at DB01.
>>>> >> >
>>>> >> > Was guessing it's some kind of caching issue - is there a setting where I can alter this behavior?

From Chris.Brandhorst at topicus.nl Tue Oct 18 03:09:28 2016
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Tue, 18 Oct 2016 07:09:28 +0000
Subject: [keycloak-user] StaleCodeMessage on IDP Initiated SAML SSO
In-Reply-To:
References:
Message-ID: <0E95A449-0E71-4194-9656-21A8281597B8@topicus.nl>

Done, see: https://issues.jboss.org/browse/KEYCLOAK-3731

On 17 Oct 2016, at 17:58, Stian Thorgersen wrote:

Looks like it might be a bug. Can you create a JIRA please?

On 7 October 2016 at 22:43, Chris Brandhorst wrote:

I have two Keycloak instances, A is an IdP for B. From the login screen of B, this works as it should. However, I can't get IDP Initiated SSO from A to B to work. I filled the "IDP Initiated SSO URL Name" field with a name (say "bbbbb") in A. When I try to navigate to:

http://aaaaa/auth/realms/his/protocol/saml/clients/bbbbb

I always end up with the following logging:

22:42:02,993 DEBUG [org.keycloak.services] (default task-23) Authorization code is not valid. Code: null
22:42:02,994 WARN [org.keycloak.events] (default task-23) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=127.0.0.1, error=staleCodeMessage
22:42:02,994 ERROR [org.keycloak.services] (default task-23) staleCodeMessage

Which in itself is not surprising, because indeed, there is no Authorization code in play here, but that's the whole idea of IDP Initiated SSO, no?

What must I do to get this to work?

Thanks,
Chris Brandhorst

From psilva at redhat.com Tue Oct 18 07:12:05 2016
From: psilva at redhat.com (Pedro Igor Craveiro e Silva)
Date: Tue, 18 Oct 2016 09:12:05 -0200
Subject: [keycloak-user] ECP example?
In-Reply-To:
References: <2a3485ca-c37a-0c55-9ae3-0cee700174df@uniscope.jp>
Message-ID: <1476789125.2477.59.camel@redhat.com>

We do have some very basic support for ECP on the SP side. The implementation is really specific to the Openstack use case and requirements. This capability is not advertised in any doc as we don't want people using it.

In Keycloak we have some tests [1] for SAML ECP that use this stuff, but that is all. Just to make sure our IdP is aligned with Openstack.

[1] https://github.com/keycloak/keycloak/blob/master/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlEcpProfileTest.java#L91

On Tue, 2016-10-18 at 07:21 +0200, Stian Thorgersen wrote:
> AFAIK we have no support for ECP in the adapters. Pedro can you comment?

-- 
Pedro Igor

From bmcwhirt at redhat.com Tue Oct 18 08:04:44 2016
From: bmcwhirt at redhat.com (Bob McWhirter)
Date: Tue, 18 Oct 2016 08:04:44 -0400
Subject: [keycloak-user] Run locally a Keycloak Server within a Java Maven Project
In-Reply-To:
References:
Message-ID:

Though not always the latest, we also distribute a -swarm.jar of the keycloak server from WildFly Swarm.

On Monday, October 17, 2016, Stian Thorgersen wrote:
> KeycloakServer is used internally for our own testing. I would recommend just using the Keycloak standalone distribution as it's just a simple zip file and can be installed and started with Maven and even better with Arquillian.
>
> On 10 October 2016 at 16:32, Charles Moulliard wrote:
>
> > Hi,
> >
> > The Keycloak project proposes this class to start locally a Keycloak Server without the need to install a distribution of KeyCloak
> >
> > https://github.com/keycloak/keycloak/blob/2.2.1.Final/testsuite/integration/src/test/java/org/keycloak/testsuite/KeycloakServer.java#L51
> >
> > Unfortunately, the artefact "keycloak-testsuite-integration" containing the class is not published under a maven repository ("https://repository.jboss.org/nexus/content/groups/public/org/keycloak/").
> >
> > Question :
> >
> > Is there an alternative approach that I could follow to run a local KeycloakServer instance ?
> >
> > Best regards
> >
> > Charles

From thomas.darimont at googlemail.com Tue Oct 18 08:35:45 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 18 Oct 2016 14:35:45 +0200
Subject: [keycloak-user] Run locally a Keycloak Server within a Java Maven Project
In-Reply-To:
References:
Message-ID:

Hello Charles,

you could also try running Keycloak embedded in a Spring Boot app: https://github.com/thomasdarimont/spring-boot-keycloak-server-example

Cheers,
Thomas

2016-10-18 14:04 GMT+02:00 Bob McWhirter :
> Though not always the latest, we also distribute a -swarm.jar of the keycloak server from WildFly Swarm.

From glavoie at gmail.com Tue Oct 18 09:49:20 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Tue, 18 Oct 2016 09:49:20 -0400
Subject: [keycloak-user] Performance issues with large number of realms (500+)
Message-ID:

Hi,

our Keycloak setup is being used in a multi-tenant fashion with a large number of realms assigned to different instances of our application (multiple customers). We are now seeing a few performance issues with the startup and administration.

First question: Do you have guidelines on a maximum number of realms that Keycloak should support before we split in smaller clusters?

I traced at least 2 things in the KC code that could be improved. Should I open tickets for both?

1 - Slow startup (5 minutes with 500 realms):
In the KeycloakApplication class constructor, the "isNewInstall()" test to check if the master realm must be created triggers the loading and caching of all realms. This loading seems to be hit with a similar issue that I had in the past with realm export: https://issues.jboss.org/browse/KEYCLOAK-2413

The named query that gets executed a lot of times in RealmAdapter.getAuthenticationExecution() triggers a flush within Hibernate every time.
If the flush mode gets set to "COMMIT" (can't be changed by default but I tested it), the loading time goes down to approximately 30 secs which is acceptable.

It would likely be a good idea to create a read-only transaction with the flush mode set to COMMIT during startup to pre-fill the cache, then continue with the rest of the initialization. When the cache is filled, accessing info on all realms seems to be fine.

2 - Slow display of the master realm admin screen.
When accessing the admin screen, AdminConsole.whoAmI() eventually processes all the roles on all the realms for the admin user. KeycloakModelUtils.searchFor() gets called a lot of times to navigate through all the composite permissions. With 500 realms, the user has about 6500 total permissions available. This part of the code would likely benefit a lot from a cache of the exploded composite permissions.

Thanks,

Gabriel

-- 
Gabriel Lavoie
glavoie at gmail.com

From sthorger at redhat.com Tue Oct 18 10:04:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 18 Oct 2016 16:04:51 +0200
Subject: [keycloak-user] Performance issues with large number of realms (500+)
In-Reply-To:
References:
Message-ID:

Keycloak was not designed to support multi-tenancy directly. We made the decision early on that we can't support true multi-tenancy and that has to be done through separate instances. This is for security reasons as well as the fact that we can't sandbox everything (like custom providers, custom themes, etc.). In that regard we have never tested with high amounts of realms as we expect there to be few realms (up to 10 most likely). Nor will we test this. We won't fix any issues related to high number of realms for this reason either. I'm not saying that we don't appreciate your case, but we have other priorities that we need to work on. However, if you are able to provide PRs that do not have any side effects (and also don't significantly complicate things) we would be happy to accept them.
On 18 October 2016 at 15:49, Gabriel Lavoie wrote:
> Hi,
> our Keycloak setup is being used in a multi-tenant fashion with a large number of realms assigned to different instances of our application (multiple customers). We are now seeing a few performance issues with the startup and administration.

From Christian.FREIMUELLER at frequentis.com Tue Oct 18 10:11:20 2016
From: Christian.FREIMUELLER at frequentis.com (FREIMUELLER Christian)
Date: Tue, 18 Oct 2016 14:11:20 +0000
Subject: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API
Message-ID:

Dear all,

I've a question regarding the authZ client.

Is there a way to connect the resources created with the client with policies/permissions via the API, or is there only the HMI (Admin Console) to make this connection?

The thing is we would like to use Keycloak for defining the access rights on thousands of resources (objects like database entries, files) and it would be very cumbersome to do this by hand for each single resource.

Or is this authorization service meant to be used in another way (protecting URI for applications) only?

Best regards,
Christian

From psilva at redhat.com Tue Oct 18 10:34:16 2016
From: psilva at redhat.com (Pedro Igor Craveiro e Silva)
Date: Tue, 18 Oct 2016 12:34:16 -0200
Subject: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API
In-Reply-To:
References:
Message-ID: <1476801256.2477.85.camel@redhat.com>

Hi Christian.

Currently we don't support that, but we have KEYCLOAK-3135 [1] which I think is related with what you are looking for. Actually, you can already do that via Keycloak Admin Client API, but we would like to come up with a better Client API and REST API for that.

Our roadmap includes not only URI protection, but also other use cases supported by UMA.

[1] https://issues.jboss.org/browse/KEYCLOAK-3135

On Tue, 2016-10-18 at 14:11 +0000, FREIMUELLER Christian wrote:
> Dear all,
>
> I've a question regarding the authZ client.
>
> Is there a way to connect the resources created with the client with policies/permissions via the API, or is there only the HMI (Admin Console) to make this connection?

-- 
Pedro Igor

From Dimitrios.Gkazgkas at tangoservices.lu Tue Oct 18 10:57:18 2016
From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST))
Date: Tue, 18 Oct 2016 14:57:18 +0000
Subject: [keycloak-user] SAML in a keycloak cluster
In-Reply-To:
References:
Message-ID:

Hello Stian,

Thank you for your response.

Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu", they just know that they are either security1.lu or security2.lu.

When we tried to overwrite the Saml XML configuration (that the client uses for integration) and put the public address "security.lu" we again had the same ERROR in Keycloak logs "reason=invalid_destination" probably due to the same root cause, the destination in the Saml AuthRequest was "Service.lu", an address unknown for keycloak inside the private network.
xxxxx

The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:

2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

From what I see there is for the saml client a Clustering tab where I have currently nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.

Or is there any way to define both security1.lu and security2.lu on the Saml XML configuration that the client integrates?

We have set proxy-address-forwarding=true

Thank you for your help.

Kr,
Br
Dimitrios Gkazgkas
IT Solutions Architect

________________________________
**** DISCLAIMER ****
http://www.tango.lu/maildisclaimer

From sthorger at redhat.com Tue Oct 18 14:12:24 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 18 Oct 2016 20:12:24 +0200
Subject: [keycloak-user] SAML in a keycloak cluster
In-Reply-To:
References:
Message-ID:

Please look at the documentation. It explains this.

On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu> wrote:
> Hello Stian,
>
> Thank you for your response.
>
> Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu", they just know that they are either security1.lu or security2.lu.
>
> When we tried to overwrite the Saml XML configuration (that the client uses for integration) and put the public address "security.lu" we again had the same ERROR in Keycloak logs "reason=invalid_destination" probably due to the same root cause, the destination in the Saml AuthRequest was "Service.lu", an address unknown for keycloak inside the private network.
>
> Destination="
>
> I attach our HA configuration. We do not use the built-in Load Balancer but an Apache Reverse Proxy which actually rewrites all internal URLs to public ones for outgoing traffic and the opposite for the incoming traffic. Thus there is not much left in the page you sent to be configured in our Keycloak.
>
> I hope I was clear. Any help would be highly appreciated.
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: 17 October 2016 20:41
> To: GKAZGKAS Dimitrios (TAN/MST)
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] SAML in a keycloak cluster
>
> Sounds like you haven't set up things properly as Keycloak should see security.lu, not the internal addresses of the nodes. Take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
>
> On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> The response from the list on my initial mails was: After content filtering, the message was empty
>
> So I try to send the same mail without CC and without attachment
>
> ===========
>
> Hello,
>
> We are trying to configure a SAML authentication system in a keycloak cluster. First, with only one node, we are currently managing to authenticate in SAML way.
>
> The architecture :
> --> we have one apache reverse proxy with a public and unique endpoint for saml authentication.
> We can call the public url: security.lu
>
> --> the reverse proxy will load-balance all calls that come on security.lu to two keycloak nodes: security1.lu and security2.lu (the private urls).
>
> The issue that we have:
> --> The client that integrates saml has a tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is referring to security1.lu (the private address as the keycloak node only knows its private address).
> --> If we arrive during the load-balancing on the security1.lu node, it will work. If I arrive on the second security2.lu node, it will fail. When I dig a little bit more, it's because in fact, the SAMLRequest that is generated looks like this:
>
> Destination="http://security1.lu:8080/realms/xxx/protocol/saml" ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0">xxxxx AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
>
> The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:
>
> 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
>
> From what I see there is for the saml client a Clustering tab where I have currently nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.
>
> Or is there any way to define both security1.lu and security2.lu on the Saml XML configuration that the client integrates?
>
> We have set proxy-address-forwarding=true
>
> Thank you for your help.
> > Kr, > > > > > > > Br > > Dimitrios Gkazgkas > IT Solutions Architect > > > > ________________________________ > > **** DISCLAIMER **** > http://www.tango.lu/maildisclaimer > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From Benjamin.Stadin at heidelberg-mobil.com Tue Oct 18 17:33:32 2016 From: Benjamin.Stadin at heidelberg-mobil.com (Stadin, Benjamin) Date: Tue, 18 Oct 2016 21:33:32 +0000 Subject: [keycloak-user] Scope based roles Message-ID: Hi, I want to keep my roles and permissions simple, but I have some specific requirements and I?m struggling to map these to Keycloak groups or roles. For an example, I need to assign users to predefined roles based on their current ?location?. Instead of describing the actual roles of my portal, I?ll use a student portal to give an example of what I?m looking for. It should be more self-explanatory. Think of a student portal where there is a ?global? area where students can see the courses they are enrolled in, and ?course? areas for each of the courses with course material etc: * Students can sign in to the student portal with their student id. They can see their courses on the ?global? page, but not others. * Students can?t create courses, but they can be administrators within selected courses (think of tutors which get another role assigned by a course?s professor) * Professors can see all courses, and create new ones. They can enroll students into courses and assign them a specific role for this course (e.g. tutor, guest, ?normal student?). * Professors have no permissions to courses they don?t own Roles and permissions. As mentioned above, there are two scopes global and course. A user has one role at a time, depending on his/her current location. * GLOBAL_PROFESSOR: This is the role a professor has on the global scope. 
Here she/he can create new courses, and administer (create, delete, open, close) his own courses. Has otherwise no permissions for courses of other professors. * COURSE_PROFESSOR: This is the role a professor has on the course scope. Here she/he has admin rights, can assign course roles to students etc. as explained above. * GLOBAL_STUDENT: The role a student has on the global scope. Here she/he can see courses, but can't do much else. * COURSE_STUDENT: The role a student has within the scope of a particular course. E.g. see all course materials, upload new stuff, post messages in a course forum, etc. * COURSE_TUTOR: Same as student, plus they can e.g. enroll students to the course, delete assets of other students of this course, etc. * COURSE_GUEST: Can view course content, but can't upload files or do much else but view and download stuff. I could create groups for each of the courses and each role, but that is actually what I'd rather want to avoid for maintenance reasons and simplicity. What group and role definition model would you suggest with Keycloak? Cheers Ben From java at neposoft.com Tue Oct 18 20:55:10 2016 From: java at neposoft.com (java_os) Date: Tue, 18 Oct 2016 20:55:10 -0400 Subject: [keycloak-user] method level role based authorization Message-ID: <5b05635203f01ca463aa976ff5a3ff27.squirrel@neposoft.com> Question to the group, I want to do method level role based authorization (aka @RolesAllowed) with the constraint that I cannot use Spring Security (broken in JBoss EAP7). Has anyone done this? I want to do it by annotations at method level, instead of cluttering the code with role checks that send 403 if the role is not allowed, which is ugly.
Thanks From sthorger at redhat.com Wed Oct 19 00:28:46 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 06:28:46 +0200 Subject: [keycloak-user] method level role based authorization In-Reply-To: <5b05635203f01ca463aa976ff5a3ff27.squirrel@neposoft.com> References: <5b05635203f01ca463aa976ff5a3ff27.squirrel@neposoft.com> Message-ID: You can do this with the regular EAP7 adapter, but you need to make sure the security context is propagated correctly. Check https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/jboss-adapter.html; it describes how to do it. Search that page for KeycloakLoginModule to quickly find it. On 19 October 2016 at 02:55, java_os wrote: > Question to the group, > I want to do method level role based authorization (aka @RolesAllowed) > with the constraint that I cannot use Spring Security (broken in JBoss > EAP7). > Has anyone done this? I want to do it by annotations at method level, > instead of cluttering the code with role checks that send 403 if the role is not > allowed, which is ugly. > Thanks > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From nielsbne at gmail.com Wed Oct 19 01:26:20 2016 From: nielsbne at gmail.com (Niels Bertram) Date: Wed, 19 Oct 2016 15:26:20 +1000 Subject: [keycloak-user] Keycloak angular SPA example does not work against an external Keycloak server - browser reject server response XHR In-Reply-To: References: Message-ID: Hi Stian, yes the kc server was setup with an apache reverse proxy in front of it. After I could not replicate the problem in a comparable vagrant build I took the test server apart and discovered that some smart cookie added a "Header always set Access-Control-Allow-Credentials true" to the apache reverse proxy configuration, which obviously will double up with what kc server returns.
The devs had issues with a custom jQuery implementation of an "sso session exists" check (... yes, the one already implemented in the keycloak.js adapter ...). Really sorry I wasted everyone's time. On Tue, Oct 18, 2016 at 4:52 AM, Stian Thorgersen wrote: > That's really strange. I can't see how Keycloak would add the header twice. > > By production grade what do you mean? Are there any changes you could have > made that affect this? Is there a proxy in front of Keycloak that could > affect it? > > On 17 October 2016 at 12:30, Niels Bertram wrote: > >> Hi guys, >> >> I have configured the keycloak angular example >> > emo-template/angular-product-app> >> to utilise a production-grade Keycloak server setup and the example ends >> up >> in an endless redirect loop. >> >> I can see that the Keycloak server POST response in the authorization code >> exchange contains 2 identical Access-Control-Allow-Credentials headers, >> which the Chrome browser cannot understand and then subsequently fails the >> XHR request. I included the full HTTP trace below for reference. >> >> Keycloak server is 1.9.8 (RH SSO 7.0.0) and I tried 1.9.8 and 2.2.1 >> Keycloak JavaScript clients but given the browsers refuse to accept the >> server response headers the client is pretty much irrelevant. >> >> Did any of you ever come across this issue?
>> >> Cheers, >> Niels >> >> *Request* >> URL: >> https://sso.server.com/auth/realms/[redacted]/protocol/openid-connect/token >> Request Method: POST >> Status Code: 200 OK >> Remote Address: [redacted]:8080 >> >> *Request Headers* >> POST /auth/realms/[redacted]/protocol/openid-connect/token HTTP/1.1 >> Host: sso.server.com >> Connection: keep-alive >> Content-Length: 205 >> Pragma: no-cache >> Cache-Control: no-cache >> Origin: http://localhost:8080 >> User-Agent: Mozilla/5.0 (iPad; CPU OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1 >> Content-type: application/x-www-form-urlencoded >> Accept: */* >> Referer: http://localhost:8080/angular-product/ >> Accept-Encoding: gzip, deflate, br >> Accept-Language: en-US,en;q=0.8,de;q=0.6 >> Cookie: KEYCLOAK_STATE_CHECKER=[redacted];KC_RESTART=[redacted];KEYCLOAK_IDENTITY=[redacted];KEYCLOAK_SESSION=[redacted] >> >> *Form Data* >> code=[redacted]&grant_type=authorization_code&client_id=example-spa-app&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fangular-product%2F >> >> *Response Headers* >> HTTP/1.1 200 OK >> Date: Mon, 17 Oct 2016 06:13:24 GMT >> Access-Control-Allow-Credentials: true <-- Chrome cannot understand this >> Access-Control-Allow-Credentials: true <-- Chrome cannot understand this >> Access-Control-Allow-Origin: http://localhost:8080 >> Access-Control-Expose-Headers: Access-Control-Allow-Methods >> Content-Type: application/json >> Content-Length: 3795 >> Keep-Alive: timeout=5, max=97 >> Connection: Keep-Alive >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sthorger at redhat.com Wed Oct 19 01:36:55 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 07:36:55 +0200 Subject: [keycloak-user] Keycloak angular SPA example does not work against an external
Keycloak server - browser reject server response XHR In-Reply-To: References: Message-ID: Np, pleased it's sorted On 19 October 2016 at 07:26, Niels Bertram wrote: > [...] From Christian.FREIMUELLER at frequentis.com Wed Oct 19 02:26:58 2016 From: Christian.FREIMUELLER at frequentis.com (FREIMUELLER Christian) Date: Wed, 19 Oct 2016 06:26:58
+0000 Subject: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API In-Reply-To: <1476801256.2477.85.camel@redhat.com> References: <1476801256.2477.85.camel@redhat.com> Message-ID: Thanks, Pedro, for the information - that helped me a lot. I will try to achieve this with the Admin Client API - I think you are referring to the clients CRUD API, aren't you? When is the improvement on the client API and REST API planned? -> the mentioned ticket below is currently without a proposed fix version... Kind regards, Christian -----Original Message----- From: Pedro Igor Craveiro e Silva [mailto:psilva at redhat.com] Sent: 18 October 2016 16:34 To: FREIMUELLER Christian; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API Hi Christian. Currently we don't support that, but we have KEYCLOAK-3135 [1] which I think is related to what you are looking for. Actually, you can already do that via Keycloak Admin Client API, but we would like to come up with a better Client API and REST API for that. Our roadmap includes not only URI protection, but also other use cases supported by UMA. [1] https://issues.jboss.org/browse/KEYCLOAK-3135 On Tue, 2016-10-18 at 14:11 +0000, FREIMUELLER Christian wrote: > Dear all, > > I've a question regarding the authZ client. > > Is there a way to connect the resources created with the client with > policies/permissions via the API, or is there only the HMI (Admin > Console) to make this connection? > > The thing is we would like to use Keycloak for defining the access > rights on thousands of resources (objects like database entries, > files) and it would be very cumbersome to do this by hand for each > single resource. > > Or is this authorization service meant to be used in another way > (protecting URI for applications) only?
> > Best regards, > Christian > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Pedro Igor From pulgupta at redhat.com Wed Oct 19 03:03:10 2016 From: pulgupta at redhat.com (Pulkit Gupta) Date: Wed, 19 Oct 2016 12:33:10 +0530 Subject: [keycloak-user] Spring security adapter for SAML Message-ID: Hi Team, I have an application with Spring Security configured. We are trying to migrate the same to keycloak. Do we have a Spring Security adapter for keycloak with SAML? I went through the documentation and can see that we have a spring adapter but that is for OpenID Connect. -- Thanks, Pulkit AMS From pulgupta at redhat.com Wed Oct 19 03:21:23 2016 From: pulgupta at redhat.com (Pulkit Gupta) Date: Wed, 19 Oct 2016 12:51:23 +0530 Subject: [keycloak-user] Null pointer in keycloak saml adapter Message-ID: Hi Everyone, I am seeing something unusual. We have multiple Keycloak configured applications on 2 LB JBoss boxes. One application is working perfectly fine. However in the other application I am getting the below error. As per the resolution on access.redhat.com it seems that this issue is related to some JBoss version and needs an upgrade. However I am not convinced, as if this is the case then how is the other application working fine? From the below code it seems this is a bug in keycloak itself. Can you please check if indeed this is correct. Also in case this is a bug then how can we proceed.

**CODE SNIPPET** org.keycloak.adapters.saml.CatalinaSamlSessionStore, line numbers 155-156:

GenericPrincipal principal = (GenericPrincipal) session.getPrincipal();
if (samlSession.getPrincipal().getName().equals(principal.getName()))   // <-- principal is dereferenced here (line 156 in the trace below)
    // in clustered environment in JBossWeb, principal is not serialized or saved
    if (principal == null) {...

We are first using the principal to get the name and then checking if the principal is null.
**ERROR**
2016-10-18 23:11:37,695 [ajp-/10.7.24.224:8009-21] ERROR [org.apache.catalina.connector] JBWEB001018: An exception or error occurred in the container during the request processing: java.lang.NullPointerException
at org.keycloak.adapters.saml.CatalinaSamlSessionStore.isLoggedIn(CatalinaSamlSessionStore.java:156)
at org.keycloak.adapters.saml.AbstractSamlAuthenticatorValve.invoke(AbstractSamlAuthenticatorValve.java:183)
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
at org.jboss.as.web.sso.ClusteredSingleSignOn.invoke(ClusteredSingleSignOn.java:356)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:559)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
at com.redhat.container.UTF8Valve.invoke(UTF8Valve.java:26)
at com.redhat.container.redirect.RedirectToInternalValve.invoke(RedirectToInternalValve.java:61)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
at java.lang.Thread.run(Thread.java:745)
-- Thanks, Pulkit AMS From Christian.FREIMUELLER at frequentis.com Wed Oct 19 05:35:55 2016 From: Christian.FREIMUELLER at frequentis.com (FREIMUELLER Christian) Date: Wed, 19 Oct 2016 09:35:55 +0000 Subject: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API References: <1476801256.2477.85.camel@redhat.com> Message-ID: Hi, me again on the same topic. I've created a test realm called "test-realm" with a test client called "MyClient"
and turned that one into a resource server via HMI and allowed remote resource creation. I tried to keep it simple for the test and created a ClientRepresentation instance with one resource and one policy. When I try to update the client using the Admin Client API "/admin/realms/{realm}/clients/{id}", in particular: /admin/realms/test-realm/clients/9d274eb7-e01e-4e6d-b9e9-eb384fa30170, the client object is transformed into the following JSON and sent to the Keycloak server:

{
  "name" : "MyClient",
  "authorizationServicesEnabled" : true,
  "authorizationSettings" : {
    "allowRemoteResourceManagement" : true,
    "policyEnforcementMode" : "ENFORCING",
    "resources" : [ {
      "name" : "ResourceName1",
      "policies" : [ {
        "id" : "PolicyId1",
        "name" : "PolicyName1",
        "logic" : "POSITIVE",
        "decisionStrategy" : "AFFIRMATIVE",
        "config" : { }
      } ],
      "_id" : "ResourceID1"
    } ],
    "policies" : [ {
      "id" : "PolicyId1",
      "name" : "PolicyName1",
      "logic" : "POSITIVE",
      "decisionStrategy" : "AFFIRMATIVE",
      "config" : { }
    } ],
    "scopes" : [ ]
  }
}

I receive a "400 Bad Request" response on the client side and on the server the following exception is thrown (detailed stack trace below): com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "authorizationSettings" I also tried remote debugging and indeed, this property of ClientRepresentation is not in the known properties list when Jackson tries to deserialize the JSON. Am I using the correct API for providing the policy/resource information? How can I make Jackson aware of the field "authorizationSettings"? Any other suggestions for managing the resources remotely?
Kind regards, Christian 2016-10-19 10:13:12,258 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-38) RESTEASY002005: Failed executing PUT /admin/realms/test-realm/clients/9d274eb7-e01e-4e6d-b9e9-eb384fa30170: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "authorizationSettings" (class org.keycloak.representations.idm.ClientRepresentation), not marked as ignorable (36 known properties: "enabled", "clientAuthenticatorType", "redirectUris", "useTemplateConfig", "clientId", "serviceAccountsEnabled", "authorizationServicesEnabled", "name", "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout", "publicClient", "attributes", "protocol", "webOrigins", "consentRequired", "protocolMappers", "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed", "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl", "bearerOnly", "secret", "useTemplateMappers", "notBefore", "useTemplateScope", "standardFlowEnabled", "description", "defaultRoles", "registrationAccessToken", "directAccessGrantsEnabled"]) at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1f8c2096; line: 1, column: 84] (through reference chain: org.keycloak.representations.idm.ClientRepresentation["authorizationSettings"]) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184) at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at 
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "authorizationSettings" (class org.keycloak.representations.idm.ClientRepresentation), not marked as ignorable (36 known properties: "enabled", "clientAuthenticatorType", "redirectUris", "useTemplateConfig", "clientId", "serviceAccountsEnabled", "authorizationServicesEnabled", "name", "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout", "publicClient", "attributes", "protocol", "webOrigins", "consentRequired", "protocolMappers", "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed", "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl", "bearerOnly", "secret", "useTemplateMappers", "notBefore", "useTemplateScope", "standardFlowEnabled", "description", "defaultRoles", "registrationAccessToken", "directAccessGrantsEnabled"]) at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1f8c2096; line: 1, column: 84] (through reference chain: org.keycloak.representations.idm.ClientRepresentation["authorizationSettings"]) at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:51) at com.fasterxml.jackson.databind.DeserializationContext.reportUnknownProperty(DeserializationContext.java:817) at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:958) at 
com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1324) at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownVanilla(BeanDeserializerBase.java:1302) at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:249) at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136) at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410) at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61) at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151) ... 50 more -----Original Message----- From: FREIMUELLER Christian Sent: 19 October 2016 08:27 To: 'Pedro Igor Craveiro e Silva' Cc: keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API Thanks, Pedro for the information - that helped me a lot. 
> > Best regards, > Christian > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Pedro Igor From psilva at redhat.com Wed Oct 19 07:05:48 2016 From: psilva at redhat.com (Pedro Igor Craveiro e Silva) Date: Wed, 19 Oct 2016 09:05:48 -0200 Subject: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API In-Reply-To: References: <1476801256.2477.85.camel@redhat.com> Message-ID: <1476875148.2171.31.camel@redhat.com> For resource management you should use AuthZ Client API. Here are some examples [1] about how to use this API and manage resources. Remote Resource Management is achieved by using our Protection API [2], which is basically a UMA-compliant endpoint for resource management operations. You can also look at PhotoZ Example [3] and see how we are using AuthZ Client + Protection API (Resource Registration) to manage resources remotely. Regarding the 400 error, you are not using the API correctly. When using Keycloak Admin Client, the first thing you need to do is obtain an AuthorizationResource for a given client/resource server:

// get the client
ClientRepresentation foo = realm.clients().findByClientId("foo-authz").get(0);
// get the AuthorizationResource
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();

From AuthorizationResource you have access to the same operations used by Keycloak Admin Console in order to manage authorization settings for a specific client/resource server. For some real examples about how to use AuthorizationResource, you may want to look at this test [4]. There we manage resources, scopes, permissions, policies, etc. Like I said, we are lacking policy management via Authz Client API. That is the right way to do it. For now the only way to achieve that is using Keycloak Admin Client.
If you really want to use Keycloak Admin Client for such operations, please do it in a way that you can easily replace the code once we update Authz Client API. Regards. Pedro Igor [1] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/service/client-api.html [2] https://keycloak.gitbooks.io/authorization-services-guide/content/topics/service/protection/resources-api-papi.html [3] https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/photoz-restful-api/src/main/java/org/keycloak/example/photoz/album/AlbumService.java#L110 [4] https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozExampleAdapterTest.java On Wed, 2016-10-19 at 09:35 +0000, FREIMUELLER Christian wrote: > Hi, > > me again on the same topic. > > I've created a test realm called "test-realm" with a test client > called "MyClient" and turned that one into a resource server via HMI > and allowed remote resource creation. > > I tried to keep it simple for the test and created a > ClientRepresentation instance with one resource and one policy. > When I try to update the client using the Admin Client API > "/admin/realms/{realm}/clients/{id}" > > In particular: /admin/realms/test-realm/clients/9d274eb7-e01e-4e6d- > b9e9-eb384fa30170 > > The client object is transformed into the following JSON and sent to > the Keycloak server > > { > "name" : "MyClient", > "authorizationServicesEnabled" : true, > "authorizationSettings" : { > "allowRemoteResourceManagement" : true, > "policyEnforcementMode" : "ENFORCING", > "resources" : [ { > "name" : "ResourceName1", > "policies" : [ { > "id" : "PolicyId1", > "name" : "PolicyName1", > "logic" : "POSITIVE", > "decisionStrategy" : "AFFIRMATIVE", > "config" : { } > } ], > "_id" : "ResourceID1" > } ], > "policies" : [ { > "id" : "PolicyId1", > "name" : "PolicyName1", > "logic" : "POSITIVE", > "decisionStrategy" : "AFFIRMATIVE", > "config" : { } > } ], > "scopes" : [ ] > } > } > > I receive a "400 Bad Request" response on the client side and on the > server the following exception is thrown (detailed stack trace > below): > com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: > Unrecognized field "authorizationSettings" > > I also tried remote debugging and indeed, this property of Client > Representation is not in the known properties list when Jackson tries > to deserialize the JSON. > > Am I using the correct API for providing the policy/resource > information? > > How can I make Jackson aware of the field "authorizationSettings"? > > Any other suggestions for managing the resources remotely?
>
> Kind regards,
> Christian
>
> 2016-10-19 10:13:12,258 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-38) RESTEASY002005: Failed executing PUT /admin/realms/test-realm/clients/9d274eb7-e01e-4e6d-b9e9-eb384fa30170: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "authorizationSettings" (class org.keycloak.representations.idm.ClientRepresentation), not marked as ignorable (36 known properties: "enabled", "clientAuthenticatorType", "redirectUris", "useTemplateConfig", "clientId", "serviceAccountsEnabled", "authorizationServicesEnabled", "name", "implicitFlowEnabled", "registeredNodes", "nodeReRegistrationTimeout", "publicClient", "attributes", "protocol", "webOrigins", "consentRequired", "protocolMappers", "id", "baseUrl", "surrogateAuthRequired", "adminUrl", "fullScopeAllowed", "frontchannelLogout", "clientTemplate", "directGrantsOnly", "rootUrl", "bearerOnly", "secret", "useTemplateMappers", "notBefore", "useTemplateScope", "standardFlowEnabled", "description", "defaultRoles", "registrationAccessToken", "directAccessGrantsEnabled"])
>  at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1f8c2096; line: 1, column: 84] (through reference chain: org.keycloak.representations.idm.ClientRepresentation["authorizationSettings"])
>
> -----Original Message-----
> From: FREIMUELLER Christian
> Sent: 19 October 2016 08:27
> To: 'Pedro Igor Craveiro e Silva'
> Cc: keycloak-user at lists.jboss.org
> Subject: RE: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API
>
> Thanks, Pedro for the information - that helped me a lot.
>
> I will try to achieve this with the Admin Client API - I think you are referring to the clients CRUD API, aren't you?
>
> When is the improvement on the client API and REST API planned?
> -> the mentioned ticket below is currently without a proposed fix version...
>
> Kind regards,
> Christian
>
> -----Original Message-----
> From: Pedro Igor Craveiro e Silva [mailto:psilva at redhat.com]
> Sent: 18 October 2016 16:34
> To: FREIMUELLER Christian; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API
>
> Hi Christian.
>
> Currently we don't support that, but we have KEYCLOAK-3135 [1] which I think is related to what you are looking for.
>
> Actually, you can already do that via Keycloak Admin Client API, but we would like to come up with a better Client API and REST API for that.
>
> Our roadmap includes not only URI protection, but also other use cases supported by UMA.
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-3135
>
> On Tue, 2016-10-18 at 14:11 +0000, FREIMUELLER Christian wrote:
> >
> > Dear all,
> >
> > I've a question regarding the authZ client.
> >
> > Is there a way to connect the resources created with the client with policies/permissions via the API, or is there only the HMI (Admin Console) to make this connection?
> >
> > The thing is we would like to use Keycloak for defining the access rights on thousands of resources (objects like database entries, files) and it would be very cumbersome to do this by hand for each single resource.
> >
> > Or is this authorization service meant to be used in another way (protecting URI for applications) only?
> >
> > Best regards,
> > Christian
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Pedro Igor
--
Pedro Igor

From psilva at redhat.com Wed Oct 19 07:08:16 2016
From: psilva at redhat.com (Pedro Igor Craveiro e Silva)
Date: Wed, 19 Oct 2016 09:08:16 -0200
Subject: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API
In-Reply-To:
References: <1476801256.2477.85.camel@redhat.com>
Message-ID: <1476875296.2171.35.camel@redhat.com>

On Wed, 2016-10-19 at 06:26 +0000, FREIMUELLER Christian wrote:
> Thanks, Pedro for the information - that helped me a lot.
>
> I will try to achieve this with the Admin Client API - I think you are referring to the clients CRUD API, aren't you?
>
> When is the improvement on the client API and REST API planned? -> the mentioned ticket below is currently without a proposed fix version...

No dates yet. Need to talk with Stian and review the roadmap for Authz Services ... It is a priority, but we do have other things going on right now.

>
> Kind regards,
> Christian
>
> -----Original Message-----
> From: Pedro Igor Craveiro e Silva [mailto:psilva at redhat.com]
> Sent: 18 October 2016 16:34
> To: FREIMUELLER Christian; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak AuthZ Client - Link resource/scope to policy/permission via API
>
> Hi Christian.
>
> Currently we don't support that, but we have KEYCLOAK-3135 [1] which I think is related to what you are looking for.
>
> Actually, you can already do that via Keycloak Admin Client API, but we would like to come up with a better Client API and REST API for that.
>
> Our roadmap includes not only URI protection, but also other use cases supported by UMA.
>
> [1] https://issues.jboss.org/browse/KEYCLOAK-3135
>
> On Tue, 2016-10-18 at 14:11 +0000, FREIMUELLER Christian wrote:
> >
> > Dear all,
> >
> > I've a question regarding the authZ client.
> >
> > Is there a way to connect the resources created with the client with policies/permissions via the API, or is there only the HMI (Admin Console) to make this connection?
> >
> > The thing is we would like to use Keycloak for defining the access rights on thousands of resources (objects like database entries, files) and it would be very cumbersome to do this by hand for each single resource.
> >
> > Or is this authorization service meant to be used in another way (protecting URI for applications) only?
> >
> > Best regards,
> > Christian
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> --
> Pedro Igor
--
Pedro Igor

From java at neposoft.com Wed Oct 19 07:35:20 2016
From: java at neposoft.com (java_os)
Date: Wed, 19 Oct 2016 07:35:20 -0400
Subject: [keycloak-user] method level role based authorization
In-Reply-To:
References: <5b05635203f01ca463aa976ff5a3ff27.squirrel@neposoft.com>
Message-ID:

Thanks Stian, this is one approach which ties into JBoss.
Would it be possible to, once authenticated by Keycloak, propagate the authentication into a Spring Security context and have Spring handle the role-based authorization?
I am not suggesting using the Keycloak Spring Security adapter, but using the Spring Security framework to do the authorization behind the scenes.
Has anyone done this crazy setup? Does anyone have a pointer to this?
Thanks

> You can do this with the regular EAP7 adapter, but you need to make sure the security context is propagated correctly. Check the
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/jboss-adapter.html
> it describes how to do it. Search that page for KeycloakLoginModule to quickly find it.
>
> On 19 October 2016 at 02:55, java_os wrote:
>
>> Question to the group,
>> I want to do method level role based authorization (aka @RolesAllowed) with the constraint that I cannot use Spring Security (broken in JBoss EAP7).
>> Has anyone done this? I want to do it by annotations at method level, instead of cluttering the code checking the role and sending 403 if the role is not allowed, ugly.
>> Thanks
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From glavoie at gmail.com Wed Oct 19 08:04:35 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Wed, 19 Oct 2016 08:04:35 -0400
Subject: [keycloak-user] Performance issues with large number of realms (500+)
In-Reply-To:
References:
Message-ID:

Hi Stian,
your answer does surprise me (and my team) a bit as the Keycloak usage examples, documentation and some blog posts point to multi-tenancy with the realm concept. We did not find any documentation that would discourage it. I was curious about possible guidelines and 10 realms seems to be a very low number.

This said, we took time almost a year ago to evaluate the architectural limits (custom themes/providers are not an issue) and did load tests (with a large number of users and realms) on the different authentication endpoints we needed to use and no big issue appeared at that time. We did expect to find issues when ramping up the usage in QA/Production.

Keycloak is secured internally in our SaaS environment (only the necessary paths/realms are exposed) and we automate the whole realm creation/management to effectively manage security concerns. All we are doing is creating a realm with a very specific configuration and repeating the operation N times.

For the two issues I found, I already have ideas of how to fix them (and 1 fix proposal almost ready).
In the meantime, we will consider different deployment/provisioning options as workarounds.

Regards,

Gabriel

2016-10-18 10:04 GMT-04:00 Stian Thorgersen :

> Keycloak was not designed to support multi-tenancy directly. We made the decision early on that we can't support true multi-tenancy and that has to be done through separate instances. This is for security reasons as well as the fact that we can't sandbox everything (like custom providers, custom themes, etc.).
>
> In that regard we have never tested with high amounts of realms as we expect there to be few realms (up to 10 most likely). Nor will we test this. We won't fix any issues related to a high number of realms for this reason either.
>
> I'm not saying that we don't appreciate your case, but we have other priorities that we need to work on.
>
> However, if you are able to provide PRs that do not have any side effects (and also don't significantly complicate things) we would be happy to accept them.
>
> On 18 October 2016 at 15:49, Gabriel Lavoie wrote:
>
>> Hi,
>> our Keycloak setup is being used in a multi-tenant fashion with a large number of realms assigned to different instances of our application (multiple customers). We are now seeing a few performance issues with the startup and administration.
>>
>> First question: Do you have guidelines on a maximum number of realms that Keycloak should support before we split in smaller clusters?
>>
>> I traced at least 2 things in the KC code that could be improved. Should I open tickets for both?
>>
>> 1 - Slow startup (5 minutes with 500 realms):
>> In the KeycloakApplication class constructor, the "isNewInstall()" test to check if the master realm must be created triggers the loading and caching of all realms.
>> This loading seems to be hit with a similar issue that I had in the past with realm export: https://issues.jboss.org/browse/KEYCLOAK-2413
>>
>> The named query that gets executed a lot of times in RealmAdapter.getAuthenticationExecution() triggers a flush within Hibernate every time. If the flush mode gets set to "COMMIT" (can't be changed by default but I tested it), the loading time goes down to approximately 30 secs which is acceptable.
>>
>> It would likely be a good idea to create a read-only transaction with the flush mode set to COMMIT during startup to pre-fill the cache, then continue with the rest of the initialization. When the cache is filled, accessing info on all realms seems to be fine.
>>
>> 2 - Slow display of the master realm admin screen.
>> When accessing the admin screen, AdminConsole.whoAmI() eventually processes all the roles on all the realms for the admin user. KeycloakModelUtils.searchFor() gets called a lot of times to navigate through all the composite permissions. With 500 realms, the user has about 6500 total permissions available. This part of the code would likely benefit a lot from a cache of the exploded composite permissions.
>>
>> Thanks,
>>
>> Gabriel
>>
>> --
>> Gabriel Lavoie
>> glavoie at gmail.com
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

--
Gabriel Lavoie
glavoie at gmail.com

From palermo at pobox.com Wed Oct 19 08:09:28 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Wed, 19 Oct 2016 12:09:28 -0000
Subject: [keycloak-user] Custom Registration Form
Message-ID:

Hi,

I'm developing a custom theme for Keycloak, and would like to know if it's possible to bring the registration form pre-filled with some information, like an affiliation code, from the query string?
Thanks,
Bruno Palermo

From Dimitrios.Gkazgkas at tangoservices.lu Wed Oct 19 08:29:11 2016
From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST))
Date: Wed, 19 Oct 2016 12:29:11 +0000
Subject: [keycloak-user] SAML in a keycloak cluster
References:
Message-ID:

======Sent again without the picture=====

Hello,

Could you please be more specific?

In the documentation proposed it is referred how to FW the original client IP, but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest".

We get the following error:

2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

It seems to come from the following part of the code of the Keycloak project.

    package org.keycloak.protocol.saml;

    public class SamlService extends AuthorizationEndpointBase

        protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
            SamlClient samlClient = new SamlClient(client);

            // validate destination
            if (requestAbstractType.getDestination() != null && !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
                event.detail(Details.REASON, "invalid_destination");
                event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                return ErrorPage.error(session, Messages.INVALID_REQUEST);
            }

The destination check simply does not match: the request destination is always the internal Keycloak address "security1.lu" and it fails when SAML requests end up on the second Keycloak, "security2.lu".

Br

Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 18 October 2016 20:12
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Please look at the documentation. It explains this.
On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello Stian,

Thank you for your response.

Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu", they just know that they are either security1.lu or security2.lu.

When we tried to overwrite the SAML XML configuration (that the client uses for integration) and put the public address "security.lu" we again had the same ERROR in Keycloak logs "reason=invalid_destination", probably due to the same root cause: the destination in the SAML AuthnRequest was "Service.lu", an address unknown for Keycloak inside the private network.

xxxxx

The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:

2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

From what I see there is, for the SAML client, a Clustering tab where I currently have nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.

Or is there any way to define both security1.lu and security2.lu in the SAML XML configuration that the client integrates?

We have set proxy-address-forwarding=true

Thank you for your help.
Kr,
Br

Dimitrios Gkazgkas
IT Solutions Architect
________________________________
**** DISCLAIMER ****
http://www.tango.lu/maildisclaimer
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Oct 19 08:35:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 19 Oct 2016 14:35:41 +0200
Subject: [keycloak-user] SAML in a keycloak cluster
In-Reply-To:
References:
Message-ID:

If you configure your reverse proxy correctly, as well as configure it on the Keycloak side, Keycloak will see its URL as security.lu and not the URL used by the reverse proxy to access it. The steps to do this are explained in the documentation I sent you.

On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu> wrote:

> ======Sent again without the picture=====
>
> Hello,
>
> Could you please be more specific?
>
> In the documentation proposed it is referred how to FW the original client IP, but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest".
>
> We get the following error:
>
> 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
>
> It seems to come from the following part of the code of the Keycloak project.
>
>     package org.keycloak.protocol.saml;
>
>     public class SamlService extends AuthorizationEndpointBase
>
>         protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
>             SamlClient samlClient = new SamlClient(client);
>
>             // validate destination
>             if (requestAbstractType.getDestination() != null && !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
>                 event.detail(Details.REASON, "invalid_destination");
>                 event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
>                 return ErrorPage.error(session, Messages.INVALID_REQUEST);
>             }
>
> The destination check simply does not match: the request destination is always the internal Keycloak address "security1.lu" and it fails when SAML requests end up on the second Keycloak, "security2.lu".
>
> Br
>
> Dimitrios Gkazgkas
>
> IT Solutions Architect
>
> ..............................................................................................
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: 18 October 2016 20:12
> To: GKAZGKAS Dimitrios (TAN/MST)
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] SAML in a keycloak cluster
>
> Please look at the documentation. It explains this.
>
> On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> Hello Stian,
>
> Thank you for your response.
>
> Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu", they just know that they are either security1.lu or security2.lu.
>
> When we tried to overwrite the SAML XML configuration (that the client uses for integration) and put the public address "security.lu" we again had the same ERROR in Keycloak logs "reason=invalid_destination", probably due to the same root cause: the destination in the SAML AuthnRequest was "Service.lu", an address unknown for Keycloak inside the private network.
>
> Destination="
>
> I attach our HA configuration. We do not use the built-in load balancer but an Apache reverse proxy which actually rewrites all internal URLs to public ones for outgoing traffic and the opposite for the incoming traffic. Thus there is not much left in the page you sent to be configured in our Keycloak.
>
> I hope I was clear. Any help would be highly appreciated.
>
> Br
>
> Dimitrios Gkazgkas
>
> IT Solutions Architect
>
> ..............................................................................................
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: 17 October 2016 20:41
> To: GKAZGKAS Dimitrios (TAN/MST)
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] SAML in a keycloak cluster
>
> Sounds like you haven't set things up properly, as Keycloak should see security.lu, not the internal addresses of the nodes. Take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
>
> On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) <Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> The response from the list on my initial mails was: After content filtering, the message was empty
>
> So I try to send the same mail without CC and without attachment
>
> ===========
>
> Hello,
>
> We are trying to configure a SAML authentication system in a keycloak cluster. First, with only one node, we are currently managing to authenticate in SAML way.
>
> The architecture:
> --> we have one apache reverse proxy with a public and unique endpoint for saml authentication. We can call the public url: security.lu <http://security.lu>
>
> --> the reverse proxy will load-balance all calls that come on security.lu to two keycloak nodes: security1.lu <http://security1.lu> and security2.lu (the private urls).
>
> The issue that we have:
> --> The client that integrates saml has a tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is referring to security1.lu (the private address, as the keycloak node only knows its private address).
> --> If we arrive during the load-balancing on the security1.lu <http://security1.lu> node, it will work. If I arrive on the second security2.lu node, it will fail. When I dig a little bit more, it's because in fact, the SAMLRequest that is generated looks like this:
>
> Destination="http://security1.lu:8080/realms/xxx/protocol/saml" ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0">xxxxx AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
>
> The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:
>
> 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
>
> From what I see there is, for the saml client, a Clustering tab where I currently have nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.
>
> Or is there any way to define both security1.lu and security2.lu in the Saml XML configuration that the client integrates?
>
> We have set proxy-address-forwarding=true
>
> Thank you for your help.
> > Kr, > > > > > > > Br > > Dimitrios Gkazgkas > IT Solutions Architect > > > > ________________________________ > > **** DISCLAIMER **** > http://www.tango.lu/maildisclaimer > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From sthorger at redhat.com Wed Oct 19 08:36:37 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 14:36:37 +0200 Subject: [keycloak-user] Custom Registration Form In-Reply-To: References: Message-ID: Pretty sure it's not currently possible On 11 July 2017 at 02:07, Bruno Palermo wrote: > Hi, > > I'm developing a custom theme for Keycloak, and would like to know if it's > possible to bring the registration form pre-filled with some information, > like an affiliation code, from the query string? > > Thanks, > Bruno Palermo > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Oct 19 08:41:53 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 14:41:53 +0200 Subject: [keycloak-user] Performance issues with large number of realms (500+) In-Reply-To: References: Message-ID: I can appreciate that the multi-tenancy concept does conflict with what I'm saying here, but that was contributed by community and in that use-case they only had a few realms. We've been asked this questions a few times on the mailing list though and we have responded with it may work, but we haven't tested it, nor have we planned for it to be used that way. I'm not saying it'll be a problem with more than 10, just saying that's what we had in mind as what the maximum people would have. Unless of course you're building out a SaaS or something on top of Keycloak. 
In that case I would believe you're probably making money out of what you are doing and you should be able to afford to spend some time contributing to Keycloak. We simply don't have the resources to test this scenario and improve the performance around it. On 19 October 2016 at 14:04, Gabriel Lavoie wrote: > Hi Stian, > your answer does surprise me (and my team) a bit as the Keycloak > usage examples, documentation, some blog post points to multi-tenancy with > the realm concept. We did not find any documentation that would discourage > it. I was curious about possible guidelines and 10 realms seems to be a > very low number. > > This said, we took time almost a year ago to evaluate the architectural > limits (custom themes/providers are not an issue) and did load tests (with > large number of users and realms) on the different authentication endpoints > we needed to use and no big issue appeared at that time. We did expect to > find issues when ramping up the usage in QA/Production. > > Keycloak is secured internally in our SaaS environment (only the necessary > paths/realms are exposed) and we automate the whole realm > creation/management to effectively manage security concerns. All we are > doing is creating a realm with a very specific configuration and repeating > the operation N times. > > For the two issues I found, I already have ideas of how to fix them (and 1 > fix proposal almost ready). In the meantime, we will consider different > deployment/provisioning options as workarounds. > > Regards, > > Gabriel > > 2016-10-18 10:04 GMT-04:00 Stian Thorgersen : > >> Keycloak was not designed to support multi-tenancy directly. We made the >> decision early on that we can't support true multi-tenancy and that has to >> be done through separate instances. This is for security reasons as well as >> the fact that we can't sandbox everything (like custom providers, custom >> themes, etc.). 
>> >> In that regards we have never tested with high amounts of realms as we >> expect there to be few realms (up to 10 most likely). Nor will we test >> this. We won't fix any issues related to high number of realms for this >> reason either. >> >> I'm not saying that we don't appreciate your case, but we have other >> priorities that we need to work on. >> >> However, if you are able to provide PRs that do not have any side effects >> (and also doesn't significantly complicate things) we would be happy to >> accept them. >> >> On 18 October 2016 at 15:49, Gabriel Lavoie wrote: >> >>> Hi, >>> our Keycloak setup is being used in a multi-tenant fashion with a >>> large number of realms assigned to different instances of our application >>> (multiple customers). We are now seeing a few performance issues with the >>> startup and administration. >>> >>> First question: Do you have guidelines on a maximum number of realms that >>> Keycloak should support before we split in smaller clusters? >>> >>> I traced at least 2 things in the KC code that could be improved. Should >>> I >>> open tickets for both? >>> >>> 1 - Slow startup (5 minutes with 500 realms): >>> In the KeycloakApplication class constructor, the "isNewInstall()" test >>> to >>> check if the master realm must be created triggers the loading and >>> caching >>> of all realms. This loading seems to be hit with a similar issue that I >>> had >>> in the past with realm export: https://issues.jboss.org/brows >>> e/KEYCLOAK-2413 >>> >>> The named query that gets executed a lot of times in >>> RealmAdapter.getAuthenticationExecution() triggers a flush within >>> Hibernate >>> every times. If the flush mode gets set to "COMMIT" (can't be changed by >>> default but I tested it), the loading time goes down to approximately 30 >>> secs which is acceptable. 
>>> >>> It would likely be a good idea to create a read-only transaction with the >>> flush mode set to COMMIT during startup to pre-fill the cache, then >>> continue with the rest of the initialization. When the cache is filled, >>> accessing info on all realms seems to be fine. >>> >>> 2 - Slow display of the master realm admin screen. >>> When accessing the admin screen, AdminConsole.whoAmI() eventually processes >>> all the roles on all the realms for the admin >>> user. KeycloakModelUtils.searchFor() gets called a lot of times to >>> navigate >>> through all the composite permissions. With 500 realms, the user has >>> about >>> 6500 total permissions available. This part of the code would likely >>> benefit a lot from a cache of the exploded composite permissions. >>> >>> Thanks, >>> >>> Gabriel >>> >>> -- >>> Gabriel Lavoie >>> glavoie at gmail.com >>> >> >> > > > -- > Gabriel Lavoie > glavoie at gmail.com >
From Dimitrios.Gkazgkas at tangoservices.lu Wed Oct 19 09:51:21 2016 From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST)) Date: Wed, 19 Oct 2016 13:51:21 +0000 Subject: [keycloak-user] SAML in a keycloak cluster In-Reply-To: References: Message-ID: Hello, I suppose that you are talking about the part : Using the Built-In Load Balancer The thing is that, if I understand well, we can do this configuration for a domain clustered mode. Our configuration is currently a standalone clustered mode. Can this configuration also be applied in this case ? Thanks for your reply, Br Dimitrios Gkazgkas IT Solutions Architect ..............................................................................................
From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: 19 October 2016 14:36 To: GKAZGKAS Dimitrios (TAN/MST) Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] SAML in a keycloak cluster If you configure your reverse proxy correctly as well as configure it on the Keycloak side, Keycloak will see its URL as security.lu and not the URL used by the reverse proxy to access it. The steps to do this are explained in the documentation I sent you. On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) > wrote: ======Sent again without the picture===== Hello, Could you please be more specific ? In the documentation proposed it is referred how to FW the original client IP but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest". We get the following error: 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination It seems to come from the following part of the code of the Keycloak project.

package org.keycloak.protocol.saml;

public class SamlService extends AuthorizationEndpointBase

    protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
        SamlClient samlClient = new SamlClient(client);
        // validate destination
        if (requestAbstractType.getDestination() != null && !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
            event.detail(Details.REASON, "invalid_destination");
            event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
            return ErrorPage.error(session, Messages.INVALID_REQUEST);
        }

The destination check simply does not match: the request destination is always the internal Keycloak address "security1.lu" and it fails when SAML requests end up on the second Keycloak "security2.lu". Br Dimitrios Gkazgkas IT Solutions Architect ..............................................................................................
From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: 18 October 2016 20:12 To: GKAZGKAS Dimitrios (TAN/MST) > Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] SAML in a keycloak cluster Please look at the documentation. It explains this. On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) > wrote: Hello Stian, Thank you for your response. Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu", they just know that they are either security1.lu or security2.lu. When we tried to overwrite the Saml XML configuration (that client uses for integration) and put the public address "security.lu" we again had the same ERROR in Keycloak logs "reason=invalid_destination" probably due to same root cause, the destination in the Saml AuthRequest was "Service.lu", an address unknown for Keycloak inside the private network. xxxxx The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node : 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination From what I see there is for saml client, a Clustering tab where I have currently nothing. Maybe I need to add some host nodes here ? But I don't know how to proceed. Or is there any way to define both security1.lu and security2.lu on the Saml XML configuration that the client integrates? We have set proxy-address-forwarding=true Thank you for your help.
Kr, Br Dimitrios Gkazgkas IT Solutions Architect
From chris.savory at edlogics.com Wed Oct 19 09:55:30 2016 From: chris.savory at edlogics.com (Chris Savory) Date: Wed, 19 Oct 2016 13:55:30 +0000 Subject: [keycloak-user] Performance issues with large number of realms (500+) In-Reply-To: References: Message-ID: <26E574D5-3921-4735-A4B9-873820301A8E@edlogics.com> Stian, I completely understand your position regarding multi-tenancy and Keycloak; that you would like the community to contribute back on identifying issues and improving the performance for 10+ realms configuration. Out of curiosity, does the same apply to Redhat SSO customers who are already paying for support? -- Christopher Savory On 10/19/16, 7:41 AM, "Stian Thorgersen" wrote: I can appreciate that the multi-tenancy concept does conflict with what I'm saying here, but that was contributed by community and in that use-case they only had a few realms. We've been asked this question a few times on the mailing list though and we have responded with it may work, but we haven't tested it, nor have we planned for it to be used that way. I'm not saying it'll be a problem with more than 10, just saying that's what we had in mind as what the maximum people would have. Unless of course you're building out a SaaS or something on top of Keycloak. In that case I would believe you're probably making money out of what you are doing and you should be able to afford to spend some time contributing to Keycloak. We simply don't have the resources to test this scenario and improve the performance around it.
On 19 October 2016 at 14:04, Gabriel Lavoie wrote: > Hi Stian, > your answer does surprise me (and my team) a bit as the Keycloak > usage examples, documentation, some blog post points to multi-tenancy with > the realm concept. We did not find any documentation that would discourage > it. I was curious about possible guidelines and 10 realms seems to be a > very low number. > > This said, we took time almost a year ago to evaluate the architectural > limits (custom themes/providers are not an issue) and did load tests (with > large number of users and realms) on the different authentication endpoints > we needed to use and no big issue appeared at that time. We did expect to > find issues when ramping up the usage in QA/Production. > > Keycloak is secured internally in our SaaS environment (only the necessary > paths/realms are exposed) and we automate the whole realm > creation/management to effectively manage security concerns. All we are > doing is creating a realm with a very specific configuration and repeating > the operation N times. > > For the two issues I found, I already have ideas of how to fix them (and 1 > fix proposal almost ready). In the meantime, we will consider different > deployment/provisioning options as workarounds. > > Regards, > > Gabriel > > 2016-10-18 10:04 GMT-04:00 Stian Thorgersen : > >> Keycloak was not designed to support multi-tenancy directly. We made the >> decision early on that we can't support true multi-tenancy and that has to >> be done through separate instances. This is for security reasons as well as >> the fact that we can't sandbox everything (like custom providers, custom >> themes, etc.). >> >> In that regards we have never tested with high amounts of realms as we >> expect there to be few realms (up to 10 most likely). Nor will we test >> this. We won't fix any issues related to high number of realms for this >> reason either. 
>> >> I'm not saying that we don't appreciate your case, but we have other >> priorities that we need to work on. >> >> However, if you are able to provide PRs that do not have any side effects >> (and also doesn't significantly complicate things) we would be happy to >> accept them. >> >> On 18 October 2016 at 15:49, Gabriel Lavoie wrote: >> >>> Hi, >>> our Keycloak setup is being used in a multi-tenant fashion with a >>> large number of realms assigned to different instances of our application >>> (multiple customers). We are now seeing a few performance issues with the >>> startup and administration. >>> >>> First question: Do you have guidelines on a maximum number of realms that >>> Keycloak should support before we split in smaller clusters? >>> >>> I traced at least 2 things in the KC code that could be improved. Should >>> I >>> open tickets for both? >>> >>> 1 - Slow startup (5 minutes with 500 realms): >>> In the KeycloakApplication class constructor, the "isNewInstall()" test >>> to >>> check if the master realm must be created triggers the loading and >>> caching >>> of all realms. This loading seems to be hit with a similar issue that I >>> had >>> in the past with realm export: https://issues.jboss.org/brows >>> e/KEYCLOAK-2413 >>> >>> The named query that gets executed a lot of times in >>> RealmAdapter.getAuthenticationExecution() triggers a flush within >>> Hibernate >>> every times. If the flush mode gets set to "COMMIT" (can't be changed by >>> default but I tested it), the loading time goes down to approximately 30 >>> secs which is acceptable. >>> >>> It would likely be a good idea to create a read-only transaction with the >>> flush mode set to COMMIT during startup to pre-fill the cache, then >>> continue with the rest of the initialization. When the cache is filled, >>> accessing info on all realms seems to be fine. >>> >>> 2 - Slow display of the master realm admin screen. 
>>> When accessing the admin screen, AdminConsole.whoAmI() eventually process >>> all the roles on all the realm for the admin >>> user. KeycloakModelUtils.searchFor() gets called a lot of times to >>> navigate >>> through all the composite permissions. With 500 realms, the user has >>> about >>> 6500 total permissions available. This part of the code would likely >>> benefit a lot from a cache of the exploded composite permissions. >>> >>> Thanks, >>> >>> Gabriel >>> >>> -- >>> Gabriel Lavoie >>> glavoie at gmail.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -- > Gabriel Lavoie > glavoie at gmail.com > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Oct 19 10:07:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 16:07:20 +0200 Subject: [keycloak-user] Performance issues with large number of realms (500+) In-Reply-To: <26E574D5-3921-4735-A4B9-873820301A8E@edlogics.com> References: <26E574D5-3921-4735-A4B9-873820301A8E@edlogics.com> Message-ID: On 19 October 2016 at 15:55, Chris Savory wrote: > Stain, > > I completely understand your position regarding multi-tenancy and > Keycloak; that you would like the community to contribute back on > identifying issues and improving the performance for 10+ realms > configuration. > > Out of curiosity, does the same apply to Redhat SSO customers who are > already paying for support? > I could have asked you to create Keycloak JIRA issues for your issues, but as I know it wouldn't be prioritized I'd rather tell you outright that we wouldn't work on it. Customers have separate channels to report issues and these are prioritized higher than community request. 
> > -- > Christopher Savory > > > > On 10/19/16, 7:41 AM, "Stian Thorgersen" wrote: > > I can appreciate that the multi-tenancy concept does conflict with > what I'm > saying here, but that was contributed by community and in that use-case > they only had a few realms. We've been asked this questions a few > times on > the mailing list though and we have responded with it may work, but we > haven't tested it, nor have we planned for it to be used that way. > > I'm not saying it'll be a problem with more than 10, just saying that's > what we had in mind as what the maximum people would have. Unless of > course > you're building out a SaaS or something on top of Keycloak. In that > case I > would believe you're probably making money out of what you are doing > and > you should be able to afford to spend some time contributing to > Keycloak. > > We simply don't have the resources to test this scenario and improve > the > performance around it. > > On 19 October 2016 at 14:04, Gabriel Lavoie wrote: > > > Hi Stian, > > your answer does surprise me (and my team) a bit as the Keycloak > > usage examples, documentation, some blog post points to > multi-tenancy with > > the realm concept. We did not find any documentation that would > discourage > > it. I was curious about possible guidelines and 10 realms seems to > be a > > very low number. > > > > This said, we took time almost a year ago to evaluate the > architectural > > limits (custom themes/providers are not an issue) and did load tests > (with > > large number of users and realms) on the different authentication > endpoints > > we needed to use and no big issue appeared at that time. We did > expect to > > find issues when ramping up the usage in QA/Production. > > > > Keycloak is secured internally in our SaaS environment (only the > necessary > > paths/realms are exposed) and we automate the whole realm > > creation/management to effectively manage security concerns. 
All we > are > > doing is creating a realm with a very specific configuration and > repeating > > the operation N times. > > > > For the two issues I found, I already have ideas of how to fix them > (and 1 > > fix proposal almost ready). In the meantime, we will consider > different > > deployment/provisioning options as workarounds. > > > > Regards, > > > > Gabriel > > > > 2016-10-18 10:04 GMT-04:00 Stian Thorgersen : > > > >> Keycloak was not designed to support multi-tenancy directly. We > made the > >> decision early on that we can't support true multi-tenancy and that > has to > >> be done through separate instances. This is for security reasons as > well as > >> the fact that we can't sandbox everything (like custom providers, > custom > >> themes, etc.). > >> > >> In that regards we have never tested with high amounts of realms as > we > >> expect there to be few realms (up to 10 most likely). Nor will we > test > >> this. We won't fix any issues related to high number of realms for > this > >> reason either. > >> > >> I'm not saying that we don't appreciate your case, but we have other > >> priorities that we need to work on. > >> > >> However, if you are able to provide PRs that do not have any side > effects > >> (and also doesn't significantly complicate things) we would be > happy to > >> accept them. > >> > >> On 18 October 2016 at 15:49, Gabriel Lavoie > wrote: > >> > >>> Hi, > >>> our Keycloak setup is being used in a multi-tenant fashion > with a > >>> large number of realms assigned to different instances of our > application > >>> (multiple customers). We are now seeing a few performance issues > with the > >>> startup and administration. > >>> > >>> First question: Do you have guidelines on a maximum number of > realms that > >>> Keycloak should support before we split in smaller clusters? > >>> > >>> I traced at least 2 things in the KC code that could be improved. > Should > >>> I > >>> open tickets for both? 
> >>> > >>> 1 - Slow startup (5 minutes with 500 realms): > >>> In the KeycloakApplication class constructor, the "isNewInstall()" > test > >>> to > >>> check if the master realm must be created triggers the loading and > >>> caching > >>> of all realms. This loading seems to be hit with a similar issue > that I > >>> had > >>> in the past with realm export: https://issues.jboss.org/brows > >>> e/KEYCLOAK-2413 > >>> > >>> The named query that gets executed a lot of times in > >>> RealmAdapter.getAuthenticationExecution() triggers a flush within > >>> Hibernate > >>> every times. If the flush mode gets set to "COMMIT" (can't be > changed by > >>> default but I tested it), the loading time goes down to > approximately 30 > >>> secs which is acceptable. > >>> > >>> It would likely be a good idea to create a read-only transaction > with the > >>> flush mode set to COMMIT during startup to pre-fill the cache, then > >>> continue with the rest of the initialization. When the cache is > filled, > >>> accessing info on all realms seems to be fine. > >>> > >>> 2 - Slow display of the master realm admin screen. > >>> When accessing the admin screen, AdminConsole.whoAmI() eventually > process > >>> all the roles on all the realm for the admin > >>> user. KeycloakModelUtils.searchFor() gets called a lot of times to > >>> navigate > >>> through all the composite permissions. With 500 realms, the user > has > >>> about > >>> 6500 total permissions available. This part of the code would > likely > >>> benefit a lot from a cache of the exploded composite permissions. 
> >>> > >>> Thanks, > >>> > >>> Gabriel > >>> > >>> -- > >>> Gabriel Lavoie > >>> glavoie at gmail.com > >>> > >> > >> > > > > > > -- > > Gabriel Lavoie > > glavoie at gmail.com > > > > > >
From sthorger at redhat.com Wed Oct 19 10:12:03 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 16:12:03 +0200 Subject: [keycloak-user] SAML in a keycloak cluster In-Reply-To: References: Message-ID: Hm.. Just reviewing that doc and it's not far from obvious. "Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy" are both relevant. On 19 October 2016 at 15:51, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote: > Hello, > > > > I suppose that you are talking about the part : > Using the Built-In Load Balancer > > > > The thing is that, if I understand well, we can do this > configuration for a domain clustered mode. Our configuration is currently a > standalone clustered mode. Can this configuration also be applied in this > case ? > > > > Thanks for your reply, > > > > > > > > > > > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 19 October 2016 14:36 > > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > If you configure your reverse proxy correctly as well as configure it on the > Keycloak side,
Keycloak will see its URL as security.lu and not the URL > used by the reverse proxy to access it. The steps to do this are explained > in the documentation I sent you. > > > > On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > ======Sent again without the picture===== > > > > Hello, > > > > Could you please be more specific ? > > > > In the documentation proposed it is referred how to FW the original > client IP but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest". > > > > > > > We get the following error: > > 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, > error=invalid_authn_request, reason=invalid_destination > > It seems to come from the following part of the code of the Keycloak project. > >
> > package org.keycloak.protocol.saml;
> >
> > public class SamlService extends AuthorizationEndpointBase
> >
> >     protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
> >         SamlClient samlClient = new SamlClient(client);
> >         // validate destination
> >         if (requestAbstractType.getDestination() != null && !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
> >             event.detail(Details.REASON, "invalid_destination");
> >             event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
> >             return ErrorPage.error(session, Messages.INVALID_REQUEST);
> >         }
> >
> > The destination check simply does not match: the request destination is always > the internal Keycloak address "security1.lu" and it fails when SAML > requests end up on the second Keycloak "security2.lu". > > > > > > > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > ..................................
> > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com ] > > *Sent:* 18 October 2016 20:12 > > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > Please look at the documentation. It explains this. > > > > On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello Stian, > > > > Thank you for your response. > > > > Could you explain a bit more what you mean by saying "*as Keycloak should > see security.lu , not the internal addresses of the > nodes*"? According to our understanding the Keycloak servers in the > internal network are behind a reverse proxy and thus they do not know that > they are called "security.lu", they just know that they are either > security1.lu or security2.lu . > > > > When we tried to overwrite the Saml XML configuration (that client uses > for integration) and put the public address "security.lu" we again had > the same ERROR in Keycloak logs "reason=invalid_destination" probably due > to same root cause, the destination in the Saml AuthRequest was > "Service.lu", an address unknown for Keycloak inside the private network. > > Destination=" > > > > I attach our HA configuration. We do not use the built-in Load Balancer > but an Apache Reverse Proxy which actually rewrites all internal URLs to > Publics for outgoing traffic and the opposite for the incoming traffic. Thus > there is not much left in the page you sent to be configured in our > Keycloak. > > > > I hope I was clear. Any help would be highly appreciated. > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > ..................................
> > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 17 October 2016 20:41 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > Sounds like you haven't set up things properly as Keycloak should see > security.lu, not the internal addresses of the nodes. Take a look at > https://keycloak.gitbooks.io/server-installation-and- > configuration/content/topics/clustering/load-balancer.html > > > > On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > The response from the list on my initial mails was : After content > filtering, the message was empty > > So I try to send the same mail without CC and without attachment > > > > =========== > > Hello, > > We are trying to configure a SAML authentication system in a keycloak > cluster. First, with only one node , we are currently managing to > authenticate in SAML way. > > The architecture : > --> we have one apache reverse proxy with a public and unique endpoint for > saml authentication. We can call the public url : security.lu< > http://security.lu> > > --> the reverse proxy will load-balance all calls that come on security.lu > to two keycloak nodes : security1.lu< > http://security1.lu> and security2.lu ( the private > urls) . > > The issue that we have : > --> The client that integrates saml has a tomcat and integrates a > keycloak-saml.xml file. Of course, in this file the configuration is > referring to security1.lu ( the private address as > the keycloak node only knows its private address). > --> If we arrive during the load-balancing on the security1.lu< > http://security1.lu> node, it will work. If I arrive on the second > security2.lu node, it will fail.
When I dig a little > bit more, it's because in fact, the SAMLRequest that is generated looks > like this : > > Destination="http://security1.lu:8080/realms/xxx/protocol/saml" > ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" > IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" > Version="2.0">xxxxx AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format: > persistent"> > > The error that I get is an invalid_destination because we receive this > SAMLRequest on the security2.lu node : > > 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, > error=invalid_authn_request, reason=invalid_destination > > From what I see there is for saml client, a Clustering tab where I have > currently nothing. Maybe I need to add some host nodes here ? But I don't > know how to proceed. > > Or is there any way to define both security1.lu and > security2.lu on the Saml XML configuration that the client integrates? > > We have set proxy-address-forwarding=true > > Thank you for your help. > > Kr, > > > > > > > Br > > Dimitrios Gkazgkas > IT Solutions Architect > > > > > > > > > > >
From musti.kuru at gmail.com Wed Oct 19 10:26:43 2016 From: musti.kuru at gmail.com (Mustafa Kuru) Date: Wed, 19 Oct 2016 16:26:43 +0200 Subject: [keycloak-user] Keycloak 1.8.1 JMeter Performance Test - Login, Refresh Token Message-ID: Hi, I am testing Keycloak's Login and Refresh Token with JMeter but getting errors (~1.50% of responses) by refreshing token. Login responses are ok.
Path: {server}:8080/auth/realms/customer/protocol/openid-connect/token

The JMeter configuration: 20 Threads, Ramp-Up Period: 5

Responses look like:

{"error_description":"Client session not active","error":"invalid_grant"}
{"error_description":"Session not active","error":"invalid_grant"}

Keycloak is clustered on the server and has 3 nodes.

Do you have any idea?

Thanks,
Kind regards
Mustafa Kuru

From chris.savory at edlogics.com Wed Oct 19 10:47:33 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 19 Oct 2016 14:47:33 +0000
Subject: [keycloak-user] Performance issues with large number of realms (500+)
In-Reply-To:
References: <26E574D5-3921-4735-A4B9-873820301A8E@edlogics.com>
Message-ID:

I'd rather you be honest about it. Thanks for the update.

--
Christopher Savory

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Wednesday, October 19, 2016 at 9:07 AM
To: Chris Savory
Cc: Gabriel Lavoie , keycloak-user
Subject: Re: [keycloak-user] Performance issues with large number of realms (500+)

On 19 October 2016 at 15:55, Chris Savory wrote:

Stian, I completely understand your position regarding multi-tenancy and Keycloak; that you would like the community to contribute back on identifying issues and improving the performance for 10+ realms configuration. Out of curiosity, does the same apply to Redhat SSO customers who are already paying for support?

I could have asked you to create Keycloak JIRA issues for your issues, but as I know it wouldn't be prioritized I'd rather tell you outright that we wouldn't work on it. Customers have separate channels to report issues and these are prioritized higher than community request.

--
Christopher Savory

On 10/19/16, 7:41 AM, "Stian Thorgersen" wrote:

I can appreciate that the multi-tenancy concept does conflict with what I'm saying here, but that was contributed by community and in that use-case they only had a few realms. We've been asked this question a few times on
the mailing list though and we have responded with it may work, but we haven't tested it, nor have we planned for it to be used that way.

I'm not saying it'll be a problem with more than 10, just saying that's what we had in mind as what the maximum people would have. Unless of course you're building out a SaaS or something on top of Keycloak. In that case I would believe you're probably making money out of what you are doing and you should be able to afford to spend some time contributing to Keycloak. We simply don't have the resources to test this scenario and improve the performance around it.

On 19 October 2016 at 14:04, Gabriel Lavoie wrote:

> Hi Stian,
>
> your answer does surprise me (and my team) a bit as the Keycloak usage examples, documentation, some blog posts point to multi-tenancy with the realm concept. We did not find any documentation that would discourage it. I was curious about possible guidelines and 10 realms seems to be a very low number.
>
> This said, we took time almost a year ago to evaluate the architectural limits (custom themes/providers are not an issue) and did load tests (with large number of users and realms) on the different authentication endpoints we needed to use and no big issue appeared at that time. We did expect to find issues when ramping up the usage in QA/Production.
>
> Keycloak is secured internally in our SaaS environment (only the necessary paths/realms are exposed) and we automate the whole realm creation/management to effectively manage security concerns. All we are doing is creating a realm with a very specific configuration and repeating the operation N times.
>
> For the two issues I found, I already have ideas of how to fix them (and 1 fix proposal almost ready). In the meantime, we will consider different deployment/provisioning options as workarounds.
>
> Regards,
>
> Gabriel
>
> 2016-10-18 10:04 GMT-04:00 Stian Thorgersen :
>
>> Keycloak was not designed to support multi-tenancy directly. We made the decision early on that we can't support true multi-tenancy and that has to be done through separate instances. This is for security reasons as well as the fact that we can't sandbox everything (like custom providers, custom themes, etc.).
>>
>> In that regards we have never tested with high amounts of realms as we expect there to be few realms (up to 10 most likely). Nor will we test this. We won't fix any issues related to high number of realms for this reason either.
>>
>> I'm not saying that we don't appreciate your case, but we have other priorities that we need to work on.
>>
>> However, if you are able to provide PRs that do not have any side effects (and also doesn't significantly complicate things) we would be happy to accept them.
>>
>> On 18 October 2016 at 15:49, Gabriel Lavoie wrote:
>>
>>> Hi,
>>>
>>> our Keycloak setup is being used in a multi-tenant fashion with a large number of realms assigned to different instances of our application (multiple customers). We are now seeing a few performance issues with the startup and administration.
>>>
>>> First question: Do you have guidelines on a maximum number of realms that Keycloak should support before we split in smaller clusters?
>>>
>>> I traced at least 2 things in the KC code that could be improved. Should I open tickets for both?
>>>
>>> 1 - Slow startup (5 minutes with 500 realms):
>>> In the KeycloakApplication class constructor, the "isNewInstall()" test to check if the master realm must be created triggers the loading and caching of all realms.
>>> This loading seems to be hit with a similar issue that I had in the past with realm export: https://issues.jboss.org/browse/KEYCLOAK-2413
>>>
>>> The named query that gets executed a lot of times in RealmAdapter.getAuthenticationExecution() triggers a flush within Hibernate every time. If the flush mode gets set to "COMMIT" (can't be changed by default but I tested it), the loading time goes down to approximately 30 secs which is acceptable.
>>>
>>> It would likely be a good idea to create a read-only transaction with the flush mode set to COMMIT during startup to pre-fill the cache, then continue with the rest of the initialization. When the cache is filled, accessing info on all realms seems to be fine.
>>>
>>> 2 - Slow display of the master realm admin screen.
>>> When accessing the admin screen, AdminConsole.whoAmI() eventually processes all the roles on all the realms for the admin user. KeycloakModelUtils.searchFor() gets called a lot of times to navigate through all the composite permissions. With 500 realms, the user has about 6500 total permissions available. This part of the code would likely benefit a lot from a cache of the exploded composite permissions.
>>>
>>> Thanks,
>>>
>>> Gabriel
>>>
>>> --
>>> Gabriel Lavoie
>>> glavoie at gmail.com
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
>
> --
> Gabriel Lavoie
> glavoie at gmail.com
>
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Oct 19 11:26:13 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 17:26:13 +0200 Subject: [keycloak-user] Keycloak 1.8.1 JMeter Performance Test - Login, Refresh Token In-Reply-To: References: Message-ID: Please upgrade and check if it works after that On 19 October 2016 at 16:26, Mustafa Kuru wrote: > Hi, > > I am testing Keycloak's Login and Refresh Token with JMeter but getting > errors (~1.50% of responses) by refreshing token. > > Login responses are ok. > > Path:{server}:8080/auth/realms/customer/protocol/openid-connect/token > > The JMeter configuration: 20 Threads, Ramp-Up Period: 5 > > Responses looks like: > > {"error_description":"Client session not active","error":"invalid_grant"} > {"error_description":"Session not active","error":"invalid_grant"} > > Keycloak is clustered on the server and has 3 nodes. > > Do you have any idea? > > Thanks, > > Kind regards > Mustafa Kuru > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Wed Oct 19 11:31:51 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 19 Oct 2016 17:31:51 +0200 Subject: [keycloak-user] Bug squashing time!! Message-ID: Let the race begin! Who can squash the most about of bugs for 2.4! Anyone from the community that'd like to help us out? 
There's plenty to pick from: https://issues.jboss.org/issues/?jql=project%20%3D%20KEYCLOAK%20and%20issuetype%20%3D%20bug%20and%20resolution%20%3D%20unresolved%20and%20assignee%20is%20empty

From Dimitrios.Gkazgkas at tangoservices.lu Thu Oct 20 05:47:53 2016
From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST))
Date: Thu, 20 Oct 2016 09:47:53 +0000
Subject: [keycloak-user] SAML in a keycloak cluster
In-Reply-To:
References:
Message-ID:

Hello,

This part of the configuration ("Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy") is already in place in our system but still it does not work.

Br

Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 19 October 2016 16:12
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org; Benoît Reny
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Hm.. Just reviewing that doc and it's not far from obvious.

"Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy" are both relevant.

On 19 October 2016 at 15:51, GKAZGKAS Dimitrios (TAN/MST) > wrote:

Hello,

I suppose that you are talking about the part: Using the Built-In Load Balancer

The thing is that if I understand well is that we can do this configuration for a domain clustered mode. Our configuration is currently a standalone clustered mode. Can this configuration also be applied in this case?

Thanks for your reply,

Br

Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 19 October 2016 14:36
To: GKAZGKAS Dimitrios (TAN/MST) >
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

If you configure your reverse proxy correctly as well as configure it on the Keycloak side, Keycloak will see its URL as security.lu and not the URL used by the reverse proxy to access it. The steps to do this are explained in the documentation I sent you.

On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) > wrote:

======Sent again without the picture=====

Hello,

Could you please be more specific?

In the documentation proposed it is referred how to FW the original client IP but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest".

We get the following error:

2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

It seems to come from the following part of the code of the Keycloak project.

    package org.keycloak.protocol.saml;

    public class SamlService extends AuthorizationEndpointBase {

        protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
            SamlClient samlClient = new SamlClient(client);

            // validate destination
            if (requestAbstractType.getDestination() != null &&
                    !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
                event.detail(Details.REASON, "invalid_destination");
                event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                return ErrorPage.error(session, Messages.INVALID_REQUEST);
            }
            // ... (excerpt)

The destination check simply does not match: the request destination is always the internal Keycloak address "security1.lu" and it fails when SAML requests end up on the second Keycloak "security2.lu".

Br

Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 18 October 2016 20:12
To: GKAZGKAS Dimitrios (TAN/MST) >
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Please look at the documentation. It explains this.

On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) > wrote:

Hello Stian,

Thank you for your response.

Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu", they just know that they are either security1.lu or security2.lu.

When we tried to overwrite the SAML XML configuration (that the client uses for integration) and put the public address "security.lu" we again had the same ERROR in Keycloak logs "reason=invalid_destination", probably due to the same root cause: the destination in the SAML AuthnRequest was "Service.lu", an address unknown for Keycloak inside the private network.

xxxxx

The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:

2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

From what I see there is, for the SAML client, a Clustering tab where I have currently nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.

Or is there any way to define both security1.lu and security2.lu in the SAML XML configuration that the client integrates?

We have set proxy-address-forwarding=true

Thank you for your help.
Kr,

Br

Dimitrios Gkazgkas
IT Solutions Architect

________________________________
**** DISCLAIMER ****
http://www.tango.lu/maildisclaimer
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Thu Oct 20 07:19:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 20 Oct 2016 13:19:38 +0200
Subject: [keycloak-user] SAML in a keycloak cluster
In-Reply-To:
References:
Message-ID:

Check the urls in http://security.lu/auth/realms/master/protocol/saml/descriptor. The URLs should contain security.lu and not URLs for the individual nodes. If that's not working, then you don't have the reverse proxy parts configured correctly.

On 20 October 2016 at 11:47, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote:

> Hello,
>
> This part of the configuration ("Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy") is already in place in our system but still it does not work.
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
> ..............................................................................................
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* 19 October 2016 16:12
> *To:* GKAZGKAS Dimitrios (TAN/MST)
> *Cc:* keycloak-user at lists.jboss.org; Benoît Reny
> *Subject:* Re: [keycloak-user] SAML in a keycloak cluster
>
> Hm.. Just reviewing that doc and it's not far from obvious.
>
> "Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy" are both relevant.
>
> On 19 October 2016 at 15:51, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> Hello,
>
> I suppose that you are talking about the part: Using the Built-In Load Balancer
>
> The thing is that if I understand well is that we can do this configuration for a domain clustered mode. Our configuration is currently a standalone clustered mode. Can this configuration also be applied in this case?
>
> Thanks for your reply,
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
> ..............................................................................................
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* 19 October 2016 14:36
> *To:* GKAZGKAS Dimitrios (TAN/MST)
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] SAML in a keycloak cluster
>
> If you configure your reverse proxy correctly as well as configure it on the Keycloak side, Keycloak will see its URL as security.lu and not the URL used by the reverse proxy to access it. The steps to do this are explained in the documentation I sent you.
>
> On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> ======Sent again without the picture=====
>
> Hello,
>
> Could you please be more specific?
>
> In the documentation proposed it is referred how to FW the original client IP but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest".
>
> We get the following error:
>
> 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
>
> It seems to come from the following part of the code of the Keycloak project.
>
>     package org.keycloak.protocol.saml;
>
>     public class SamlService extends AuthorizationEndpointBase {
>
>         protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
>             SamlClient samlClient = new SamlClient(client);
>
>             // validate destination
>             if (requestAbstractType.getDestination() != null &&
>                     !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
>                 event.detail(Details.REASON, "invalid_destination");
>                 event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
>                 return ErrorPage.error(session, Messages.INVALID_REQUEST);
>             }
>             // ... (excerpt)
>
> The destination check simply does not match: the request destination is always the internal Keycloak address "security1.lu" and it fails when SAML requests end up on the second Keycloak "security2.lu".
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
> ..............................................................................................
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com ]
> *Sent:* 18 October 2016 20:12
> *To:* GKAZGKAS Dimitrios (TAN/MST)
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] SAML in a keycloak cluster
>
> Please look at the documentation. It explains this.
>
> On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> Hello Stian,
>
> Thank you for your response.
>
> Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu", they just know that they are either security1.lu or security2.lu.
>
> When we tried to overwrite the SAML XML configuration (that the client uses for integration) and put the public address "security.lu" we again had the same ERROR in Keycloak logs "reason=invalid_destination", probably due to the same root cause: the destination in the SAML AuthnRequest was "Service.lu", an address unknown for Keycloak inside the private network.
>
> Destination="
>
> I attach our HA configuration. We do not use the built-in Load Balancer but an Apache Reverse Proxy which actually rewrites all internal URLs to public ones for outgoing traffic and the opposite for the incoming traffic. Thus there is not much left in the page you sent to be configured in our Keycloak.
>
> I hope I was clear. Any help would be highly appreciated.
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
> ..............................................................................................
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* 17 October 2016 20:41
> *To:* GKAZGKAS Dimitrios (TAN/MST)
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] SAML in a keycloak cluster
>
> Sounds like you haven't setup things properly as Keycloak should see security.lu, not the internal addresses of the nodes. Take a look at https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html
>
> On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote:
>
> The response from the list on my initial mails was: After content filtering, the message was empty
>
> So I try to send the same mail without CC and without attachment
>
> ===========
>
> Hello,
>
> We are trying to configure a SAML authentication system in a keycloak cluster. First, with only one node, we are currently managing to authenticate in SAML way.
> > The architecture : > --> we have one apache reverse proxy with a public and unique endpoint for > saml authentication. We can call the pubic url : security.lu< > http://security.lu> > > --> the reverse proxy will load-balance all calls that come on security.lu > to two keycloak nodes : security1.lu< > http://security1.lu> and security2.lu ( the private > urls) . > > The issue that we have : > --> The client that integrates saml has a tomcat and integrates a > keycloak-saml.xml file. Of course, in this file the configuration is > refering to security1.lu ( the private address as > the keycloak node only knows its private address). > --> If we arrive during the load-balancing on the security1.lu< > http://security1.lu> node, it will work. If I arrive on the second > security2.lu node, it will fail. When I dig a little > bit more, it's because in fact, the SAMLRequest that is generated looks > like this : > > Destination="http://security1.lu:8080/realms/xxx/protocol/saml" > ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" > IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" > Version="2.0">xxxxx AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format: > persistent"> > > The error that I get is an invalid_destination because we receive this > SAMLRequest on the security2.lu node : > > 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, > error=invalid_authn_request, reason=invalid_destination > > >From what I see there is for saml client, a Clustering tab where I have > currently nothing. Maybe I need to add some host nodes here ? But i don't > know how to proceed. > > Or is there any way to define both security1.lu and > security2.lu on the Saml XML configuration that the client integrates? > > We have set proxy-address-forwarding=true > > Thank you for your help. 
>
> Kr,
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect
>
> ________________________________
> **** DISCLAIMER ****
> http://www.tango.lu/maildisclaimer
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From huazonglin at gmail.com Thu Oct 20 07:59:51 2016
From: huazonglin at gmail.com (Joey)
Date: Thu, 20 Oct 2016 19:59:51 +0800
Subject: [keycloak-user] Resource match bug?
Message-ID:

Hi Guys,

I found something is weird, not sure if it is a bug?

If I create a Resource like "/resources/images/bg.png", and visit this URL from tomcat, I get a 403 error. I turned on debug messages for Keycloak, and I saw this debug message.

-------------------
DEBUG: AuthenticatedActionsValve.invoke http://operation.iishang-intr.com:9111/resources/images/bg.png

Oct 20, 2016 6:40:01 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
DEBUG: Policy enforcement is enable. Enforcing policy decisions for path [http://operation.iishang-intr.com:9111/resources/images/bg.png].

Oct 20, 2016 6:40:01 PM org.keycloak.adapters.authorization.AbstractPolicyEnforcer authorize
DEBUG: Checking permissions for path [http://operation.iishang-intr.com:9111/resources/images/bg.png] with config [null].

Oct 20, 2016 6:40:01 PM org.keycloak.adapters.authorization.AbstractPolicyEnforcer authorize
DEBUG: Could not find a configuration for path [/images/bg.png]
-------------------

Then if I change "Resource" of client URL to "/images/bg.png", it works. And I tried "/resources/*", it doesn't work either.

My Keycloak version is 2.2.0.

Joey

From sthorger at redhat.com Thu Oct 20 09:07:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 20 Oct 2016 15:07:26 +0200
Subject: [keycloak-user] Resource match bug?
In-Reply-To:
References:
Message-ID:

Pedro - can you take a look?
On 20 October 2016 at 13:59, Joey wrote: > Hi Guys, > > > I found something is weird, not sure is it a bug? > > If I create a Resource like "/resources/images/bg.png", and visit this > URL from tomcat. > but I got 403 error. I turn on debug message for keyclock, and I saw > this debug message. > > > > ------------------- > DEBUG: AuthenticatedActionsValve.invoke > http://operation.iishang-intr.com:9111/resources/images/bg.png > > Oct 20, 2016 6:40:01 PM > org.keycloak.adapters.authorization.PolicyEnforcer enforce > > DEBUG: Policy enforcement is enable. Enforcing policy decisions for > path [http://operation.iishang-intr.com:9111/resources/images/bg.png]. > > Oct 20, 2016 6:40:01 PM > org.keycloak.adapters.authorization.AbstractPolicyEnforcer authorize > > DEBUG: Checking permissions for path > [http://operation.iishang-intr.com:9111/resources/images/bg.png] with > config [null]. > > Oct 20, 2016 6:40:01 PM > org.keycloak.adapters.authorization.AbstractPolicyEnforcer authorize > > DEBUG: Could not find a configuration for path [/images/bg.png] > > ------------------- > > then if I change "Resource" of client URL to "/images/bg.png", it > works. and I tried "/resources/*", it doesn't work either. > My Keycloak version is 2.2.0. > > > Joey > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From michael_furman at hotmail.com Thu Oct 20 09:24:59 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Thu, 20 Oct 2016 13:24:59 +0000 Subject: [keycloak-user] How to configure OpenID Connect authentication? In-Reply-To: References: , Message-ID: Hi Stian, Thank you for your help! I was able to access to the OIDC configuration. Now I want to configure OIDC client using the static registration. 
I have opened the client configuration screen (at http://localhost:8080/auth/admin/master/console/#/realms/master/clients) and added client with openid-connect protocol. Unfortunately I can not find a way for the configuration of the client secret. How can I do it? Best regards, Michael ________________________________ From: Stian Thorgersen Sent: Monday, October 17, 2016 9:36 PM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to configure OpenID Connect authentication? The correct URL is http://localhost:8080/auth/realms/master/.well-known/openid-configuration On 13 October 2016 at 10:55, Michael Furman > wrote: Hi all, I have started to learn Keycloak and I need your help. I have downloaded the Keycloak Standalone server 2.2.1 distribution from here http://www.keycloak.org/downloads.html I am trying to get openid-configuration without success using this URL: http://localhost:8080/auth/admin/master/console/#/realms/master/.well-known/openid-configuration I cannot find any glue here: https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/sso-protocols/oidc.html Trying to use Demo distribution without success. Thank you in advance for your help. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Thu Oct 20 09:29:58 2016 From: psilva at redhat.com (Pedro Igor Craveiro e Silva) Date: Thu, 20 Oct 2016 11:29:58 -0200 Subject: [keycloak-user] Resource match bug? In-Reply-To: References: Message-ID: <1476970198.5657.1.camel@redhat.com> I think this is related with KEYCLOAK-3261 [1]. Can you try setting a context to your deployment instead of using ROOT ?? [1]https://issues.jboss.org/browse/KEYCLOAK-3261 On Thu, 2016-10-20 at 19:59 +0800, Joey wrote: > Hi Guys, > > > I found something is weird, not sure is it a bug? 
>
> If I create a Resource like "/resources/images/bg.png", and visit this URL from tomcat, I get a 403 error. I turned on debug messages for Keycloak, and I saw this debug message.
>
> -------------------
> DEBUG: AuthenticatedActionsValve.invoke http://operation.iishang-intr.com:9111/resources/images/bg.png
>
> Oct 20, 2016 6:40:01 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
> DEBUG: Policy enforcement is enable. Enforcing policy decisions for path [http://operation.iishang-intr.com:9111/resources/images/bg.png].
>
> Oct 20, 2016 6:40:01 PM org.keycloak.adapters.authorization.AbstractPolicyEnforcer authorize
> DEBUG: Checking permissions for path [http://operation.iishang-intr.com:9111/resources/images/bg.png] with config [null].
>
> Oct 20, 2016 6:40:01 PM org.keycloak.adapters.authorization.AbstractPolicyEnforcer authorize
> DEBUG: Could not find a configuration for path [/images/bg.png]
> -------------------
>
> Then if I change "Resource" of client URL to "/images/bg.png", it works. And I tried "/resources/*", it doesn't work either.
>
> My Keycloak version is 2.2.0.
>
> Joey
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Pedro Igor

From abhi.raghav007 at gmail.com Thu Oct 20 11:02:58 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Thu, 20 Oct 2016 20:32:58 +0530
Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API
Message-ID:

Hey

I am writing to create users by calling the Keycloak REST APIs through my own REST APIs. I am able to set all other properties of a user and create a user, but when I try assigning the credentials, I get stuck.

First of all, is it possible to do this externally in such a scenario?

If yes, how can I do that?
Cheers Abhishek From mposolda at redhat.com Thu Oct 20 11:40:07 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 20 Oct 2016 17:40:07 +0200 Subject: [keycloak-user] How to configure OpenID Connect authentication? In-Reply-To: References: Message-ID: <4b77c388-a43a-eb75-42ea-ed8a7245eb6f@redhat.com> On 20/10/16 15:24, Michael Furman wrote: > Hi Stian, > Thank you for your help! > I was able to access to the OIDC configuration. > Now I want to configure OIDC client using the static registration. > I have opened the client configuration screen (at http://localhost:8080/auth/admin/master/console/#/realms/master/clients) and added client with openid-connect protocol. > > Unfortunately I can not find a way for the configuration of the client secret. If you set "Access Type" -> "confidential" and then go to tabs "Credentials" you will see client secret. Marek > How can I do it? > Best regards, > Michael > > > ________________________________ > From: Stian Thorgersen > Sent: Monday, October 17, 2016 9:36 PM > To: Michael Furman > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to configure OpenID Connect authentication? > > The correct URL is http://localhost:8080/auth/realms/master/.well-known/openid-configuration > > On 13 October 2016 at 10:55, Michael Furman > wrote: > Hi all, > I have started to learn Keycloak and I need your help. > I have downloaded the Keycloak Standalone server 2.2.1 distribution from here http://www.keycloak.org/downloads.html > I am trying to get openid-configuration without success using this URL: > http://localhost:8080/auth/admin/master/console/#/realms/master/.well-known/openid-configuration > > I cannot find any glue here: > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/sso-protocols/oidc.html > > Trying to use Demo distribution without success. > Thank you in advance for your help. 
> Best regards, > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Oct 20 11:41:53 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 20 Oct 2016 17:41:53 +0200 Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API In-Reply-To: References: Message-ID: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com> Yes, but we have separate endpoint for manage (reset) user password and other credentials. See for example admin console and check with some plugin (like FF firebug for example) what REST endpoints are called when you reset password for some user. Marek On 20/10/16 17:02, abhishek raghav wrote: > Hey > > I am writing to create user by calling keycloak rest APIs through my own > REST api's. I am able to set all other properties of a user and create a > user, but when i try assigning the credentials , I get stuck. > > First of all Is it possible to do it externally create such scenario..? > > If yes, how can i do that. > > > Cheers > Abhishek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From rajkirankurapati at gmail.com Thu Oct 20 11:52:12 2016 From: rajkirankurapati at gmail.com (Raj Kiran K) Date: Thu, 20 Oct 2016 21:22:12 +0530 Subject: [keycloak-user] Need help with keycloak realm template Message-ID: I want to create Multiple realms which has only change in urls of clients. How can i use a template (realm) for achieving this requirement. 
Also let me know any automated feature (realm template getting inputs from properties file) is available in keycloak. *Regards,Raj Kiran* From mail at futureofwebtechnology.com Thu Oct 20 12:26:52 2016 From: mail at futureofwebtechnology.com (Hendrik) Date: Thu, 20 Oct 2016 18:26:52 +0200 Subject: [keycloak-user] Keycloak import realm/clients for integration testing Message-ID: <30af96b0-898a-8e6f-305d-b7c11b20ff6c@futureofwebtechnology.com> Hi everybody, we are evaluating Keycloak as central security solution right now and would like to write some integration tests against it. We would therefore need a *reproducible* preconfigured instance of KC. We tried using the Import/Export function of standalone.sh but the server is not responding after a (seemingly) successful import. We used: -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=master-realm.json and -Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=master-realm.json Is it expected behaviour that the server is not responding after an import ? What could cause this behaviour ? Any hints would be appreciated. Regads, Hendrik From mposolda at redhat.com Thu Oct 20 15:40:39 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 20 Oct 2016 21:40:39 +0200 Subject: [keycloak-user] Keycloak import realm/clients for integration testing In-Reply-To: <30af96b0-898a-8e6f-305d-b7c11b20ff6c@futureofwebtechnology.com> References: <30af96b0-898a-8e6f-305d-b7c11b20ff6c@futureofwebtechnology.com> Message-ID: <1ac78e39-0bfd-0431-8522-9e9d3c744310@redhat.com> No, that is not expected. Which Keycloak version are you using? And which DB? How many realms and/or users and other objects (clients etc) you have in exported JSON file? Also are you sure that server was fully started when you did export and also import? 
Marek On 20/10/16 18:26, Hendrik wrote: > Hi everybody, > > we are evaluating Keycloak as central security solution right now and > would like to write some integration tests against it. > We would therefore need a *reproducible* preconfigured instance of KC. > > We tried using the Import/Export function of standalone.sh but the > server is not responding after a (seemingly) successful import. > > We used: > -Dkeycloak.migration.action=export > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=master-realm.json > and > -Dkeycloak.migration.action=import > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.file=master-realm.json > > Is it expected behaviour that the server is not responding after an import ? > What could cause this behaviour ? > > Any hints would be appreciated. > > Regads, > Hendrik > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Oct 20 15:45:17 2016 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 20 Oct 2016 21:45:17 +0200 Subject: [keycloak-user] Need help with keycloak realm template In-Reply-To: References: Message-ID: <1208f3a4-a6d3-725d-a687-65efcc581d79@redhat.com> We don't have any direct support for this. However what you can do is for example: - Export some existing realm - Delete the realmID in exported JSON file and probably also delete some IDs of other objects too. - Change the client URLs you want - Import realm again either through admin console or through the Export/Import functionality Thing is, that with multiple realms will be also all other objects (users etc) duplicated in DB. Maybe there is even better solution for your use-case. Depends what exactly you want to achieve? Marek On 20/10/16 17:52, Raj Kiran K wrote: > I want to create Multiple realms which has only change in urls of clients. 
> How can i use a template (realm) for achieving this requirement. Also let > me know any automated feature (realm template getting inputs from > properties file) is available in keycloak. > > > > *Regards,Raj Kiran* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From abhi.raghav007 at gmail.com Thu Oct 20 15:55:43 2016 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Fri, 21 Oct 2016 01:25:43 +0530 Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API In-Reply-To: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com> References: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com> Message-ID: I am able to set the user credentials by calling a different endpoint as suggested by you. but still when I am inspecting the returned UserRepresentation Object, credentials are coming as null. I am actually trying to create a email template theme, where I am sending the temporary created user password to the user to his registered email. So I am able to introduce username like this : ${msg("executeActionsBodyHtml",link, linkExpiration, realmName, user.getUsername())} But when I am trying to do same for credentials, user.getCredentials().get(0).getValue() I am getting a Null pointer as credentials were not set in the user. I know its kind of absurd. Please suggest. What I am doing wrong. Cheers Abhishek On Thu, Oct 20, 2016 at 9:11 PM, Marek Posolda wrote: > Yes, but we have separate endpoint for manage (reset) user password and > other credentials. > > See for example admin console and check with some plugin (like FF firebug > for example) what REST endpoints are called when you reset password for > some user. > > Marek > > > On 20/10/16 17:02, abhishek raghav wrote: > >> Hey >> >> I am writing to create user by calling keycloak rest APIs through my own >> REST api's. 
I am able to set all other properties of a user and create a >> user, but when i try assigning the credentials , I get stuck. >> >> First of all Is it possible to do it externally create such scenario..? >> >> If yes, how can i do that. >> >> >> Cheers >> Abhishek >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > From sthorger at redhat.com Fri Oct 21 00:49:18 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 21 Oct 2016 06:49:18 +0200 Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API In-Reply-To: References: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com> Message-ID: We'll never expose user credentials over the rest endpoints. We don't even know them as they are hashed. Instead of sending a temporary password you should send the user a reset password link. That's a special code that let's the user set the password. On 20 October 2016 at 21:55, abhishek raghav wrote: > I am able to set the user credentials by calling a different endpoint as > suggested by you. but still when I am inspecting the returned > UserRepresentation Object, credentials are coming as null. > > I am actually trying to create a email template theme, where I am sending > the temporary created user password to the user to his registered email. So > I am able to introduce username like this : > > ${msg("executeActionsBodyHtml",link, linkExpiration, realmName, > user.getUsername())} > > But when I am trying to do same for > credentials, user.getCredentials().get(0).getValue() I am getting a Null > pointer as credentials were not set in the user. > > I know its kind of absurd. > > Please suggest. What I am doing wrong. 
> > Cheers > Abhishek > > > > > > > > On Thu, Oct 20, 2016 at 9:11 PM, Marek Posolda > wrote: > > > Yes, but we have separate endpoint for manage (reset) user password and > > other credentials. > > > > See for example admin console and check with some plugin (like FF firebug > > for example) what REST endpoints are called when you reset password for > > some user. > > > > Marek > > > > > > On 20/10/16 17:02, abhishek raghav wrote: > > > >> Hey > >> > >> I am writing to create user by calling keycloak rest APIs through my own > >> REST api's. I am able to set all other properties of a user and create a > >> user, but when i try assigning the credentials , I get stuck. > >> > >> First of all Is it possible to do it externally create such scenario..? > >> > >> If yes, how can i do that. > >> > >> > >> Cheers > >> Abhishek > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Oct 21 05:21:23 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 21 Oct 2016 11:21:23 +0200 Subject: [keycloak-user] Keycloak 2.3.0.CR1 is out Message-ID: We've just released Keycloak 2.3.0.CR1. This release brings a number of new existing features! Highlights of the release includes: - *OpenID Connect certification* - We've now completed the work on making our OpenID Connect implementation pass the OpenID Connect certification and we're currently passing all 5 profiles! - *User SPI* - We now have a new simpler User SPI. This will make it easier to implement a custom user provider to pull in users from any external user store. 
In the next release we'll port our LDAP provider to this SPI, which will make it possible to pull in users from LDAP without syncing data to the Keycloak database. Once this work is completed we'll remove the old User Federation SPI. - *Realm Key Rotation* - We now support multiple keys in a realm. This makes it possible to seamlessly rotate keys without any impact to applications and users. - *Client Registration CLI* - A while back we added dynamic client registration capabilities; we've now created a CLI that makes it easy to register and update clients from the command-line. - *Dynamic Client Registration Policies* - We've introduced a mechanism to control what clients can be dynamically created. This includes the ability to define policies to allow clients to register without the need to authenticate. - *Node.js Adapter* - We've had a Node.js adapter for a while, but we've now polished it a lot and made it a first class citizen. For the full list of issues resolved check out JIRA and to download the release go to the Keycloak homepage. From keith.hudson at hudzinga.com Fri Oct 21 06:37:26 2016 From: keith.hudson at hudzinga.com (keith.hudson at hudzinga.com) Date: Fri, 21 Oct 2016 06:37:26 -0400 (EDT) Subject: [keycloak-user] Restrict Administration Console to local interface only? Message-ID: <1477046246.86497803@apps.rackspace.com> I'm currently running 2.2.1.Final of Keycloak server and I was curious if it is possible to restrict access to the Administration Console to the local network only? Basically, I want to set it up similarly to how I have the Wildfly Admin Console secured (local access only).
Thanks, Keith From abhi.raghav007 at gmail.com Fri Oct 21 09:10:25 2016 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Fri, 21 Oct 2016 18:40:25 +0530 Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API In-Reply-To: References: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com> Message-ID: Hey Thanks for explaining how the user credential are setting. I guess the problem which I facing can be solved by using KEYCLOAK- 1835 *https://issues.jboss.org/browse/KEYCLOAK-1835 * When can we expect this to be released..? And if it is not going to be released in the future, what should be the strategy to activate the user where they can set there password. Keycloak send a link to update the password to the user at the time of user creation. Now this link have very small life time. Now I cant expect my users to respond that quickly. (Say 5 minutes) So by then they click on it, it gets expired. This isn't a problem with self registration. Just when administrator is creating account for the user. Please suggest any strategy to come-over this scenario or whats the standard way IDM does to activate the user account / Provision the users first time. Cheers Abhishek On Fri, Oct 21, 2016 at 10:19 AM, Stian Thorgersen wrote: > We'll never expose user credentials over the rest endpoints. We don't even > know them as they are hashed. > > Instead of sending a temporary password you should send the user a reset > password link. That's a special code that let's the user set the password. > > On 20 October 2016 at 21:55, abhishek raghav > wrote: > >> I am able to set the user credentials by calling a different endpoint as >> suggested by you. but still when I am inspecting the returned >> UserRepresentation Object, credentials are coming as null. >> >> I am actually trying to create a email template theme, where I am sending >> the temporary created user password to the user to his registered email. 
>> So >> I am able to introduce username like this : >> >> ${msg("executeActionsBodyHtml",link, linkExpiration, realmName, >> user.getUsername())} >> >> But when I am trying to do same for >> credentials, user.getCredentials().get(0).getValue() I am getting a Null >> pointer as credentials were not set in the user. >> >> I know its kind of absurd. >> >> Please suggest. What I am doing wrong. >> >> Cheers >> Abhishek >> >> >> >> >> >> >> >> On Thu, Oct 20, 2016 at 9:11 PM, Marek Posolda >> wrote: >> >> > Yes, but we have separate endpoint for manage (reset) user password and >> > other credentials. >> > >> > See for example admin console and check with some plugin (like FF >> firebug >> > for example) what REST endpoints are called when you reset password for >> > some user. >> > >> > Marek >> > >> > >> > On 20/10/16 17:02, abhishek raghav wrote: >> > >> >> Hey >> >> >> >> I am writing to create user by calling keycloak rest APIs through my >> own >> >> REST api's. I am able to set all other properties of a user and create >> a >> >> user, but when i try assigning the credentials , I get stuck. >> >> >> >> First of all Is it possible to do it externally create such scenario..? >> >> >> >> If yes, how can i do that. >> >> >> >> >> >> Cheers >> >> Abhishek >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From jcain at redhat.com Fri Oct 21 09:27:05 2016 From: jcain at redhat.com (Josh Cain) Date: Fri, 21 Oct 2016 08:27:05 -0500 Subject: [keycloak-user] Keycloak 2.3.0.CR1 is out In-Reply-To: References: Message-ID: <1477056425.7299.3.camel@redhat.com> Nice work all, looking forward to getting my hands on the client registration CLI! 
On Fri, 2016-10-21 at 11:21 +0200, Stian Thorgersen wrote:
From keith.hudson at hudzinga.com Fri Oct 21 09:36:39 2016 From: keith.hudson at hudzinga.com (keith.hudson at hudzinga.com) Date: Fri, 21 Oct 2016 09:36:39 -0400 (EDT) Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API In-Reply-To: References: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com> Message-ID: <1477056999.037815480@apps.rackspace.com> If I understand your question correctly and you're trying to reset or change a user's password within your own service, you can do this now. Example: Keycloak kc = Keycloak.getInstance( KEYCLOAK_URL, REALM, USER, PASS, "admin-cli"); List<UserRepresentation> users = kc.realm("MYREALM").users().search(login, null, null, null, 0, 12); UserRepresentation userCheck = users.get(0); String userID = userCheck.getId(); UserResource userResource = kc.realm("MYREALM").users().get(userID); CredentialRepresentation credential = new CredentialRepresentation(); credential.setType(CredentialRepresentation.PASSWORD); credential.setValue(someMethod.generatePassword()); credential.setTemporary(false); logger.info("Updating user"); userResource.update(userCheck); // if you changed any other values on the user userResource.resetPassword(credential); // resets the password We use this approach to allow the user to update settings via our own service layer and change the appropriate credentials in Keycloak within our own service layer. -----Original Message----- From: "abhishek raghav" Sent: Friday, October 21, 2016 9:10am To: stian at redhat.com Cc: "keycloak-user" Subject: Re: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API Hey Thanks for explaining how the user credentials are set.
I guess the problem which I facing can be solved by using KEYCLOAK- 1835 *https://issues.jboss.org/browse/KEYCLOAK-1835 * When can we expect this to be released..? And if it is not going to be released in the future, what should be the strategy to activate the user where they can set there password. Keycloak send a link to update the password to the user at the time of user creation. Now this link have very small life time. Now I cant expect my users to respond that quickly. (Say 5 minutes) So by then they click on it, it gets expired. This isn't a problem with self registration. Just when administrator is creating account for the user. Please suggest any strategy to come-over this scenario or whats the standard way IDM does to activate the user account / Provision the users first time. Cheers Abhishek On Fri, Oct 21, 2016 at 10:19 AM, Stian Thorgersen wrote: > We'll never expose user credentials over the rest endpoints. We don't even > know them as they are hashed. > > Instead of sending a temporary password you should send the user a reset > password link. That's a special code that let's the user set the password. > > On 20 October 2016 at 21:55, abhishek raghav > wrote: > >> I am able to set the user credentials by calling a different endpoint as >> suggested by you. but still when I am inspecting the returned >> UserRepresentation Object, credentials are coming as null. >> >> I am actually trying to create a email template theme, where I am sending >> the temporary created user password to the user to his registered email. >> So >> I am able to introduce username like this : >> >> ${msg("executeActionsBodyHtml",link, linkExpiration, realmName, >> user.getUsername())} >> >> But when I am trying to do same for >> credentials, user.getCredentials().get(0).getValue() I am getting a Null >> pointer as credentials were not set in the user. >> >> I know its kind of absurd. >> >> Please suggest. What I am doing wrong. 
>> >> Cheers >> Abhishek >> >> >> >> >> >> >> >> On Thu, Oct 20, 2016 at 9:11 PM, Marek Posolda >> wrote: >> >> > Yes, but we have separate endpoint for manage (reset) user password and >> > other credentials. >> > >> > See for example admin console and check with some plugin (like FF >> firebug >> > for example) what REST endpoints are called when you reset password for >> > some user. >> > >> > Marek >> > >> > >> > On 20/10/16 17:02, abhishek raghav wrote: >> > >> >> Hey >> >> >> >> I am writing to create user by calling keycloak rest APIs through my >> own >> >> REST api's. I am able to set all other properties of a user and create >> a >> >> user, but when i try assigning the credentials , I get stuck. >> >> >> >> First of all Is it possible to do it externally create such scenario..? >> >> >> >> If yes, how can i do that. >> >> >> >> >> >> Cheers >> >> Abhishek >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > >> > >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From thomas.darimont at googlemail.com Fri Oct 21 16:29:44 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 21 Oct 2016 22:29:44 +0200 Subject: [keycloak-user] Keycloak 2.3.0.CR1 is out In-Reply-To: <1477056425.7299.3.camel@redhat.com> References: <1477056425.7299.3.camel@redhat.com> Message-ID: Awesome! Congratulations for another feature-rich release! Cheers, Thomas 2016-10-21 15:27 GMT+02:00 Josh Cain : > Nice work all, looking forward to getting my hands on the client > registration CLI! 
> On Fri, 2016-10-21 at 11:21 +0200, Stian Thorgersen wrote:
From niko at n-k.de Sat Oct 22 03:23:52 2016 From: niko at n-k.de (Niko Köbler) Date: Sat, 22 Oct 2016 09:23:52 +0200 Subject: [keycloak-user] Keycloak 2.3.0.CR1 is out In-Reply-To: References: Message-ID: Great work, thanks for all the effort! > - *User SPI* - We now have a new simpler User SPI. Is there already some documentation and/or examples available? We are running a system with some custom User Federation Providers and I need to update our Keycloak servers to 2.3.0 b/c of other issues/fixes, I just want to know how to change my Federation Providers. And is there a necessary migration path for users imported by a custom Federation Provider, now using the User SPI? Would be great to get some more information on this! Cheers, - Niko From sourin-v at bridgestone-bae.com Sat Oct 22 07:19:23 2016 From: sourin-v at bridgestone-bae.com (Vincent Sourin) Date: Sat, 22 Oct 2016 11:19:23 +0000 Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster Message-ID: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> Hello, I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache Reverse Proxy (with Mod_cluster).
First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/ I think it's worth mentioning that: * Wildfly & keycloak are installed on the same servers but each in separate instances (not using overlay deployment) * mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use Websocket with wildfly So, in this configuration, applications deployed on wildfly instances work well but I got some problem with Keycloak. Reaching the keycloak "auth" page (https://XXXXXXX/auth/) works fine, but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails. If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either. Here is a snippet of my keycloak configuration: [...] [...] [...] [...] [...] Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior? Thanks for your help. Vincent. From sthorger at redhat.com Mon Oct 24 00:28:28 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 24 Oct 2016 06:28:28 +0200 Subject: [keycloak-user] Restrict Administration Console to local interface only? In-Reply-To: <1477046246.86497803@apps.rackspace.com> References: <1477046246.86497803@apps.rackspace.com> Message-ID: Afraid no. It's something we've wanted to do, but haven't had time to. You'd have to use a proxy/firewall in front of Keycloak to achieve that. On 21 October 2016 at 12:37, wrote: > I'm currently running 2.2.1.Final of Keycloak server and I was curious if > it is possible to restrict access to the Administration Console to the > local network only? Basically, I want to set it up similarly to how I have > the Wildfly Admin Console secured (local access only).
> > Thanks, > > Keith > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Oct 24 00:31:07 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 24 Oct 2016 06:31:07 +0200 Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API In-Reply-To: References: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com> Message-ID: Welcome mail is not probably covering your use-case. AFAIK that issue is more about a "hello welcome aboard" rather than a activate your account mail. You can add a comment to the issue to be able to send a welcome mail with the ability to initialize the password. On 21 October 2016 at 15:10, abhishek raghav wrote: > Hey > > Thanks for explaining how the user credential are setting. > I guess the problem which I facing can be solved by using KEYCLOAK- 1835 > > *https://issues.jboss.org/browse/KEYCLOAK-1835 > * > > When can we expect this to be released..? > > And if it is not going to be released in the future, what should be the > strategy to activate the user where they can set there password. > > Keycloak send a link to update the password to the user at the time of > user creation. Now this link have very small life time. Now I cant expect > my users to respond that quickly. (Say 5 minutes) So by then they click on > it, it gets expired. > > This isn't a problem with self registration. Just when administrator is > creating account for the user. > > Please suggest any strategy to come-over this scenario or whats the > standard way IDM does to activate the user account / Provision the users > first time. > > Cheers > Abhishek > > > > > > On Fri, Oct 21, 2016 at 10:19 AM, Stian Thorgersen > wrote: > >> We'll never expose user credentials over the rest endpoints. We don't >> even know them as they are hashed. 
>>> >> >>> >> >>> >> Cheers >>> >> Abhishek >>> >> _______________________________________________ >>> >> keycloak-user mailing list >>> >> keycloak-user at lists.jboss.org >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >>> > >>> > >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From sthorger at redhat.com Mon Oct 24 02:08:28 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 24 Oct 2016 08:08:28 +0200 Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster In-Reply-To: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> Message-ID: Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also preserving the preserving the original Host header? On 22 October 2016 at 13:19, Vincent Sourin wrote: > Hello, > > I've got a strange behavior with Keycloak instance (version 2.2.1 Final) > behind an Apache Reverse Proxy (with Mod_cluster). > > First of all, here is my test environment : https://postimg.org/image/ > z7xrb08ev/ > > I think it's worth mention that : > > * Wildfly & keycloak are installed on the same servers but each in > separate instances (not using overlay deployment) > > * mod_cluster is configured in http mode (not ajp) with > mod_proxy_wstunnel activated because I use Websocket with wildfly > > So, in this configuration, applications deployed on wildfly instances work > well but I got some problem with Keycloak. > Reaching keycloak < auth > page (https://XXXXXXX/auth/) works fine but as > soon as I click on the link < Aministration Console > (resolved normally to > https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to > plain http connection and so the request failed. 
>
> If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.
>
> Here is a snippet of my Keycloak configuration:
>
> socket-binding="http" redirect-socket="proxy-https"/>
> enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
> [...]
> [...]
> connector="default">
> [...]
> [...]
> [...]
>
> Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?
>
> Thanks for your help.
>
> Vincent.

From abhi.raghav007 at gmail.com Mon Oct 24 07:59:32 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Mon, 24 Oct 2016 17:29:32 +0530
Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API
In-Reply-To:
References: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com>
Message-ID:

Thanks for clarifying the feature.

Meanwhile, until we get this feature rolled out, do you suggest any workaround which is kind of standard and does not create any security loophole in the system?

In which release can we expect this feature?

Cheers
Abhishek

On Mon, Oct 24, 2016 at 10:01 AM, Stian Thorgersen wrote:

> Welcome mail is probably not covering your use-case. AFAIK that issue is more about a "hello, welcome aboard" mail rather than an "activate your account" mail. You can add a comment to the issue asking to be able to send a welcome mail with the ability to initialize the password.
>
> On 21 October 2016 at 15:10, abhishek raghav wrote:
>
>> Hey
>>
>> Thanks for explaining how the user credentials are set.
>> I guess the problem which I am facing can be solved by using KEYCLOAK-1835
>>
>> https://issues.jboss.org/browse/KEYCLOAK-1835
>>
>> When can we expect this to be released?
>>
>> And if it is not going to be released in the future, what should be the strategy to activate the user so that they can set their password?
>>
>> Keycloak sends a link to update the password to the user at the time of user creation. Now this link has a very short lifetime. I can't expect my users to respond that quickly (say, within 5 minutes), so by the time they click on it, it has expired.
>>
>> This isn't a problem with self registration, just when an administrator is creating an account for the user.
>>
>> Please suggest any strategy to overcome this scenario, or what is the standard way an IDM activates the user account / provisions the users the first time.
>>
>> Cheers
>> Abhishek
>>
>> On Fri, Oct 21, 2016 at 10:19 AM, Stian Thorgersen wrote:
>>
>>> We'll never expose user credentials over the REST endpoints. We don't even know them as they are hashed.
>>>
>>> Instead of sending a temporary password you should send the user a reset password link. That's a special code that lets the user set the password.
>>>
>>> On 20 October 2016 at 21:55, abhishek raghav wrote:
>>>
>>>> I am able to set the user credentials by calling a different endpoint as suggested by you, but when I inspect the returned UserRepresentation object, credentials are still null.
>>>>
>>>> I am actually trying to create an email template theme, where I am sending the temporarily created user password to the user's registered email. So I am able to include the username like this:
>>>>
>>>> ${msg("executeActionsBodyHtml",link, linkExpiration, realmName, user.getUsername())}
>>>>
>>>> But when I try to do the same for credentials, user.getCredentials().get(0).getValue(), I get a null pointer as credentials were not set in the user.
>>>>
>>>> I know it's kind of absurd.
>>>>
>>>> Please suggest what I am doing wrong.
>>>>
>>>> Cheers
>>>> Abhishek
>>>>
>>>> On Thu, Oct 20, 2016 at 9:11 PM, Marek Posolda wrote:
>>>>
>>>> > Yes, but we have a separate endpoint for managing (resetting) the user password and other credentials.
>>>> >
>>>> > See for example the admin console and check with some plugin (like Firebug for Firefox) which REST endpoints are called when you reset the password for some user.
>>>> >
>>>> > Marek
>>>> >
>>>> > On 20/10/16 17:02, abhishek raghav wrote:
>>>> >
>>>> >> Hey
>>>> >>
>>>> >> I am trying to create a user by calling the Keycloak REST APIs through my own REST APIs. I am able to set all other properties of a user and create the user, but when I try assigning the credentials, I get stuck.
>>>> >>
>>>> >> First of all, is it possible to do this externally, i.e. create such a scenario?
>>>> >>
>>>> >> If yes, how can I do that.
>>>> >>
>>>> >> Cheers
>>>> >> Abhishek

From max.catarino at rps.com.br Mon Oct 24 10:17:57 2016
From: max.catarino at rps.com.br (max.catarino at rps.com.br)
Date: Mon, 24 Oct 2016 12:17:57 -0200
Subject: [keycloak-user] It's possible to check if an user have an active/valid session through REST API?
Message-ID:

Is it possible to check if a user has an active/valid session through the REST API?

I saw the UserSessionRepresentation returned by Keycloak.realm("realmId").users().get("userId").getUserSessions(), but UserSessionRepresentation does not have the information I want.

Best regards

Maximiliano

From bruno at abstractj.org Mon Oct 24 15:01:38 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 24 Oct 2016 17:01:38 -0200
Subject: [keycloak-user] It's possible to check if an user have an active/valid session through REST API?
In-Reply-To:
References:
Message-ID: <20161024190138.GA10318@abstractj.org>

Hi Max,

I'm not sure which information you want, but you can try to look at these endpoints:

* http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client
* http://www.keycloak.org/docs/rest-api/#_get_client_session_stats

On 2016-10-24, max.catarino at rps.com.br wrote:
>
> Is it possible to check if a user has an active/valid session through the REST API?
>
> I saw the UserSessionRepresentation returned by Keycloak.realm("realmId").users().get("userId").getUserSessions(), but UserSessionRepresentation does not have the information I want.
>
> Best regards
>
> Maximiliano

--
abstractj
PGP: 0x84DC9914

From sourin-v at bridgestone-bae.com Mon Oct 24 15:38:20 2016
From: sourin-v at bridgestone-bae.com (Vincent Sourin)
Date: Mon, 24 Oct 2016 19:38:20 +0000
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com>
Message-ID:

Yes, I think the X-Forwarded-* headers and preservation of the original host are set.

Actually, I'm not really a "network" guy. So for testing purposes, I use the bundle (httpd + ssl) provided on the mod_cluster website.

I "tweak" the configuration to try to achieve SSL termination and WebSocket like this:

------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"

LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[...]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so

User daemon
Group daemon

AllowOverride none
Require all denied

DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"

Options Indexes FollowSymLinks
AllowOverride None
Require all granted

DirectoryIndex index.html

Require all denied

ErrorLog "logs/error_log"
LogLevel warn

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog "logs/access.log" combined env=!dontlog

ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"

AllowOverride None
Options None
Require all granted

TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

Include conf/extra/proxy-html.conf

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel

Listen XXXXXXXX:443

ServerName XXXXXXXXXXXXXXX

CreateBalancers 0

AllowDisplay On
SetHandler mod_cluster-manager
Require ip 10.10

ProxyPass !

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
SSLVerifyClient none

ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"

Listen XXXXXXXXX:6666

ServerName XXXXXXXXXXXXXXXXX

Require ip 10.10

AllowDisplay On
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
AdvertiseGroup 224.0.1.205:24364
EnableMCPMReceive
ManagerBalancerName mycluster

ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
------------------------ Apache Configuration ----------------------------

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, 24 October 2016 08:08
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Is your proxy setting X-Forwarded-For and X-Forwarded-Proto, and also preserving the original Host header?

On 22 October 2016 at 13:19, Vincent Sourin wrote:

Hello,

I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache reverse proxy (with mod_cluster).

First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/

I think it's worth mentioning that:

* WildFly & Keycloak are installed on the same servers but each in separate instances (not using overlay deployment)

* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use WebSocket with WildFly

So, in this configuration, applications deployed on the WildFly instances work well but I've got some problem with Keycloak.
Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails.
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.

Here is a snippet of my Keycloak configuration:

[...]
[...]
[...]
[...]
[...]

Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?

Thanks for your help.

Vincent.

From sthorger at redhat.com Tue Oct 25 03:48:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 25 Oct 2016 09:48:54 +0200
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com>
Message-ID:

Try:

https:///auth/realms/master/.well-known/openid-configuration

And check the URLs in the page. They should contain https and the correct hostname (for your reverse proxy, not Keycloak). If not, there's an issue with your reverse proxy or it's not configured correctly in the Keycloak server. Check the installation guide for more details.

On 24 October 2016 at 21:38, Vincent Sourin wrote:

> Yes, I think the X-Forwarded-* headers and preservation of the original host are set.
>
> Actually, I'm not really a "network" guy. So for testing purposes, I use the bundle (httpd + ssl) provided on the mod_cluster website.
>
> I "tweak" the configuration to try to achieve SSL termination and WebSocket like this:
>
> ------------------------ Apache Configuration ----------------------------
> ServerRoot "/opt/jboss/httpd/httpd"
>
> LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
> [...]
> LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
>
> User daemon
> Group daemon
>
> AllowOverride none
> Require all denied
>
> DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
>
> Options Indexes FollowSymLinks
> AllowOverride None
> Require all granted
>
> DirectoryIndex index.html
>
> Require all denied
>
> ErrorLog "logs/error_log"
> LogLevel warn
>
> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
>
> SetEnvIf Request_URI "^/check\.txt$" dontlog
> CustomLog "logs/access.log" combined env=!dontlog
>
> ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
>
> AllowOverride None
> Options None
> Require all granted
>
> TypesConfig conf/mime.types
> AddType application/x-compress .Z
> AddType application/x-gzip .gz .tgz
>
> Include conf/extra/proxy-html.conf
>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
> SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
> EnableWsTunnel
>
> Listen XXXXXXXX:443
>
> ServerName XXXXXXXXXXXXXXX
>
> CreateBalancers 0
>
> AllowDisplay On
> SetHandler mod_cluster-manager
> Require ip 10.10
>
> ProxyPass !
>
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder on
> SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
> SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
> SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
> SSLVerifyClient none
>
> ProxyPreserveHost On
> RequestHeader Set X-Forwarded-Proto "https"
>
> Listen XXXXXXXXX:6666
>
> ServerName XXXXXXXXXXXXXXXXX
>
> Require ip 10.10
>
> AllowDisplay On
> KeepAliveTimeout 300
> MaxKeepAliveRequests 0
> ServerAdvertise on
> AdvertiseFrequency 5
> AdvertiseGroup 224.0.1.205:24364
> EnableMCPMReceive
> ManagerBalancerName mycluster
>
> ProxyPreserveHost On
> RequestHeader Set X-Forwarded-Proto "https"
> ------------------------ Apache Configuration ----------------------------
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday, 24 October 2016 08:08
> To: Vincent Sourin
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
> Is your proxy setting X-Forwarded-For and X-Forwarded-Proto, and also preserving the original Host header?
>
> On 22 October 2016 at 13:19, Vincent Sourin wrote:
>
> Hello,
>
> I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache reverse proxy (with mod_cluster).
>
> First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/
>
> I think it's worth mentioning that:
>
> * WildFly & Keycloak are installed on the same servers but each in separate instances (not using overlay deployment)
>
> * mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use WebSocket with WildFly
>
> So, in this configuration, applications deployed on the WildFly instances work well but I've got some problem with Keycloak.
> Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails.
>
> If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.
>
> Here is a snippet of my Keycloak configuration:
>
> socket-binding="http" redirect-socket="proxy-https"/>
> enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
> [...]
> [...]
> connector="default">
> [...]
> [...]
> [...]
>
> Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?
>
> Thanks for your help.
>
> Vincent.

From sthorger at redhat.com Tue Oct 25 04:04:09 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 25 Oct 2016 10:04:09 +0200
Subject: [keycloak-user] Not able to set credentials for a user while creating a user through my own Rest API
In-Reply-To:
References: <7ba338e2-6396-6b4a-1f34-a5330f079e58@redhat.com>
Message-ID:

For now you'd need to generate a random password and use the admin endpoints to set that. Not sure when we can get around to implementing the feature. It may be possible in 3.x, but no guarantees.

On 24 October 2016 at 13:59, abhishek raghav wrote:

> Thanks for clarifying the feature.
>
> Meanwhile, until we get this feature rolled out, do you suggest any workaround which is kind of standard and does not create any security loophole in the system?
>
> In which release can we expect this feature?
>
> Cheers
> Abhishek
>
> On Mon, Oct 24, 2016 at 10:01 AM, Stian Thorgersen wrote:
>
>> Welcome mail is probably not covering your use-case. AFAIK that issue is more about a "hello, welcome aboard" mail rather than an "activate your account" mail. You can add a comment to the issue asking to be able to send a welcome mail with the ability to initialize the password.
>>
>> On 21 October 2016 at 15:10, abhishek raghav wrote:
>>
>>> Hey
>>>
>>> Thanks for explaining how the user credentials are set.
>>> I guess the problem which I am facing can be solved by using KEYCLOAK-1835
>>>
>>> https://issues.jboss.org/browse/KEYCLOAK-1835
>>>
>>> When can we expect this to be released?
>>>
>>> And if it is not going to be released in the future, what should be the strategy to activate the user so that they can set their password?
>>>
>>> Keycloak sends a link to update the password to the user at the time of user creation. Now this link has a very short lifetime. I can't expect my users to respond that quickly (say, within 5 minutes), so by the time they click on it, it has expired.
>>>
>>> This isn't a problem with self registration, just when an administrator is creating an account for the user.
>>>
>>> Please suggest any strategy to overcome this scenario, or what is the standard way an IDM activates the user account / provisions the users the first time.
>>>
>>> Cheers
>>> Abhishek
>>>
>>> On Fri, Oct 21, 2016 at 10:19 AM, Stian Thorgersen wrote:
>>>
>>>> We'll never expose user credentials over the REST endpoints. We don't even know them as they are hashed.
>>>>
>>>> Instead of sending a temporary password you should send the user a reset password link. That's a special code that lets the user set the password.
>>>>
>>>> On 20 October 2016 at 21:55, abhishek raghav wrote:
>>>>
>>>>> I am able to set the user credentials by calling a different endpoint as suggested by you, but when I inspect the returned UserRepresentation object, credentials are still null.
>>>>>
>>>>> I am actually trying to create an email template theme, where I am sending the temporarily created user password to the user's registered email. So I am able to include the username like this:
>>>>>
>>>>> ${msg("executeActionsBodyHtml",link, linkExpiration, realmName, user.getUsername())}
>>>>>
>>>>> But when I try to do the same for credentials, user.getCredentials().get(0).getValue(), I get a null pointer as credentials were not set in the user.
>>>>>
>>>>> I know it's kind of absurd.
>>>>>
>>>>> Please suggest what I am doing wrong.
>>>>>
>>>>> Cheers
>>>>> Abhishek
>>>>>
>>>>> On Thu, Oct 20, 2016 at 9:11 PM, Marek Posolda wrote:
>>>>>
>>>>> > Yes, but we have a separate endpoint for managing (resetting) the user password and other credentials.
>>>>> >
>>>>> > See for example the admin console and check with some plugin (like Firebug for Firefox) which REST endpoints are called when you reset the password for some user.
>>>>> >
>>>>> > Marek
>>>>> >
>>>>> > On 20/10/16 17:02, abhishek raghav wrote:
>>>>> >
>>>>> >> Hey
>>>>> >>
>>>>> >> I am trying to create a user by calling the Keycloak REST APIs through my own REST APIs. I am able to set all other properties of a user and create the user, but when I try assigning the credentials, I get stuck.
>>>>> >>
>>>>> >> First of all, is it possible to do this externally, i.e. create such a scenario?
>>>>> >>
>>>>> >> If yes, how can I do that.
>>>>> >>
>>>>> >> Cheers
>>>>> >> Abhishek

From sourin-v at bridgestone-bae.com Tue Oct 25 04:05:41 2016
From: sourin-v at bridgestone-bae.com (Vincent Sourin)
Date: Tue, 25 Oct 2016 08:05:41 +0000
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com>
Message-ID: <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>

All the URLs at the given address contain https and the reverse proxy hostname.

Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM: +32 492 97 44 99

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 09:49
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Try:

https:///auth/realms/master/.well-known/openid-configuration

And check the URLs in the page. They should contain https and the correct hostname (for your reverse proxy, not Keycloak). If not, there's an issue with your reverse proxy or it's not configured correctly in the Keycloak server. Check the installation guide for more details.

On 24 October 2016 at 21:38, Vincent Sourin wrote:

Yes, I think the X-Forwarded-* headers and preservation of the original host are set.

Actually, I'm not really a "network" guy. So for testing purposes, I use the bundle (httpd + ssl) provided on the mod_cluster website.

I "tweak"
the configuration to try to achieve SSL termination and WebSocket like this:

------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"

LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[...]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so

User daemon
Group daemon

AllowOverride none
Require all denied

DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"

Options Indexes FollowSymLinks
AllowOverride None
Require all granted

DirectoryIndex index.html

Require all denied

ErrorLog "logs/error_log"
LogLevel warn

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog "logs/access.log" combined env=!dontlog

ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"

AllowOverride None
Options None
Require all granted

TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

Include conf/extra/proxy-html.conf

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel

Listen XXXXXXXX:443

ServerName XXXXXXXXXXXXXXX

CreateBalancers 0

AllowDisplay On
SetHandler mod_cluster-manager
Require ip 10.10

ProxyPass !

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
SSLVerifyClient none

ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"

Listen XXXXXXXXX:6666

ServerName XXXXXXXXXXXXXXXXX

Require ip 10.10

AllowDisplay On
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
AdvertiseGroup 224.0.1.205:24364
EnableMCPMReceive
ManagerBalancerName mycluster

ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
------------------------ Apache Configuration ----------------------------

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, 24 October 2016 08:08
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Is your proxy setting X-Forwarded-For and X-Forwarded-Proto, and also preserving the original Host header?

On 22 October 2016 at 13:19, Vincent Sourin wrote:

Hello,

I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache reverse proxy (with mod_cluster).

First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/

I think it's worth mentioning that:

* WildFly & Keycloak are installed on the same servers but each in separate instances (not using overlay deployment)

* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use WebSocket with WildFly

So, in this configuration, applications deployed on the WildFly instances work well but I've got some problem with Keycloak.
Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails.

If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.

Here is a snippet of my Keycloak configuration:

[...]
[...]
[...]
[...]
[...]

Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?

Thanks for your help.

Vincent.

From sthorger at redhat.com Tue Oct 25 04:38:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 25 Oct 2016 10:38:15 +0200
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To: <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>
Message-ID:

What specific link on the "welcome page" are you referring to? Is it the link in the text "You need local access to create the initial admin user. Open http://localhost:8080/auth or use the add-user-keycloak script."?

On 25 October 2016 at 10:05, Vincent Sourin wrote:

> All the URLs at the given address contain https and the reverse proxy hostname.
>
> Sourin Vincent - Systems Engineer
> Bridgestone Aircraft Tire (Europe)
> Route de Bavay - B7080 Frameries (Belgium)
> Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
> GSM: +32 492 97 44 99
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Tuesday, 25 October 2016 09:49
> To: Vincent Sourin
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
> Try:
>
> https:///auth/realms/master/.well-known/openid-configuration
>
> And check the URLs in the page. They should contain https and the correct hostname (for your reverse proxy, not Keycloak).
> If not, there's an issue with your reverse proxy or it's not configured correctly in the Keycloak server. Check the installation guide for more details.
>
> On 24 October 2016 at 21:38, Vincent Sourin wrote:
>
> Yes, I think the X-Forwarded-* headers and preservation of the original host are set.
>
> Actually, I'm not really a "network" guy. So for testing purposes, I use the bundle (httpd + ssl) provided on the mod_cluster website.
>
> I "tweak" the configuration to try to achieve SSL termination and WebSocket like this:
>
> ------------------------ Apache Configuration ----------------------------
> ServerRoot "/opt/jboss/httpd/httpd"
>
> LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
> [...]
> LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
>
> User daemon
> Group daemon
>
> AllowOverride none
> Require all denied
>
> DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
>
> Options Indexes FollowSymLinks
> AllowOverride None
> Require all granted
>
> DirectoryIndex index.html
>
> Require all denied
>
> ErrorLog "logs/error_log"
> LogLevel warn
>
> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %b" common
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
>
> SetEnvIf Request_URI "^/check\.txt$" dontlog
> CustomLog "logs/access.log" combined env=!dontlog
>
> ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
>
> AllowOverride None
> Options None
> Require all granted
>
> TypesConfig conf/mime.types
> AddType application/x-compress .Z
> AddType application/x-gzip .gz .tgz
>
> Include conf/extra/proxy-html.conf
>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
> SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
> EnableWsTunnel
>
> Listen XXXXXXXX:443
>
> ServerName XXXXXXXXXXXXXXX
>
> CreateBalancers 0
>
> AllowDisplay On
> SetHandler mod_cluster-manager
> Require ip 10.10
>
> ProxyPass !
>
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLHonorCipherOrder on
> SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
> SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
> SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
> SSLVerifyClient none
>
> ProxyPreserveHost On
> RequestHeader Set X-Forwarded-Proto "https"
>
> Listen XXXXXXXXX:6666
>
> ServerName XXXXXXXXXXXXXXXXX
>
> Require ip 10.10
>
> AllowDisplay On
> KeepAliveTimeout 300
> MaxKeepAliveRequests 0
> ServerAdvertise on
> AdvertiseFrequency 5
> AdvertiseGroup 224.0.1.205:24364
> EnableMCPMReceive
> ManagerBalancerName mycluster
>
> ProxyPreserveHost On
> RequestHeader Set X-Forwarded-Proto "https"
> ------------------------ Apache Configuration ----------------------------
>
> From: Stian Thorgersen [mailto:sthorger at redhat.com]
> Sent: Monday, 24 October 2016 08:08
> To: Vincent Sourin
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
>
> Is your proxy setting X-Forwarded-For and X-Forwarded-Proto, and also preserving the original Host header?
>
> On 22 October 2016 at 13:19, Vincent Sourin wrote:
>
> Hello,
>
> I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache reverse proxy (with mod_cluster).
>
> First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/
>
> I think it's worth mentioning that:
>
> * WildFly & Keycloak are installed on the same servers but each in separate instances (not using overlay deployment)
>
> * mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use WebSocket with WildFly
>
> So, in this configuration, applications deployed on the WildFly instances work well but I've got some problem with Keycloak.
> Reaching the Keycloak "auth" page (https://XXXXXXX/auth/) works fine but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request fails.
>
> If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.
>
> Here is a snippet of my Keycloak configuration:
>
> socket-binding="http" redirect-socket="proxy-https"/>
> enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
> [...]
> [...]
> connector="default">
> [...]
> [...]
> [...]
>
> Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?
>
> Thanks for your help.
>
> Vincent.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sourin-v at bridgestone-bae.com Tue Oct 25 05:24:33 2016
From: sourin-v at bridgestone-bae.com (Vincent Sourin)
Date: Tue, 25 Oct 2016 09:24:33 +0000
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>
Message-ID:

No, it is the link Administration Console.

I made a screenshot here: https://postimg.org/image/5q6vg95iz/482e5a3f/

Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM: +32 492 97 44 99

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 10:38
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

What specific link on the "welcome page" are you referring to? Is it the
link in the text "You need local access to create the initial admin user.
Open http://localhost:8080/auth or use the add-user-keycloak script."?

On 25 October 2016 at 10:05, Vincent Sourin wrote:

All the URLs at the given address contain https and the reverse proxy
hostname.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 09:49
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Try:

https:///auth/realms/master/.well-known/openid-configuration

And check the URLs in the page. They should contain https and correct
hostname (for your reverse proxy, not Keycloak). If not there's an issue
with your reverse proxy or it's not configured correctly in Keycloak
server. Check the installation guide for more details.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Oct 25 05:58:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 25 Oct 2016 11:58:34 +0200
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>
Message-ID:

Strange. I can't see why that should ever redirect to non-https. Can you
capture the requests that are being sent after you click on the link to see
where/when the redirect to non-https is coming into play?

On 25 October 2016 at 11:24, Vincent Sourin wrote:
> No, it is the link Administration Console.
>
> I made a screenshot here: https://postimg.org/image/5q6vg95iz/482e5a3f/
From michael_furman at hotmail.com Tue Oct 25 06:10:09 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 25 Oct 2016 10:10:09 +0000
Subject: [keycloak-user] How to configure OpenID Connect authentication?
In-Reply-To: <4b77c388-a43a-eb75-42ea-ed8a7245eb6f@redhat.com>
References: , <4b77c388-a43a-eb75-42ea-ed8a7245eb6f@redhat.com>
Message-ID:

Thanks Marek,
I was able to see the secret generated by the server.
Can I set (configure) the secret by myself?
Best regards,
Michael

________________________________
From: Marek Posolda
Sent: Thursday, October 20, 2016 6:40 PM
To: Michael Furman; stian at redhat.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to configure OpenID Connect authentication?

On 20/10/16 15:24, Michael Furman wrote:
> Hi Stian,
> Thank you for your help!
> I was able to access the OIDC configuration.
> Now I want to configure OIDC client using the static registration.
> I have opened the client configuration screen (at http://localhost:8080/auth/admin/master/console/#/realms/master/clients) and added client with openid-connect protocol.
>
> Unfortunately I can not find a way for the configuration of the client secret.

If you set "Access Type" -> "confidential" and then go to tabs "Credentials" you will see client secret.

Marek

> How can I do it?
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Monday, October 17, 2016 9:36 PM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to configure OpenID Connect authentication?
>
> The correct URL is http://localhost:8080/auth/realms/master/.well-known/openid-configuration
>
> On 13 October 2016 at 10:55, Michael Furman wrote:
> Hi all,
> I have started to learn Keycloak and I need your help.
> I have downloaded the Keycloak Standalone server 2.2.1 distribution from here http://www.keycloak.org/downloads.html
> I am trying to get openid-configuration without success using this URL:
> http://localhost:8080/auth/admin/master/console/#/realms/master/.well-known/openid-configuration
>
> I cannot find any clue here:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/topics/sso-protocols/oidc.html
>
> Trying to use Demo distribution without success.
> Thank you in advance for your help.
> Best regards,
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sourin-v at bridgestone-bae.com Tue Oct 25 06:31:10 2016
From: sourin-v at bridgestone-bae.com (Vincent Sourin)
Date: Tue, 25 Oct 2016 10:31:10 +0000
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>
Message-ID:

Here are the captured packets dumped by Undertow.

Strangely, on the second request I don't see X-Forwarded-* headers in the
request.

I don't think it's normal?

1/ First when browsing to https://as.mydomain.com/auth

==============================================================
2016-10-25 12:23:59,164 INFO [io.undertow.request.dump] (default task-3)
----------------------------REQUEST---------------------------
URI=/auth/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=X-Forwarded-Server=webserver.mydomain.com
header=Upgrade=WebSocket
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Connection=Upgrade
header=X-Forwarded-Proto=https
header=X-Forwarded-For=10.10.0.89
header=Upgrade-Insecure-Requests=1
header=Host=as.mydomain.com
header=X-Forwarded-Host=as.mydomain.com
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=10.10.0.89:0
remoteHost=10.10.0.89
scheme=https
host=as.mydomain.com
serverPort=0
--------------------------RESPONSE--------------------------
contentLength=2740
contentType=text/html;charset=utf-8
header=Cache-Control=no-cache, must-revalidate, no-transform, no-store
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=X-Frame-Options=SAMEORIGIN
header=Content-Security-Policy=frame-src 'self'
header=Date=Tue, 25 Oct 2016 10:23:59 GMT
header=Connection=keep-alive
header=X-Content-Type-Options=nosniff
header=Content-Type=text/html;charset=utf-8
header=Content-Length=2740
status=200

2/ Then, when clicking the Administration console link on the auth page:

==============================================================
2016-10-25 12:24:11,069 INFO [io.undertow.request.dump] (default task-4)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Connection=keep-alive
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Referer=https://as.mydomain.com/auth/
header=Upgrade-Insecure-Requests=1
header=Host=as.bridgestone-bae.corp
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/10.10.2.134:47440
remoteHost=webserver.mydomain.com
scheme=http
host=as.mydomain.com
serverPort=18080
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Location=http://as.mydomain.com/auth/admin/master/console/
header=Content-Length=0
header=Date=Tue, 25 Oct 2016 10:24:11 GMT
status=302

Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM: +32 492 97 44 99
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about < some insecured items on the page > and I can't reach the console neither. Here a a snippet of my keycloak configuration : [...] [...] [...] [...] [...] Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior ? Thanks for your help. Vincent. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Tue Oct 25 06:35:05 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 25 Oct 2016 12:35:05 +0200 Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster In-Reply-To: References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com> Message-ID: Did you do replace some values in what you pasted? In the second request it's also showing a strange value for Host: header=Referer=https://as.mydomain.com/auth/ header=Host=as.bridgestone-bae.corp Referrer is as.mydomain.com, but it's trying to get as.bridgestone-bae.corp. Then there's also missing X-Forwarded* headers yes. On 25 October 2016 at 12:31, Vincent Sourin wrote: > Here is the captured packets dumped by Undertow. > > Strangely, on the second request I don?t see X-Forwarded-* Header in the > request. > > I don?t think it?s normal ? 
> > > > 1/ First when browsing to https://as.mydomain.com/auth > > > > ============================================================== > > 2016-10-25 12:23:59,164 INFO [io.undertow.request.dump] (default task-3) > > ----------------------------REQUEST--------------------------- > > URI=/auth/ > > characterEncoding=null > > contentLength=-1 > > contentType=null > > header=Accept=text/html,application/xhtml+xml, > application/xml;q=0.9,*/*;q=0.8 > > header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 > > header=Accept-Encoding=gzip, deflate, br > > header=X-Forwarded-Server=webserver.mydomain.com > > header=Upgrade=WebSocket > > header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) > Gecko/20100101 Firefox/49.0 > > header=Connection=Upgrade > > header=X-Forwarded-Proto=https > > header=X-Forwarded-For=10.10.0.89 > > header=Upgrade-Insecure-Requests=1 > > header=Host=as.mydomain.com > > header=X-Forwarded-Host=as.mydomain.com > > locale=[fr, fr_FR, en_US, en] > > method=GET > > protocol=HTTP/1.1 > > queryString= > > remoteAddr=10.10.0.89:0 > > remoteHost=10.10.0.89 > > scheme=https > > host=as.mydomain.com > > serverPort=0 > > --------------------------RESPONSE-------------------------- > > contentLength=2740 > > contentType=text/html;charset=utf-8 > > header=Cache-Control=no-cache, must-revalidate, no-transform, > no-store > > header=X-Powered-By=Undertow/1 > > header=Server=WildFly/10 > > header=X-Frame-Options=SAMEORIGIN > > header=Content-Security-Policy=frame-src 'self' > > header=Date=Tue, 25 Oct 2016 10:23:59 GMT > > header=Connection=keep-alive > > header=X-Content-Type-Options=nosniff > > header=Content-Type=text/html;charset=utf-8 > > header=Content-Length=2740 > > status=200 > > > > 2/ Then, when clicking the Administration console link on the auth page : > > > > ============================================================== > > 2016-10-25 12:24:11,069 INFO [io.undertow.request.dump] (default task-4) > > 
> > ----------------------------REQUEST---------------------------
> > URI=/auth/admin/
> > characterEncoding=null
> > contentLength=-1
> > contentType=null
> > header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> > header=Connection=keep-alive
> > header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
> > header=Accept-Encoding=gzip, deflate, br
> > header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
> > header=Referer=https://as.mydomain.com/auth/
> > header=Upgrade-Insecure-Requests=1
> > header=Host=as.bridgestone-bae.corp
> > locale=[fr, fr_FR, en_US, en]
> > method=GET
> > protocol=HTTP/1.1
> > queryString=
> > remoteAddr=/10.10.2.134:47440
> > remoteHost=webserver.mydomain.com
> > scheme=http
> > host=as.mydomain.com
> > serverPort=18080
> > --------------------------RESPONSE--------------------------
> > contentLength=0
> > contentType=null
> > header=Connection=keep-alive
> > header=X-Powered-By=Undertow/1
> > header=Server=WildFly/10
> > header=Location=http://as.mydomain.com/auth/admin/master/console/
> > header=Content-Length=0
> > header=Date=Tue, 25 Oct 2016 10:24:11 GMT
> > status=302
> >
> > Sourin Vincent - Systems Engineer
> > Bridgestone Aircraft Tire (Europe)
> > Route de Bavay - B7080 Frameries (Belgium)
> > Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
> > GSM : +32 492 97 44 99
> >
> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> > *Sent:* Tuesday 25 October 2016 11:59
> > *To:* Vincent Sourin
> > *Cc:* keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
> >
> > Strange. I can't see why that should ever redirect to non-https. Can you capture the requests that are being sent after you click on the link to see where/when the redirect to non-https is coming into play?
> >
> > On 25 October 2016 at 11:24, Vincent Sourin wrote:
> >
> > No, it is the link Administration Console
> >
> > I made a screenshot here : https://postimg.org/image/5q6vg95iz/482e5a3f/
> >
> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> > *Sent:* Tuesday 25 October 2016 10:38
> > *To:* Vincent Sourin
> > *Cc:* keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
> >
> > What specific link on the "welcome page" are you referring to? Is it the link in the text "You need local access to create the initial admin user. Open http://localhost:8080/auth or use the add-user-keycloak script."?
> >
> > On 25 October 2016 at 10:05, Vincent Sourin wrote:
> >
> > All the URLs at the given address contain https and the reverse proxy hostname.
> >
> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> > *Sent:* Tuesday 25 October 2016 09:49
> > *To:* Vincent Sourin
> > *Cc:* keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
> >
> > Try:
> >
> > https:///auth/realms/master/.well-known/openid-configuration
> >
> > And check the URLs in the page. They should contain https and the correct hostname (for your reverse proxy, not Keycloak). If not there's an issue with your reverse proxy or it's not configured correctly in Keycloak server. Check the installation guide for more details.
> >
> > On 24 October 2016 at 21:38, Vincent Sourin wrote:
> >
> > Yes I think X-Forwarded-* Headers and preservation of original host are set.
> >
> > Actually, I'm not really a "network" guy. So for testing purpose, I use the bundle (httpd + ssl ) provided on mod_cluster website.
> >
> > I "tweak" the configuration to try to achieve SSL Termination and Websocket like this :
> >
> > ------------------------ Apache Configuration ----------------------------
> > ServerRoot "/opt/jboss/httpd/httpd"
> >
> > LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
> > [...]
> > LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
> >
> > User daemon
> > Group daemon
> >
> > AllowOverride none
> > Require all denied
> >
> > DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
> > Options Indexes FollowSymLinks
> > AllowOverride None
> > Require all granted
> >
> > DirectoryIndex index.html
> >
> > Require all denied
> >
> > ErrorLog "logs/error_log"
> > LogLevel warn
> >
> > LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
> > LogFormat "%h %l %u %t \"%r\" %>s %b" common
> > LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
> >
> > SetEnvIf Request_URI "^/check\.txt$" dontlog
> > CustomLog "logs/access.log" combined env=!dontlog
> >
> > ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
> >
> > AllowOverride None
> > Options None
> > Require all granted
> >
> > TypesConfig conf/mime.types
> > AddType application/x-compress .Z
> > AddType application/x-gzip .gz .tgz
> >
> > Include conf/extra/proxy-html.conf
> >
> > SSLRandomSeed startup builtin
> > SSLRandomSeed connect builtin
> >
> > MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
> > SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
> > EnableWsTunnel
> >
> > Listen XXXXXXXX:443
> >
> > ServerName XXXXXXXXXXXXXXX
> >
> > CreateBalancers 0
> >
> > AllowDisplay On
> > SetHandler mod_cluster-manager
> > Require ip 10.10
> >
> > ProxyPass !
> >
> > SSLEngine on
> > SSLProtocol all -SSLv2
> > SSLHonorCipherOrder on
> > SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
> > SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
> > SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
> > SSLVerifyClient none
> >
> > ProxyPreserveHost On
> > RequestHeader Set X-Forwarded-Proto "https"
> >
> > Listen XXXXXXXXX:6666
> >
> > ServerName XXXXXXXXXXXXXXXXX
> >
> > Require ip 10.10
> >
> > AllowDisplay On
> > KeepAliveTimeout 300
> > MaxKeepAliveRequests 0
> > ServerAdvertise on
> > AdvertiseFrequency 5
> > AdvertiseGroup 224.0.1.205:24364
> > EnableMCPMReceive
> > ManagerBalancerName mycluster
> >
> > ProxyPreserveHost On
> > RequestHeader Set X-Forwarded-Proto "https"
> > ------------------------ Apache Configuration ----------------------------
> >
> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> > *Sent:* Monday 24 October 2016 08:08
> > *To:* Vincent Sourin
> > *Cc:* keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
> >
> > Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also preserving the original Host header?
> >
> > On 22 October 2016 at 13:19, Vincent Sourin wrote:
> >
> > Hello,
> >
> > I've got a strange behavior with Keycloak instance (version 2.2.1 Final) behind an Apache Reverse Proxy (with Mod_cluster).
> >
> > First of all, here is my test environment : https://postimg.org/image/z7xrb08ev/
> >
> > I think it's worth mentioning that :
> >
> > * Wildfly & keycloak are installed on the same servers but each in separate instances (not using overlay deployment)
> >
> > * mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use Websocket with wildfly
> >
> > So, in this configuration, applications deployed on wildfly instances work well but I got some problem with Keycloak.
> > Reaching keycloak "auth" page (https://XXXXXXX/auth/) works fine but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to plain http connection and so the request failed.
> >
> > If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.
> >
> > Here is a snippet of my keycloak configuration :
> >
> > socket-binding="http" redirect-socket="proxy-https"/>
> > enabled-protocols="TLSv1.2" security-realm="UndertowRealm" socket-binding="https"/>
> > [...]
> > [...]
> > connector="default">
> > [...]
> > [...]
> > [...]
> >
> > Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior ?
> >
> > Thanks for your help.
> >
> > Vincent.

From sourin-v at bridgestone-bae.com Tue Oct 25 07:10:05 2016
From: sourin-v at bridgestone-bae.com (Vincent Sourin)
Date: Tue, 25 Oct 2016 11:10:05 +0000
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>
Message-ID: <7aef5d8866f44a6cb466ff0b7eff7f89@bridgestone-bae.com>

Arf, yes my bad, I tried to sanitize the logs and missed this one...

I think the problem comes from the missing headers. I'll investigate on this and keep you posted.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday 25 October 2016 12:35
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Did you replace some values in what you pasted? In the second request it's also showing a strange value for Host:

header=Referer=https://as.mydomain.com/auth/
header=Host=as.bridgestone-bae.corp

Referrer is as.mydomain.com, but it's trying to get as.bridgestone-bae.corp.

Then there's also missing X-Forwarded* headers yes.

From bystrik.horvath at gmail.com Tue Oct 25 07:23:46 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Tue, 25 Oct 2016 13:23:46 +0200
Subject: [keycloak-user] password history not always correctly considered
Message-ID:

Hello,

I have a realm where password history was set to 3. When I try to set the password for a user too fast (via REST API), I'm able to use one of the passwords that should be recorded as not usable. When I put a small sleep between the password changes (approx. 300 ms), the use case works fine - so I'm not allowed to use any of the 3 recorded passwords from the history. I tested the case using 1.9.3 Final and 2.2.1 Final with the same results.
It looks to me like a bug, isn't it?

Thank you for the answer & best regards,
Bystrik

From sthorger at redhat.com Tue Oct 25 08:54:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 25 Oct 2016 14:54:51 +0200
Subject: [keycloak-user] password history not always correctly considered
In-Reply-To:
References:
Message-ID:

I suspect what's happening is that there's two concurrent requests to update the password history and one overrides the changes from the other. Is it really a problem though? I somehow don't think users update their password every 300 ms.

From bburke at redhat.com Tue Oct 25 09:00:48 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 25 Oct 2016 09:00:48 -0400
Subject: [keycloak-user] password history not always correctly considered
In-Reply-To:
References:
Message-ID: <14c8a140-6367-73ae-ac43-f501988ffa63@redhat.com>

We purge older history entries. It's based on creation date of current time in milliseconds. I guess it could be possible that the update is happening so fast that multiple entries have the same creation date. Are you running tests in a cluster? Could also be possible that the machines in your cluster don't have fully synchronized clocks.

Does it work for the 1st 2 tries, then fail on the 3rd? Then that is probably the problem you are experiencing.

From michael_furman at hotmail.com Tue Oct 25 09:14:18 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 25 Oct 2016 13:14:18 +0000
Subject: [keycloak-user] Newbie API question
In-Reply-To: <57F650AC.5010808@redhat.com>
References: , <57F650AC.5010808@redhat.com>
Message-ID:

Thanks James,

I will be happy for one additional clarification.
I use 2.2.1 and the following tutorial:
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/admin-rest-api.html

Where can I find the description of the required permissions? The link in the document points to the content page:
https://keycloak.gitbooks.io/server-adminstration-guide/content/

Best regards,
Michael

________________________________
From: James Falkner
Sent: Thursday, October 6, 2016 4:25 PM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Newbie API question

Michael Furman
October 6, 2016 at 2:40 AM

Hi all,
I have started to learn Keycloak and I need your help.

1. Is it possible to register a new client using REST API?
http://www.keycloak.org/docs/rest-api/
I want to use the static client registration.
Yes, it's possible - for example, this is how the JBoss EAP/Wildfly adapter does automatic client registration - it does a POST to /admin/realms//clients with a json blob that looks something like

{
  "clientId": "some-client-id",
  "rootUrl": "",
  "adminUrl": "https://some-host:8443/",
  "baseUrl": "",
  "secret": "",
  "redirectUris": [],
  "bearerOnly": true,
  "publicClient": false,
  "protocol": "openid-connect"
}

-James

From bystrik.horvath at gmail.com Tue Oct 25 09:28:28 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Tue, 25 Oct 2016 15:28:28 +0200
Subject: [keycloak-user] password history not always correctly considered
In-Reply-To: <14c8a140-6367-73ae-ac43-f501988ffa63@redhat.com>
References: <14c8a140-6367-73ae-ac43-f501988ffa63@redhat.com>
Message-ID:

Hi Bill and Stian,

I know that this is a silly test case, but the API provides the possibility ;-)
Anyway, I run my test from the POSTMAN tool and the requests are running in a sequence. I have a standalone Keycloak on my windows machine, so it is not a cluster.
Yes Bill, you are right, most failing is the 3rd attempt.

Best regards,
Bystrik

From michael_furman at hotmail.com Tue Oct 25 10:09:22 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 25 Oct 2016 14:09:22 +0000
Subject: [keycloak-user] Different login pages for different clients
Message-ID:

Hi all,
Is it possible to support different login pages for different OIDC clients?
Or at least to understand what OIDC and behave differently for each client?
Thank you in advance for your help.
Best regards,
Michael

From sthorger at redhat.com Wed Oct 26 02:20:36 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 26 Oct 2016 08:20:36 +0200
Subject: [keycloak-user] Different login pages for different clients
In-Reply-To:
References:
Message-ID:

Are you talking about different looking login pages? Or different logins altogether?

From bruno at abstractj.org Wed Oct 26 04:42:35 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 26 Oct 2016 06:42:35 -0200
Subject: [keycloak-user] It's possible to check if an user have an active/valid session through REST API?
In-Reply-To: <87df719b17aa1c066cf248e76a41aea3@rps.com.br>
References: <20161024190138.GA10318@abstractj.org> <87df719b17aa1c066cf248e76a41aea3@rps.com.br>
Message-ID: <20161026084235.GA26735@abstractj.org>

Hi Max, I'm adding the ML back.

Unless I'm mistaken, I don't think this is supported today.

On 2016-10-25, max.catarino at rps.com.br wrote:
>
> Hello Bruno,
>
> Thank you for your reply.
> The http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client [2] endpoint returns a UserSessionRepresentation. As I said, there is no information about whether the session is active or not.
> The http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3] endpoint returns a session count only.
>
> I am looking for an endpoint that returns the status of the user session, active/valid (after login), inactive/invalid (after logout, expired).
>
> Best regards.
>
> Maximiliano
>
> On 24.10.2016 17:01, Bruno Oliveira wrote:
> > Hi Max, I'm not sure which information you want, but you can try to look at these endpoints:
> >
> > * http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client [2]
> > * http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3]
> >
> > On 2016-10-24, max.catarino at rps.com.br wrote:
> >> Is it possible to check if a user has an active/valid session through REST API?
> >>
> >> I saw the UserSessionRepresentation returned by
> >> Keycloak.realm("realmId").users().get("userId").getUserSessions().
> >> But UserSessionRepresentation does not have the information I want.
> >>
> >> Best regards
> >>
> >> Maximiliano
>
> Links:
> ------
> [1] https://lists.jboss.org/mailman/listinfo/keycloak-user
> [2] http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client
> [3] http://www.keycloak.org/docs/rest-api/#_get_client_session_stats

--
abstractj
PGP: 0x84DC9914

From Dimitrios.Gkazgkas at tangoservices.lu Wed Oct 26 05:21:10 2016
From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST))
Date: Wed, 26 Oct 2016 09:21:10 +0000
Subject: [keycloak-user] SAML in a keycloak cluster
In-Reply-To:
References:
Message-ID:

Hello Stian,

Thank you for this hint and your help in general.

Indeed you are right, the URLs in the specified path return security1 or security2 (load balanced) and not security.lu. But our backend servers + the reverse proxy are configured according to specs + some rewrites. You can see our EAP and proxy configuration at the end of this message.

The principal issue is that the backend servers are not able to understand themselves as security.lu, but frankly I do not know how this could work as we have nowhere configuration in the individual keycloak servers (EAP 7 + keycloak-overlay-1.9.8) that references the public name "security.lu". The only machine that knows "security.lu" is the RP (apache + mod_proxy) which is hosted in another server.

Could you explain how the individual Keycloak servers should automatically understand that they are seen as "security.lu" from the outside???
What would be more logical is that the backend keycloak servers have a configuration to know which other keycloak servers are on the same cluster and use this list as a white-list to serve requests regardless of whether the destination is security1 or security2.

=============Standalone-ha XML config=======
...

=============RP config===========
ProxyRequests off
ServerName security.lu
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite xxxxxxxxxxxxxxxx;
SSLHonorCipherOrder on
AddDefaultCharset Off

Order deny,allow
Allow from all

BalancerMember http://mojito-security1.lu:8080 route=mojitosecurity1
BalancerMember http://mojito-security2.lu:8080 route=mojitosecurity2
Order Deny,Allow
Deny from none
Allow from all
# By default, ProxySet lbmethod=byrequests
# ProxySet stickysession=ROUTEID

SetHandler balancer-manager
# I recommend locking this one down to your
# your office
Order deny,allow
Allow from 172.25.240.0/21

ProxyPass /balancer-manager !
ProxyPass / balancer://securitycluster/ stickysession=JSESSIONID|jsessionid

RewriteEngine on
RewriteRule "/auth\?redirect_uri=https://facture\.lu/(.*)" "/realms/Tango/protocol/openid-connect/auth\?redirect_uri=http://billing2\.lu/$1"
Header edit Location http://billing2.lu https://facture.tango.lu
Header edit Location ^http://mojito-security1.lu:8080 https://security.lu
Header edit Location ^http://mojito-security2.lu:8080 https://security.lu

ErrorLog "/opt/csw/apache2/var/log/error_security.lu.log"
TransferLog "/opt/csw/apache2/var/log/access_security.lu.log"

Br
Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 20 October 2016 13:20
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org; Benoît Reny
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Check the urls in http://security.lu/auth/realms/master/protocol/saml/descriptor.
The URLs should contain security.lu and not URLs for the individual nodes. If that's not working, then you don't have the reverse proxy parts configured correctly.

On 20 October 2016 at 11:47, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello,

This part of the configuration ("Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy") is already in place in our system, but still it does not work.

Br

Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 19 October 2016 16:12
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org; Benoît Reny
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Hm.. Just reviewing that doc and it's not far from obvious.

"Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy" are both relevant.

On 19 October 2016 at 15:51, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello,

I suppose that you are talking about the part: Using the Built-In Load Balancer

The thing is that, if I understand well, we can do this configuration for a domain clustered mode. Our configuration is currently a standalone clustered mode. Can this configuration also be applied in this case?

Thanks for your reply,

Br

Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 19 October 2016 14:36
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

If you configure your reverse proxy correctly as well as configure it on the Keycloak side, Keycloak will see its URL as security.lu and not the URL used by the reverse proxy to access it. The steps to do this are explained in the documentation I sent you.
On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) wrote:

======Sent again without the picture=====

Hello,

Could you please be more specific?

In the documentation proposed it is referred how to FW the original client IP, but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest".

We get the following error:

    2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

It seems to come from the following part of the code of the Keycloak project.

    package org.keycloak.protocol.saml;

    public class SamlService extends AuthorizationEndpointBase

        protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
            SamlClient samlClient = new SamlClient(client);
            // validate destination
            if (requestAbstractType.getDestination() != null && !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
                event.detail(Details.REASON, "invalid_destination");
                event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
                return ErrorPage.error(session, Messages.INVALID_REQUEST);
            }

The destination check simply does not match: the request destination is always the internal keycloak address "security1.lu" and it fails when saml requests end up on the second keycloak "security2.lu".

Br

Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 18 October 2016 20:12
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Please look at the documentation. It explains this.

On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello Stian,

Thank you for your response.
Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind a reverse proxy and thus they do not know that they are called "security.lu"; they just know that they are either security1.lu or security2.lu.

When we tried to overwrite the Saml XML configuration (that the client uses for integration) and put the public address "security.lu", we again had the same ERROR in Keycloak logs "reason=invalid_destination", probably due to the same root cause: the destination in the Saml AuthRequest was "Service.lu", an address unknown for keycloak inside the private network.

xxxxx

The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:

    2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

From what I see there is, for the saml client, a Clustering tab where I currently have nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.

Or is there any way to define both security1.lu and security2.lu in the Saml XML configuration that the client integrates?

We have set proxy-address-forwarding=true

Thank you for your help.

Kr,

Br

Dimitrios Gkazgkas
IT Solutions Architect

________________________________

**** DISCLAIMER ****
http://www.tango.lu/maildisclaimer
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From abhi.raghav007 at gmail.com Wed Oct 26 05:43:24 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Wed, 26 Oct 2016 15:13:24 +0530
Subject: [keycloak-user] Unable to load depency for "keycloak-events-api" module
Message-ID:

Hi

I am trying to write my own event listener on keycloak.
I referred to the sysout example. When I am registering this module on jboss, I am getting this exception.

    Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-events-api:main

When I checked I could not locate the keycloak-events-api module under the modules directory.

I am working on the keycloak-2.2.1 Final version.

Please suggest what I am doing wrong here. Thanks in advance.

Cheers
Abhishek Raghav

From bruno at abstractj.org Wed Oct 26 05:59:55 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 26 Oct 2016 07:59:55 -0200
Subject: [keycloak-user] Unable to load depency for "keycloak-events-api" module
In-Reply-To:
References:
Message-ID: <20161026095955.GA2001@abstractj.org>

Have you tried to compare with one of our examples[1]? It seems to me that you forgot to include it as a dependency[2], but I can be wrong.

[1] - https://github.com/keycloak/keycloak/tree/master/examples/providers/event-listener-sysout
[2] - https://github.com/keycloak/keycloak/blob/master/examples/providers/event-listener-sysout/pom.xml#L40

On 2016-10-26, abhishek raghav wrote:
> Hi
>
> I am trying to write my own event listener on keycloak. I referred to the
> sysout example. When I am registering this module on jboss, I am getting
> this exception.
>
> Caused by: org.jboss.modules.ModuleNotFoundException:
> org.keycloak.keycloak-events-api:main
>
> When I checked I could not locate the keycloak-events-api module under the modules
> directory.
>
> I am working on the keycloak-2.2.1 Final version.
>
> Please suggest what I am doing wrong here. Thanks in advance.
> > > Cheers > Abhishek Raghav > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From sthorger at redhat.com Wed Oct 26 06:45:41 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 26 Oct 2016 12:45:41 +0200 Subject: [keycloak-user] Keycloak 2.3.0.Final Released Message-ID: Keycloak 2.3.0.Final has just been released. For the list of resolved issues check out JIRA and to download the release go to the Keycloak homepage . Before you upgrade refer to the migration guide From huazonglin at gmail.com Wed Oct 26 07:09:51 2016 From: huazonglin at gmail.com (Joey) Date: Wed, 26 Oct 2016 19:09:51 +0800 Subject: [keycloak-user] Get error when I set https to keycloak and tomcat server. In-Reply-To: References: Message-ID: Yes, Stian, I was using Authorization services. I would like to create a Jira issue. but I created my account but cannot find create issue button on the page. https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-3331?filter=allopenissues Joey On Tue, Oct 18, 2016 at 12:13 AM, Stian Thorgersen wrote: > Looks like a bug in the authorization services when https is used. I assume > you're using the authorization services? Can you create a JIRA please. > > On 13 October 2016 at 06:13, Joey wrote: >> >> Hi Guys, >> >> I am trying to set SSL for both of keycloak and tomcat server. I apply >> a free cer from http://www.cacert.org. I installed cer to my keycloak >> server follow document 7.3 and 7.4 >> >> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html >> >> and installed cer to my tomcat server follow >> https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html >> >> I started keycloak server from https, it works fine. 
But I started >> tomcat with my application (It works fine with http, I changed >> everything from http to https in all configuation files) >> but I saw this error message in tomcat server log. >> >> Anyone can help me out of this problem, thank you. >> >> ERROR MESSAGE >> >> >> 2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG >> org.springframework.web.servlet.DispatcherServlet - Servlet 'spring' >> configured successfully >> >> >> Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase >> addChildInternal >> >> SEVERE: ContainerBase.addChild: start: >> >> org.apache.catalina.LifecycleException: Failed to start component >> >> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]] >> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162) >> >> at >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) >> >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) >> >> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) >> >> at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092) >> >> at >> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984) >> >> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> >> at java.lang.Thread.run(Thread.java:745) >> >> Caused by: java.lang.RuntimeException: Could not obtain configuration >> from server >> [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c-sso-test/.well-known/uma-configuration]. 
>> >> at >> org.keycloak.authorization.client.AuthzClient.(AuthzClient.java:82) >> >> at >> org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:56) >> >> at >> org.keycloak.adapters.authorization.PolicyEnforcer.(PolicyEnforcer.java:59) >> >> at >> org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118) >> >> at >> org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127) >> >> at >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133) >> >> at >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75) >> >> at >> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) >> >> at >> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) >> >> at >> org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388) >> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155) >> >> ... 10 more >> >> Caused by: java.lang.NullPointerException >> >> at java.lang.String.(String.java:566) >> >> at >> org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103) >> >> at >> org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48) >> >> at >> org.keycloak.authorization.client.AuthzClient.(AuthzClient.java:80) >> >> ... 
20 more >> >> >> Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig deployWAR >> >> SEVERE: Error deploying web application archive >> /root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war >> >> java.lang.IllegalStateException: ContainerBase.addChild: start: >> org.apache.catalina.LifecycleException: Failed to start component >> >> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]] >> >> at >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:903) >> >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) >> >> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) >> >> at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092) >> >> at >> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984) >> >> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> >> at java.lang.Thread.run(Thread.java:745) >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From huazonglin at gmail.com Wed Oct 26 07:40:34 2016 From: huazonglin at gmail.com (Joey) Date: Wed, 26 Oct 2016 19:40:34 +0800 Subject: [keycloak-user] Policy Enforcement Mode cannot be changed. Message-ID: Hi Guys, I read from documents, and my understanding is if set Policy Enforcement Mode to disable, then any users can access all resources. but I tried to set it to disable. but nothing be changed. For example, I have a role call Role_A , and set a user Tom as this Role_A, if I set a resource access policy without Role_A. this user Tom cannot access this resource. 
And I can see some log in tomcat.

    Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
    DEBUG: Policy enforcement is enable. Enforcing policy decisions for path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp].
    Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
    DEBUG: Policy enforcement result for path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp] is : GRANTED
    Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
    DEBUG: Returning authorization context with permissions:

Joey

From psilva at redhat.com Wed Oct 26 07:55:56 2016
From: psilva at redhat.com (Pedro Igor Craveiro e Silva)
Date: Wed, 26 Oct 2016 09:55:56 -0200
Subject: [keycloak-user] Policy Enforcement Mode cannot be changed.
In-Reply-To:
References:
Message-ID: <1477482956.7522.7.camel@redhat.com>

From your logs it seems that access was actually GRANTED. So your user should be able to access that resource:

    Oct 26, 2016 7:37:33 org.keycloak.adapters.authorization.PolicyEnforcer enforce
    DEBUG: Returning authorization context with permissions:

You don't have any permission in the logs because when you set enforcement-mode to DISABLE, the enforcer will just let the request pass. Maybe you have some other constraint applied to your resource within your application?

On Wed, 2016-10-26 at 19:40 +0800, Joey wrote:
> Hi Guys,
>
> I read from documents, and my understanding is if set Policy
> Enforcement Mode to disable, then any users can access all resources.
> but I tried to set it to disable. but nothing be changed.
>
> For example,
>
> I have a role call Role_A , and set a user Tom as this Role_A, if I
> set a resource access policy without Role_A. this user Tom cannot
> access this resource. And I can see some log in tomcat.
> > Oct 26, 2016 7:37:33 PM > org.keycloak.adapters.authorization.PolicyEnforcer enforce > > DEBUG: Policy enforcement is enable. Enforcing policy decisions for > path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatist > ics/portalLoginStatistics.jsp]. > > Oct 26, 2016 7:37:33 PM > org.keycloak.adapters.authorization.PolicyEnforcer enforce > > DEBUG: Policy enforcement result for path > [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/p > ortalLoginStatistics.jsp] > is : GRANTED > > Oct 26, 2016 7:37:33 PM > org.keycloak.adapters.authorization.PolicyEnforcer enforce > > DEBUG: Returning authorization context with permissions: > > > Joey > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- Pedro Igor From michael_furman at hotmail.com Wed Oct 26 08:05:55 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Wed, 26 Oct 2016 12:05:55 +0000 Subject: [keycloak-user] Different login pages for different clients In-Reply-To: References: , Message-ID: Hi Stian, I am talking about different looking login pages depend on the client. Best regards, Michael ________________________________ From: Stian Thorgersen Sent: Wednesday, October 26, 2016 9:20 AM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Different login pages for different clients Are you talking about different looking login pages? Or different logins altogether? On 25 October 2016 at 16:09, Michael Furman > wrote: Hi all, Is it possible to support Different login pages for different OIDC clients? Or at least to understand what OIDC and behave differently for each client? Thank you in advance for your help. 
Best regards,
Michael
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From jeremy at jeremysimon.com Wed Oct 26 08:20:13 2016
From: jeremy at jeremysimon.com (Jeremy Simon)
Date: Wed, 26 Oct 2016 08:20:13 -0400
Subject: [keycloak-user] Spring security adapter for SAML
In-Reply-To:
References:
Message-ID:

Pulkit,

There is a SAML extension for Spring: http://projects.spring.io/spring-security-saml/

We're using this on a few applications and it works pretty well. The only drawback, and maybe a later version has overcome this, is that backchannel logouts coming from an IDP (in the case of SLO / Global Logout) didn't work, since the application side did not store the SessionIndex outside of an HttpSession's context (linked to a browser cookie). We just ended up writing our own registry to overcome that.

jeremy
jeremy at jeremysimon.com
www.JeremySimon.com

On Wed, Oct 19, 2016 at 3:03 AM, Pulkit Gupta wrote:
> Hi Team,
>
> I have an application with Spring security configured.
> We are trying to migrate the same to keycloak.
>
> Do we have a spring security adapter for keycloak with SAML?
> I went through the documentation and can see that we have a spring adapter,
> but that is for OpenID Connect.
> > -- > Thanks, > Pulkit > AMS > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Oct 26 09:04:08 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 26 Oct 2016 15:04:08 +0200 Subject: [keycloak-user] Different login pages for different clients In-Reply-To: References: Message-ID: You can do it with conditional blocks inside the theme, but we don't directly support different themes for different clients On 26 October 2016 at 14:05, Michael Furman wrote: > Hi Stian, > > I am talking about different looking login pages depend on the client. > > > Best regards, > Michael > > > > ------------------------------ > *From:* Stian Thorgersen > *Sent:* Wednesday, October 26, 2016 9:20 AM > *To:* Michael Furman > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Different login pages for different clients > > Are you talking about different looking login pages? Or different logins > altogether? > > On 25 October 2016 at 16:09, Michael Furman > wrote: > >> Hi all, >> Is it possible to support Different login pages for different OIDC >> clients? >> Or at least to understand what OIDC and behave differently for each >> client? >> Thank you in advance for your help. >> Best regards, >> Michael >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sthorger at redhat.com Wed Oct 26 09:06:11 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 26 Oct 2016 15:06:11 +0200 Subject: [keycloak-user] SAML in a keycloak cluster In-Reply-To: References: Message-ID: This is standard proxy stuff. It uses Host header and X-Forwarded-*. You need to make sure that X-Forwarded-* headers are included and that the original Host header is passed on. 
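Stian's point above reduces to one comparison: a node rejects an AuthnRequest when the Destination it carries differs from the absolute URL the node believes it was called on, and behind a proxy that URL is assembled from the Host header and the X-Forwarded-* headers. The script below is an added example written for this archive, not Keycloak or Undertow code. It models that assembly in simplified form (host from the Host header; scheme from X-Forwarded-Proto only when proxy-address-forwarding is on; ports ignored) and runs the check from the SamlService.loginRequest excerpt quoted earlier in the thread against three constructed header sets. The AuthnRequest, realm name, request ID and endpoint path are constructed placeholders; the hostnames are the ones used in the thread.

```python
"""Model of Keycloak's SAML AuthnRequest Destination check behind a reverse
proxy. Added example for this thread; it is not Keycloak or Undertow code."""
import re

# Constructed AuthnRequest, shaped like the one quoted in the thread.
# Realm, request ID and path are placeholders; hostnames are the thread's.
SAML_ENDPOINT_PATH = "/auth/realms/example/protocol/saml"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'Destination="https://security.lu' + SAML_ENDPOINT_PATH + '" '
    'ForceAuthn="false" ID="ID_constructed-0001" IsPassive="false" '
    'IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0"/>'
)


def authn_request_destination(xml):
    """Return the Destination attribute of a samlp:AuthnRequest, or None
    when the attribute is absent (the quoted Keycloak code skips the check
    in that case)."""
    match = re.search(r'\bDestination="([^"]*)"', xml)
    return match.group(1) if match else None


def effective_request_url(headers, local_scheme, path, proxy_address_forwarding):
    """Simplified model of the absolute URL a backend node computes for a
    request (what uriInfo.getAbsolutePath() yields on that node).

    - The host part is taken from the Host header. A proxy that rewrites
      Host to the backend name makes the node see itself as that name.
    - With proxy-address-forwarding=true the scheme is taken from
      X-Forwarded-Proto when present; otherwise the node's own listener
      scheme is used. Assumption of this model: ports are not handled.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme = local_scheme
    if proxy_address_forwarding and "x-forwarded-proto" in lowered:
        scheme = lowered["x-forwarded-proto"]
    return "%s://%s%s" % (scheme, lowered.get("host", ""), path)


def validate_destination(authn_request_xml, headers, local_scheme, path,
                         proxy_address_forwarding):
    """Mirror the 'validate destination' step: reject when a Destination is
    present and differs from the URL the node sees. Returns (ok, detail)."""
    destination = authn_request_destination(authn_request_xml)
    seen = effective_request_url(headers, local_scheme, path, proxy_address_forwarding)
    if destination is not None and destination != seen:
        return False, "invalid_destination: Destination=%s, node sees %s" % (destination, seen)
    return True, seen


# Three constructed header sets as they would reach node security2.
SCENARIOS = {
    # Apache rewrote Host to the backend name and sent no X-Forwarded-Proto.
    "host_rewritten_by_proxy": (
        {"Host": "mojito-security2.lu:8080"}, "http", True),
    # Host preserved by the proxy and X-Forwarded-Proto set on the TLS vhost,
    # proxy-address-forwarding=true on the node.
    "host_preserved_and_forwarded_proto": (
        {"Host": "security.lu", "X-Forwarded-Proto": "https"}, "http", True),
    # Same headers, but the node ignores them (proxy-address-forwarding=false).
    "forwarding_disabled_on_node": (
        {"Host": "security.lu", "X-Forwarded-Proto": "https"}, "http", False),
}


def run_scenarios():
    """Return {scenario: (ok, detail)} for the constructed header sets."""
    results = {}
    for name, (headers, scheme, forwarding) in SCENARIOS.items():
        results[name] = validate_destination(
            SAMPLE_AUTHN_REQUEST, headers, scheme, SAML_ENDPOINT_PATH, forwarding)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print("%-36s %s  %s" % (name, "OK  " if ok else "FAIL", detail))
```

The first scenario is what the thread reports: the proxy hands the node a Host of mojito-security2.lu:8080, so the node's absolute URL never equals the public Destination and invalid_destination is logged on whichever node the balancer picks, because the Destination is fixed by the client's keycloak-saml.xml while the URL each node sees varies. The second scenario is the configuration Stian describes: on the Apache side that means ProxyPreserveHost On (so Host stays security.lu) together with RequestHeader set X-Forwarded-Proto "https" on the TLS-terminating vhost, and proxy-address-forwarding=true on the Keycloak side. The third scenario shows that the headers alone are not enough: with forwarding disabled on the node the scheme stays http and the comparison still fails.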
On 26 October 2016 at 11:21, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote: > Hello Stian, > > > > Thank you for this hint and your help in general. Indeed you are right the > URLs in the specified path returns security1 or security2 (Loadbalanced) > and not security.lu. > > > > ** > > ** > > ** > > ** > > ** > > > > But our backend servers + the reverse proxy are configured according to > specs + some rewrites. You can see our EAP and proxy configuration at the > end of this messsage. The principal issue is that the backend servers are > not able to understand themselves as *security.lu * > but frankly I do not know how this could work as *we have nowhere > configuration in the individual keykloack servers (EAP 7 + k* > eycloak-overlay-1.9.8*) that reference the public name ?security.lu > ?. *The *only machine* that knows the ?security.lu? > is the *RP *(apache + mod_proxy) which is hosted in another server. > Could you explain how the individual Keycloak servers should automatically > understand thay they are seen as ?security.lu? from the outisde ??? > > > > What would be more logical is that the backend keycloack servers do have a > configuration to know which other keycloack servers are on the same cluster > and use this list as white-list to serve request regardless if the > destination is security1 or security2 ?. > > > > > > =============Standalone-ha XML config======= > > > > instance-id="mojitosecurity1"> > > > > > > > > socket-binding="http" redirect-socket="proxy-https"/> > > alias="localhost"> > > > > > > > > > > > > > > > > > > > > > > > > > > > > header-value="JBoss-EAP/7"/> > > header-name="X-Powered-By" header-value="Undertow/1"/> > > class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/> > > > > > > ?.. > > > > > > > > > > > > > > > > > > > > > > > > > > > > default-interface="public" port-offset="${jboss.socket. 
> binding.port-offset:0}"> > > port="${jboss.management.http.port:xxxxx}"/> > > port="${jboss.management.https.port:xxxx}"/> > > > > > > > > multicast-address="${jboss.default.multicast.address:xxx.x.x.x}" mu > > lticast-port="xxxxxx"/> > > port="xxxxx"/> > > > > > multicast-port="45688"/> > > > > > > > > > > > > > > > > > > > > > > =============RP config=========== > > > > > > ProxyRequests off > > ServerName security.lu > > SSLEngine On > > SSLProtocol ALL -SSLv2 -SSLv3 > > SSLCipherSuite xxxxxxxxxxxxxxxx; > > SSLHonorCipherOrder on > > > > AddDefaultCharset Off > > Order deny,allow > > Allow from all > > > > > > > > BalancerMember http://mojito-security1.lu:8080 > route=mojitosecurity1 > > BalancerMember http://mojito-security2.lu:8080 > route=mojitosecurity2 > > Order Deny,Allow > > Deny from none > > Allow from all > > # By default, ProxySet lbmethod=byrequests > > # ProxySet stickysession=ROUTEID > > > > > > SetHandler balancer-manager > > # I recommend locking this one down to your > > # your office > > Order deny,allow > > Allow from 172.25.240.0/21 > > > > ProxyPass /balancer-manager ! > > ProxyPass / balancer://securitycluster/ stickysession=JSESSIONID| > jsessionid > > RewriteEngine on > > > > > > RewriteRule "/auth\?redirect_uri=https://facture\.lu/(.*)" > "/realms/Tango/protocol/openid-connect/auth\?redirect_uri=http://billing2 > \.lu/$1" > > Header edit Location http://billing2.lu https://facture.tango.lu > > > > > > Header edit Location ^http://mojito-security1.lu:8080 > https://security.lu > > Header edit Location ^http://mojito-security2.lu:8080 > https://security.lu > > > > > > > > ErrorLog "/opt/csw/apache2/var/log/error_security.lu.log" > > TransferLog "/opt/csw/apache2/var/log/access_security.lu.log" > > > > > > > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. 
> > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 20 October 2016 13:20 > > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org; Beno?t Reny > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > Check the urls in http://security.lu/auth/realms/master/protocol/saml/ > descriptor. The URLs should contain security.lu and not URLs for the > individual nodes. If that's not working, then you don't have the reverse > proxy parts configured correctly. > > > > On 20 October 2016 at 11:47, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello, > > > > This part of the configuration (Identifying Client IP Addresses" as well > as "Enable HTTPS/SSL with a Reverse Proxy") is already in place in our > system but still it does not work. > > > > > > > > > > > > > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 19 October 2016 16:12 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org; Beno?t Reny > > > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > Hm.. Just reviewing that doc and it's not far from obvious. > > > > "Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a > Reverse Proxy" are both relevant. > > > > On 19 October 2016 at 15:51, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello, > > > > I suppose that you are talking about the part : > Using the Built-In Load Balancer > > > > The thing is that if i understand well is that we can do this > configuration for a domain clustered mode. Our configuration is currently a > standalone clustered mode. This configuration can be also applied in this > case ? 
> > > > Thanks for your reply, > > > > > > > > > > > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 19 October 2016 14:36 > > > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > If you configure your reverse proxy correct as well as configure it on the > Keycloak side. Keycloak will see it's URL as security.lu and not the URL > used by the reverse proxy to access it. The steps to do this is explained > in the documentation I sent you. > > > > On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > ======Sent again without the picture===== > > > > Hello, > > > > Could you please be more specific ? > > > > In the documentation proposed it is referred how to FW the original > client IP but our problem seems to be the Destination (IDP) inside the ?samlp:AuthnRequest?. > > > > > > > We get the following error: > > 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, > error=invalid_authn_request, reason=invalid_destination > > It seems to come from the following part of the code of Keycloack project. 
> > > > package org.keycloak.protocol.saml; > > public class SamlService extends AuthorizationEndpointBase > > > > *protected Response loginRequest(String relayState, AuthnRequestType > requestAbstractType, ClientModel client) {* > > * SamlClient samlClient = new SamlClient(client);* > > * // validate destination* > > * if (requestAbstractType.getDestination() != null && > !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {* > > * event.detail(Details.REASON, "invalid_destination");* > > * event.error(Errors.INVALID_SAML_AUTHN_REQUEST);* > > * return ErrorPage.error(session, > Messages.INVALID_REQUEST);* > > * }* > > > > The destination check simply do not much , request destination is always > the internal keyclaock address ?security1.lu? and it fails when saml > requests end up to the second keycloack ?securty2.lu?. > > > > > > > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com ] > > *Sent:* 18 October 2016 20:12 > > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > Please look at the documentation. It explains this. > > > > On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello Stian, > > > > Thank you for your response. > > > > Could you explain a bit more what you mean by saying ?*as Keycloak should > see security.lu , not the internal addresses of the > nodes*? ? According to our understanding the Keycloak servers in the > internal network is behind reverse proxy and thus they do not know that > they are called ?security.lu?, they just know that they are either > security1.lu or security2.lu . 
> > > > When we tried to overwite the Saml XML configuration (that client uses > for integration) and put the public address ?security.lu? we again had > the same ERROR in Keycloak logs ?reason=invalid_destination? probably due > to same root cause, the destination in the Saml AuthRequest was > ?Service.lu?, an address unknown for keycloack inside the private network. > > Destination=" > > > > I attach our HA configuration. We do not use the build in Load Balancer > but an Appache Reverse Proxy which actually rewrites all internall URLs to > Publics for outgoing trafiif and the oposite for the incoming traffic. Thus > there is not much left in the page you sent to be configured in our > Keycloak. > > > > I hope I was clear. Any help would be highly appreciated. > > > > Br > > > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > > > > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 17 October 2016 20:41 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > > > Sounds like you haven't setup things properly as Keycloak should see > security.lu, not the internal addresses of the nodes. Take a look at > https://keycloak.gitbooks.io/server-installation-and- > configuration/content/topics/clustering/load-balancer.html > > > > On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > The response from the list on my initial mails was : After content > filtering, the message was empty > > So I try to send the same mail without CC and without attached > > > > =========== > > Hello, > > We are trying to configure a SAML authentication system in a keycloak > cluster. First, with only one node , we are currently managing to > authenticate in SAML way. 
> The architecture:
> --> we have one apache reverse proxy with a public and unique endpoint for saml authentication. We can call the public url: security.lu
> --> the reverse proxy will load-balance all calls that come on security.lu to two keycloak nodes: security1.lu and security2.lu (the private urls).
>
> The issue that we have:
> --> The client that integrates saml has a tomcat and integrates a keycloak-saml.xml file. Of course, in this file the configuration is referring to security1.lu (the private address, as the keycloak node only knows its private address).
> --> If we arrive during the load-balancing on the security1.lu node, it will work. If I arrive on the second security2.lu node, it will fail. When I dig a little bit more, it's because in fact the SAMLRequest that is generated looks like this:
>
> Destination="http://security1.lu:8080/realms/xxx/protocol/saml" ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" Version="2.0">xxxxx AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
>
> The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:
>
> 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination
>
> From what I see there is, for the saml client, a Clustering tab where I currently have nothing. Maybe I need to add some host nodes here? But I don't know how to proceed.
>
> Or is there any way to define both security1.lu and security2.lu in the Saml XML configuration that the client integrates?
>
> We have set proxy-address-forwarding=true
>
> Thank you for your help.
> Kr,
>
> Br
>
> Dimitrios Gkazgkas
> IT Solutions Architect

From michael_furman at hotmail.com Wed Oct 26 09:51:57 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 26 Oct 2016 13:51:57 +0000
Subject: [keycloak-user] Clarifications regarding Spring Security Adapter Configuration
Message-ID:

Hi all,

I would be happy for a couple of clarifications regarding Java Adapter Configuration: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html

I want to use the Spring Security Adapter: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html

1. Where should keycloak.json be located? How do I pass it to the Spring Security Adapter?

2. Is it possible to configure all properties (that are configured in keycloak.json) via a database? Or alternatively via some Spring Context? In this case I will be able to put confidential information (e.g. truststore-password) in the database.

Thank you in advance for your help.
Best regards,
Michael

From michael_furman at hotmail.com Wed Oct 26 10:29:13 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 26 Oct 2016 14:29:13 +0000
Subject: [keycloak-user] Clarifications regarding Spring Security Adapter Configuration
In-Reply-To:
References:
Message-ID:

One additional question: does the adapter support Spring Security version 4?

From chris.savory at edlogics.com Wed Oct 26 10:58:17 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 26 Oct 2016 14:58:17 +0000
Subject: [keycloak-user] Clarifications regarding Spring Security Adapter Configuration
In-Reply-To:
References:
Message-ID: <097F3414-6E51-42DD-B536-01C80F8B1622@edlogics.com>

We are using the Spring Security Adapter with Spring Security 4.
--
Christopher Savory

From michael_furman at hotmail.com Wed Oct 26 11:01:24 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 26 Oct 2016 15:01:24 +0000
Subject: [keycloak-user] Keep alive sessions for multiply applications
Message-ID:

Hi all,

How does Keycloak keep alive sessions for multiple applications?

For example, I login to the first application, then perform the SSO case for the second application.
After that I work only on the first application for a long time (more than the second application's session timeout).

What happens when I move back to the second application?
Will Keycloak keep alive the session for the second application?

Thank you in advance for your help.
Best regards,
Michael

From michael_furman at hotmail.com Wed Oct 26 11:08:57 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 26 Oct 2016 15:08:57 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
Message-ID:

Hi all,

I want to add support for a new authentication schema.
How can I add a UI for the new authentication schema configuration?
For example, I want to add the TACACS authentication schema. Therefore I need to configure the TACACS server IP and the secret.
Maybe I have missed it, but I cannot find it here: https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html

Thank you in advance for your help.
Best regards,
Michael

From sblanc at redhat.com Wed Oct 26 11:41:39 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 26 Oct 2016 17:41:39 +0200
Subject: [keycloak-user] Having a policy enforcer and an unsecured endpoint at the same time ?
Message-ID:

Hi,

I'm trying to help a community member that is having issues providing a REST endpoint that does not need authentication while other endpoints are protected and make use of a policy enforcer. Looks like it is not possible to have both, is that correct? The authz seems to intercept all the requests (as mentioned in the documentation), and even by setting the enforcement to "permissive" it fails for this unprotected endpoint.
For reference: https://issues.jboss.org/browse/KEYCLOAK-3799

(There are other issues in this ticket, like configuring authz for SpringBoot, but this is another problem that has to be solved separately)

Sebi

From huazonglin at gmail.com Wed Oct 26 12:48:02 2016
From: huazonglin at gmail.com (Joey)
Date: Thu, 27 Oct 2016 00:48:02 +0800
Subject: [keycloak-user] Policy Enforcement Mode cannot be changed.
In-Reply-To: <1477482956.7522.7.camel@redhat.com>
References: <1477482956.7522.7.camel@redhat.com>
Message-ID:

Thanks Pedro, I think you are right.

I would like to ask one more question. I want to let keycloak protect most of the resources of my website, but I also want to expose some resources to anonymous users, for example, let an anonymous user visit all files within the /resources folder, so I do something like this.

Tomcat web.xml

All Resources /user/login.action /jsp/* admin All Resources /resources/* KEYCLOAK master admin Keycloak

I don't create a permission that controls the folder [/resources] or its parent folder. But when I tried to visit a file in the folder [/resources], I got an HTTP 500 error.

java.lang.RuntimeException: Failed to enforce policy decisions.
org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:149)
org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
java.lang.Thread.run(Thread.java:745)

root cause

java.lang.NullPointerException
org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:68)
org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:76)
org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)

Any suggestion? Thanks.

Joey

On Wed, Oct 26, 2016 at 7:55 PM, Pedro Igor Craveiro e Silva wrote:
> From your logs it seems that access was actually GRANTED.
> So your user should be able to access that resource:
>
> Oct 26, 2016 7:37:33 org.keycloak.adapters.authorization.PolicyEnforcer enforce DEBUG: Returning authorization context with permissions:
>
> You don't have any permission in the logs because when you set enforcement-mode to DISABLE, the enforcer will just let the request pass.
>
> Maybe you have some other constraint applied to your resource within your application?
>
> On Wed, 2016-10-26 at 19:40 +0800, Joey wrote:
>> Hi Guys,
>>
>> I read from the documents, and my understanding is that if I set Policy Enforcement Mode to disable, then any user can access all resources. But I tried to set it to disable, and nothing changed.
>>
>> For example,
>>
>> I have a role called Role_A, and set a user Tom as this Role_A. If I set a resource access policy without Role_A, this user Tom cannot access this resource. And I can see some log in tomcat.
>>
>> Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
>>
>> DEBUG: Policy enforcement is enable. Enforcing policy decisions for path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp].
>> Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
>>
>> DEBUG: Policy enforcement result for path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp] is : GRANTED
>>
>> Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
>>
>> DEBUG: Returning authorization context with permissions:
>>
>> Joey
> --
> Pedro Igor

From Gta.fox at hotmail.com Wed Oct 26 12:50:49 2016
From: Gta.fox at hotmail.com (Gta Fox)
Date: Wed, 26 Oct 2016 16:50:49 +0000
Subject: [keycloak-user] Keycloak Import not importing admin-events
Message-ID:

Hello

My use case is the following:
Export data
Destroy keycloak db, recreate without any data
Import data

And my problem is here: admin events do not appear in the ...#/realms/master/admin-events page.

Thanks

From sthorger at redhat.com Thu Oct 27 02:31:13 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Oct 2016 08:31:13 +0200
Subject: [keycloak-user] Get error when I set https to keycloak and tomcat server.
In-Reply-To:
References:
Message-ID:

Are you logged-in? If so there should be a green create button on the top menu

On 26 October 2016 at 13:09, Joey wrote:
> Yes, Stian, I was using Authorization services.
>
> I would like to create a Jira issue. I created my account but cannot find the create issue button on the page.
> https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-3331?filter=allopenissues
>
> Joey
>
> On Tue, Oct 18, 2016 at 12:13 AM, Stian Thorgersen wrote:
> > Looks like a bug in the authorization services when https is used. I assume you're using the authorization services? Can you create a JIRA please.
> > On 13 October 2016 at 06:13, Joey wrote:
> >> Hi Guys,
> >>
> >> I am trying to set up SSL for both the keycloak and the tomcat server. I applied for a free cer from http://www.cacert.org. I installed the cer on my keycloak server following document 7.3 and 7.4
> >>
> >> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html
> >>
> >> and installed the cer on my tomcat server following https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
> >>
> >> I started the keycloak server with https, and it works fine. But when I started tomcat with my application (it works fine with http; I changed everything from http to https in all configuration files) I saw this error message in the tomcat server log.
> >>
> >> Can anyone help me out of this problem? Thank you.
> >>
> >> ERROR MESSAGE
> >>
> >> 2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG org.springframework.web.servlet.DispatcherServlet - Servlet 'spring' configured successfully
> >>
> >> Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase addChildInternal
> >> SEVERE: ContainerBase.addChild: start:
> >> org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162)
> >> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> >> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >> at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
> >> at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
> >> at java.util.concurrent.Executors$RunnableAdapter.
> call(Executors.java:511) > >> > >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > >> > >> at > >> java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > >> > >> at > >> java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > >> > >> at java.lang.Thread.run(Thread.java:745) > >> > >> Caused by: java.lang.RuntimeException: Could not obtain configuration > >> from server > >> [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c- > sso-test/.well-known/uma-configuration]. > >> > >> at > >> org.keycloak.authorization.client.AuthzClient.( > AuthzClient.java:82) > >> > >> at > >> org.keycloak.authorization.client.AuthzClient.create( > AuthzClient.java:56) > >> > >> at > >> org.keycloak.adapters.authorization.PolicyEnforcer.< > init>(PolicyEnforcer.java:59) > >> > >> at > >> org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild( > KeycloakDeploymentBuilder.java:118) > >> > >> at > >> org.keycloak.adapters.KeycloakDeploymentBuilder.build( > KeycloakDeploymentBuilder.java:127) > >> > >> at > >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorV > alve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133) > >> > >> at > >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorV > alve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75) > >> > >> at > >> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent( > LifecycleSupport.java:117) > >> > >> at > >> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent( > LifecycleBase.java:90) > >> > >> at > >> org.apache.catalina.util.LifecycleBase.setStateInternal( > LifecycleBase.java:388) > >> > >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155) > >> > >> ... 10 more > >> > >> Caused by: java.lang.NullPointerException > >> > >> at java.lang.String.(String.java:566) > >> > >> at > >> org.keycloak.authorization.client.util.HttpMethod. 
> execute(HttpMethod.java:103) > >> > >> at > >> org.keycloak.authorization.client.util.HttpMethodResponse$2.execute( > HttpMethodResponse.java:48) > >> > >> at > >> org.keycloak.authorization.client.AuthzClient.( > AuthzClient.java:80) > >> > >> ... 20 more > >> > >> > >> Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig > deployWAR > >> > >> SEVERE: Error deploying web application archive > >> /root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war > >> > >> java.lang.IllegalStateException: ContainerBase.addChild: start: > >> org.apache.catalina.LifecycleException: Failed to start component > >> > >> [StandardEngine[Catalina].StandardHost[localhost]. > StandardContext[/ec-operation]] > >> > >> at > >> org.apache.catalina.core.ContainerBase.addChildInternal( > ContainerBase.java:903) > >> > >> at org.apache.catalina.core.ContainerBase.addChild( > ContainerBase.java:875) > >> > >> at org.apache.catalina.core.StandardHost.addChild( > StandardHost.java:652) > >> > >> at org.apache.catalina.startup.HostConfig.deployWAR( > HostConfig.java:1092) > >> > >> at > >> org.apache.catalina.startup.HostConfig$DeployWar.run( > HostConfig.java:1984) > >> > >> at java.util.concurrent.Executors$RunnableAdapter. 
> call(Executors.java:511)
> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >> at java.lang.Thread.run(Thread.java:745)

From sthorger at redhat.com Thu Oct 27 02:32:44 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Oct 2016 08:32:44 +0200
Subject: [keycloak-user] It's possible to check if an user have an active/valid session through REST API?
In-Reply-To: <20161026084235.GA26735@abstractj.org>
References: <20161024190138.GA10318@abstractj.org> <87df719b17aa1c066cf248e76a41aea3@rps.com.br> <20161026084235.GA26735@abstractj.org>
Message-ID:

Are you looking for details about a specific session or all the sessions for a user?

On 26 October 2016 at 10:42, Bruno Oliveira wrote:
> Hi Max, I'm adding the ML back.
>
> Unless I'm mistaken, I don't think this is supported today.
>
> On 2016-10-25, max.catarino at rps.com.br wrote:
> > Hello Bruno,
> >
> > Thank you for your reply.
> > The http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client [2] endpoint returns a UserSessionRepresentation. As I said, there is no information about whether the session is active or not.
> > The http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3] endpoint returns a session count only.
> >
> > I am looking for an endpoint that returns the status of the user session: active/valid (after login), inactive/invalid (after logout, expired).
> >
> > Best regards.
> > Maximiliano
> >
> > On 24.10.2016 17:01, Bruno Oliveira wrote:
> > > Hi Max, I'm not sure which information you want, but you can try to look at these endpoints:
> > >
> > > * http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client [2]
> > > * http://www.keycloak.org/docs/rest-api/#_get_client_session_stats [3]
> > >
> > > On 2016-10-24, max.catarino at rps.com.br wrote:
> > >> Is it possible to check if a user has an active/valid session through the REST API?
> > >>
> > >> I saw the UserSessionRepresentation returned by Keycloak.realm("realmId").users().get("userId").getUserSessions(). But UserSessionRepresentation does not have the information I want.
> > >>
> > >> Best regards
> > >>
> > >> Maximiliano
> > >
> > > --
> > > abstractj
> > > PGP: 0x84DC9914
> >
> > Links:
> > ------
> > [1] https://lists.jboss.org/mailman/listinfo/keycloak-user
> > [2] http://www.keycloak.org/docs/rest-api/#_get_user_sessions_for_client
> > [3] http://www.keycloak.org/docs/rest-api/#_get_client_session_stats
>
> --
> abstractj
> PGP: 0x84DC9914

From sthorger at redhat.com Thu Oct 27 02:35:06 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Oct 2016 08:35:06 +0200
Subject: [keycloak-user] Keep alive sessions for multiply applications
In-Reply-To:
References:
Message-ID:

It's an SSO session. Any application requesting a token refresh will keep the session for all applications alive.

On 26 October 2016 at 17:01, Michael Furman wrote:
> Hi all,
> How does Keycloak keep alive sessions for multiple applications?
> For example, I login to the first application, then perform the SSO case for the second application.
> After that I work only on the first application for a long time (more than the second application's session timeout).
>
> What happens when I move back to the second application?
> Will Keycloak keep alive the session for the second application?
> Thank you in advance for your help.
> Best regards,
> Michael

From sthorger at redhat.com Thu Oct 27 02:55:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Oct 2016 08:55:54 +0200
Subject: [keycloak-user] Keycloak Import not importing admin-events
In-Reply-To:
References:
Message-ID:

Please create a JIRA bug for it

On 26 October 2016 at 18:50, Gta Fox wrote:
> Hello
>
> My use case is the following:
> Export data
> Destroy keycloak db, recreate without any data
> Import data
> And my problem is here: admin events do not appear in the ...#/realms/master/admin-events page.
>
> Thanks

From sthorger at redhat.com Thu Oct 27 02:57:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Oct 2016 08:57:46 +0200
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To:
References:
Message-ID:

We don't support that directly, so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.

On 26 October 2016 at 17:08, Michael Furman wrote:
> Hi all,
> I want to add support for a new authentication schema.
> How can I add a UI for the new authentication schema configuration?
> For example, I want to add the TACACS authentication schema.
> Therefore I need to configure the TACACS server IP and the secret. > May be I have missed but I can not find it here: > https://keycloak.gitbooks.io/server-developer-guide/ > content/topics/auth-spi.html > > Thank you in advance for your help. > Best regards, > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From huazonglin at gmail.com Thu Oct 27 05:21:48 2016 From: huazonglin at gmail.com (Joey) Date: Thu, 27 Oct 2016 17:21:48 +0800 Subject: [keycloak-user] Get error when I set https to keycloak and tomcat server. In-Reply-To: References: Message-ID: I think login got some problem. my login steps is here. I logged in without any error, but the login link still is there when page redirect to Jira. Joey On Thu, Oct 27, 2016 at 2:31 PM, Stian Thorgersen wrote: > Are you logged-in? If so there should be a green create button on the top > menu > > On 26 October 2016 at 13:09, Joey wrote: >> >> Yes, Stian, I was using Authorization services. >> >> I would like to create a Jira issue. but I created my account but >> cannot find create issue button on the page. >> >> https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-3331?filter=allopenissues >> >> Joey >> >> On Tue, Oct 18, 2016 at 12:13 AM, Stian Thorgersen >> wrote: >> > Looks like a bug in the authorization services when https is used. I >> > assume >> > you're using the authorization services? Can you create a JIRA please. >> > >> > On 13 October 2016 at 06:13, Joey wrote: >> >> >> >> Hi Guys, >> >> >> >> I am trying to set SSL for both of keycloak and tomcat server. I apply >> >> a free cer from http://www.cacert.org. 
I installed cer to my keycloak >> >> server follow document 7.3 and 7.4 >> >> >> >> >> >> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html >> >> >> >> and installed cer to my tomcat server follow >> >> https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html >> >> >> >> I started keycloak server from https, it works fine. But I started >> >> tomcat with my application (It works fine with http, I changed >> >> everything from http to https in all configuation files) >> >> but I saw this error message in tomcat server log. >> >> >> >> Anyone can help me out of this problem, thank you. >> >> >> >> ERROR MESSAGE >> >> >> >> >> >> 2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG >> >> org.springframework.web.servlet.DispatcherServlet - Servlet 'spring' >> >> configured successfully >> >> >> >> >> >> Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase >> >> addChildInternal >> >> >> >> SEVERE: ContainerBase.addChild: start: >> >> >> >> org.apache.catalina.LifecycleException: Failed to start component >> >> >> >> >> >> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]] >> >> >> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162) >> >> >> >> at >> >> >> >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) >> >> >> >> at >> >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) >> >> >> >> at >> >> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) >> >> >> >> at >> >> org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092) >> >> >> >> at >> >> >> >> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984) >> >> >> >> at >> >> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >> >> >> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> >> >> >> at >> >> >> >> 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> >> >> >> at >> >> >> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> >> >> >> at java.lang.Thread.run(Thread.java:745) >> >> >> >> Caused by: java.lang.RuntimeException: Could not obtain configuration >> >> from server >> >> >> >> [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c-sso-test/.well-known/uma-configuration]. >> >> >> >> at >> >> >> >> org.keycloak.authorization.client.AuthzClient.(AuthzClient.java:82) >> >> >> >> at >> >> >> >> org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:56) >> >> >> >> at >> >> >> >> org.keycloak.adapters.authorization.PolicyEnforcer.(PolicyEnforcer.java:59) >> >> >> >> at >> >> >> >> org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118) >> >> >> >> at >> >> >> >> org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127) >> >> >> >> at >> >> >> >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133) >> >> >> >> at >> >> >> >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75) >> >> >> >> at >> >> >> >> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117) >> >> >> >> at >> >> >> >> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90) >> >> >> >> at >> >> >> >> org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388) >> >> >> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155) >> >> >> >> ... 
10 more >> >> >> >> Caused by: java.lang.NullPointerException >> >> >> >> at java.lang.String.(String.java:566) >> >> >> >> at >> >> >> >> org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103) >> >> >> >> at >> >> >> >> org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48) >> >> >> >> at >> >> >> >> org.keycloak.authorization.client.AuthzClient.(AuthzClient.java:80) >> >> >> >> ... 20 more >> >> >> >> >> >> Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig >> >> deployWAR >> >> >> >> SEVERE: Error deploying web application archive >> >> /root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war >> >> >> >> java.lang.IllegalStateException: ContainerBase.addChild: start: >> >> org.apache.catalina.LifecycleException: Failed to start component >> >> >> >> >> >> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]] >> >> >> >> at >> >> >> >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:903) >> >> >> >> at >> >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) >> >> >> >> at >> >> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) >> >> >> >> at >> >> org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092) >> >> >> >> at >> >> >> >> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984) >> >> >> >> at >> >> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >> >> >> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> >> >> >> at >> >> >> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) >> >> >> >> at >> >> >> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) >> >> >> >> at java.lang.Thread.run(Thread.java:745) >> >> _______________________________________________ >> >> keycloak-user mailing list >> >> keycloak-user at lists.jboss.org >> >> 
From rickard.ostergard at gmail.com Thu Oct 27 05:29:27 2016
From: rickard.ostergard at gmail.com (Rickard Östergård)
Date: Thu, 27 Oct 2016 09:29:27 +0000
Subject: [keycloak-user] (no subject)
Message-ID:

Hi,

I have a question about user session expiration.

When the SSO Session Idle or SSO Session Max times are reached the auth server will invalidate the user session. Will the clients that have initiated these sessions be notified? Hence, are the clients logged out (via the admin url) when the auth server expires a user session?

If not, is this a feature that will be implemented in coming releases?

Best regards,
Rickard

From sthorger at redhat.com Thu Oct 27 06:15:07 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Oct 2016 12:15:07 +0200
Subject: [keycloak-user] (no subject)
In-Reply-To:
References:
Message-ID:

No, there is no notification in this case. Only if the user or admin actively logs out the session.

As access tokens have short expiration, the applications would notice the session idle in either case when trying to refresh the token, so I don't think it's needed.

On 27 October 2016 at 11:29, Rickard Östergård wrote:
> Hi,
>
> I have a question about user session expiration.
>
> When the SSO Session Idle or SSO Session Max times are reached the auth server will invalidate the user session. Will the clients that have initiated these sessions be notified? Hence, are the clients logged out (via the admin url) when the auth server expires a user session?
>
> If not, is this a feature that will be implemented in coming releases?
>
> Best regards,
> Rickard
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bystrik.horvath at gmail.com Thu Oct 27 06:22:29 2016
From: bystrik.horvath at gmail.com (Bystrik Horvath)
Date: Thu, 27 Oct 2016 12:22:29 +0200
Subject: [keycloak-user] password history not always correctly considered
In-Reply-To:
References: <14c8a140-6367-73ae-ac43-f501988ffa63@redhat.com>
Message-ID:

Hi,

the question is whether this is buggy behavior or not, regardless of my use case. I came across this behavior on a slower virtual machine where the gaps between the calls were more than 300 ms, then I decided to test it locally on a Windows machine without network communication. What could I expect then on a clustered solution where I change the password on one node and do the same on the next node?

Thank you for the answer.

Best regards,
Bystrik

On Tue, Oct 25, 2016 at 3:28 PM, Bystrik Horvath wrote:
> Hi Bill and Stian,
>
> I know that this is a silly test case, but the API provides the possibility ;-) Anyway, I ran my test from the POSTMAN tool and the requests are running in a sequence. I have a standalone Keycloak on my Windows machine, so it is not a cluster. Yes Bill, you are right, the one that fails most often is the 3rd attempt.
>
> Best regards,
> Bystrik
>
> On Tue, Oct 25, 2016 at 3:00 PM, Bill Burke wrote:
>
>> We purge older history entries. It's based on the creation date, the current time in milliseconds. I guess it could be possible that the update is happening so fast that multiple entries have the same creation date. Are you running tests in a cluster? It could also be possible that the machines in your cluster don't have fully synchronized clocks.
>>
>> Does it work for the 1st 2 tries, then fail on the 3rd? Then that is probably the problem you are experiencing.
>>
>>
>> On 10/25/16 7:23 AM, Bystrik Horvath wrote:
>> > Hello,
>> >
>> > I have a realm where password history was set to 3. When I try to set the password for a user too fast (via REST API), I'm able to use one of the passwords that should be recorded as not usable. When I put a small sleep between the password changes (approx. 300 ms), the use case works fine - so I'm not allowed to use any of the 3 recorded passwords from the history. I tested the case using 1.9.3 Final and 2.2.1 Final with the same results.
>> > It looks to me like a bug, doesn't it?
>> >
>> > Thank you for the answer & best regards,
>> > Bystrik
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From sthorger at redhat.com Thu Oct 27 06:52:59 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 27 Oct 2016 12:52:59 +0200
Subject: [keycloak-user] Get error when I set https to keycloak and tomcat server.
In-Reply-To:
References:
Message-ID:

You can send a mail to help at jboss.org if you're unable to login.

On 27 October 2016 at 11:21, Joey wrote:
> I think login got some problem. My login steps are here. I logged in without any error, but the login link is still there when the page redirects to Jira.
>
> Joey
>
> On Thu, Oct 27, 2016 at 2:31 PM, Stian Thorgersen wrote:
> > Are you logged in? If so there should be a green create button on the top menu
> >
> > On 26 October 2016 at 13:09, Joey wrote:
> >>
> >> Yes, Stian, I was using Authorization services.
> >>
> >> I would like to create a Jira issue. I created my account but cannot find the create issue button on the page.
> >>
> >> https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-3331?filter=allopenissues
> >>
> >> Joey
> >>
> >> On Tue, Oct 18, 2016 at 12:13 AM, Stian Thorgersen wrote:
> >> > Looks like a bug in the authorization services when https is used. I assume you're using the authorization services? Can you create a JIRA please.
> >> >
> >> > On 13 October 2016 at 06:13, Joey wrote:
> >> >>
> >> >> Hi Guys,
> >> >>
> >> >> I am trying to set up SSL for both the keycloak and tomcat servers. I applied for a free cert from http://www.cacert.org. I installed the cert on my keycloak server following document 7.3 and 7.4
> >> >>
> >> >> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.2/topics/network/outgoing.html
> >> >>
> >> >> and installed the cert on my tomcat server following
> >> >> https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
> >> >>
> >> >> I started the keycloak server with https, and it works fine. But I started tomcat with my application (it works fine with http; I changed everything from http to https in all configuration files) and I saw this error message in the tomcat server log.
> >> >>
> >> >> Can anyone help me out with this problem? Thank you.
> >> >>
> >> >> ERROR MESSAGE
> >> >>
> >> >> 2016-10-13 11:59:03.382 [localhost-startStop-1] DEBUG org.springframework.web.servlet.DispatcherServlet - Servlet 'spring' configured successfully
> >> >>
> >> >> Oct 13, 2016 11:59:03 AM org.apache.catalina.core.ContainerBase addChildInternal
> >> >> SEVERE: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
> >> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:162)
> >> >> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
> >> >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> >> >> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >> >> at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
> >> >> at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
> >> >> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >> >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >> >> at java.lang.Thread.run(Thread.java:745)
> >> >> Caused by: java.lang.RuntimeException: Could not obtain configuration from server [https://sso.iishang-test.com:8443/auth/realms/iishang-b2c-sso-test/.well-known/uma-configuration].
> >> >> at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:82)
> >> >> at org.keycloak.authorization.client.AuthzClient.create(AuthzClient.java:56)
> >> >> at org.keycloak.adapters.authorization.PolicyEnforcer.<init>(PolicyEnforcer.java:59)
> >> >> at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:118)
> >> >> at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:127)
> >> >> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:133)
> >> >> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:75)
> >> >> at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
> >> >> at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> >> >> at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:388)
> >> >> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155)
> >> >> ... 10 more
> >> >> Caused by: java.lang.NullPointerException
> >> >> at java.lang.String.<init>(String.java:566)
> >> >> at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:103)
> >> >> at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:48)
> >> >> at org.keycloak.authorization.client.AuthzClient.<init>(AuthzClient.java:80)
> >> >> ... 20 more
> >> >>
> >> >> Oct 13, 2016 11:59:03 AM org.apache.catalina.startup.HostConfig deployWAR
> >> >> SEVERE: Error deploying web application archive /root/ssotesting/apache-tomcat-7.0.72/webapps/ec-operation.war
> >> >> java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/ec-operation]]
> >> >> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:903)
> >> >> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> >> >> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
> >> >> at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1092)
> >> >> at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1984)
> >> >> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >> >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >> >> at java.lang.Thread.run(Thread.java:745)
> >> >> _______________________________________________
> >> >> keycloak-user mailing list
> >> >> keycloak-user at lists.jboss.org
> >> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >> >
> >> >
> >
> >
>

From psilva at redhat.com Thu Oct 27 09:13:47 2016
From: psilva at redhat.com (Pedro Igor Craveiro e Silva)
Date: Thu, 27 Oct 2016 11:13:47 -0200
Subject: [keycloak-user] Policy Enforcement Mode cannot be changed.
In-Reply-To:
References: <1477482956.7522.7.camel@redhat.com>
Message-ID: <1477574027.2249.3.camel@redhat.com>

This one smells like a bug. Can you create a JIRA, please?

On Thu, 2016-10-27 at 00:48 +0800, Joey wrote:
> Thanks Pedro, I think you are right.
>
> I would like to ask one more question. I want to let keycloak protect most of the resources of my website, but I also want to expose some resources to anonymous users; for example, let anonymous users visit all files within the /resources folder. Then I do something like this.
>
> Tomcat web.xml
>
>     
>         
>             All Resources
>             /user/login.action
>             /jsp/*
>         
>         
>             admin
>         
>     
>
>     
>         
>             All Resources
>             /resources/*
>         
>     
>
>     
>         KEYCLOAK
>         master
>     
>
>     
>         admin
>     
>
> Keycloak
>
> I don't create a permission that can control folder [/resources] or its parent folder.
>
> But when I tried to visit a file in folder [/resources], I got an http 500 error.
>
>
> java.lang.RuntimeException: Failed to enforce policy decisions.
> org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:149)
> org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
> org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> java.lang.Thread.run(Thread.java:745)
>
> root cause
>
> java.lang.NullPointerException
> org.keycloak.adapters.authorization.AbstractPolicyEnforcer.authorize(AbstractPolicyEnforcer.java:68)
> org.keycloak.adapters.authorization.PolicyEnforcer.enforce(PolicyEnforcer.java:76)
> org.keycloak.adapters.AuthenticatedActionsHandler.isAuthorized(AuthenticatedActionsHandler.java:142)
> org.keycloak.adapters.AuthenticatedActionsHandler.handledRequest(AuthenticatedActionsHandler.java:60)
> org.keycloak.adapters.tomcat.AuthenticatedActionsValve.invoke(AuthenticatedActionsValve.java:63)
>
>
> Any suggestions? Thanks.
>
> Joey
>
>
> On Wed, Oct 26, 2016 at 7:55 PM, Pedro Igor Craveiro e Silva wrote:
> >
> > From your logs it seems that access was actually GRANTED. So your user should be able to access that resource:
> >
> >         Oct 26, 2016 7:37:33 org.keycloak.adapters.authorization.PolicyEnforcer enforce DEBUG: Returning authorization context with permissions:
> >
> > You don't have any permission in the logs because when you set enforcement-mode to DISABLE, the enforcer will just let the request pass.
> >
> > Maybe you have some other constraint applied to your resource within your application?
> >
> > On Wed, 2016-10-26 at 19:40 +0800, Joey wrote:
> > >
> > > Hi Guys,
> > >
> > > I read from the documents, and my understanding is that if I set Policy Enforcement Mode to disable, then any user can access all resources. But I tried to set it to disable and nothing changed.
> > >
> > > For example,
> > >
> > > I have a role called Role_A, and set a user Tom as this Role_A. If I set a resource access policy without Role_A, this user Tom cannot access this resource. And I can see some log in tomcat.
> > >
> > > Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > >
> > > DEBUG: Policy enforcement is enable. Enforcing policy decisions for path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp].
> > >
> > > Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > >
> > > DEBUG: Policy enforcement result for path [http://operation.iishang-intr.com:9111/op/jsp/base/loginStatistics/portalLoginStatistics.jsp] is : GRANTED
> > >
> > > Oct 26, 2016 7:37:33 PM org.keycloak.adapters.authorization.PolicyEnforcer enforce
> > >
> > > DEBUG: Returning authorization context with permissions:
> > >
> > >
> > > Joey
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > --
> > Pedro Igor
--
Pedro Igor

From jcain at redhat.com Thu Oct 27 09:23:11 2016
From: jcain at redhat.com (Josh Cain)
Date: Thu, 27 Oct 2016 08:23:11 -0500
Subject: [keycloak-user] (no subject)
In-Reply-To:
References:
Message-ID: <1477574591.3089.61.camel@redhat.com>

Interesting - and what of the SAML use case? Typically SAML SPs are going to consume the assertion and then establish a session with the end user. Seems like a valid use case to notify these consumers so that there aren't lingering sessions if their expiry happens to be longer than the IDP's.

On Thu, 2016-10-27 at 12:15 +0200, Stian Thorgersen wrote:
> No, there is no notification in this case. Only if user or admin actively logs out the session.
>
> As access tokens have short expiration the applications would notice the session idle in either case when trying to refresh the token, so I don't think it's needed.
>
> On 27 October 2016 at 11:29, Rickard Östergård wrote:
> >
> >
> > Hi,
> >
> > I have a question about user session expiration.
> >
> > When the SSO Session Idle or SSO Session Max times are reached the auth server will invalidate the user session. Will the clients that have initiated these sessions be notified?
> > Hence, are the clients logged out (via the admin url) when the auth server expires a user session?
> >
> > If not, is this a feature that will be implemented in coming releases?
> >
> > Best regards,
> > Rickard
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jblashka at redhat.com Thu Oct 27 10:03:52 2016
From: jblashka at redhat.com (Jared Blashka)
Date: Thu, 27 Oct 2016 10:03:52 -0400
Subject: [keycloak-user] (no subject)
In-Reply-To: <1477574591.3089.61.camel@redhat.com>
References: <1477574591.3089.61.camel@redhat.com>
Message-ID:

It's not quite the solution you want, but the SAML spec supports having a SessionNotOnOrAfter attribute that indicates the max length of time an SP should have the session last. Currently Keycloak isn't including this attribute though (see my failed MR https://github.com/keycloak/keycloak/pull/3250)

Jared

On Thu, Oct 27, 2016 at 9:23 AM, Josh Cain wrote:
> Interesting - and what of the SAML use case? Typically SAML SPs are going to consume the assertion and then establish a session with the end user. Seems like a valid use case to notify these consumers so that there aren't lingering sessions if their expiry happens to be longer than the IDP's.
> On Thu, 2016-10-27 at 12:15 +0200, Stian Thorgersen wrote:
> > No, there is no notification in this case. Only if user or admin actively logs out the session.
> >
> > As access tokens have short expiration the applications would notice the session idle in either case when trying to refresh the token, so I don't think it's needed.
> >
> > On 27 October 2016 at 11:29, Rickard Östergård wrote:
> > >
> > >
> > > Hi,
> > >
> > > I have a question about user session expiration.
> > >
> > > When the SSO Session Idle or SSO Session Max times are reached the auth server will invalidate the user session. Will the clients that have initiated these sessions be notified? Hence, are the clients logged out (via the admin url) when the auth server expires a user session?
> > >
> > > If not, is this a feature that will be implemented in coming releases?
> > >
> > > Best regards,
> > > Rickard
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From Dimitrios.Gkazgkas at tangoservices.lu Thu Oct 27 11:43:54 2016
From: Dimitrios.Gkazgkas at tangoservices.lu (GKAZGKAS Dimitrios (TAN/MST))
Date: Thu, 27 Oct 2016 15:43:54 +0000
Subject: [keycloak-user] SAML in a keycloak cluster
In-Reply-To:
References:
Message-ID:

Thank you Stian. Finally we made it work. The real issue was that we had not configured our RP to preserve the original Host Header (security.lu) and pass it on to the server on the private network behind.
This can be done if in the RP (apache mod_proxy) you have:

ProxyPreserveHost On

This specific configuration can be found in the EAP HA configuration (load balancing enabled): https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/configuration-guide/chapter-21-configuring-high-availability#mod_proxy-config and thanks to Stian we got the hint to search for it and were able to understand whether it works or not (check http://security.lu/auth/realms/master/protocol/saml/descriptor), but to be honest it was not clearly defined as a prerequisite in the keycloak cluster documentation guide.

Br
Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 26 October 2016 15:06
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org; Benoît Reny; PIOCEL Vincent (TAN/MST)
Subject: Re: [keycloak-user] SAML in a keycloak cluster

This is standard proxy stuff. It uses the Host header and X-Forwarded-*. You need to make sure that X-Forwarded-* headers are included and that the original Host header is passed on.

On 26 October 2016 at 11:21, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello Stian,

Thank you for this hint and your help in general. Indeed you are right, the URLs in the specified path return security1 or security2 (load balanced) and not security.lu. But our backend servers + the reverse proxy are configured according to specs + some rewrites. You can see our EAP and proxy configuration at the end of this message. The principal issue is that the backend servers are not able to understand themselves as security.lu, but frankly I do not know how this could work as we have no configuration anywhere in the individual keycloak servers (EAP 7 + keycloak-overlay-1.9.8) that references the public name "security.lu". The only machine that knows the "security.lu"
is the RP (apache + mod_proxy), which is hosted on another server. Could you explain how the individual Keycloak servers should automatically understand that they are seen as "security.lu" from the outside? What would be more logical is that the backend keycloak servers have a configuration to know which other keycloak servers are in the same cluster and use this list as a white-list to serve requests regardless of whether the destination is security1 or security2.

=============Standalone-ha XML config=======

...

=============RP config===========

ProxyRequests off
ServerName security.lu
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite xxxxxxxxxxxxxxxx;
SSLHonorCipherOrder on
AddDefaultCharset Off
Order deny,allow
Allow from all
BalancerMember http://mojito-security1.lu:8080 route=mojitosecurity1
BalancerMember http://mojito-security2.lu:8080 route=mojitosecurity2
Order Deny,Allow
Deny from none
Allow from all
# By default, ProxySet lbmethod=byrequests
# ProxySet stickysession=ROUTEID
SetHandler balancer-manager
# I recommend locking this one down to your
# your office
Order deny,allow
Allow from 172.25.240.0/21
ProxyPass /balancer-manager !
ProxyPass / balancer://securitycluster/ stickysession=JSESSIONID|jsessionid
RewriteEngine on
RewriteRule "/auth\?redirect_uri=https://facture\.lu/(.*)" "/realms/Tango/protocol/openid-connect/auth\?redirect_uri=http://billing2\.lu/$1"
Header edit Location http://billing2.lu https://facture.tango.lu
Header edit Location ^http://mojito-security1.lu:8080 https://security.lu
Header edit Location ^http://mojito-security2.lu:8080 https://security.lu
ErrorLog "/opt/csw/apache2/var/log/error_security.lu.log"
TransferLog "/opt/csw/apache2/var/log/access_security.lu.log"

Br
Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 20 October 2016 13:20
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org; Benoît Reny
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Check the URLs in http://security.lu/auth/realms/master/protocol/saml/descriptor. The URLs should contain security.lu and not URLs for the individual nodes. If that's not working, then you don't have the reverse proxy parts configured correctly.

On 20 October 2016 at 11:47, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello,

This part of the configuration ("Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy") is already in place in our system, but still it does not work.

Br
Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 19 October 2016 16:12
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org; Benoît Reny
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Hm.. Just reviewing that doc and it's not far from obvious. "Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a Reverse Proxy" are both relevant.

On 19 October 2016 at 15:51, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello,

I suppose that you are talking about the part: Using the Built-In Load Balancer

The thing is that, if I understand correctly, we can do this configuration for a domain clustered mode. Our configuration is currently a standalone clustered mode. Can this configuration also be applied in this case?

Thanks for your reply,

Br
Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 19 October 2016 14:36
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

If you configure your reverse proxy correctly, as well as configuring it on the Keycloak side, Keycloak will see its URL as security.lu and not the URL used by the reverse proxy to access it. The steps to do this are explained in the documentation I sent you.

On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) wrote:

======Sent again without the picture=====

Hello,

Could you please be more specific? The documentation proposed describes how to forward the original client IP, but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest". We get the following error:

2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

It seems to come from the following part of the code of the Keycloak project.

package org.keycloak.protocol.saml;

public class SamlService extends AuthorizationEndpointBase

    protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) {
        SamlClient samlClient = new SamlClient(client);
        // validate destination
        if (requestAbstractType.getDestination() != null && !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) {
            event.detail(Details.REASON, "invalid_destination");
            event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
            return ErrorPage.error(session, Messages.INVALID_REQUEST);
        }

The destination check simply does not match: the request destination is always the internal keycloak address "security1.lu" and it fails when SAML requests end up at the second keycloak "security2.lu".

Br
Dimitrios Gkazgkas
IT Solutions Architect
..............................................................................................
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 18 October 2016 20:12
To: GKAZGKAS Dimitrios (TAN/MST)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SAML in a keycloak cluster

Please look at the documentation. It explains this.

On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) wrote:

Hello Stian,

Thank you for your response. Could you explain a bit more what you mean by saying "as Keycloak should see security.lu, not the internal addresses of the nodes"? According to our understanding the Keycloak servers in the internal network are behind the reverse proxy and thus they do not know that they are called "security.lu"; they just know that they are either security1.lu or security2.lu. When we tried to overwrite the SAML XML configuration (that the client uses for integration) and put the public address "security.lu", we again had the same ERROR in the Keycloak logs, "reason=invalid_destination", probably due to the same root cause: the destination in the SAML AuthnRequest was "Service.lu", an address unknown to keycloak inside the private network.

xxxxx

The error that I get is an invalid_destination because we receive this SAMLRequest on the security2.lu node:

2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, error=invalid_authn_request, reason=invalid_destination

From what I see there is, for the SAML client, a Clustering tab where I currently have nothing. Maybe I need to add some host nodes here? But I don't know how to proceed. Or is there any way to define both security1.lu and security2.lu in the SAML XML configuration that the client integrates?

We have set proxy-address-forwarding=true

Thank you for your help.
Kr, Br Dimitrios Gkazgkas IT Solutions Architect ________________________________ **** DISCLAIMER **** http://www.tango.lu/maildisclaimer _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From TBarcia at wfscorp.com Thu Oct 27 14:58:25 2016 From: TBarcia at wfscorp.com (Thomas Barcia) Date: Thu, 27 Oct 2016 18:58:25 +0000 Subject: [keycloak-user] Oracle Database Connection Issues Message-ID: I'm experiencing errors with Keycloak connected to an Oracle database. It was working fine and we didn't notice the errors until after upgrading to 2.2.1. The errors: 2016-10-26 11:35:19,502 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) SQL Error: 17008, SQLState: 08003 2016-10-26 11:35:19,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) Closed Connection 2016-10-26 11:35:19,504 ERROR [org.keycloak.services] (Timer-3) KC-SERVICES0089: Failed to run scheduled task ClearExpiredEvents: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492) at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:99) at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:424) at org.keycloak.services.scheduled.ClearExpiredEvents.run(ClearExpiredEvents.java:34) at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:53) at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:49) at 
org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90) at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner.runTask(ClusterAwareScheduledTaskRunner.java:49) at org.keycloak.services.scheduled.ScheduledTaskRunner.run(ScheduledTaskRunner.java:44) at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:51) at java.util.TimerThread.mainLoop(Timer.java:555) at java.util.TimerThread.run(Timer.java:505) Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115) at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42) at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148) at org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1928) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1897) at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875) at org.hibernate.loader.Loader.doQuery(Loader.java:919) at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336) at org.hibernate.loader.Loader.doList(Loader.java:2611) at org.hibernate.loader.Loader.doList(Loader.java:2594) at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423) at org.hibernate.loader.Loader.list(Loader.java:2418) at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501) at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371) at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216) at 
org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326) at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483) ... 11 more Caused by: java.sql.SQLRecoverableException: Closed Connection at oracle.jdbc.driver.PhysicalConnection.prepareStatement(PhysicalConnection.java:3587) at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:778) at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:764) at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146) at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172) ... 28 more Here's the datasource config: jdbc:oracle:thin:@dbserver:1550:instance oracle 5 200 true KEYCLOAK true select 1 from dual The H2 datasource is still in the standalone-ha.xml as is the h2 driver but they've never been used or modified. As I said, this has been working perfectly but suddenly appears to be closing connections despite having the automatic validation turned on. This only happens with the production environment and experiences no issues in the DEV environment that has the same config except for being connected to a different DB server. The DBAs are seeing only 5 connections in this environment but more in DEV. Any help would be appreciated. *** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. 
If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.*** From sthorger at redhat.com Fri Oct 28 01:05:39 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 28 Oct 2016 07:05:39 +0200 Subject: [keycloak-user] SAML in a keycloak cluster In-Reply-To: References: Message-ID: Pleased it's working. We're planning on improving the documentation around this as I think it's far from obvious at the moment. On 27 October 2016 at 17:43, GKAZGKAS Dimitrios (TAN/MST) < Dimitrios.Gkazgkas at tangoservices.lu> wrote: > Thank you Stian. > > Finally we made it work. > > The real issue was that we had not configured our RP to preserve the > original Host header (security.lu) and pass it on to the server on the > private network behind. This can be done if in the RP (apache mod_proxy) you > have: > > ProxyPreserveHost On > > This specific configuration can be found in the EAP HA configuration > (load balance enable) > > https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/configuration-guide/chapter-21-configuring-high-availability#mod_proxy-config > > and thanks to Stian we got the hint to search for it and were able to > understand if it works or not > > (check http://security.lu/auth/realms/master/protocol/saml/descriptor) > > but to be honest it was not clearly defined as a prerequisite in the > Keycloak cluster documentation guide. 
> > Br > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 26 October 2016 15:06 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org; Benoît Reny ; > PIOCEL Vincent (TAN/MST) > > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > This is standard proxy stuff. It uses Host header and X-Forwarded-*. You > need to make sure that X-Forwarded-* headers are included and that the > original Host header is passed on. > > On 26 October 2016 at 11:21, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello Stian, > > Thank you for this hint and your help in general. Indeed you are right, the > URLs in the specified path return security1 or security2 (load-balanced) > and not security.lu. > > But our backend servers + the reverse proxy are configured according to > specs + some rewrites. You can see our EAP and proxy configuration at the > end of this message. The principal issue is that the backend servers are > not able to understand themselves as security.lu, > but frankly I do not know how this could work as we have nowhere a > configuration in the individual Keycloak servers (EAP 7 + keycloak-overlay-1.9.8) that references the public name "security.lu". The only machine that knows "security.lu" > is the RP (apache + mod_proxy) which is hosted on another server. > Could you explain how the individual Keycloak servers should automatically > understand that they are seen as "security.lu" from the outside ??? 
> > What would be more logical is that the backend Keycloak servers do have a > configuration to know which other Keycloak servers are on the same cluster > and use this list as a white-list to serve requests regardless of whether the > destination is security1 or security2 ?. > > =============Standalone-ha XML config======= > > instance-id="mojitosecurity1"> > > socket-binding="http" redirect-socket="proxy-https"/> > > alias="localhost"> > > header-value="JBoss-EAP/7"/> > > header-name="X-Powered-By" header-value="Undertow/1"/> > > class-name="io.undertow.server.handlers.ProxyPeerAddressHandler"/> > > ... > > default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}"> > > port="${jboss.management.http.port:xxxxx}"/> > > port="${jboss.management.https.port:xxxx}"/> > > multicast-address="${jboss.default.multicast.address:xxx.x.x.x}" multicast-port="xxxxxx"/> > > port="xxxxx"/> > > multicast-port="45688"/> > > =============RP config=========== > > ProxyRequests off > > ServerName security.lu > > SSLEngine On > > SSLProtocol ALL -SSLv2 -SSLv3 > > SSLCipherSuite xxxxxxxxxxxxxxxx; > > SSLHonorCipherOrder on > > AddDefaultCharset Off > > Order deny,allow > > Allow from all > > BalancerMember http://mojito-security1.lu:8080 route=mojitosecurity1 > > BalancerMember http://mojito-security2.lu:8080 route=mojitosecurity2 > > Order Deny,Allow > > Deny from none > > Allow from all > > # By default, ProxySet lbmethod=byrequests > > # ProxySet stickysession=ROUTEID > > SetHandler balancer-manager > > # I recommend locking this one down to your > > # your office > > Order deny,allow > > Allow from 172.25.240.0/21 > > ProxyPass /balancer-manager ! 
> > ProxyPass / balancer://securitycluster/ stickysession=JSESSIONID|jsessionid > > RewriteEngine on > > RewriteRule "/auth\?redirect_uri=https://facture\.lu/(.*)" "/realms/Tango/protocol/openid-connect/auth\?redirect_uri=http://billing2\.lu/$1" > > Header edit Location http://billing2.lu https://facture.tango.lu > > Header edit Location ^http://mojito-security1.lu:8080 https://security.lu > > Header edit Location ^http://mojito-security2.lu:8080 https://security.lu > > ErrorLog "/opt/csw/apache2/var/log/error_security.lu.log" > > TransferLog "/opt/csw/apache2/var/log/access_security.lu.log" > > Br > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 20 October 2016 13:20 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org; Benoît Reny > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > Check the urls in http://security.lu/auth/realms/master/protocol/saml/descriptor. The URLs should contain security.lu and not URLs for the > individual nodes. If that's not working, then you don't have the reverse > proxy parts configured correctly. > > On 20 October 2016 at 11:47, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello, > > This part of the configuration ("Identifying Client IP Addresses" as well > as "Enable HTTPS/SSL with a Reverse Proxy") is already in place in our > system but still it does not work. > > Br > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. 
> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 19 October 2016 16:12 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org; Benoît Reny > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > Hm.. Just reviewing that doc and it's not far from obvious. > > "Identifying Client IP Addresses" as well as "Enable HTTPS/SSL with a > Reverse Proxy" are both relevant. > > On 19 October 2016 at 15:51, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello, > > I suppose that you are talking about the part : > Using the Built-In Load Balancer > > The thing is that, if I understand well, we can do this > configuration for a domain clustered mode. Our configuration is currently a > standalone clustered mode. Can this configuration also be applied in this > case ? > > Thanks for your reply, > > Br > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 19 October 2016 14:36 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > If you configure your reverse proxy correctly as well as configure it on the > Keycloak side, Keycloak will see its URL as security.lu and not the URL > used by the reverse proxy to access it. The steps to do this are explained > in the documentation I sent you. > > On 19 October 2016 at 14:29, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > ======Sent again without the picture===== > > Hello, > > Could you please be more specific ? 
> > In the documentation proposed it is described how to forward the original > client IP, but our problem seems to be the Destination (IDP) inside the "samlp:AuthnRequest". > > We get the following error: > > 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, > error=invalid_authn_request, reason=invalid_destination > > It seems to come from the following part of the code of the Keycloak project. > > package org.keycloak.protocol.saml; > > public class SamlService extends AuthorizationEndpointBase > > protected Response loginRequest(String relayState, AuthnRequestType requestAbstractType, ClientModel client) { > > SamlClient samlClient = new SamlClient(client); > > // validate destination > > if (requestAbstractType.getDestination() != null && !uriInfo.getAbsolutePath().equals(requestAbstractType.getDestination())) { > > event.detail(Details.REASON, "invalid_destination"); > > event.error(Errors.INVALID_SAML_AUTHN_REQUEST); > > return ErrorPage.error(session, Messages.INVALID_REQUEST); > > } > > The destination check simply does not match: the request destination is always > the internal Keycloak address "security1.lu" and it fails when SAML > requests end up at the second Keycloak "security2.lu". > > Br > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 18 October 2016 20:12 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > Please look at the documentation. It explains this. 
> > On 18 October 2016 at 16:57, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > Hello Stian, > > Thank you for your response. > > Could you explain a bit more what you mean by saying "as Keycloak should > see security.lu, not the internal addresses of > the nodes"? According to our understanding the Keycloak servers in > the internal network are behind a reverse proxy and thus they do not know that > they are called "security.lu", they just know that they are either > security1.lu or security2.lu . > > When we tried to overwrite the SAML XML configuration (that the client uses > for integration) and put the public address "security.lu" we again had > the same ERROR in Keycloak logs "reason=invalid_destination", probably due > to the same root cause: the destination in the SAML AuthRequest was > "Service.lu", an address unknown to Keycloak inside the private network. > > Destination=" > > I attach our HA configuration. We do not use the built-in Load Balancer > but an Apache Reverse Proxy which actually rewrites all internal URLs to > public ones for outgoing traffic and the opposite for the incoming traffic. Thus > there is not much left in the page you sent to be configured in our > Keycloak. > > I hope I was clear. Any help would be highly appreciated. > > Br > > Dimitrios Gkazgkas > > IT Solutions Architect > > ............................................................ > .................................. > > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] > *Sent:* 17 October 2016 20:41 > *To:* GKAZGKAS Dimitrios (TAN/MST) > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] SAML in a keycloak cluster > > Sounds like you haven't setup things properly as Keycloak should see > security.lu, not the internal addresses of the nodes. 
Take a look at > https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html > > On 13 October 2016 at 19:14, GKAZGKAS Dimitrios (TAN/MST) < > Dimitrios.Gkazgkas at tangoservices.lu> wrote: > > The response from the list on my initial mails was : After content > filtering, the message was empty > > So I try to send the same mail without CC and without attachment > > =========== > > Hello, > > We are trying to configure a SAML authentication system in a keycloak > cluster. First, with only one node, we are currently managing to > authenticate the SAML way. > > The architecture : > --> we have one apache reverse proxy with a public and unique endpoint for > saml authentication. We can call the public url : security.lu <http://security.lu> > > --> the reverse proxy will load-balance all calls that come on security.lu > to two keycloak nodes : security1.lu <http://security1.lu> and security2.lu ( the private > urls) . > > The issue that we have : > --> The client that integrates saml has a tomcat and integrates a > keycloak-saml.xml file. Of course, in this file the configuration is > referring to security1.lu ( the private address as > the keycloak node only knows its private address). > --> If we arrive during the load-balancing on the security1.lu <http://security1.lu> node, it will work. If I arrive on the second > security2.lu node, it will fail. 
When I dig a little > bit more, it's because in fact the SAMLRequest that is generated looks > like this : > > Destination="http://security1.lu:8080/realms/xxx/protocol/saml" > ForceAuthn="false" ID="ID_e563f50b-4ed8-454c-b938-0727d18ec08e" > IsPassive="false" IssueInstant="2016-10-11T12:52:09.865Z" > Version="2.0">xxxxx AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"> > > The error that I get is an invalid_destination because we receive this > SAMLRequest on the security2.lu node : > > 2016-10-11 14:52:10,152 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=xxx, clientId=null, userId=null, ipAddress=xxxx, > error=invalid_authn_request, reason=invalid_destination > > From what I see there is, for the saml client, a Clustering tab where I have > currently nothing. Maybe I need to add some host nodes here ? But I don't > know how to proceed. > > Or is there any way to define both security1.lu and > security2.lu in the Saml XML configuration that the client integrates? > > We have set proxy-address-forwarding=true > > Thank you for your help. > > Kr, > > Br > > Dimitrios Gkazgkas > IT Solutions Architect > > ________________________________ > > **** DISCLAIMER **** > http://www.tango.lu/maildisclaimer > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Fri Oct 28 02:55:14 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 28 Oct 2016 08:55:14 +0200 Subject: [keycloak-user] Oracle Database Connection Issues In-Reply-To: References: Message-ID: I don't think there's anything that has changed on our end that is causing this issue, and since it's happening only in your prod environment maybe there's some network issue or db configuration issue that is causing this. 
Try a Google search there's quite a lot of hints around this type of issue. On 27 October 2016 at 20:58, Thomas Barcia wrote: > I'm experiencing errors with Keycloak connected to an Oracle database. It > was working fine and we didn't notice the errors until after upgrading to > 2.2.1. > > The errors: > 2016-10-26 11:35:19,502 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] > (Timer-3) SQL Error: 17008, SQLState: 08003 > 2016-10-26 11:35:19,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] > (Timer-3) Closed Connection > 2016-10-26 11:35:19,504 ERROR [org.keycloak.services] (Timer-3) > KC-SERVICES0089: Failed to run scheduled task ClearExpiredEvents: > javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: > could not prepare statement > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert( > AbstractEntityManagerImpl.java:1692) > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert( > AbstractEntityManagerImpl.java:1602) > at org.hibernate.jpa.internal.QueryImpl.getResultList( > QueryImpl.java:492) > at org.keycloak.models.jpa.JpaRealmProvider.getRealms( > JpaRealmProvider.java:99) > at org.keycloak.models.cache.infinispan.RealmCacheSession. > getRealms(RealmCacheSession.java:424) > at org.keycloak.services.scheduled.ClearExpiredEvents. > run(ClearExpiredEvents.java:34) > at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunne > r$1.call(ClusterAwareScheduledTaskRunner.java:53) > at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunne > r$1.call(ClusterAwareScheduledTaskRunner.java:49) > at org.keycloak.cluster.infinispan.InfinispanClusterProvider. > executeIfNotExecuted(InfinispanClusterProvider.java:90) > at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunne > r.runTask(ClusterAwareScheduledTaskRunner.java:49) > at org.keycloak.services.scheduled.ScheduledTaskRunner. 
> run(ScheduledTaskRunner.java:44) > at org.keycloak.timer.basic.BasicTimerProvider$1.run( > BasicTimerProvider.java:51) > at java.util.TimerThread.mainLoop(Timer.java:555) > at java.util.TimerThread.run(Timer.java:505) > Caused by: org.hibernate.exception.JDBCConnectionException: could not > prepare statement > at org.hibernate.exception.internal.SQLStateConversionDelegate. > convert(SQLStateConversionDelegate.java:115) > at org.hibernate.exception.internal.StandardSQLExceptionConverter. > convert(StandardSQLExceptionConverter.java:42) > at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert( > SqlExceptionHelper.java:109) > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$ > StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java: > 182) > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl. > prepareQueryStatement(StatementPreparerImpl.java:148) > at org.hibernate.loader.Loader.prepareQueryStatement(Loader. > java:1928) > at org.hibernate.loader.Loader.executeQueryStatement(Loader. > java:1897) > at org.hibernate.loader.Loader.executeQueryStatement(Loader. > java:1875) > at org.hibernate.loader.Loader.doQuery(Loader.java:919) > at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCol > lections(Loader.java:336) > at org.hibernate.loader.Loader.doList(Loader.java:2611) > at org.hibernate.loader.Loader.doList(Loader.java:2594) > at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader. 
> java:2423) > at org.hibernate.loader.Loader.list(Loader.java:2418) > at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501) > at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list( > QueryTranslatorImpl.java:371) > at org.hibernate.engine.query.spi.HQLQueryPlan.performList( > HQLQueryPlan.java:216) > at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326) > at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) > at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) > at org.hibernate.jpa.internal.QueryImpl.getResultList( > QueryImpl.java:483) > ... 11 more > Caused by: java.sql.SQLRecoverableException: Closed Connection > at oracle.jdbc.driver.PhysicalConnection.prepareStatement( > PhysicalConnection.java:3587) > at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection. > doPrepareStatement(BaseWrapperManagedConnection.java:778) > at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection. > prepareStatement(BaseWrapperManagedConnection.java:764) > at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement( > WrappedConnection.java:454) > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5. > doPrepare(StatementPreparerImpl.java:146) > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$ > StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java: > 172) > ... 28 more > > > > Here's the datasource config: > pool-name="KeycloakDS" enabled="true" use-java-context="true"> > jdbc:oracle:thin:@dbserver:1550:instance connection-url> > oracle > > 5 > 200 > true > > > KEYCLOAK > > > > true > select 1 from > dual > > > > The H2 datasource is still in the standalone-ha.xml as is the h2 driver > but they've never been used or modified. > > As I said, this has been working perfectly but suddenly appears to be > closing connections despite having the automatic validation turned on. 
> This only happens with the production environment and experiences no issues > in the DEV environment that has the same config except for being connected > to a different DB server. The DBAs are seeing only 5 connections in this > environment but more in DEV. > > Any help would be appreciated. > > *** This communication has been sent from World Fuel Services > Corporation or its subsidiaries or its affiliates for the intended > recipient > only and may contain proprietary, confidential or privileged information. > If you are not the intended recipient, any review, disclosure, copying, > use, or distribution of the information included in this communication > and any attachments is strictly prohibited. If you have received this > communication in error, please notify us immediately by replying to this > communication and delete the communication, including any > attachments, from your computer. Electronic communications sent to or > from World Fuel Services Corporation or its subsidiaries or its affiliates > may be monitored for quality assurance and compliance purposes.*** > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From thomas.darimont at googlemail.com Fri Oct 28 03:18:22 2016 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Fri, 28 Oct 2016 09:18:22 +0200 Subject: [keycloak-user] Oracle Database Connection Issues In-Reply-To: References: Message-ID: Hello, this is interesting - I just saw the same exception yesterday in one of our clusters with 2.2.1.Final and users couldn't log in to Keycloak anymore. Only a restart of the Keycloak (Docker Container) helped. Still trying to find out what happened.... 
Cheers, Thomas 2016-10-28 8:55 GMT+02:00 Stian Thorgersen : > I don't think there's anything that has changed on our end that is causing > this issue and since it's happening only in your prod environment maybe > there's some network issue or db configuration issues that is causing this. > Try a Google search there's quite a lot of hints around this type of issue. > > On 27 October 2016 at 20:58, Thomas Barcia wrote: > > > I'm experiencing errors with Keycloak connected to an Oracle database. It > > was working fine and we didn't notice the errors until after upgrading to > > 2.2.1. > > > > The errors: > > 2016-10-26 11:35:19,502 WARN [org.hibernate.engine.jdbc. > spi.SqlExceptionHelper] > > (Timer-3) SQL Error: 17008, SQLState: 08003 > > 2016-10-26 11:35:19,503 ERROR [org.hibernate.engine.jdbc. > spi.SqlExceptionHelper] > > (Timer-3) Closed Connection > > 2016-10-26 11:35:19,504 ERROR [org.keycloak.services] (Timer-3) > > KC-SERVICES0089: Failed to run scheduled task ClearExpiredEvents: > > javax.persistence.PersistenceException: org.hibernate.exception. > JDBCConnectionException: > > could not prepare statement > > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert( > > AbstractEntityManagerImpl.java:1692) > > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert( > > AbstractEntityManagerImpl.java:1602) > > at org.hibernate.jpa.internal.QueryImpl.getResultList( > > QueryImpl.java:492) > > at org.keycloak.models.jpa.JpaRealmProvider.getRealms( > > JpaRealmProvider.java:99) > > at org.keycloak.models.cache.infinispan.RealmCacheSession. > > getRealms(RealmCacheSession.java:424) > > at org.keycloak.services.scheduled.ClearExpiredEvents. > > run(ClearExpiredEvents.java:34) > > at org.keycloak.services.scheduled. > ClusterAwareScheduledTaskRunne > > r$1.call(ClusterAwareScheduledTaskRunner.java:53) > > at org.keycloak.services.scheduled. 
> ClusterAwareScheduledTaskRunne > > r$1.call(ClusterAwareScheduledTaskRunner.java:49) > > at org.keycloak.cluster.infinispan.InfinispanClusterProvider. > > executeIfNotExecuted(InfinispanClusterProvider.java:90) > > at org.keycloak.services.scheduled. > ClusterAwareScheduledTaskRunne > > r.runTask(ClusterAwareScheduledTaskRunner.java:49) > > at org.keycloak.services.scheduled.ScheduledTaskRunner. > > run(ScheduledTaskRunner.java:44) > > at org.keycloak.timer.basic.BasicTimerProvider$1.run( > > BasicTimerProvider.java:51) > > at java.util.TimerThread.mainLoop(Timer.java:555) > > at java.util.TimerThread.run(Timer.java:505) > > Caused by: org.hibernate.exception.JDBCConnectionException: could not > > prepare statement > > at org.hibernate.exception.internal.SQLStateConversionDelegate. > > convert(SQLStateConversionDelegate.java:115) > > at org.hibernate.exception.internal. > StandardSQLExceptionConverter. > > convert(StandardSQLExceptionConverter.java:42) > > at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert( > > SqlExceptionHelper.java:109) > > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$ > > StatementPreparationTemplate.prepareStatement( > StatementPreparerImpl.java: > > 182) > > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl. > > prepareQueryStatement(StatementPreparerImpl.java:148) > > at org.hibernate.loader.Loader.prepareQueryStatement(Loader. > > java:1928) > > at org.hibernate.loader.Loader.executeQueryStatement(Loader. > > java:1897) > > at org.hibernate.loader.Loader.executeQueryStatement(Loader. > > java:1875) > > at org.hibernate.loader.Loader.doQuery(Loader.java:919) > > at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCol > > lections(Loader.java:336) > > at org.hibernate.loader.Loader.doList(Loader.java:2611) > > at org.hibernate.loader.Loader.doList(Loader.java:2594) > > at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader. 
> > java:2423) > > at org.hibernate.loader.Loader.list(Loader.java:2418) > > at org.hibernate.loader.hql.QueryLoader.list(QueryLoader. > java:501) > > at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list( > > QueryTranslatorImpl.java:371) > > at org.hibernate.engine.query.spi.HQLQueryPlan.performList( > > HQLQueryPlan.java:216) > > at org.hibernate.internal.SessionImpl.list(SessionImpl. > java:1326) > > at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87) > > at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606) > > at org.hibernate.jpa.internal.QueryImpl.getResultList( > > QueryImpl.java:483) > > ... 11 more > > Caused by: java.sql.SQLRecoverableException: Closed Connection > > at oracle.jdbc.driver.PhysicalConnection.prepareStatement( > > PhysicalConnection.java:3587) > > at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection. > > doPrepareStatement(BaseWrapperManagedConnection.java:778) > > at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection. > > prepareStatement(BaseWrapperManagedConnection.java:764) > > at org.jboss.jca.adapters.jdbc.WrappedConnection. > prepareStatement( > > WrappedConnection.java:454) > > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5. > > doPrepare(StatementPreparerImpl.java:146) > > at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$ > > StatementPreparationTemplate.prepareStatement( > StatementPreparerImpl.java: > > 172) > > ... 28 more > > > > > > > > Here's the datasource config: > > > pool-name="KeycloakDS" enabled="true" use-java-context="true"> > > jdbc:oracle:thin:@dbserver > :1550:instance > connection-url> > > oracle > > > > 5 > > 200 > > true > > > > > > KEYCLOAK > > > > > > > > true > > select 1 from > > dual > > > > > > > > The H2 datasource is still in the standalone-ha.xml as is the h2 driver > > but they've never been used or modified. 
> >
> > As I said, this has been working perfectly but suddenly appears to be closing connections despite having the automatic validation turned on. This only happens with the production environment and experiences no issues in the DEV environment that has the same config except for being connected to a different DB server. The DBAs are seeing only 5 connections in this environment but more in DEV.
> >
> > Any help would be appreciated.
> >
> > *** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer. Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Fri Oct 28 03:52:19 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 28 Oct 2016 09:52:19 +0200
Subject: [keycloak-user] Oracle Database Connection Issues
In-Reply-To:
References:
Message-ID:

Oracle as well?
On 28 October 2016 at 09:18, Thomas Darimont wrote:

> Hello,
>
> this is interesting - I just saw the same exception yesterday in one of our clusters with 2.2.1.Final and users couldn't log in to Keycloak anymore. Only a restart of the Keycloak (Docker Container) helped.
>
> Still trying to find out what happened....
>
> Cheers,
> Thomas
>
> 2016-10-28 8:55 GMT+02:00 Stian Thorgersen:
>
>> I don't think there's anything that has changed on our end that is causing this issue and since it's happening only in your prod environment maybe there's some network issue or db configuration issues that is causing this. Try a Google search there's quite a lot of hints around this type of issue.
>>
>> On 27 October 2016 at 20:58, Thomas Barcia wrote:
>>
>> > I'm experiencing errors with Keycloak connected to an Oracle database. It was working fine and we didn't notice the errors until after upgrading to 2.2.1.
>> >
>> > The errors:
>> > 2016-10-26 11:35:19,502 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) SQL Error: 17008, SQLState: 08003
>> > 2016-10-26 11:35:19,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) Closed Connection
>> > 2016-10-26 11:35:19,504 ERROR [org.keycloak.services] (Timer-3) KC-SERVICES0089: Failed to run scheduled task ClearExpiredEvents: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
>> > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
>> > at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
>> > at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492)
>> > at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:99)
>> > at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:424)
>> > at org.keycloak.services.scheduled.ClearExpiredEvents.run(ClearExpiredEvents.java:34)
>> > at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:53)
>> > [...]

From thomas.darimont at googlemail.com Fri Oct 28 03:54:52 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 28 Oct 2016 09:54:52 +0200
Subject: [keycloak-user] Oracle Database Connection Issues
In-Reply-To:
References:
Message-ID:

Oh nope - with PostgreSQL 9.5

On 28.10.2016 9:52 AM, "Stian Thorgersen" wrote:

> Oracle as well?
>
> On 28 October 2016 at 09:18, Thomas Darimont wrote:
>
>> [...]

From sthorger at redhat.com Fri Oct 28 03:57:29 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 28 Oct 2016 09:57:29 +0200
Subject: [keycloak-user] Oracle Database Connection Issues
In-Reply-To:
References:
Message-ID:

Hmm... Strange, sounds like something more sinister could be going on then.

On 28 October 2016 at 09:54, Thomas Darimont wrote:

> Oh nope - with PostgreSQL 9.5
>
> On 28.10.2016 9:52 AM, "Stian Thorgersen" wrote:
>
>> Oracle as well?
>>
>> On 28 October 2016 at 09:18, Thomas Darimont <thomas.darimont at googlemail.com> wrote:
>>
>>> [...]
From Vincent.Sluijter at crv4all.com Fri Oct 28 04:33:39 2016
From: Vincent.Sluijter at crv4all.com (Vincent Sluijter)
Date: Fri, 28 Oct 2016 08:33:39 +0000
Subject: [keycloak-user] Feature request: increase federation provider ldap filter field length
Message-ID:

As I am unable to login to the Keycloak Jira on jbossdeveloper.org to enter this issue, I am trying this mailing list.

The maximum character size of the LDAP filter in a federation provider is 255 (similar to http://lists.jboss.org/pipermail/keycloak-user/2015-October/003319.html). Our filter query is larger than this. We would like to request that the value field, for the table user_federation_config, is made larger. For example varchar(2047) to allow long LDAP filters (multiple groups with big Active Directory names).

Kind regards,

Vincent Sluijter

This message is subject to the following E-mail Disclaimer. (http://www.crv4all.com/disclaimer-email/) CRV Holding B.V. seats according to the articles of association in Arnhem, Dutch trade number 09125050.
From h.benz at first8.nl Fri Oct 28 07:29:49 2016 From: h.benz at first8.nl (Hartmut Benz) Date: Fri, 28 Oct 2016 13:29:49 +0200 Subject: [keycloak-user] Stuck in Email Validation question Message-ID: <2b9a4136-a395-e8cc-4b36-424c487234c2@first8.nl> Hi all, I have a question about how I can get (a user) out of a Validate-Email deadlock that can result in our use case. Situation: New users can register with Social Login, Email verification is On, but for policy reasons, we do not use the incoming email from the Identity Provider, but require the user type in another email. Case: A user registers with (for instance) Google, but puts a typo in the email address entered in the registration page. Upon submit, the validation mail goes to Nirvana (the mis-typed email address) and the user is stuck with no way out I can discover. He cannot validate the email that he cannot receive. Every time he logs in (with Google), he gets the page that he needs to validate the email before proceeding. Is there a method to get out of this deadlock without involving a helpdesk call to delete 'stuck' user? Many thanks in advance Hartmut -- Dr. Hartmut Benz +31 (0)6 30 167 093 First8 B.V. Kerkenbos 10-59b +31 (0)24 34 835 70 www.first8.nl 6546BB Nijmegen h.benz at first8.nl From bruno at abstractj.org Fri Oct 28 07:34:17 2016 From: bruno at abstractj.org (Bruno Oliveira) Date: Fri, 28 Oct 2016 09:34:17 -0200 Subject: [keycloak-user] Clarifications regarding Spring Security Adapter Configuration In-Reply-To: References: Message-ID: <20161028113417.GA31012@abstractj.org> Hi Michael On 2016-10-26, Michael Furman wrote: > Hi all, > I will happy for couple of clarifications regarding Java Adapter Configuration: > https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html > > I want to use Spring Security Adapter: > https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html > > > 1. 
Where keycloak.json should be located? > How I pass it to the Spring Security Adapter? If you look at the section "XML Configuration"[1] there's a snippet showing how to configure it: > 2. Is it possible to configure all properties (that configured in keycloak.json) via database? > Or alternatively via some Spring Context? I did something related to this in the past with RESTful endpoints, not sure if it helps. But if you have sensitive information, I strongly recommend not doing that. > In this case I will be able to put confidential information (e.g. truststore-password) in the databasea Looking at this issue[2], I'm not sure if what you want is supported now. > > [1] - https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html [2] - https://issues.jboss.org/browse/KEYCLOAK-1410 > Thank you in advance for your help. > Best regards, > Michael > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj PGP: 0x84DC9914 From sthorger at redhat.com Fri Oct 28 08:53:33 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 28 Oct 2016 14:53:33 +0200 Subject: [keycloak-user] Feature request: increase federation provider ldap filter field length In-Reply-To: References: Message-ID: Hi, We are soon porting the LDAP provider to our new User Storage SPI. That is using the new Component Storage model which supports attributes values up to 4KB so this should be fixed when we do that. The aim is to have this work included in 2.4. On 28 October 2016 at 10:33, Vincent Sluijter wrote: > As I am unable to login to the Keycloak Jira on jbossdeveloper.org to > enter this issue, I am trying this mailing list. > > The maximum character size of the LDAP filter in a federation provider is > 255 (similar to http://lists.jboss.org/pipermail/keycloak-user/2015- > October/003319.html). 
> Our filter query is larger than this. We would like to request that the value field, for the table user_federation_config, is made larger. For example varchar(2047) to allow long LDAP filters (multiple groups with big Active Directory names).
>
> Kind regards,
>
> Vincent Sluijter
> This message is subject to the following E-mail Disclaimer. (http://www.crv4all.com/disclaimer-email/) CRV Holding B.V. seats according to the articles of association in Arnhem, Dutch trade number 09125050.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From TBarcia at wfscorp.com Fri Oct 28 09:44:50 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Fri, 28 Oct 2016 13:44:50 +0000
Subject: [keycloak-user] Oracle Database Connection Issues
In-Reply-To:
References:
Message-ID: <06a6ce2ca8cb40f0bb114e2569e646ab@MIA-WEX-P16.wfs.com>

Stan,

Thank you for your response. I had a network engineer spend 2 hours looking into logs and packet captures, had the DBA team checking their logs and I've been through all of the Linux server logs and cannot see anything that might be the cause.

Now, we have upgraded from 1.6.1 to 1.9.0 to 1.9.8 to 2.2.1 all without a server restart so there was a thought that there might have been a process running that could be causing the issue so I rebooted the Linux servers last night. I'll keep an eye on it today to see if this has resolved the issue.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Friday, October 28, 2016 2:55 AM
To: Thomas Barcia
Cc: keycloak-user at lists.jboss.org
Subject: [EXTERNAL]Re: [keycloak-user] Oracle Database Connection Issues

I don't think there's anything that has changed on our end that is causing this issue and since it's happening only in your prod environment maybe there's some network issue or db configuration issues that is causing this. Try a Google search, there's quite a lot of hints around this type of issue.

On 27 October 2016 at 20:58, Thomas Barcia wrote:

I'm experiencing errors with Keycloak connected to an Oracle database. It was working fine and we didn't notice the errors until after upgrading to 2.2.1.

The errors:

2016-10-26 11:35:19,502 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) SQL Error: 17008, SQLState: 08003
2016-10-26 11:35:19,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (Timer-3) Closed Connection
2016-10-26 11:35:19,504 ERROR [org.keycloak.services] (Timer-3) KC-SERVICES0089: Failed to run scheduled task ClearExpiredEvents: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
    at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
    at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:99)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:424)
    at org.keycloak.services.scheduled.ClearExpiredEvents.run(ClearExpiredEvents.java:34)
    at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:53)
    at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner$1.call(ClusterAwareScheduledTaskRunner.java:49)
    at org.keycloak.cluster.infinispan.InfinispanClusterProvider.executeIfNotExecuted(InfinispanClusterProvider.java:90)
    at org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner.runTask(ClusterAwareScheduledTaskRunner.java:49)
    at org.keycloak.services.scheduled.ScheduledTaskRunner.run(ScheduledTaskRunner.java:44)
    at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:51)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
    at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:148)
    at org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:1928)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1897)
    at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:1875)
    at org.hibernate.loader.Loader.doQuery(Loader.java:919)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:336)
    at org.hibernate.loader.Loader.doList(Loader.java:2611)
    at org.hibernate.loader.Loader.doList(Loader.java:2594)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2423)
    at org.hibernate.loader.Loader.list(Loader.java:2418)
    at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:501)
    at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:371)
    at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:216)
    at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1326)
    at org.hibernate.internal.QueryImpl.list(QueryImpl.java:87)
    at org.hibernate.jpa.internal.QueryImpl.list(QueryImpl.java:606)
    at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:483)
    ... 11 more
Caused by: java.sql.SQLRecoverableException: Closed Connection
    at oracle.jdbc.driver.PhysicalConnection.prepareStatement(PhysicalConnection.java:3587)
    at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:778)
    at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:764)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:146)
    at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
    ... 28 more

Here's the datasource config:

jdbc:oracle:thin:@dbserver:1550:instance oracle 5 200 true KEYCLOAK true select 1 from dual

The H2 datasource is still in the standalone-ha.xml as is the h2 driver but they've never been used or modified.

As I said, this has been working perfectly but suddenly appears to be closing connections despite having the automatic validation turned on. This only happens with the production environment and experiences no issues in the DEV environment that has the same config except for being connected to a different DB server. The DBAs are seeing only 5 connections in this environment but more in DEV.

Any help would be appreciated.

*** This communication has been sent from World Fuel Services Corporation or its subsidiaries or its affiliates for the intended recipient only and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any review, disclosure, copying, use, or distribution of the information included in this communication and any attachments is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to this communication and delete the communication, including any attachments, from your computer.
Electronic communications sent to or from World Fuel Services Corporation or its subsidiaries or its affiliates may be monitored for quality assurance and compliance purposes.***

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From TBarcia at wfscorp.com Fri Oct 28 22:20:07 2016
From: TBarcia at wfscorp.com (Thomas Barcia)
Date: Sat, 29 Oct 2016 02:20:07 +0000
Subject: [keycloak-user] Oracle Database Connection Issues
In-Reply-To: <06a6ce2ca8cb40f0bb114e2569e646ab@MIA-WEX-P16.wfs.com>
References: <06a6ce2ca8cb40f0bb114e2569e646ab@MIA-WEX-P16.wfs.com>
Message-ID: <6d368f7566ff4d84bad26e88bfc8ec0b@MIA-WEX-P16.wfs.com>

I think we fixed it. The reboot didn't improve the situation but here's what did...

Months ago, I configured a validation query that according to docs should have run every 10 minutes (default), however the DBA team never saw the validation query. Today I set a value for the timing of the validation and we are now seeing the validation query and we are not seeing the errors relating to the DB connections. The total of the code I added is:

true select 1 from dual 120000

Thank you for your help.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Thomas Barcia
Sent: Friday, October 28, 2016 9:45 AM
To: stian at redhat.com
Cc: keycloak-user at lists.jboss.org
Subject: [EXTERNAL]Re: [keycloak-user] Oracle Database Connection Issues

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sourin-v at bridgestone-bae.com Sat Oct 29 14:28:50 2016
From: sourin-v at bridgestone-bae.com (Vincent Sourin)
Date: Sat, 29 Oct 2016 18:28:50 +0000
Subject: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster
In-Reply-To:
References: <63089ad90392499788b738728f8e55a8@bridgestone-bae.com> <54e98e7291674ec3bc02c08067f34158@bridgestone-bae.com>
Message-ID:

Hello Stian,

I can confirm now that the problem came from a bad configuration in my reverse-proxy. It works like a charm now. Sorry for the inconvenience and thanks a lot for your time and help.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 12:35
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Did you replace some values in what you pasted? In the second request it's also showing a strange value for Host:

header=Referer=https://as.mydomain.com/auth/
header=Host=as.bridgestone-bae.corp

Referrer is as.mydomain.com, but it's trying to get as.bridgestone-bae.corp. Then there's also missing X-Forwarded* headers yes.

On 25 October 2016 at 12:31, Vincent Sourin wrote:

Here are the captured packets dumped by Undertow. Strangely, on the second request I don't see X-Forwarded-* Header in the request. I don't think it's normal?
1/ First when browsing to https://as.mydomain.com/auth
==============================================================

2016-10-25 12:23:59,164 INFO [io.undertow.request.dump] (default task-3)
----------------------------REQUEST---------------------------
URI=/auth/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=X-Forwarded-Server=webserver.mydomain.com
header=Upgrade=WebSocket
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Connection=Upgrade
header=X-Forwarded-Proto=https
header=X-Forwarded-For=10.10.0.89
header=Upgrade-Insecure-Requests=1
header=Host=as.mydomain.com
header=X-Forwarded-Host=as.mydomain.com
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=10.10.0.89:0
remoteHost=10.10.0.89
scheme=https
host=as.mydomain.com
serverPort=0
--------------------------RESPONSE--------------------------
contentLength=2740
contentType=text/html;charset=utf-8
header=Cache-Control=no-cache, must-revalidate, no-transform, no-store
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=X-Frame-Options=SAMEORIGIN
header=Content-Security-Policy=frame-src 'self'
header=Date=Tue, 25 Oct 2016 10:23:59 GMT
header=Connection=keep-alive
header=X-Content-Type-Options=nosniff
header=Content-Type=text/html;charset=utf-8
header=Content-Length=2740
status=200

2/ Then, when clicking the Administration console link on the auth page:
==============================================================

2016-10-25 12:24:11,069 INFO [io.undertow.request.dump] (default task-4)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
header=Connection=keep-alive
header=Accept-Language=fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
header=Accept-Encoding=gzip, deflate, br
header=User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
header=Referer=https://as.mydomain.com/auth/
header=Upgrade-Insecure-Requests=1
header=Host=as.bridgestone-bae.corp
locale=[fr, fr_FR, en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=/10.10.2.134:47440
remoteHost=webserver.mydomain.com
scheme=http
host=as.mydomain.com
serverPort=18080
--------------------------RESPONSE--------------------------
contentLength=0
contentType=null
header=Connection=keep-alive
header=X-Powered-By=Undertow/1
header=Server=WildFly/10
header=Location=http://as.mydomain.com/auth/admin/master/console/
header=Content-Length=0
header=Date=Tue, 25 Oct 2016 10:24:11 GMT
status=302

Sourin Vincent - Systems Engineer
Bridgestone Aircraft Tire (Europe)
Route de Bavay - B7080 Frameries (Belgium)
Tel: +32 65 61 11 53 - Fax: +32 65 61 11 09
GSM: +32 492 97 44 99

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 11:59
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Strange. I can't see why that should ever redirect to non-https. Can you capture the requests that are being sent after you click on the link to see where/when the redirect to non-https is coming into play?

On 25 October 2016 at 11:24, Vincent Sourin wrote:

No, it is the link Administration Console. I made a screenshot here: https://postimg.org/image/5q6vg95iz/482e5a3f/

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 10:38
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

What specific link on the "welcome page" are you referring to? Is it the link in the text "You need local access to create the initial admin user. Open http://localhost:8080/auth or use the add-user-keycloak script."?

On 25 October 2016 at 10:05, Vincent Sourin wrote:

All the URLs at the given address contain https and the reverse proxy hostname.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, 25 October 2016 09:49
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Try: https:///auth/realms/master/.well-known/openid-configuration

And check the URLs in the page. They should contain https and the correct hostname (for your reverse proxy, not Keycloak). If not there's an issue with your reverse proxy or it's not configured correctly in Keycloak server. Check the installation guide for more details.

On 24 October 2016 at 21:38, Vincent Sourin wrote:

Yes I think X-Forwarded-* Headers and preservation of original host are set.

Actually, I'm not really a "network" guy. So for testing purposes, I use the bundle (httpd + ssl) provided on the mod_cluster website. I "tweak" the configuration to try to achieve SSL Termination and Websocket like this:

------------------------ Apache Configuration ----------------------------
ServerRoot "/opt/jboss/httpd/httpd"
LoadModule authn_file_module /opt/jboss/httpd/lib/httpd/modules/mod_authn_file.so
[...]
LoadModule rewrite_module /opt/jboss/httpd/lib/httpd/modules/mod_rewrite.so
User daemon
Group daemon
AllowOverride none
Require all denied
DocumentRoot "/opt/jboss/httpd/htdocs/htdocs"
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
DirectoryIndex index.html
Require all denied
ErrorLog "logs/error_log"
LogLevel warn
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog "logs/access.log" combined env=!dontlog
ScriptAlias /cgi-bin/ "/opt/jboss/httpd/htdocs/cgi-bin/"
AllowOverride None
Options None
Require all granted
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
Include conf/extra/proxy-html.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
MemManagerFile "/dev/shm/httpd/cache/mod_cluster"
SSLSessionCache "shmcb:/opt/jboss/httpd/httpd/logs/ssl_gcache_data(512000)"
EnableWsTunnel
Listen XXXXXXXX:443
ServerName XXXXXXXXXXXXXXX
CreateBalancers 0
AllowDisplay On
SetHandler mod_cluster-manager
Require ip 10.10
ProxyPass !
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCertificateFile /opt/mod_cluster-certs/CERT.pem
SSLCertificateKeyFile /opt/mod_cluster-certs/KEY.pem
SSLCACertificateFile /opt/mod_cluster-certs/CA.pem
SSLVerifyClient none
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
Listen XXXXXXXXX:6666
ServerName XXXXXXXXXXXXXXXXX
Require ip 10.10
AllowDisplay On
KeepAliveTimeout 300
MaxKeepAliveRequests 0
ServerAdvertise on
AdvertiseFrequency 5
AdvertiseGroup 224.0.1.205:24364
EnableMCPMReceive
ManagerBalancerName mycluster
ProxyPreserveHost On
RequestHeader Set X-Forwarded-Proto "https"
------------------------ Apache Configuration ----------------------------

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Monday, 24 October 2016 08:08
To: Vincent Sourin
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak 2.2.1 and Apache + mod_cluster

Is your proxy setting X-Forwarded-For, X-Forwarded-Proto and also preserving the original Host header?

On 22 October 2016 at 13:19, Vincent Sourin wrote:

Hello,

I've got a strange behavior with a Keycloak instance (version 2.2.1 Final) behind an Apache Reverse Proxy (with Mod_cluster).

First of all, here is my test environment: https://postimg.org/image/z7xrb08ev/

I think it's worth mentioning that:
* Wildfly & keycloak are installed on the same servers but each in separate instances (not using overlay deployment)
* mod_cluster is configured in http mode (not ajp) with mod_proxy_wstunnel activated because I use Websocket with wildfly

So, in this configuration, applications deployed on wildfly instances work well but I got some problem with Keycloak. Reaching the keycloak "auth" page (https://XXXXXXX/auth/) works fine but as soon as I click on the link "Administration Console" (resolved normally to https://XXXXXXX/auth/admin/ as indicated by my browser) I'm redirected to a plain http connection and so the request failed.
If I browse directly to https://XXXXXXX/auth/admin/ my browser complains about "some insecure items on the page" and I can't reach the console either.

Here is a snippet of my keycloak configuration:

[...]
[...]
[...]
[...]
[...]

Can someone tell me what I'm doing wrong or give me the right direction to further investigate this behavior?

Thanks for your help.

Vincent.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From palermo at pobox.com Sat Oct 29 18:10:45 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Sat, 29 Oct 2016 22:10:45 -0000
Subject: [keycloak-user] Custom Required Action
Message-ID:

Hi,

I'm trying to develop a custom required action to verify the user email without relying on the user session and allow the confirmation link to live longer.

Let's say I send the user email as a query parameter on the confirmation link. Is it possible to search the database directly using this email and avoid using 'RequiredActionContext getUser()'?

Thanks,
Bruno

From michael_furman at hotmail.com Sun Oct 30 07:28:57 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Sun, 30 Oct 2016 11:28:57 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To:
References:
Message-ID:

Thanks Stian,

I will be happy for the additional clarifications.

I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.

I think that the following is relevant:

The next few methods define how the Authenticator can be configured.
...
The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.

But according to my understanding the configuration should appear in the Authenticator configuration UI. Therefore, how should I create the UI?

Additional question: will the new Authenticator appear in Authentication Flows:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html

Will I be able to configure Required / Optional / Disabled for the new Authenticator?

Thank you in advance for your help.
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Thursday, October 27, 2016 9:57 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.

On 26 October 2016 at 17:08, Michael Furman wrote:

Hi all,
I want to add support for a new authentication schema.
How can I add UI for the new authentication schema configuration?
For example, I want to add the TACACS authentication schema.
Therefore I need to configure the TACACS server IP and the secret.
Maybe I have missed it but I can not find it here: https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html

Thank you in advance for your help.
Best regards,
Michael

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From java at neposoft.com Sun Oct 30 08:30:26 2016
From: java at neposoft.com (java_os)
Date: Sun, 30 Oct 2016 08:30:26 -0400
Subject: [keycloak-user] keycloak consuming saml
Message-ID:

Group,

Portal where users are authenticated in ADFS and I need to add a link to my webapp protected by Keycloak. Users clicking on the link should trigger a SAML POST into Keycloak, consume the assertion and let the user in.

Given this scenario how could I configure Keycloak to receive the assertion and give my webapp an OIDC token? Is this doable?

Was looking at identity brokering, but this triggers a request from Keycloak to the IdP.
I think my case is idp initiated saml post . is it possible to use id brokering in this case, or how does anyone solve this scenario? Thanks From sthorger at redhat.com Mon Oct 31 01:58:14 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 31 Oct 2016 06:58:14 +0100 Subject: [keycloak-user] Stuck in Email Validation question In-Reply-To: <2b9a4136-a395-e8cc-4b36-424c487234c2@first8.nl> References: <2b9a4136-a395-e8cc-4b36-424c487234c2@first8.nl> Message-ID: There's no way currently. On 28 October 2016 at 13:29, Hartmut Benz wrote: > Hi all, > > I have a question about how I can get (a user) out of a Validate-Email > deadlock that can result in our use case. > > Situation: > New users can register with Social Login, Email verification is On, > but for policy reasons, we do not use the incoming email from the > Identity Provider, but require the user type in another email. > > Case: > A user registers with (for instance) Google, but puts a typo in the > email address entered in the registration page. > Upon submit, the validation mail goes to Nirvana (the mis-typed email > address) and the user is stuck with no way out I can discover. > He cannot validate the email that he cannot receive. > Every time he logs in (with Google), he gets the page that he needs to > validate the email before proceeding. > > Is there a method to get out of this deadlock without involving a > helpdesk call to delete 'stuck' user? > > Many thanks in advance > Hartmut > > -- > Dr. Hartmut Benz +31 (0)6 30 167 093 > First8 B.V. 
> Kerkenbos 10-59b +31 (0)24 34 835 70
> www.first8.nl 6546BB Nijmegen h.benz at first8.nl

From sthorger at redhat.com Mon Oct 31 02:00:38 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 31 Oct 2016 07:00:38 +0100
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To:
References:
Message-ID:

Configuration UI is generated based on what's returned by the getConfigProperties method.

On 30 October 2016 at 12:28, Michael Furman wrote:
> Thanks Stian,
>
> I will be happy for additional clarifications.
>
> I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
> but was not able to find a lot.
>
> I think that the following is relevant:
>
> "The next few methods define how the Authenticator can be configured.
> ...
> The getConfigProperties() method returns a list of ProviderConfigProperty
> objects. These objects define a specific configuration attribute."
>
> But according to my understanding the configuration should appear in the
> Authenticator configuration UI.
> Therefore, how should I create the UI?
>
> Additional question: will the new Authenticator appear in Authentication Flows:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
> Will I be able to configure Required / Optional / Disabled for the new Authenticator?
>
> Thank you in advance for your help.
> Best regards,
> Michael
>
> ------------------------------
> From: Stian Thorgersen
> Sent: Thursday, October 27, 2016 9:57 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> We don't support that directly so you would have to develop your own
> custom authenticator for it. The doc you linked describes how to do that.
>
> On 26 October 2016 at 17:08, Michael Furman wrote:
>> Hi all,
>> I want to add support for the new authentication schema.
>> How can I add UI for new authentication schema configuration?
>> For example, I want to add the TACACS authentication schema.
>> Therefore I need to configure the TACACS server IP and the secret.
>> Maybe I have missed it, but I cannot find it here:
>> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>>
>> Thank you in advance for your help.
>> Best regards,
>> Michael

From sthorger at redhat.com Mon Oct 31 02:29:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 31 Oct 2016 07:29:54 +0100
Subject: [keycloak-user] password history not always correctly considered
In-Reply-To:
References: <14c8a140-6367-73ae-ac43-f501988ffa63@redhat.com>
Message-ID:

I guess it's buggy behavior, but the real question is do we care? It seems to be an issue purely limited to testing and not to real usage?

On 27 October 2016 at 12:22, Bystrik Horvath wrote:
> Hi,
>
> the question is whether this is buggy behavior or not, regardless of my use
> case. I came to this behavior on a slower virtual machine where the gaps
> between the calls were more than 300 ms, then I decided to test it locally
> on a Windows machine without network communication.
> What could I expect then on a clustered solution where I change the password
> on one node and do the same on the next node?
> Thank you for the answer.
>
> Best regards,
> Bystrik
>
> On Tue, Oct 25, 2016 at 3:28 PM, Bystrik Horvath <bystrik.horvath at gmail.com> wrote:
>> Hi Bill and Stian,
>>
>> I know that this is a silly test case, but the API provides the possibility ;-)
>> Anyway, I run my test from the POSTMAN tool and the requests are running in
>> a sequence. I have a standalone Keycloak on my Windows machine, so it is
>> not a cluster. Yes Bill, you are right, most often the failing one is the 3rd attempt.
>>
>> Best regards,
>> Bystrik
>>
>> On Tue, Oct 25, 2016 at 3:00 PM, Bill Burke wrote:
>>> We purge older history entries. It's based on the creation date, which is the current
>>> time in milliseconds. I guess it could be possible that the update is
>>> happening so fast that multiple entries have the same creation date.
>>> Are you running tests in a cluster? It could also be possible that the
>>> machines in your cluster don't have fully synchronized clocks.
>>>
>>> Does it work for the 1st 2 tries, then fail on the 3rd? Then that is
>>> probably the problem you are experiencing.
>>>
>>> On 10/25/16 7:23 AM, Bystrik Horvath wrote:
>>>> Hello,
>>>>
>>>> I have a realm where password history was set to 3. When I try to set the
>>>> password for a user too fast (via REST API), I'm able to use one of the
>>>> passwords that should be recorded as not usable. When I put a small sleep
>>>> between the password changes (approx. 300 ms), the use case works fine, so
>>>> I'm not allowed to use any of the 3 recorded passwords from the history. I
>>>> tested the case using 1.9.3 Final and 2.2.1 Final with the same results.
>>>> It looks to me like a bug, doesn't it?
>>>>
>>>> Thank you for the answer & best regards,
>>>> Bystrik

From michael_furman at hotmail.com Mon Oct 31 04:41:25 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Mon, 31 Oct 2016 08:41:25 +0000
Subject: [keycloak-user] Creating the UI using REST API
Message-ID:

Hi all,
We need to create our own UI using the REST API.
I have authenticated a user in the UI (http://localhost:8080/auth/admin/master/console/#/realms/master) and then I have tried to open some REST API from a browser in a new tab (for example http://localhost:8080/auth/admin/realms/master/clients).
Unfortunately I get an HTTP 401 bearer error.
I see that I need the bearer token if I access the REST API from the command line:
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/admin-rest-api.html
What should the UI do to access the REST API? Also, how does it obtain the bearer token and then access the REST API?
Do you have any JS lib that makes the process easier?
Thank you in advance for your help.
Best regards,
Michael

From mposolda at redhat.com Mon Oct 31 04:55:14 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 31 Oct 2016 09:55:14 +0100
Subject: [keycloak-user] Feature request: increase federation provider ldap filter field length
In-Reply-To:
References:
Message-ID: <0ba4cb5b-b9df-fe79-3f91-2be5bcb27537@redhat.com>

Could you please create a JIRA for this?
Thanks,
Marek

On 28/10/16 10:33, Vincent Sluijter wrote:
> As I am unable to login to the Keycloak Jira on jbossdeveloper.org to enter this issue, I am trying this mailing list.
>
> The maximum character size of the LDAP filter in a federation provider is 255 (similar to http://lists.jboss.org/pipermail/keycloak-user/2015-October/003319.html). Our filter query is larger than this. We would like to request that the value field, for the table user_federation_config, is made larger. For example varchar(2047) to allow long LDAP filters (multiple groups with big Active Directory names).
>
> Kind regards,
>
> Vincent Sluijter

From michael_furman at hotmail.com Mon Oct 31 08:47:46 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Mon, 31 Oct 2016 12:47:46 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To:
References:
Message-ID:

Thanks,
Where will I see the generated UI? On the authentication page?
http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
Also, can I add / update the authenticator configuration via the REST API?
http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
Thank you in advance for your help.
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Monday, October 31, 2016 8:00 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
Configuration UI is generated based on what's returned by the getConfigProperties method.

On 30 October 2016 at 12:28, Michael Furman wrote:

Thanks Stian,
I will be happy for additional clarifications.
I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
I think that the following is relevant:

"The next few methods define how the Authenticator can be configured.
...
The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute."

But according to my understanding the configuration should appear in the Authenticator configuration UI.
Therefore, how should I create the UI?

Additional question: will the new Authenticator appear in Authentication Flows:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
Will I be able to configure Required / Optional / Disabled for the new Authenticator?

Thank you in advance for your help.
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Thursday, October 27, 2016 9:57 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.

On 26 October 2016 at 17:08, Michael Furman wrote:

Hi all,
I want to add support for the new authentication schema.
How can I add UI for new authentication schema configuration?
For example, I want to add the TACACS authentication schema.
Therefore I need to configure the TACACS server IP and the secret.
Maybe I have missed it, but I cannot find it here:
https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html

Thank you in advance for your help.
Best regards,
Michael

From niko at n-k.de Mon Oct 31 11:15:48 2016
From: niko at n-k.de (Niko Köbler)
Date: Mon, 31 Oct 2016 16:15:48 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
Message-ID:

Hi,

I just implemented the User Storage SPI as a replacement for our User Federation SPI.
Creating the User Storage Provider works w/o errors, but no Priority value will be saved. When updating the Provider with a value for Priority, it fails with an exception (see below); updating the Provider without setting a value for Priority works.
Do I have to implement/configure something special to get it to work? I based my implementation on the user-storage-jpa-example provided with Keycloak. Or is it a general error? Should I create a Jira issue for it?

The exception/stack trace:

    16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
     at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
     at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
     at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
     ...
Regards,
- Niko

From palermo at pobox.com Mon Oct 31 13:07:38 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Mon, 31 Oct 2016 17:07:38 -0000
Subject: [keycloak-user] Admin Client
Message-ID:

Hi,

I'm trying to use the keycloak-admin-client.

    import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
    import org.keycloak.admin.client.Keycloak;
    import org.keycloak.admin.client.KeycloakBuilder;
    import org.keycloak.representations.idm.UserRepresentation;

    // serverUrl is the Keycloak base URL (e.g. http://host:8080/auth), realm the target realm
    Keycloak kc = KeycloakBuilder.builder()
        .serverUrl(serverUrl)
        .realm("master")
        .username("username")
        .password("password")
        .clientId("admin-cli")
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
        .build();

    UserRepresentation user = kc.realm(realm)
        .users()
        .get("userId")
        .toRepresentation();

But it returns an error:

    Caused by: java.lang.LinkageError: loader constraint violation: loader (instance of org/jboss/modules/ModuleClassLoader) previously initiated loading for a different type with name "org/keycloak/representations/idm/RealmRepresentation"

Any ideas?

Thanks,
Bruno

From kevin.thorpe at p-i.net Mon Oct 31 13:09:34 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Mon, 31 Oct 2016 17:09:34 +0000
Subject: [keycloak-user] Hi, can I please ask someone to edit the upgrade notes?
Message-ID:

Hi, just going through an upgrade from 1.7.0.Final to 2.3.0.Final. Didn't see anything in the notes, but this doesn't do the database upgrade successfully. It did work going through 2.0.0.Final, but there may be more than one way to do this. It's related to the appearance of the CLIENT_TEMPLATE table. Can someone please add this information to the upgrade notes.

Kevin Thorpe

From mposolda at redhat.com Mon Oct 31 13:18:12 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 31 Oct 2016 18:18:12 +0100
Subject: [keycloak-user] Hi, can I please ask someone to edit the upgrade notes?
In-Reply-To:
References:
Message-ID: <4f96352a-aa34-1a91-1c00-343e6c0fe21d@redhat.com>

Hi Kevin,

I assume you saw some exception stacktrace during the failed migration? Can you please create a JIRA and ideally also specify which DB you are using and attach the whole exception stacktrace (if any) or server log?
Thanks,
Marek

On 31/10/16 18:09, Kevin Thorpe wrote:
> Hi, just going through an upgrade from 1.7.0.Final to 2.3.0.Final. Didn't
> see anything in the notes, but this doesn't do the database upgrade
> successfully. It did work going through 2.0.0.Final, but there may be more
> than one way to do this. It's related to the appearance of the
> CLIENT_TEMPLATE table. Can someone please add this information to the
> upgrade notes.
>
> Kevin Thorpe

From kevin.thorpe at p-i.net Mon Oct 31 13:21:49 2016
From: kevin.thorpe at p-i.net (Kevin Thorpe)
Date: Mon, 31 Oct 2016 17:21:49 +0000
Subject: [keycloak-user] Hi, can I please ask someone to edit the upgrade notes?
In-Reply-To: <4f96352a-aa34-1a91-1c00-343e6c0fe21d@redhat.com>
References: <4f96352a-aa34-1a91-1c00-343e6c0fe21d@redhat.com>
Message-ID:

Ok, will do.

Kevin Thorpe
VP Enterprise Platform
www.p-i.net | @PI_150
T: +44 (0)20 3005 6750 | F: +44 (0)20 7730 2635 | T: +44 (0)808 204 0344
150 Buckingham Palace Road, London, SW1W 9TR, UK
On 31 October 2016 at 17:18, Marek Posolda wrote:
> Hi Kevin,
>
> I assume you saw some exception stacktrace during the failed migration? Can
> you please create a JIRA and ideally also specify which DB you are using and
> attach the whole exception stacktrace (if any) or server log?
>
> Thanks,
> Marek
>
> On 31/10/16 18:09, Kevin Thorpe wrote:
>> Hi, just going through an upgrade from 1.7.0.Final to 2.3.0.Final. Didn't
>> see anything in the notes, but this doesn't do the database upgrade
>> successfully. It did work going through 2.0.0.Final, but there may be more
>> than one way to do this. It's related to the appearance of the
>> CLIENT_TEMPLATE table. Can someone please add this information to the
>> upgrade notes.
>>
>> Kevin Thorpe

From amorse at deloitte.com Mon Oct 31 17:10:58 2016
From: amorse at deloitte.com (Morse, Alexander (US - Newton))
Date: Mon, 31 Oct 2016 21:10:58 +0000
Subject: [keycloak-user] Backend to Backend Call
Message-ID:

Hi,

I want to know the recommended approach for having asynchronous backend services that are secured through bearer tokens call each other. We have an interactive web application that calls a backend service. The JavaScript adapter places the access token in the Authorization header. This backend service starts an asynchronous job that then calls another backend service, passing along the same access token. The problem arises when the access token has expired while the first job was processing. Seems like one relatively straightforward approach would be to have the front end pass a refresh token to the backend, which it can use to obtain a new access token.
Are there better approaches? The adapters do not seem to natively support this.

Thanks,
Alex

From mstrukel at redhat.com Mon Oct 31 17:40:56 2016
From: mstrukel at redhat.com (Marko Strukelj)
Date: Mon, 31 Oct 2016 22:40:56 +0100
Subject: [keycloak-user] Admin Client
In-Reply-To:
References:
Message-ID:

That error can happen when jboss-modules dependencies are misconfigured. The RealmRepresentation class is part of the keycloak-core module, and should only be available through that module. What that means is that you should declare a dependency on the keycloak-core module in your module (whatever that is - maybe jboss-deployment-structure.xml for your .war), but make sure not to reexport the dependency content.

The following for example would be a wrong way to declare a module dependency:

On Tue, Jul 10, 2018 at 7:03 PM, Bruno Palermo wrote:
> Hi,
>
> I'm trying to use the keycloak-admin-client.
>
>     Keycloak kc = KeycloakBuilder.builder()
>         .serverUrl(serverUrl)
>         .realm("master")
>         .username("username")
>         .password("password")
>         .clientId("admin-cli")
>         .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
>         .build();
>
>     UserRepresentation user = kc.realm(realm)
>         .users()
>         .get("userId")
>         .toRepresentation();
>
> But it returns an error:
>
>     Caused by: java.lang.LinkageError: loader constraint violation: loader (instance of org/jboss/modules/ModuleClassLoader) previously initiated loading for a different type with name "org/keycloak/representations/idm/RealmRepresentation"
>
> Any ideas?
>
> Thanks,
> Bruno

From chris.savory at edlogics.com Mon Oct 31 19:11:36 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Mon, 31 Oct 2016 23:11:36 +0000
Subject: [keycloak-user] Having difficulty logging out in a 2 client scenario
Message-ID: <692F2625-FAA8-4931-B0C2-50889222582C@edlogics.com>

Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.

Everything between the two is working fine until I try to logout under certain conditions.

Logout works fine if I first deep link into a protected page in my app. The Spring Security adapter for client #1 redirects me to Keycloak. Keycloak then logs me in and sends me back to my app, where my token was issued for client #1. If I logout under this scenario via the Spring Security adapter it works fine.

In scenario #2 I first hit an Angular page in my app. Then I log in from the JS adapter in client #2. Then through a REST call to my Spring app (in which a bearer token is passed) a Java session is established on Tomcat. When I put some breakpoints in the Keycloak adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token. I can also see that the token was issued for client #2. When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and Keycloak returns a 400 error, thus nullifying the logout.

I also tried another scenario where I use the JS adapter to get the logout URL and logout directly to Keycloak via window.location = keycloak.createLogoutUrl({ redirectUri: '/site-url' }).
This actually logs out the user from all clients (which is what I want), but the problem here is that on the next request to the Spring app I think there is still an HttpSession alive and I'm running into the check in SpringSecurityTokenStore.saveAccountInfo, where it throws an exception because there is already an (old) token inside the SecurityContextHolder.

Any advice on how to proceed from either of these two scenarios?

--
Christopher Savory
Software Engineer | EdLogics
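For the "Creation UI for new authentication schema configuration" thread above, where Stian notes that the configuration UI is generated from what getConfigProperties() returns: an added example, not code from the Keycloak project or from anyone in the thread, of an AuthenticatorFactory that exposes the TACACS server IP and shared secret as ProviderConfigProperty entries, lists the Required / Optional / Disabled requirement choices, and reads the configured values back inside the authenticator. Everything under example.tacacs, the TacacsClient hook, the config keys, the message key and the login-tacacs.ftl template are assumptions.

```java
package example.tacacs;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.AuthenticatorFactory;
import org.keycloak.models.AuthenticationExecutionModel.Requirement;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/*
 * Added example, not Keycloak project code. The provider jar lists this class in
 * META-INF/services/org.keycloak.authentication.AuthenticatorFactory; the admin console then
 * renders one input per ProviderConfigProperty in the execution's config dialog and offers
 * getRequirementChoices() in the flow editor's Required / Optional / Disabled column.
 */
public class TacacsAuthenticatorFactory implements AuthenticatorFactory {

    public static final String PROVIDER_ID = "tacacs-authenticator"; // assumed id
    public static final String CONFIG_SERVER_IP = "tacacs.serverIp"; // assumed config key
    public static final String CONFIG_SECRET = "tacacs.secret";      // assumed config key

    /** Hypothetical hook for the TACACS exchange itself, which this example does not implement. */
    public interface TacacsClient {
        boolean verify(String serverIp, String sharedSecret, String username, String password);
    }

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES =
            Collections.unmodifiableList(Arrays.asList(
                    new ProviderConfigProperty(CONFIG_SERVER_IP, "TACACS server IP",
                            "Address of the TACACS server that verifies the user's password",
                            ProviderConfigProperty.STRING_TYPE, null),
                    // PASSWORD renders as a masked input, so the secret is not echoed in the console.
                    new ProviderConfigProperty(CONFIG_SECRET, "Shared secret",
                            "Shared secret configured on the TACACS server",
                            ProviderConfigProperty.PASSWORD, null)));

    private static final Requirement[] REQUIREMENT_CHOICES = {
            Requirement.REQUIRED, Requirement.OPTIONAL, Requirement.DISABLED };

    // Fail-closed placeholder; a real client would be wired up in init().
    private TacacsClient client = (ip, secret, user, password) -> false;

    @Override public String getId() { return PROVIDER_ID; }
    @Override public String getDisplayType() { return "TACACS"; }
    @Override public String getReferenceCategory() { return "tacacs"; }
    @Override public boolean isConfigurable() { return true; }
    @Override public Requirement[] getRequirementChoices() { return REQUIREMENT_CHOICES; }
    @Override public boolean isUserSetupAllowed() { return false; }
    @Override public String getHelpText() { return "Verifies the user's password against a TACACS server."; }
    @Override public List<ProviderConfigProperty> getConfigProperties() { return CONFIG_PROPERTIES; }
    @Override public Authenticator create(KeycloakSession session) { return new TacacsAuthenticator(client); }
    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }

    // Runs once the user is identified (requiresUser() is true), e.g. after the username form.
    static class TacacsAuthenticator implements Authenticator {
        private final TacacsClient client;
        TacacsAuthenticator(TacacsClient client) { this.client = client; }

        @Override public void authenticate(AuthenticationFlowContext context) {
            // Assumed FreeMarker template in the theme that posts a "tacacs_password" field back.
            context.challenge(context.form().createForm("login-tacacs.ftl"));
        }

        @Override public void action(AuthenticationFlowContext context) {
            // Values typed into the generated config UI arrive here, keyed by property name.
            AuthenticatorConfigModel model = context.getAuthenticatorConfig();
            Map<String, String> cfg = model == null ? null : model.getConfig();
            String serverIp = cfg == null ? null : cfg.get(CONFIG_SERVER_IP);
            String secret = cfg == null ? null : cfg.get(CONFIG_SECRET);
            if (serverIp == null || serverIp.isEmpty() || secret == null || secret.isEmpty()) {
                // Unconfigured execution: refuse rather than silently let the step pass.
                context.failure(AuthenticationFlowError.INTERNAL_ERROR);
                return;
            }
            String password = context.getHttpRequest().getDecodedFormParameters().getFirst("tacacs_password");
            UserModel user = context.getUser();
            if (password != null && user != null && client.verify(serverIp, secret, user.getUsername(), password)) {
                context.success();
            } else {
                // "invalidTacacsPassword" is an assumed message key from the theme's message bundle.
                context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS,
                        context.form().setError("invalidTacacsPassword").createForm("login-tacacs.ftl"));
            }
        }

        @Override public boolean requiresUser() { return true; }
        @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
        @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
        @Override public void close() { }
    }
}
```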