Error

From marc.tempelmeier at flane.de Sat Jul 1 08:29:09 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Sat, 1 Jul 2017 12:29:09 +0000 Subject: [keycloak-user] Sign out on account page Message-ID: <382856b8a5954c7480a8fa9fcd992491@derzex2013.europe.flane.local> Hi, Just a short question, the Sign out on the account page, should that terminate the client sessions too or just log out from account page? Best regards Marc From thomas at recloux.fr Sat Jul 1 14:03:01 2017 From: thomas at recloux.fr (Thomas Recloux) Date: Sat, 01 Jul 2017 20:03:01 +0200 Subject: [keycloak-user] Sign out on account page In-Reply-To: <382856b8a5954c7480a8fa9fcd992491@derzex2013.europe.flane.local> References: <382856b8a5954c7480a8fa9fcd992491@derzex2013.europe.flane.local> Message-ID: <1498932181.1919657.1027538152.4C08F904@webmail.messagingengine.com> On Sat, Jul 1, 2017, at 14:29, Marc Tempelmeier wrote: > Hi, Hi Marc, > Just a short question, the Sign out on the account page, should that > terminate the client sessions too or just log out from account page? It's a global logout. Thomas From aswin88us at gmail.com Sun Jul 2 12:47:37 2017 From: aswin88us at gmail.com (Karthik Jayaraman) Date: Sun, 2 Jul 2017 09:47:37 -0700 Subject: [keycloak-user] Error when keycloak.js is bundled with application but not otherwise Message-ID: Hi all, I am having the following issue: Scenario 1: In my application index.html (bundled in a JAR file and deployed in Jetty), I have the following code: And I have the following client configuration in Keycloak server Client Protocol - openid-connect Access Type - public Standard Flow Enabled - ON Implicit Flow Enabled - OFF Direct Access Grants Enabled - ON Authorization Enabled - OFF Root URL - Valid Redirect URIs - http:// <>:<>/admin/* Base URL - http://<>:<>/admin Admin URL - Web Origins - With this configuration, the first time when I hit http://<>:<>/admin/ , I am getting redirected to http:// <>:<>/realms/master/protocol/openid-connect /auth?client_id=client1&redirect_uri=http%3A%2F%2F<>%3A<>%2Fadmin%2F&state=c524eb6c-9245-4f82-87e9-e767dd733b0d&nonce=760809b5-b2d5-4c3e-9d76-40cd43bdef0d&response_mode=fragment&response_type=code&scope=openid and I get 404 which is expected since keycloak is trying to redirect to http://<>:<>/realms/... which does not exist in our application. Scenario 2: When I do the same thing as scenario 1 except the way keycloak.js is loaded, everything works as expected. So, what is operationally different between bundling keycloak.js and loading it at run time ? - Karthik From mitya at cargosoft.ru Sun Jul 2 21:44:12 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Mon, 03 Jul 2017 04:44:12 +0300 Subject: [keycloak-user] ProviderFactory::postInit not called with hot deployment In-Reply-To: References: <1498613746.13078.1.camel@cargosoft.ru> Message-ID: <1499046252.11005.1.camel@cargosoft.ru> https://issues.jboss.org/browse/https://issues.jboss.org/browse/KEYCLOA K-5131 https://github.com/keycloak/keycloak/pull/4282 > The PR fixes the bug, however, the ProviderFactory::postInit invoked > this way will have limitations, e.g. won't be able to access > java:comp?JNDI namespace; the other stuff like accessing the data > model works?well nevertheless. This is because the code is executed > in WildFly's?"MSC service thread", unlike application code that uses > "ServerService?Thread Pool". > > If we are to get rid of this limitation, I think there exists an > approach that will by the way fix KEYCLOAK-5132 too. Let me know if > this is topical, so we can discuss it further. Dmitry ? Wed, 28/06/2017 ? 07:15 +0200, Stian Thorgersen ?????: > Yep, seems like a bug > > On 28 June 2017 at 03:35, Dmitry Telegin wrote: > > Hi, > > > > Seems like o.k.provider.ProviderFactory::postInit() is called only > > upon > > server startup, no matter which way the provider has been deployed, > > as > > a module or via the deployments dir. However, if the provider is > > hot > > (re)deployed on the running server, the method is not called. > > (ProviderFactory::init() is called always, but it's insufficient > > for > > most init phase tasks since normally a KeycloakSessionFactory > > instance > > is required.) > > > > Indeed, o.k.services.DefaultKeycloakSessionFactory::deploy() > > doesn't > > contain mentions of postInit, contrary to > > DefaultKeycloakSessionFactory::init(). Seems like a bug to me, OK > > to > > file JIRA issue and PR? > > > > Regards, > > Dmitry > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From mitya at cargosoft.ru Sun Jul 2 21:50:03 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Mon, 03 Jul 2017 04:50:03 +0300 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: <1498673904.3162.1.camel@cargosoft.ru> References: <1498673904.3162.1.camel@cargosoft.ru> Message-ID: <1499046603.11005.3.camel@cargosoft.ru> https://issues.jboss.org/browse/KEYCLOAK-5132 Meanwhile I've found a workaround - just run a transaction in a new thread. However, this should be a "managed thread" - see issue details & comments for more info. ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: > Hi, > > (TL;DR) if a KeycloakTransaction is opened from > ProviderFactory::postInit, sometimes the transaction is already > active > on the underlying > org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads > to errors. > > (full version) I think it's essential for the providers to be able to > access realm data in postInit(). For that, a transaction is required; > using KeycloakModelUtils.runJobInTransaction() is a convenient method > to do that: > > ????@Override > ????public void postInit(KeycloakSessionFactory factory) { > ????????KeycloakModelUtils.runJobInTransaction(factory, > (KeycloakSession session) -> { > ????????????List realms = session.realms().getRealms(); > ????????????// do stuff > ????????}); > ????} > > When such a provider is deployed, in about half of cases Keycloak > fails > to start due to the following exception: > > java.sql.SQLException: IJ031017: You cannot set autocommit during a > managed transaction > > (see full stacktrace here https://pastebin.com/ETtPqXQk) > > I've managed to track it down to something that looks like > transaction > clash over a single instance of > org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What > happens > is that the two treads at the same time begin two > KeycloakTransactions > which end up with the same instance of LocalManagedConnection. The > above exception results from the second begin() call. > > There's a system property called "ironjacamar.jdbc.ignoreautocommit" > that allows to ignore the situation, but I think it's dangerous > because > it doesn't eliminate the transaction clash, just suppresses the > check. > If I'm not mistaken, this began to happen around Keycloak 2.2.x, > which > coincides with the changes to Keycloak transaction management. That > said, do I need now some additional transaction coordination with the > rest of Keycloak, or is it a bug? If former, how do I do that? If > latter, how do we fix it? > > I hope we'll sort it out, since the ability to access the data at > every > phase of provider's lifecycle seems something fundamental to me. > > Regards, > Dmitry > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Sun Jul 2 23:14:05 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 3 Jul 2017 05:14:05 +0200 Subject: [keycloak-user] Error when keycloak.js is bundled with application but not otherwise In-Reply-To: References: Message-ID: On 2 July 2017 at 18:47, Karthik Jayaraman wrote: > Hi all, > > I am having the following issue: > > Scenario 1: > > In my application index.html (bundled in a JAR file and deployed in Jetty), > I have the following code: > > > > > > And I have the following client configuration in Keycloak server > > Client Protocol - openid-connect > Access Type - public > Standard Flow Enabled - ON > Implicit Flow Enabled - OFF > Direct Access Grants Enabled - ON > Authorization Enabled - OFF > Root URL - > Valid Redirect URIs - http:// > <>:<>/admin/* > Base URL - http://<>:<>/admin > Admin URL - > Web Origins - > > With this configuration, the first time when I hit > http://<>:<>/admin/ > , I am getting redirected to http:// > <>:<>/realms/ > master/protocol/openid-connect > /auth?client_id=client1&redirect_uri=http%3A%2F%2F<>%3A<< > myapplicationPort>>%2Fadmin%2F&state=c524eb6c-9245-4f82- > 87e9-e767dd733b0d&nonce=760809b5-b2d5-4c3e-9d76- > 40cd43bdef0d&response_mode=fragment&response_type=code&scope=openid > > and I get 404 which is expected since keycloak is trying to redirect to > http://<>:<>/realms/... which does > not > exist in our application. > > Scenario 2: > > When I do the same thing as scenario 1 except the way keycloak.js is > loaded, everything works as expected. > > > > So, what is operationally different between bundling keycloak.js and > loading it at run time ? > > - Karthik > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Sun Jul 2 23:21:27 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 3 Jul 2017 05:21:27 +0200 Subject: [keycloak-user] Review Chinese translations PR Message-ID: Can someone please review PR for Chinese translations? https://github.com/keycloak/keycloak/pull/4251 From dcorbett at expedia.com Mon Jul 3 00:32:39 2017 From: dcorbett at expedia.com (Dan Corbett) Date: Mon, 3 Jul 2017 04:32:39 +0000 Subject: [keycloak-user] Infinispan JMX Cache Stats return zero? Message-ID: We have a Keycloak 3.1.0 standalone cluster of 3 instances in docker. I?m trying to get Infinispan distributed cache stats out (via JMX) for operational monitoring. We are getting 0?s for all values on the cache metrics when we review. We?ve set Hello, I would like to present a usecase to you where we struggle a bit to see how to implement it properly using keycloak... We are creating a solution where we have some legacy components using X.509 and SAML to identify users in our front-end applications. These applications now need to call some REST services, and pass on the identity. Our front-end system would call the REST service by presenting a token obtained via client credentials grant, based on a signed JWT. This way, we can establish a circle of trust between the front-end applications and the REST service. The REST service is prepared to accept that the user is the one that our front-end applications vow that he is. Question is now : how do we transport this claim from the front-end to the backend REST service? We have found an RFC in internet-draft status that addresses this problem : https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-08. But since this is not yet approved, I assume you do not support this yet. One way of solving this problem is sending the identity of the user out-of-band, in an HTTP header. This is however a bit of a pain, since then we need to make the REST service aware that for certain users (our frontends), the header needs to be interpreted. However, for other callers (both machine and user), this HTTP header must not be interpreted (we do not want a normal user adding this header and impersonating who he wants). So we are moving the configuration of who may impersonate/delegate to the business service... which is not great. Also, when we want to pass on the token, we need to repeat/set the header as well, which means we could potentially change the content... and the idea is that our front-end is stating that this is the user, not that any intermediate service can alter that. So it would be nice to have this in the token, taking over a value set in the initial signed JWT that we present to keycloak. Is this possible (I cannot seem to find if you pass any of the token information on the user session so that we could map this)? Furthermore, we would like to get some control on that value... because we would like to be able to place restrictions on who is impersonated (not every front-end has the same audience, so we should be able to limit for which persons they are making claims). Is this possible with the current extension points? If so, could you give us a hint on which one(s) to use? Thanks in advance. Jef From mposolda at redhat.com Mon Jul 3 06:10:41 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 3 Jul 2017 12:10:41 +0200 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: <1499046603.11005.3.camel@cargosoft.ru> References: <1498673904.3162.1.camel@cargosoft.ru> <1499046603.11005.3.camel@cargosoft.ru> Message-ID: <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> Hi, I think it's not good to directly start transactions from postInit. Among the issues you mentioned, various initial steps (eg. migration from previous version, export/import) may not be yet finished at this stage. Probably you can either: - Register listener for PostMigrationEvent in your postInit. See the testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java for inspiration. - Use the pattern with "lazyInit" like for example here https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/connections/jpa/DefaultJpaConnectionProviderFactory.java#L78 , which is called 1st time before your provider is actually needed. Maybe we can improve by provide more callback methods to ProviderFactory/Provider to avoid the lazyInit pattern directly in providers, but rather integrate it better with the Provider framework. But for now, I think that some of the workaround above should work for you IMO. Marek On 03/07/17 03:50, Dmitry Telegin wrote: > https://issues.jboss.org/browse/KEYCLOAK-5132 > > Meanwhile I've found a workaround - just run a transaction in a new > thread. However, this should be a "managed thread" - see issue details > & comments for more info. > > ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: >> Hi, >> >> (TL;DR) if a KeycloakTransaction is opened from >> ProviderFactory::postInit, sometimes the transaction is already >> active >> on the underlying >> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads >> to errors. >> >> (full version) I think it's essential for the providers to be able to >> access realm data in postInit(). For that, a transaction is required; >> using KeycloakModelUtils.runJobInTransaction() is a convenient method >> to do that: >> >> @Override >> public void postInit(KeycloakSessionFactory factory) { >> KeycloakModelUtils.runJobInTransaction(factory, >> (KeycloakSession session) -> { >> List realms = session.realms().getRealms(); >> // do stuff >> }); >> } >> >> When such a provider is deployed, in about half of cases Keycloak >> fails >> to start due to the following exception: >> >> java.sql.SQLException: IJ031017: You cannot set autocommit during a >> managed transaction >> >> (see full stacktrace here https://pastebin.com/ETtPqXQk) >> >> I've managed to track it down to something that looks like >> transaction >> clash over a single instance of >> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What >> happens >> is that the two treads at the same time begin two >> KeycloakTransactions >> which end up with the same instance of LocalManagedConnection. The >> above exception results from the second begin() call. >> >> There's a system property called "ironjacamar.jdbc.ignoreautocommit" >> that allows to ignore the situation, but I think it's dangerous >> because >> it doesn't eliminate the transaction clash, just suppresses the >> check. >> If I'm not mistaken, this began to happen around Keycloak 2.2.x, >> which >> coincides with the changes to Keycloak transaction management. That >> said, do I need now some additional transaction coordination with the >> rest of Keycloak, or is it a bug? If former, how do I do that? If >> latter, how do we fix it? >> >> I hope we'll sort it out, since the ability to access the data at >> every >> phase of provider's lifecycle seems something fundamental to me. >> >> Regards, >> Dmitry >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mitya at cargosoft.ru Mon Jul 3 07:01:01 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Mon, 03 Jul 2017 14:01:01 +0300 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> References: <1498673904.3162.1.camel@cargosoft.ru> <1499046603.11005.3.camel@cargosoft.ru> <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> Message-ID: <1499079661.2825.2.camel@cargosoft.ru> Hi Marek, Thanks for the hint, looks very reasonable. I think the PostMigrationEvent approach is more suitable for heavyweight stuff like checking and creating database entries etc., while lazyInit is good for more lightweight tasks like opening connections etc. However, there's an interesting case when the postInit method is called on hot (re)deploy (no PostMigrationEvent obviously) *and* some heavyweight stuff needs to be done right away. (ATM postInit is not called on hot deploy, but I hope that will be fixed soon, see KEYCLOAK- 5131 and PR #4282.) Luckily, in this case transactions just work, so everything could be done straightforwardly. The only question is how to distinguish between server startup and hot (re)deploy inside postInit. There are some indirect signs like thread name, presence/absence of specific JNDI entries etc., but this seems hacky. Any suggestions? Cheers, Dmitry > Hi, > > I think it's not good to directly start transactions from postInit.? > Among the issues you mentioned, various initial steps (eg. migration? > from previous version, export/import) may not be yet finished at > this? > stage. Probably you can either: > - Register listener for PostMigrationEvent in your postInit. See the? > testsuite/integration-arquillian/servers/auth- > server/services/testsuite- > providers/src/main/java/org/keycloak/testsuite/authentication/PushBut > tonAuthenticator.java? > for inspiration. > - Use the pattern with "lazyInit" like for example here? > https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/j > ava/org/keycloak/connections/jpa/DefaultJpaConnectionProviderFactory. > java#L78? > , which is called 1st time before your provider is actually needed. > > Maybe we can improve by provide more callback methods to? > ProviderFactory/Provider to avoid the lazyInit pattern directly in? > providers, but rather integrate it better with the Provider > framework.? > But for now, I think that some of the workaround above should work > for? > you IMO. > > Marek > > On 03/07/17 03:50, Dmitry Telegin wrote: > > https://issues.jboss.org/browse/KEYCLOAK-5132 > > > > Meanwhile I've found a workaround - just run a transaction in a new > > thread. However, this should be a "managed thread" - see issue > > details > > & comments for more info. > > > > ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: > > > Hi, > > > > > > (TL;DR) if a KeycloakTransaction is opened from > > > ProviderFactory::postInit, sometimes the transaction is already > > > active > > > on the underlying > > > org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which > > > leads > > > to errors. > > > > > > (full version) I think it's essential for the providers to be > > > able to > > > access realm data in postInit(). For that, a transaction is > > > required; > > > using KeycloakModelUtils.runJobInTransaction() is a convenient > > > method > > > to do that: > > > > > > ?????@Override > > > ?????public void postInit(KeycloakSessionFactory factory) { > > > ?????????KeycloakModelUtils.runJobInTransaction(factory, > > > (KeycloakSession session) -> { > > > ?????????????List realms = > > > session.realms().getRealms(); > > > ?????????????// do stuff > > > ?????????}); > > > ?????} > > > > > > When such a provider is deployed, in about half of cases Keycloak > > > fails > > > to start due to the following exception: > > > > > > java.sql.SQLException: IJ031017: You cannot set autocommit during > > > a > > > managed transaction > > > > > > (see full stacktrace here https://pastebin.com/ETtPqXQk) > > > > > > I've managed to track it down to something that looks like > > > transaction > > > clash over a single instance of > > > org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What > > > happens > > > is that the two treads at the same time begin two > > > KeycloakTransactions > > > which end up with the same instance of LocalManagedConnection. > > > The > > > above exception results from the second begin() call. > > > > > > There's a system property called > > > "ironjacamar.jdbc.ignoreautocommit" > > > that allows to ignore the situation, but I think it's dangerous > > > because > > > it doesn't eliminate the transaction clash, just suppresses the > > > check. > > > If I'm not mistaken, this began to happen around Keycloak 2.2.x, > > > which > > > coincides with the changes to Keycloak transaction management. > > > That > > > said, do I need now some additional transaction coordination with > > > the > > > rest of Keycloak, or is it a bug? If former, how do I do that? If > > > latter, how do we fix it? > > > > > > I hope we'll sort it out, since the ability to access the data at > > > every > > > phase of provider's lifecycle seems something fundamental to me. > > > > > > Regards, > > > Dmitry > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From mposolda at redhat.com Mon Jul 3 07:43:21 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 3 Jul 2017 13:43:21 +0200 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: <1499079661.2825.2.camel@cargosoft.ru> References: <1498673904.3162.1.camel@cargosoft.ru> <1499046603.11005.3.camel@cargosoft.ru> <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> <1499079661.2825.2.camel@cargosoft.ru> Message-ID: On 03/07/17 13:01, Dmitry Telegin wrote: > Hi Marek, > > Thanks for the hint, looks very reasonable. I think the > PostMigrationEvent approach is more suitable for heavyweight stuff > like checking and creating database entries etc., while lazyInit is > good for more lightweight tasks like opening connections etc. > > However, there's an interesting case when the postInit method is > called on hot (re)deploy (no PostMigrationEvent obviously) *and* some > heavyweight stuff needs to be done right away. (ATM postInit is not > called on hot deploy, but I hope that will be fixed soon, see > KEYCLOAK-5131 and PR #4282.) > Luckily, in this case transactions just work, so everything could be > done straightforwardly. The only question is how to distinguish > between server startup and hot (re)deploy inside postInit. There are > some indirect signs like thread name, presence/absence of specific > JNDI entries etc., but this seems hacky. Any suggestions? I don't have any good suggestions besides other workaround. You can create provider, which will be deployed "statically" and will track whether PostMigrationEvent was already sent. Since it is deployed at startup like builtin providers, the event will be always there. The "dynamic" providers will be then able either to ask this provider or listen to the event. Maybe we need to have another lifecycle method on ProviderFactory for this usecase, not sure.. Marek > > Cheers, > Dmitry > >> Hi, >> >> I think it's not good to directly start transactions from postInit. >> Among the issues you mentioned, various initial steps (eg. migration >> from previous version, export/import) may not be yet finished at this >> stage. Probably you can either: >> - Register listener for PostMigrationEvent in your postInit. See the >> testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java >> >> for inspiration. >> - Use the pattern with "lazyInit" like for example here >> https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/connections/jpa/DefaultJpaConnectionProviderFactory.java#L78 >> >> , which is called 1st time before your provider is actually needed. >> >> Maybe we can improve by provide more callback methods to >> ProviderFactory/Provider to avoid the lazyInit pattern directly in >> providers, but rather integrate it better with the Provider framework. >> But for now, I think that some of the workaround above should work for >> you IMO. >> >> Marek >> >> On 03/07/17 03:50, Dmitry Telegin wrote: >>> https://issues.jboss.org/browse/KEYCLOAK-5132 >>> >>> Meanwhile I've found a workaround - just run a transaction in a new >>> thread. However, this should be a "managed thread" - see issue details >>> & comments for more info. >>> >>> ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: >>>> Hi, >>>> >>>> (TL;DR) if a KeycloakTransaction is opened from >>>> ProviderFactory::postInit, sometimes the transaction is already >>>> active >>>> on the underlying >>>> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads >>>> to errors. >>>> >>>> (full version) I think it's essential for the providers to be able to >>>> access realm data in postInit(). For that, a transaction is required; >>>> using KeycloakModelUtils.runJobInTransaction() is a convenient method >>>> to do that: >>>> >>>> @Override >>>> public void postInit(KeycloakSessionFactory factory) { >>>> KeycloakModelUtils.runJobInTransaction(factory, >>>> (KeycloakSession session) -> { >>>> List realms = session.realms().getRealms(); >>>> // do stuff >>>> }); >>>> } >>>> >>>> When such a provider is deployed, in about half of cases Keycloak >>>> fails >>>> to start due to the following exception: >>>> >>>> java.sql.SQLException: IJ031017: You cannot set autocommit during a >>>> managed transaction >>>> >>>> (see full stacktrace here https://pastebin.com/ETtPqXQk) >>>> >>>> I've managed to track it down to something that looks like >>>> transaction >>>> clash over a single instance of >>>> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What >>>> happens >>>> is that the two treads at the same time begin two >>>> KeycloakTransactions >>>> which end up with the same instance of LocalManagedConnection. The >>>> above exception results from the second begin() call. >>>> >>>> There's a system property called "ironjacamar.jdbc.ignoreautocommit" >>>> that allows to ignore the situation, but I think it's dangerous >>>> because >>>> it doesn't eliminate the transaction clash, just suppresses the >>>> check. >>>> If I'm not mistaken, this began to happen around Keycloak 2.2.x, >>>> which >>>> coincides with the changes to Keycloak transaction management. That >>>> said, do I need now some additional transaction coordination with the >>>> rest of Keycloak, or is it a bug? If former, how do I do that? If >>>> latter, how do we fix it? >>>> >>>> I hope we'll sort it out, since the ability to access the data at >>>> every >>>> phase of provider's lifecycle seems something fundamental to me. >>>> >>>> Regards, >>>> Dmitry >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> From mitya at cargosoft.ru Mon Jul 3 09:05:41 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Mon, 03 Jul 2017 16:05:41 +0300 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: References: <1498673904.3162.1.camel@cargosoft.ru> <1499046603.11005.3.camel@cargosoft.ru> <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> <1499079661.2825.2.camel@cargosoft.ru> Message-ID: <1499087141.2825.5.camel@cargosoft.ru> On Mon, 03/07/2017 13:43 +0200, Marek Posolda wrote: > On 03/07/17 13:01, Dmitry Telegin wrote: > > Hi Marek, > > > > Thanks for the hint, looks very reasonable. I think the > > PostMigrationEvent approach is more suitable for heavyweight stuff > > like checking and creating database entries etc., while lazyInit is > > good for more lightweight tasks like opening connections etc. > > > > However, there's an interesting case when the postInit method is > > called on hot (re)deploy (no PostMigrationEvent obviously) *and* > > some heavyweight stuff needs to be done right away. (ATM postInit > > is not called on hot deploy, but I hope that will be fixed soon, > > see KEYCLOAK-5131 and PR #4282.) > > Luckily, in this case transactions just work, so everything could > > be done straightforwardly. The only question is how to distinguish > > between server startup and hot (re)deploy inside postInit. There > > are some indirect signs like thread name, presence/absence of > > specific JNDI entries etc., but this seems hacky. Any suggestions? > ?I don't have any good suggestions besides other workaround. You can > create provider, which will be deployed "statically" and will track > whether PostMigrationEvent was already sent. Since it is deployed at > startup like builtin providers, the event will be always there. The > "dynamic" providers will be then able either to ask this provider or > listen to the event. Another (simpler) approach is to query Resteasy for the presence/absence of Keycloak-specific classes, because Resteasy deployment happens right after PostMigrateEvent, but this seems very hacky too :-\ > > Maybe we need to have another lifecycle method on ProviderFactory for > this usecase, not sure.. How about ProviderFactory::postInit(KeycloakSessionFactory factory, boolean hot) with default implementation delegating to postInit(KeycloakSessionFactory factory)? Dmitry > > Marek > > Cheers, > > Dmitry > > > > > Hi, > > > > > > I think it's not good to directly start transactions from > > > postInit.? > > > Among the issues you mentioned, various initial steps (eg. > > > migration? > > > from previous version, export/import) may not be yet finished at > > > this? > > > stage. Probably you can either: > > > - Register listener for PostMigrationEvent in your postInit. See > > > the? > > > testsuite/integration-arquillian/servers/auth- > > > server/services/testsuite- > > > providers/src/main/java/org/keycloak/testsuite/authentication/Pus > > > hButtonAuthenticator.java? > > > for inspiration. > > > - Use the pattern with "lazyInit" like for example here? > > > https://github.com/keycloak/keycloak/blob/master/model/jpa/src/ma > > > in/java/org/keycloak/connections/jpa/DefaultJpaConnectionProvider > > > Factory.java#L78? > > > , which is called 1st time before your provider is actually > > > needed. > > > > > > Maybe we can improve by provide more callback methods to? > > > ProviderFactory/Provider to avoid the lazyInit pattern directly > > > in? > > > providers, but rather integrate it better with the Provider > > > framework.? > > > But for now, I think that some of the workaround above should > > > work for? > > > you IMO. > > > > > > Marek > > > > > > On 03/07/17 03:50, Dmitry Telegin wrote: > > > > https://issues.jboss.org/browse/KEYCLOAK-5132 > > > > > > > > Meanwhile I've found a workaround - just run a transaction in a > > > > new > > > > thread. However, this should be a "managed thread" - see issue > > > > details > > > > & comments for more info. > > > > > > > > ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: > > > > > Hi, > > > > > > > > > > (TL;DR) if a KeycloakTransaction is opened from > > > > > ProviderFactory::postInit, sometimes the transaction is > > > > > already > > > > > active > > > > > on the underlying > > > > > org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, > > > > > which leads > > > > > to errors. > > > > > > > > > > (full version) I think it's essential for the providers to be > > > > > able to > > > > > access realm data in postInit(). For that, a transaction is > > > > > required; > > > > > using KeycloakModelUtils.runJobInTransaction() is a > > > > > convenient method > > > > > to do that: > > > > > > > > > > ?????@Override > > > > > ?????public void postInit(KeycloakSessionFactory factory) { > > > > > ?????????KeycloakModelUtils.runJobInTransaction(factory, > > > > > (KeycloakSession session) -> { > > > > > ?????????????List realms = > > > > > session.realms().getRealms(); > > > > > ?????????????// do stuff > > > > > ?????????}); > > > > > ?????} > > > > > > > > > > When such a provider is deployed, in about half of cases > > > > > Keycloak > > > > > fails > > > > > to start due to the following exception: > > > > > > > > > > java.sql.SQLException: IJ031017: You cannot set autocommit > > > > > during a > > > > > managed transaction > > > > > > > > > > (see full stacktrace here https://pastebin.com/ETtPqXQk) > > > > > > > > > > I've managed to track it down to something that looks like > > > > > transaction > > > > > clash over a single instance of > > > > > org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. > > > > > What > > > > > happens > > > > > is that the two treads at the same time begin two > > > > > KeycloakTransactions > > > > > which end up with the same instance of > > > > > LocalManagedConnection. The > > > > > above exception results from the second begin() call. > > > > > > > > > > There's a system property called > > > > > "ironjacamar.jdbc.ignoreautocommit" > > > > > that allows to ignore the situation, but I think it's > > > > > dangerous > > > > > because > > > > > it doesn't eliminate the transaction clash, just suppresses > > > > > the > > > > > check. > > > > > If I'm not mistaken, this began to happen around Keycloak > > > > > 2.2.x, > > > > > which > > > > > coincides with the changes to Keycloak transaction > > > > > management. That > > > > > said, do I need now some additional transaction coordination > > > > > with the > > > > > rest of Keycloak, or is it a bug? If former, how do I do > > > > > that? If > > > > > latter, how do we fix it? > > > > > > > > > > I hope we'll sort it out, since the ability to access the > > > > > data at > > > > > every > > > > > phase of provider's lifecycle seems something fundamental to > > > > > me. > > > > > > > > > > Regards, > > > > > Dmitry > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > From antoine at saagie.com Mon Jul 3 09:29:28 2017 From: antoine at saagie.com (Antoine Carton) Date: Mon, 3 Jul 2017 15:29:28 +0200 Subject: [keycloak-user] Workflow Refresh token Message-ID: Hello, Suppose a client "C" sends a request with an expired access token, to an application "A". Suppose that application "A" has the refresh token of client "C" and that "A" automatically uses this refresh token so that everything is transparent for client "C" until the refresh token expires as well. The trouble is that a leak of the access token (yes, access token) of client "C" will have the same result as a leak of the refresh token. Is it a good practice to implement automatic refresh of the token? If it's not, how should we use the refresh token? The Oauth 2.0 RFC (https://tools.ietf.org/html/rfc6819#section-5.2.2.2) explains that we have to bind the refresh token to the client_id to avoid this situation. However, I am not able to understand what it means for application "A"? Thanks! From mposolda at redhat.com Mon Jul 3 10:43:59 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 3 Jul 2017 16:43:59 +0200 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: <1499087141.2825.5.camel@cargosoft.ru> References: <1498673904.3162.1.camel@cargosoft.ru> <1499046603.11005.3.camel@cargosoft.ru> <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> <1499079661.2825.2.camel@cargosoft.ru> <1499087141.2825.5.camel@cargosoft.ru> Message-ID: On 03/07/17 15:05, Dmitry Telegin wrote: > On Mon, 03/07/2017 13:43 +0200, Marek Posolda wrote: >> On 03/07/17 13:01, Dmitry Telegin wrote: >>> Hi Marek, >>> >>> Thanks for the hint, looks very reasonable. I think the >>> PostMigrationEvent approach is more suitable for heavyweight stuff >>> like checking and creating database entries etc., while lazyInit is >>> good for more lightweight tasks like opening connections etc. >>> >>> However, there's an interesting case when the postInit method is >>> called on hot (re)deploy (no PostMigrationEvent obviously) *and* >>> some heavyweight stuff needs to be done right away. (ATM postInit is >>> not called on hot deploy, but I hope that will be fixed soon, see >>> KEYCLOAK-5131 and PR #4282.) >>> Luckily, in this case transactions just work, so everything could be >>> done straightforwardly. The only question is how to distinguish >>> between server startup and hot (re)deploy inside postInit. There are >>> some indirect signs like thread name, presence/absence of specific >>> JNDI entries etc., but this seems hacky. Any suggestions? >> I don't have any good suggestions besides other workaround. You can >> create provider, which will be deployed "statically" and will track >> whether PostMigrationEvent was already sent. Since it is deployed at >> startup like builtin providers, the event will be always there. The >> "dynamic" providers will be then able either to ask this provider or >> listen to the event. > > Another (simpler) approach is to query Resteasy for the > presence/absence of Keycloak-specific classes, because Resteasy > deployment happens right after PostMigrateEvent, but this seems very > hacky too :-\ > >> >> Maybe we need to have another lifecycle method on ProviderFactory for >> this usecase, not sure.. > > How about ProviderFactory::postInit(KeycloakSessionFactory factory, > boolean hot) with default implementation delegating to > postInit(KeycloakSessionFactory factory)? Not sure TBH. I personally don't know how the deployer lifecycle works and if ProviderFactory.postInit for the "deployer" providers still can't be called earlier than auth-server is fully bootstrapped. Also you would need some "if" checks in the postInit method to differentiate between both cases, which doesn't look so great to me personally. Having new method should be good from backwards compatibility perspective, as we have JDK8 and you can easily add new empty "default" method to the ProviderFactory interface without affect existing providers, which already use current "postInit" method with current signature. Maybe will be good to move the discussion to keycloak-dev though. Perhaps you can start the thread here? Thanks, Marek > > Dmitry > >> >> Marek >>> Cheers, >>> Dmitry >>> >>>> Hi, >>>> >>>> I think it's not good to directly start transactions from postInit. >>>> Among the issues you mentioned, various initial steps (eg. migration >>>> from previous version, export/import) may not be yet finished at this >>>> stage. Probably you can either: >>>> - Register listener for PostMigrationEvent in your postInit. See the >>>> testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java >>>> >>>> for inspiration. >>>> - Use the pattern with "lazyInit" like for example here >>>> https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/connections/jpa/DefaultJpaConnectionProviderFactory.java#L78 >>>> >>>> , which is called 1st time before your provider is actually needed. >>>> >>>> Maybe we can improve by provide more callback methods to >>>> ProviderFactory/Provider to avoid the lazyInit pattern directly in >>>> providers, but rather integrate it better with the Provider framework. >>>> But for now, I think that some of the workaround above should work for >>>> you IMO. >>>> >>>> Marek >>>> >>>> On 03/07/17 03:50, Dmitry Telegin wrote: >>>>> https://issues.jboss.org/browse/KEYCLOAK-5132 >>>>> >>>>> Meanwhile I've found a workaround - just run a transaction in a new >>>>> thread. However, this should be a "managed thread" - see issue details >>>>> & comments for more info. >>>>> >>>>> ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: >>>>>> Hi, >>>>>> >>>>>> (TL;DR) if a KeycloakTransaction is opened from >>>>>> ProviderFactory::postInit, sometimes the transaction is already >>>>>> active >>>>>> on the underlying >>>>>> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads >>>>>> to errors. >>>>>> >>>>>> (full version) I think it's essential for the providers to be able to >>>>>> access realm data in postInit(). For that, a transaction is required; >>>>>> using KeycloakModelUtils.runJobInTransaction() is a convenient method >>>>>> to do that: >>>>>> >>>>>> @Override >>>>>> public void postInit(KeycloakSessionFactory factory) { >>>>>> KeycloakModelUtils.runJobInTransaction(factory, >>>>>> (KeycloakSession session) -> { >>>>>> List realms = session.realms().getRealms(); >>>>>> // do stuff >>>>>> }); >>>>>> } >>>>>> >>>>>> When such a provider is deployed, in about half of cases Keycloak >>>>>> fails >>>>>> to start due to the following exception: >>>>>> >>>>>> java.sql.SQLException: IJ031017: You cannot set autocommit during a >>>>>> managed transaction >>>>>> >>>>>> (see full stacktrace here https://pastebin.com/ETtPqXQk) >>>>>> >>>>>> I've managed to track it down to something that looks like >>>>>> transaction >>>>>> clash over a single instance of >>>>>> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What >>>>>> happens >>>>>> is that the two treads at the same time begin two >>>>>> KeycloakTransactions >>>>>> which end up with the same instance of LocalManagedConnection. The >>>>>> above exception results from the second begin() call. >>>>>> >>>>>> There's a system property called "ironjacamar.jdbc.ignoreautocommit" >>>>>> that allows to ignore the situation, but I think it's dangerous >>>>>> because >>>>>> it doesn't eliminate the transaction clash, just suppresses the >>>>>> check. >>>>>> If I'm not mistaken, this began to happen around Keycloak 2.2.x, >>>>>> which >>>>>> coincides with the changes to Keycloak transaction management. That >>>>>> said, do I need now some additional transaction coordination with the >>>>>> rest of Keycloak, or is it a bug? If former, how do I do that? If >>>>>> latter, how do we fix it? >>>>>> >>>>>> I hope we'll sort it out, since the ability to access the data at >>>>>> every >>>>>> phase of provider's lifecycle seems something fundamental to me. >>>>>> >>>>>> Regards, >>>>>> Dmitry >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >> >> From jeremy.safont at insidegroup.fr Mon Jul 3 10:56:27 2017 From: jeremy.safont at insidegroup.fr (Jeremy SAFONT) Date: Mon, 3 Jul 2017 16:56:27 +0200 Subject: [keycloak-user] Get "username" field in credential model for hashing password Message-ID: Hi everybody, I have to modify the behavior of the hash process in order to use username + password in order to match encryption of legacy passwords from imported users. I understood I have to implement PasswordHashProvider. The blocking point is that the credentialModel object does not allow me to get the login information. I debugged keycloak to find where the model is filled and I find the "toModel" method into "JpaUserProvider" class. I would like to add "username" field into this function and this model but I don't know how to proceed in order to get it in the PasswordHashProvider. Someone have a detailed process to achieve this please ? Thank you a lot ! -- *J?r?my S.* *D?veloppeur applications web* From chexxor at gmail.com Mon Jul 3 12:16:39 2017 From: chexxor at gmail.com (Alex Berg) Date: Mon, 3 Jul 2017 11:16:39 -0500 Subject: [keycloak-user] Workflow Refresh token In-Reply-To: References: Message-ID: Here's my view, FWIW. If the client C is a full OIC client, it should be responsible for refreshing. It sounds like you're serving the client, which is a web app. If it's a web app you're serving, and you are giving the user's browser a session, then your app server is responsible for refreshing. I put the access token in an HTTP-only cookie, so I would need to apply same rules for securing a session token as securing the access token. On Jul 3, 2017 9:38 AM, "Antoine Carton" wrote: > Hello, > > Suppose a client "C" sends a request with an expired access token, to an > application "A". > Suppose that application "A" has the refresh token of client "C" and that > "A" automatically uses this refresh token so that everything is transparent > for client "C" until the refresh token expires as well. > > The trouble is that a leak of the access token (yes, access token) of > client "C" will have the same result as a leak of the refresh token. > > Is it a good practice to implement automatic refresh of the token? If it's > not, how should we use the refresh token? > > The Oauth 2.0 RFC (https://tools.ietf.org/html/rfc6819#section-5.2.2.2) > explains that we have to bind the refresh token to the client_id to avoid > this situation. However, I am not able to understand what it means for > application "A"? > > Thanks! > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bburke at redhat.com Mon Jul 3 12:48:25 2017 From: bburke at redhat.com (Bill Burke) Date: Mon, 3 Jul 2017 12:48:25 -0400 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: References: <1498673904.3162.1.camel@cargosoft.ru> <1499046603.11005.3.camel@cargosoft.ru> <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> <1499079661.2825.2.camel@cargosoft.ru> <1499087141.2825.5.camel@cargosoft.ru> Message-ID: <246d17c2-e534-8de2-2ca7-9102096a357d@redhat.com> I think the problem is that DefaultJpaConnectionProviderFactory.checkJtaEnabled() is called after your provider's postInit method. The error you are seeing is that JPA is trying to use a JDBC connection features within a JTA transaction that it is not supposed to. I think you might be able to call checkJtaEnabled within DefaultJpaConnectionProviderFactory.lazyInit and that will solve the problem. On 7/3/17 10:43 AM, Marek Posolda wrote: > On 03/07/17 15:05, Dmitry Telegin wrote: >> On Mon, 03/07/2017 13:43 +0200, Marek Posolda wrote: >>> On 03/07/17 13:01, Dmitry Telegin wrote: >>>> Hi Marek, >>>> >>>> Thanks for the hint, looks very reasonable. I think the >>>> PostMigrationEvent approach is more suitable for heavyweight stuff >>>> like checking and creating database entries etc., while lazyInit is >>>> good for more lightweight tasks like opening connections etc. >>>> >>>> However, there's an interesting case when the postInit method is >>>> called on hot (re)deploy (no PostMigrationEvent obviously) *and* >>>> some heavyweight stuff needs to be done right away. (ATM postInit is >>>> not called on hot deploy, but I hope that will be fixed soon, see >>>> KEYCLOAK-5131 and PR #4282.) >>>> Luckily, in this case transactions just work, so everything could be >>>> done straightforwardly. The only question is how to distinguish >>>> between server startup and hot (re)deploy inside postInit. There are >>>> some indirect signs like thread name, presence/absence of specific >>>> JNDI entries etc., but this seems hacky. Any suggestions? >>> I don't have any good suggestions besides other workaround. You can >>> create provider, which will be deployed "statically" and will track >>> whether PostMigrationEvent was already sent. Since it is deployed at >>> startup like builtin providers, the event will be always there. The >>> "dynamic" providers will be then able either to ask this provider or >>> listen to the event. >> Another (simpler) approach is to query Resteasy for the >> presence/absence of Keycloak-specific classes, because Resteasy >> deployment happens right after PostMigrateEvent, but this seems very >> hacky too :-\ >> >>> Maybe we need to have another lifecycle method on ProviderFactory for >>> this usecase, not sure.. >> How about ProviderFactory::postInit(KeycloakSessionFactory factory, >> boolean hot) with default implementation delegating to >> postInit(KeycloakSessionFactory factory)? > Not sure TBH. > > I personally don't know how the deployer lifecycle works and if > ProviderFactory.postInit for the "deployer" providers still can't be > called earlier than auth-server is fully bootstrapped. Also you would > need some "if" checks in the postInit method to differentiate between > both cases, which doesn't look so great to me personally. > > Having new method should be good from backwards compatibility > perspective, as we have JDK8 and you can easily add new empty "default" > method to the ProviderFactory interface without affect existing > providers, which already use current "postInit" method with current > signature. > > Maybe will be good to move the discussion to keycloak-dev though. > Perhaps you can start the thread here? > > Thanks, > Marek >> Dmitry >> >>> Marek >>>> Cheers, >>>> Dmitry >>>> >>>>> Hi, >>>>> >>>>> I think it's not good to directly start transactions from postInit. >>>>> Among the issues you mentioned, various initial steps (eg. migration >>>>> from previous version, export/import) may not be yet finished at this >>>>> stage. Probably you can either: >>>>> - Register listener for PostMigrationEvent in your postInit. See the >>>>> testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/PushButtonAuthenticator.java >>>>> >>>>> for inspiration. >>>>> - Use the pattern with "lazyInit" like for example here >>>>> https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/connections/jpa/DefaultJpaConnectionProviderFactory.java#L78 >>>>> >>>>> , which is called 1st time before your provider is actually needed. >>>>> >>>>> Maybe we can improve by provide more callback methods to >>>>> ProviderFactory/Provider to avoid the lazyInit pattern directly in >>>>> providers, but rather integrate it better with the Provider framework. >>>>> But for now, I think that some of the workaround above should work for >>>>> you IMO. >>>>> >>>>> Marek >>>>> >>>>> On 03/07/17 03:50, Dmitry Telegin wrote: >>>>>> https://issues.jboss.org/browse/KEYCLOAK-5132 >>>>>> >>>>>> Meanwhile I've found a workaround - just run a transaction in a new >>>>>> thread. However, this should be a "managed thread" - see issue details >>>>>> & comments for more info. >>>>>> >>>>>> ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: >>>>>>> Hi, >>>>>>> >>>>>>> (TL;DR) if a KeycloakTransaction is opened from >>>>>>> ProviderFactory::postInit, sometimes the transaction is already >>>>>>> active >>>>>>> on the underlying >>>>>>> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads >>>>>>> to errors. >>>>>>> >>>>>>> (full version) I think it's essential for the providers to be able to >>>>>>> access realm data in postInit(). For that, a transaction is required; >>>>>>> using KeycloakModelUtils.runJobInTransaction() is a convenient method >>>>>>> to do that: >>>>>>> >>>>>>> @Override >>>>>>> public void postInit(KeycloakSessionFactory factory) { >>>>>>> KeycloakModelUtils.runJobInTransaction(factory, >>>>>>> (KeycloakSession session) -> { >>>>>>> List realms = session.realms().getRealms(); >>>>>>> // do stuff >>>>>>> }); >>>>>>> } >>>>>>> >>>>>>> When such a provider is deployed, in about half of cases Keycloak >>>>>>> fails >>>>>>> to start due to the following exception: >>>>>>> >>>>>>> java.sql.SQLException: IJ031017: You cannot set autocommit during a >>>>>>> managed transaction >>>>>>> >>>>>>> (see full stacktrace here https://pastebin.com/ETtPqXQk) >>>>>>> >>>>>>> I've managed to track it down to something that looks like >>>>>>> transaction >>>>>>> clash over a single instance of >>>>>>> org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What >>>>>>> happens >>>>>>> is that the two treads at the same time begin two >>>>>>> KeycloakTransactions >>>>>>> which end up with the same instance of LocalManagedConnection. The >>>>>>> above exception results from the second begin() call. >>>>>>> >>>>>>> There's a system property called "ironjacamar.jdbc.ignoreautocommit" >>>>>>> that allows to ignore the situation, but I think it's dangerous >>>>>>> because >>>>>>> it doesn't eliminate the transaction clash, just suppresses the >>>>>>> check. >>>>>>> If I'm not mistaken, this began to happen around Keycloak 2.2.x, >>>>>>> which >>>>>>> coincides with the changes to Keycloak transaction management. That >>>>>>> said, do I need now some additional transaction coordination with the >>>>>>> rest of Keycloak, or is it a bug? If former, how do I do that? If >>>>>>> latter, how do we fix it? >>>>>>> >>>>>>> I hope we'll sort it out, since the ability to access the data at >>>>>>> every >>>>>>> phase of provider's lifecycle seems something fundamental to me. >>>>>>> >>>>>>> Regards, >>>>>>> Dmitry >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Jul 3 15:18:54 2017 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 3 Jul 2017 21:18:54 +0200 Subject: [keycloak-user] Keycloak offline token In-Reply-To: References: Message-ID: Not sure you need offline token. Offline token is useful if you need to do something on behalf of user when this user is not online (eg. some background task). Here the user will be always online AFAIK? Also the offline token is kind of refresh token, which is useful just for refreshing the access token. But offline token (or refresh token) itself is not intended to be used as bearer token from the authentication of one application to other. I am not sure I understand your usecase, but maybe you can: - Login into app A and then invoke the REST endpoint on app B with the access token used as bearer token - Or secure app B with Keycloak too and authenticate with "prompt=none" parameter, which will mean that app B will be authenticated just if user is already authenticated in SSO session. Otherwise Keycloak login form won't be shown and app B will need to be authenticated some other way. Marek On 23/06/17 19:05, Sherminator Kasuga wrote: > I have a web app (called A) that is using Keycloak to login in. > There is another external web app (called B) that uses an own system as > login. > > Now I need to create a link between A to B that automatic logins into web > app B without keycloak login form (auto-login). > > How can i reproduce this behavior? > I have user and a password for B , and i am thinking to use an offline > token could help me with this objective. > > username=bburke&password=geheim&grant_type=password&scope=offline_access > > Saving into the database of A the offline token at the first time that > i use the link and then using this offline token for the next. > > could it be possible? > > > my idea is something like: > > If database.offlinetoken = empty > LINK_TO_GENERATE_OFFLINE_TOKEN --- save this token into db after login in B > > else > > LINK_USING_OFFLINETOKEN > endif > > > Do you have any example about how to build above links? Thanks in advance :) > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mitya at cargosoft.ru Mon Jul 3 18:34:16 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Tue, 04 Jul 2017 01:34:16 +0300 Subject: [keycloak-user] ProviderFactory::postInit + transactions = startup failure In-Reply-To: <246d17c2-e534-8de2-2ca7-9102096a357d@redhat.com> References: <1498673904.3162.1.camel@cargosoft.ru> <1499046603.11005.3.camel@cargosoft.ru> <1c5c3041-754f-9767-98f1-8da4aa91b839@redhat.com> <1499079661.2825.2.camel@cargosoft.ru> <1499087141.2825.5.camel@cargosoft.ru> <246d17c2-e534-8de2-2ca7-9102096a357d@redhat.com> Message-ID: <1499121256.4095.2.camel@cargosoft.ru> Hi Bill, thanks for the suggestion, > I think the problem is that? > DefaultJpaConnectionProviderFactory.checkJtaEnabled() is called > after? > your provider's postInit method.??The error you are seeing is that > JPA? > is trying to use a JDBC connection features within a JTA transaction? > that it is not supposed to. > > I think you might be able to call checkJtaEnabled within? > DefaultJpaConnectionProviderFactory.lazyInit and that will solve the? > problem. I?think you meant DefaultJpaConnectionProviderFactory.postInit? (since lazyInit is private and doesn't call checkJtaEnabled) Indeed, I've added the following lines to my postInit: ????????ProviderFactory jpa = factory.getProviderFactory(JpaConnectionProvider.class); ????????jpa.postInit(factory); // now do the real stuff KeycloakModelUtils.runJobInTransaction(factory, (KeycloakSession session) -> { ... } ...and this worked, the result is very stable, no exceptions are thrown. However, as Marek has noted, postInit is called really very early. For example, on the very first run it is invoked even before database schema is created and master realm is initialized, so it ends up with an empty list of realms. To sum up, we have the following three approaches: 1. if absolutely needed, transactions can be used in postInit right away after the explicit call to DefaultJpaConnectionProviderFactory.postInit(). Should be used at one's risk since it is called early; 2. listen for PostMigrationEvent; 3. implement lazyInit pattern. If this situation with checkJtaEnabled() is kind of by design, I think KEYCLOAK-5132 can be closed w/o resolution, provided that we document the above approaches somewhere. Thanks again for your help! Dmitry > > > On 7/3/17 10:43 AM, Marek Posolda wrote: > > On 03/07/17 15:05, Dmitry Telegin wrote: > > > On Mon, 03/07/2017 13:43 +0200, Marek Posolda wrote: > > > > On 03/07/17 13:01, Dmitry Telegin wrote: > > > > > Hi Marek, > > > > > > > > > > Thanks for the hint, looks very reasonable. I think the > > > > > PostMigrationEvent approach is more suitable for heavyweight > > > > > stuff > > > > > like checking and creating database entries etc., while > > > > > lazyInit is > > > > > good for more lightweight tasks like opening connections etc. > > > > > > > > > > However, there's an interesting case when the postInit method > > > > > is > > > > > called on hot (re)deploy (no PostMigrationEvent obviously) > > > > > *and* > > > > > some heavyweight stuff needs to be done right away. (ATM > > > > > postInit is > > > > > not called on hot deploy, but I hope that will be fixed soon, > > > > > see > > > > > KEYCLOAK-5131 and PR #4282.) > > > > > Luckily, in this case transactions just work, so everything > > > > > could be > > > > > done straightforwardly. The only question is how to > > > > > distinguish > > > > > between server startup and hot (re)deploy inside postInit. > > > > > There are > > > > > some indirect signs like thread name, presence/absence of > > > > > specific > > > > > JNDI entries etc., but this seems hacky. Any suggestions? > > > > > > > > ? I don't have any good suggestions besides other workaround. > > > > You can > > > > create provider, which will be deployed "statically" and will > > > > track > > > > whether PostMigrationEvent was already sent. Since it is > > > > deployed at > > > > startup like builtin providers, the event will be always there. > > > > The > > > > "dynamic" providers will be then able either to ask this > > > > provider or > > > > listen to the event. > > > > > > Another (simpler) approach is to query Resteasy for the > > > presence/absence of Keycloak-specific classes, because Resteasy > > > deployment happens right after PostMigrateEvent, but this seems > > > very > > > hacky too :-\ > > > > > > > Maybe we need to have another lifecycle method on > > > > ProviderFactory for > > > > this usecase, not sure.. > > > > > > How about ProviderFactory::postInit(KeycloakSessionFactory > > > factory, > > > boolean hot) with default implementation delegating to > > > postInit(KeycloakSessionFactory factory)? > > > > Not sure TBH. > > > > I personally don't know how the deployer lifecycle works and if > > ProviderFactory.postInit for the "deployer" providers still can't > > be > > called earlier than auth-server is fully bootstrapped. Also you > > would > > need some "if" checks in the postInit method to differentiate > > between > > both cases, which doesn't look so great to me personally. > > > > Having new method should be good from backwards compatibility > > perspective, as we have JDK8 and you can easily add new empty > > "default" > > method to the ProviderFactory interface without affect existing > > providers, which already use current "postInit" method with current > > signature. > > > > Maybe will be good to move the discussion to keycloak-dev though. > > Perhaps you can start the thread here? > > > > Thanks, > > Marek > > > Dmitry > > > > > > > Marek > > > > > Cheers, > > > > > Dmitry > > > > > > > > > > > Hi, > > > > > > > > > > > > I think it's not good to directly start transactions from > > > > > > postInit. > > > > > > Among the issues you mentioned, various initial steps (eg. > > > > > > migration > > > > > > from previous version, export/import) may not be yet > > > > > > finished at this > > > > > > stage. Probably you can either: > > > > > > - Register listener for PostMigrationEvent in your > > > > > > postInit. See the > > > > > > testsuite/integration-arquillian/servers/auth- > > > > > > server/services/testsuite- > > > > > > providers/src/main/java/org/keycloak/testsuite/authenticati > > > > > > on/PushButtonAuthenticator.java > > > > > > > > > > > > for inspiration. > > > > > > - Use the pattern with "lazyInit" like for example here > > > > > > https://github.com/keycloak/keycloak/blob/master/model/jpa/ > > > > > > src/main/java/org/keycloak/connections/jpa/DefaultJpaConnec > > > > > > tionProviderFactory.java#L78 > > > > > > > > > > > > , which is called 1st time before your provider is actually > > > > > > needed. > > > > > > > > > > > > Maybe we can improve by provide more callback methods to > > > > > > ProviderFactory/Provider to avoid the lazyInit pattern > > > > > > directly in > > > > > > providers, but rather integrate it better with the Provider > > > > > > framework. > > > > > > But for now, I think that some of the workaround above > > > > > > should work for > > > > > > you IMO. > > > > > > > > > > > > Marek > > > > > > > > > > > > On 03/07/17 03:50, Dmitry Telegin wrote: > > > > > > > https://issues.jboss.org/browse/KEYCLOAK-5132 > > > > > > > > > > > > > > Meanwhile I've found a workaround - just run a > > > > > > > transaction in a new > > > > > > > thread. However, this should be a "managed thread" - see > > > > > > > issue details > > > > > > > & comments for more info. > > > > > > > > > > > > > > ? Wed, 28/06/2017 ? 21:18 +0300, Dmitry Telegin ?????: > > > > > > > > Hi, > > > > > > > > > > > > > > > > (TL;DR) if a KeycloakTransaction is opened from > > > > > > > > ProviderFactory::postInit, sometimes the transaction is > > > > > > > > already > > > > > > > > active > > > > > > > > on the underlying > > > > > > > > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectio > > > > > > > > n, which leads > > > > > > > > to errors. > > > > > > > > > > > > > > > > (full version) I think it's essential for the providers > > > > > > > > to be able to > > > > > > > > access realm data in postInit(). For that, a > > > > > > > > transaction is required; > > > > > > > > using KeycloakModelUtils.runJobInTransaction() is a > > > > > > > > convenient method > > > > > > > > to do that: > > > > > > > > > > > > > > > > ??????@Override > > > > > > > > ??????public void postInit(KeycloakSessionFactory > > > > > > > > factory) { > > > > > > > > ??????????KeycloakModelUtils.runJobInTransaction(factor > > > > > > > > y, > > > > > > > > (KeycloakSession session) -> { > > > > > > > > ??????????????List realms = > > > > > > > > session.realms().getRealms(); > > > > > > > > ??????????????// do stuff > > > > > > > > ??????????}); > > > > > > > > ??????} > > > > > > > > > > > > > > > > When such a provider is deployed, in about half of > > > > > > > > cases Keycloak > > > > > > > > fails > > > > > > > > to start due to the following exception: > > > > > > > > > > > > > > > > java.sql.SQLException: IJ031017: You cannot set > > > > > > > > autocommit during a > > > > > > > > managed transaction > > > > > > > > > > > > > > > > (see full stacktrace here https://pastebin.com/ETtPqXQk > > > > > > > > ) > > > > > > > > > > > > > > > > I've managed to track it down to something that looks > > > > > > > > like > > > > > > > > transaction > > > > > > > > clash over a single instance of > > > > > > > > org.jboss.jca.adapters.jdbc.local.LocalManagedConnectio > > > > > > > > n. What > > > > > > > > happens > > > > > > > > is that the two treads at the same time begin two > > > > > > > > KeycloakTransactions > > > > > > > > which end up with the same instance of > > > > > > > > LocalManagedConnection. The > > > > > > > > above exception results from the second begin() call. > > > > > > > > > > > > > > > > There's a system property called > > > > > > > > "ironjacamar.jdbc.ignoreautocommit" > > > > > > > > that allows to ignore the situation, but I think it's > > > > > > > > dangerous > > > > > > > > because > > > > > > > > it doesn't eliminate the transaction clash, just > > > > > > > > suppresses the > > > > > > > > check. > > > > > > > > If I'm not mistaken, this began to happen around > > > > > > > > Keycloak 2.2.x, > > > > > > > > which > > > > > > > > coincides with the changes to Keycloak transaction > > > > > > > > management. That > > > > > > > > said, do I need now some additional transaction > > > > > > > > coordination with the > > > > > > > > rest of Keycloak, or is it a bug? If former, how do I > > > > > > > > do that? If > > > > > > > > latter, how do we fix it? > > > > > > > > > > > > > > > > I hope we'll sort it out, since the ability to access > > > > > > > > the data at > > > > > > > > every > > > > > > > > phase of provider's lifecycle seems something > > > > > > > > fundamental to me. > > > > > > > > > > > > > > > > Regards, > > > > > > > > Dmitry > > > > > > > > _______________________________________________ > > > > > > > > keycloak-user mailing list > > > > > > > > keycloak-user at lists.jboss.org > > > > > > > user at lists.jboss.org> > > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > > > _______________________________________________ > > > > > > > keycloak-user mailing list > > > > > > > keycloak-user at lists.jboss.org > > > > > > user at lists.jboss.org> > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From akaya at expedia.com Tue Jul 4 02:41:31 2017 From: akaya at expedia.com (Sarp Kaya) Date: Tue, 4 Jul 2017 06:41:31 +0000 Subject: [keycloak-user] Keycloak very slow on retrieving "events" Message-ID: Hello, When I click on Events, it takes very long time (more than a minute) just to display first 5 events. I checked what endpoint it uses and it?s using this: "/auth/admin/realms//events?first=0&max=5? endpoint. I believe that there is something broken with the filtering option as it should never take more than a minute to just retrieve 5 results. I?m using Keycloak 3.1.0 and MySQL for the database. From antoine at saagie.com Tue Jul 4 05:45:52 2017 From: antoine at saagie.com (Antoine Carton) Date: Tue, 4 Jul 2017 11:45:52 +0200 Subject: [keycloak-user] Workflow Refresh token In-Reply-To: References:

Message-ID: Hello Alex, Indeed, it seems that HTTP-only and Secure flags on the cookie seems to be the best solution. However, it seems strange that this is the main workflow of refresh tokens? Thanks! 2017-07-03 18:16 GMT+02:00 Alex Berg : > Here's my view, FWIW. If the client C is a full OIC client, it should be > responsible for refreshing. It sounds like you're serving the client, which > is a web app. If it's a web app you're serving, and you are giving the > user's browser a session, then your app server is responsible for > refreshing. I put the access token in an HTTP-only cookie, so I would need > to apply same rules for securing a session token as securing the access > token. > > On Jul 3, 2017 9:38 AM, "Antoine Carton" wrote: > >> Hello, >> >> Suppose a client "C" sends a request with an expired access token, to an >> application "A". >> Suppose that application "A" has the refresh token of client "C" and that >> "A" automatically uses this refresh token so that everything is >> transparent >> for client "C" until the refresh token expires as well. >> >> The trouble is that a leak of the access token (yes, access token) of >> client "C" will have the same result as a leak of the refresh token. >> >> Is it a good practice to implement automatic refresh of the token? If it's >> not, how should we use the refresh token? >> >> The Oauth 2.0 RFC (https://tools.ietf.org/html/rfc6819#section-5.2.2.2) >> explains that we have to bind the refresh token to the client_id to avoid >> this situation. However, I am not able to understand what it means for >> application "A"? >> >> Thanks! >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From marc.tempelmeier at flane.de Tue Jul 4 08:18:44 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Tue, 4 Jul 2017 12:18:44 +0000 Subject: [keycloak-user] Workflow Refresh token In-Reply-To: References:

Message-ID: Hi, Is k_logout supported with SAML Implementation? BR Marc From nikolaj at majorov.biz Tue Jul 4 11:35:38 2017 From: nikolaj at majorov.biz (Nikolaj Majorov) Date: Tue, 4 Jul 2017 17:35:38 +0200 Subject: [keycloak-user] Consent Required how it works exatly Message-ID: Hi all, I see that for sample app-jee-html5 application in the the client configuration the property "Consent Required" is configured. How does it implemented ? doest it mean that application get cookie first after user logged-in with user-name password or other js Iframe ? and only after login with user-name& password the client can ask for token ? From tech at psynd.net Tue Jul 4 12:42:40 2017 From: tech at psynd.net (Tech) Date: Tue, 4 Jul 2017 18:42:40 +0200 Subject: [keycloak-user] Application to application: could Keycloak implement this? Message-ID: <7d4227a7-9bc4-0a93-dffb-c1daa725b0fa@psynd.net> Dear experts, I want to bring you this use case to understand if you might be able to support me. Our architecture is based in java, where we might have two kind of clients: * Fat java clients * Browsers Application servers with: * Web containers performing local and remote EJB calls + remote WS calls * EJB container performing local and remote EJB calls + remote WS calls * A remote EJB server performing local and remote EJB calls + remote WS calls * Ws implemeting SOAP or REST * Server SSO able to protect what described above The goal is to allow the clients (thin and fat) to authenticate on the SSO server and to propagate the user identity on these requests: * Fat client authenticated -> EJB secure -> WS secure * Browser authenticated -> Web container -> EJB secure -> WS secure The solution could use a secure token OAuth, OIDC or SAML. The token propagation should be based on standards JAAS and WS-Security. We saw that is possible to implement something similar in some SAML Login Modules on JBoss Enterprise server, but we are not finding anything equivalent in Keycloak. We cannot neither find, for example, not neither for a STS server, that are the required elements to transform this kind of tokens. Did anybody faced a similar experience? Thanks for your support! From sthorger at redhat.com Tue Jul 4 13:56:13 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 4 Jul 2017 19:56:13 +0200 Subject: [keycloak-user] Keycloak very slow on retrieving "events" In-Reply-To: References: Message-ID: That's not good, it should be much quicker than that. Do you have a lot of events? On 4 July 2017 at 08:41, Sarp Kaya wrote: > Hello, > > When I click on Events, it takes very long time (more than a minute) just > to display first 5 events. I checked what endpoint it uses and it?s using > this: > > "/auth/admin/realms//events?first=0&max=5? endpoint. > > I believe that there is something broken with the filtering option as it > should never take more than a minute to just retrieve 5 results. > > I?m using Keycloak 3.1.0 and MySQL for the database. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From matija.mazi at gmail.com Tue Jul 4 14:10:53 2017 From: matija.mazi at gmail.com (Matija Mazi) Date: Tue, 04 Jul 2017 18:10:53 +0000 Subject: [keycloak-user] KeycloakSession users() returns UserRepresentation with no name after REGISTER event In-Reply-To: References: Message-ID: Hi, I'm using an EventListenerProvider to catch user registration events (when the user registers via Keycloak's Registration Form) and send the registered user's details to an outside system. Here's the relevant code: public class LocoinsEventListenerProvider implements EventListenerProvider { private final KeycloakSession session; // provided in constructor @Override public void onEvent(Event evt) { if (evt.getType() == EventType.REGISTER && Objects.equals(evt.getRealmId(), this.realm)) { final String userId = evt.getUserId(); final RealmModel realm = session.realms().getRealm(evt.getRealmId()); final UserModel user = session.users().getUserById(userId, realm); log.info("Customer registered, notifying application: id = {}, name = {} {}, email = {}", userId, user.getFirstName(), user.getLastName(), user.getEmail()); } } } The problem is that user.getFirstName(), user.getLastName() are both null (but user.getEmail() holds the correct value). If I check the Keycloak database directly after this (table USER_ENTITY), FIRST_NAME and LAST_NAME are both there. Any ideas why this might be? How should I get what the first and last name entered by the users? Thanks! P.S. If I create the user via the Keycloak REST API client and then catch the corresponding Admin event (I don't get a REGISTER event in this case), the UserRepresentation obtained in the same way as above holds all the data (first, last name etc.): final UserRepresentation user = new UserRepresentation(); user.setUsername(email); user.setEmail(email); user.setFirstName(name); kc.realm(*"MyRealm"*).users().create(user); From jasonspittel at yahoo.com Tue Jul 4 17:51:50 2017 From: jasonspittel at yahoo.com (Jason Spittel) Date: Tue, 4 Jul 2017 21:51:50 +0000 (UTC) Subject: [keycloak-user] Problems logging out using JEE to keycloak to SAML (ADFS) (better formatted) References: <2140990500.5387792.1499205110788.ref@mail.yahoo.com> Message-ID: <2140990500.5387792.1499205110788@mail.yahoo.com> Apparently my formatting was lost. So I'm reposting this in a more readable format: Hello, I'm having difficulty completing a logout. SETUP: JEE webapp to keycloak to IdP (ADFS (SAML)) WORKFLOW: 1) On logout in the webapp externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true"); 2) User is sent to ADFS letting them know they have successfully logged out. 3) However, there is still a keycloak user session alive (seen in the admin console) 4) Hitting a protected resource in the webapp lets user in without having to log back in. Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262: String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER); if (brokerId != null) {???? ?? IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId);???? ?? Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm);???? ?? if (response != null) return response; } return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers); I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method, to clear the keycloak user session. But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly? Thanks, Jason From akaya at expedia.com Tue Jul 4 19:10:40 2017 From: akaya at expedia.com (Sarp Kaya) Date: Tue, 4 Jul 2017 23:10:40 +0000 Subject: [keycloak-user] Keycloak very slow on retrieving "events" In-Reply-To: References:

Message-ID: Yes, I have a lot of events, but I thought it shouldn?t matter when picking the first 5 events. Thanks, Sarp From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Wednesday, July 5, 2017 at 3:56 AM To: Abdullah Sarp > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Keycloak very slow on retrieving "events" That's not good, it should be much quicker than that. Do you have a lot of events? On 4 July 2017 at 08:41, Sarp Kaya > wrote: Hello, When I click on Events, it takes very long time (more than a minute) just to display first 5 events. I checked what endpoint it uses and it?s using this: "/auth/admin/realms//events?first=0&max=5? endpoint. I believe that there is something broken with the filtering option as it should never take more than a minute to just retrieve 5 results. I?m using Keycloak 3.1.0 and MySQL for the database. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Jul 5 01:29:51 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Jul 2017 07:29:51 +0200 Subject: [keycloak-user] Keycloak very slow on retrieving "events" In-Reply-To: References:

Message-ID: Can you create a bug report please? Include as much info as you can so it's easy for us to reproduce the problem (how many events you have, what the query is you're running, etc..) On 5 July 2017 at 01:10, Sarp Kaya wrote: > Yes, I have a lot of events, but I thought it shouldn?t matter when > picking the first 5 events. > > Thanks, > Sarp > > From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Wednesday, July 5, 2017 at 3:56 AM > To: Abdullah Sarp > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Keycloak very slow on retrieving "events" > > That's not good, it should be much quicker than that. Do you have a lot of > events? > > On 4 July 2017 at 08:41, Sarp Kaya wrote: > >> Hello, >> >> When I click on Events, it takes very long time (more than a minute) just >> to display first 5 events. I checked what endpoint it uses and it?s using >> this: >> >> "/auth/admin/realms//events?first=0&max=5? endpoint. >> >> I believe that there is something broken with the filtering option as it >> should never take more than a minute to just retrieve 5 results. >> >> I?m using Keycloak 3.1.0 and MySQL for the database. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From sthorger at redhat.com Wed Jul 5 01:33:04 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Jul 2017 07:33:04 +0200 Subject: [keycloak-user] Chinese translations Message-ID: I'm trying once more. Is there someone out there that knows Chinese that can review PR for translations? The PR is here: https://github.com/keycloak/keycloak/pull/4251 From johan.heylen.public at gmail.com Wed Jul 5 03:08:38 2017 From: johan.heylen.public at gmail.com (Johan Heylen) Date: Wed, 5 Jul 2017 09:08:38 +0200 Subject: [keycloak-user] Keycloak very slow on retrieving "events" (Sarp Kaya) Message-ID: We faced the same problem and added a series of indexes on the events table. CREATE INDEX idx_event_entity_user_id_realm_id_dnsbelgium ON event_entity USING btree (user_id, realm_id); CREATE INDEX idx_event_entity_user_id_type_dnsbelgium ON event_entity USING btree (user_id, type); CREATE INDEX idx_event_entity_type_dnsbelgium ON event_entity USING btree (type); CREATE INDEX idx_event_entity_realm_id_dnsbelgium ON event_entity USING btree (realm_id); CREATE INDEX idx_event_entity_client_id_dnsbelgium ON event_entity USING btree (client_id); CREATE INDEX idx_event_entity_user_id_dnsbelgium ON event_entity USING btree (user_id); and now queries are working fast Johan On 4 July 2017 at 08:41, Sarp Kaya wrote: > Hello, > > When I click on Events, it takes very long time (more than a minute) just > to display first 5 events. I checked what endpoint it uses and it?s using > this: > > "/auth/admin/realms//events?first=0&max=5? endpoint. > > I believe that there is something broken with the filtering option as it > should never take more than a minute to just retrieve 5 results. > > I?m using Keycloak 3.1.0 and MySQL for the database. From sthorger at redhat.com Wed Jul 5 03:39:57 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Jul 2017 09:39:57 +0200 Subject: [keycloak-user] Keycloak 3.2.0.Final Released Message-ID: Keycloak 3.2.0.Final has just been released. To download the release go to the Keycloak homepage . The full list of resolved issues is available in JIRA . Upgrading Before you upgrade remember to backup your database and check the migration guide . From marc.tempelmeier at flane.de Wed Jul 5 04:09:43 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Wed, 5 Jul 2017 08:09:43 +0000 Subject: [keycloak-user] Keycloak 3.2.0.Final Released In-Reply-To: References: Message-ID: Hi, I get the following error with the new version in Domain Controlled Mode: slave3_1 | [Server:slave3] 08:08:40,100 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => [ slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.ValidatorFactory is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.ModuleName is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.InAppClientContainer is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.app.auth is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.concurrent.ee.context.config.auth.auth is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.InstanceName is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.Validator is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.app.auth.AppName is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]" BR Marc -----Urspr?ngliche Nachricht----- Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Stian Thorgersen Gesendet: Wednesday, July 5, 2017 9:40 AM An: keycloak-user Betreff: [keycloak-user] Keycloak 3.2.0.Final Released Keycloak 3.2.0.Final has just been released. To download the release go to the Keycloak homepage . The full list of resolved issues is available in JIRA . Upgrading Before you upgrade remember to backup your database and check the migration guide . _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From marc.tempelmeier at flane.de Wed Jul 5 04:31:09 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Wed, 5 Jul 2017 08:31:09 +0000 Subject: [keycloak-user] Keycloak 3.2.0.Final Released In-Reply-To: References: Message-ID: Nevermind, I missed the new settings in domain.xml :) -----Urspr?ngliche Nachricht----- Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Marc Tempelmeier Gesendet: Wednesday, July 5, 2017 10:10 AM An: stian at redhat.com; keycloak-user Betreff: Re: [keycloak-user] Keycloak 3.2.0.Final Released Hi, I get the following error with the new version in Domain Controlled Mode: slave3_1 | [Server:slave3] 08:08:40,100 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0180: Services with missing/unavailable dependencies" => [ slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.ValidatorFactory is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.ModuleName is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.deployment.unit.\"keycloak-server.war\".jca.cachedConnectionManagerSetupProcessor is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.InAppClientContainer is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.app.auth is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.concurrent.ee.context.config.auth.auth is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.InstanceName is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.deployment.unit.\"keycloak-server.war\".INSTALL is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.module.auth.auth.Validator is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.naming.context.java.app.auth.AppName is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]", slave3_1 | [Server:slave3] "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service is missing [jboss.infinispan.keycloak.actionTokens, jboss.infinispan.keycloak.authenticationSessions]" BR Marc -----Urspr?ngliche Nachricht----- Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Stian Thorgersen Gesendet: Wednesday, July 5, 2017 9:40 AM An: keycloak-user Betreff: [keycloak-user] Keycloak 3.2.0.Final Released Keycloak 3.2.0.Final has just been released. To download the release go to the Keycloak homepage . The full list of resolved issues is available in JIRA . Upgrading Before you upgrade remember to backup your database and check the migration guide . _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From tdudgeon.ml at gmail.com Wed Jul 5 05:24:20 2017 From: tdudgeon.ml at gmail.com (Tim Dudgeon) Date: Wed, 5 Jul 2017 10:24:20 +0100 Subject: [keycloak-user] reverse proxy woes Message-ID: <476026f2-9022-a73f-34b3-fa1f569c009c@gmail.com> Hi All, I'm having a problem with running keycloak behind an nginx reverse proxy. I've had this running for some time now without problems, but have now stood up a new system in a networking environment that I don't have much control over, and for some reason things are not working. My nginx proxy forwarding looks like this: location /auth/ { proxy_pass http://keycloak:8080/auth/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; proxy_connect_timeout 75s; } Similar for the app that is using keycloak for SSO (this is a tomcat based servlet app). In my keycloak's standalone.xml the http-listener element has had proxy-address-forwarding="true" added. This has all been fine, but in this new environment its not working. I get the keycloak login prompt, and can login OK. But when I look in the session in Keycloack the From IP address is 10.0.0.10 not the actual IP address of the machine where the browser resides. And the app using Keycloak denies access with this exception in the logs: 05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4] org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to turn code into token java.net.ConnectException: Connection refused at java.net.PlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) at java.net.Socket.connect(Socket.java:589) at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:532) at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471) at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) Can anyone shed any light on what might be wrong here? Note this is using quite an old version of keycloak (2.1.0) though I don't think this is the problem. Thanks Tim From thomas.darimont at googlemail.com Wed Jul 5 05:38:21 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Wed, 5 Jul 2017 11:38:21 +0200 Subject: [keycloak-user] reverse proxy woes In-Reply-To: <476026f2-9022-a73f-34b3-fa1f569c009c@gmail.com> References: <476026f2-9022-a73f-34b3-fa1f569c009c@gmail.com> Message-ID: Hi Tim, did you specify proxy-address-forwarding="true" for the element in the undertow subsystem of you standalone(-ha).xml? https://keycloak.gitbooks.io/documentation/server_installation/topics/clustering/load-balancer.html Cheers, Thomas 2017-07-05 11:24 GMT+02:00 Tim Dudgeon : > Hi All, > > I'm having a problem with running keycloak behind an nginx reverse proxy. > > I've had this running for some time now without problems, but have now > stood up a new system in a networking environment that I don't have much > control over, and for some reason things are not working. > > My nginx proxy forwarding looks like this: > > location /auth/ { > proxy_pass http://keycloak:8080/auth/; > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For > $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_redirect off; > proxy_connect_timeout 75s; > } > > Similar for the app that is using keycloak for SSO (this is a tomcat > based servlet app). > > In my keycloak's standalone.xml the http-listener element has had > proxy-address-forwarding="true" added. > This has all been fine, but in this new environment its not working. > > I get the keycloak login prompt, and can login OK. But when I look in > the session in Keycloack the From IP address is 10.0.0.10 not the actual > IP address of the machine where the browser resides. > > And the app using Keycloak denies access with this exception in the logs: > > 05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4] > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to > turn code into token > java.net.ConnectException: Connection refused > at java.net.PlainSocketImpl.socketConnect(Native Method) > at > java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java: > 350) > at > java.net.AbstractPlainSocketImpl.connectToAddress( > AbstractPlainSocketImpl.java:206) > at > java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) > at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) > at java.net.Socket.connect(Socket.java:589) > at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket( > SSLSocketFactory.java:532) > at > org.keycloak.adapters.SniSSLSocketFactory.connectSocket( > SniSSLSocketFactory.java:109) > at > org.apache.http.conn.ssl.SSLSocketFactory.connectSocket( > SSLSocketFactory.java:409) > at > org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection( > DefaultClientConnectionOperator.java:177) > at > org.apache.http.impl.conn.AbstractPoolEntry.open( > AbstractPoolEntry.java:144) > at > org.apache.http.impl.conn.AbstractPooledConnAdapter.open( > AbstractPooledConnAdapter.java:131) > at > org.apache.http.impl.client.DefaultRequestDirector.tryConnect( > DefaultRequestDirector.java:611) > at > org.apache.http.impl.client.DefaultRequestDirector.execute( > DefaultRequestDirector.java:446) > at > org.apache.http.impl.client.AbstractHttpClient.doExecute( > AbstractHttpClient.java:882) > at > org.apache.http.impl.client.CloseableHttpClient.execute( > CloseableHttpClient.java:82) > at > org.apache.http.impl.client.CloseableHttpClient.execute( > CloseableHttpClient.java:107) > at > org.apache.http.impl.client.CloseableHttpClient.execute( > CloseableHttpClient.java:55) > at > org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken( > ServerRequest.java:107) > at > org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode( > OAuthRequestAuthenticator.java:327) > at > org.keycloak.adapters.OAuthRequestAuthenticator.authenticate( > OAuthRequestAuthenticator.java:273) > at > org.keycloak.adapters.RequestAuthenticator.authenticate( > RequestAuthenticator.java:130) > at > org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorV > alve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) > at > org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate( > KeycloakAuthenticatorValve.java:48) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke( > AuthenticatorBase.java:471) > at > org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke( > AbstractKeycloakAuthenticatorValve.java:187) > at > org.apache.catalina.core.StandardHostValve.invoke( > StandardHostValve.java:141) > at > org.apache.catalina.valves.ErrorReportValve.invoke( > ErrorReportValve.java:79) > at > org.apache.catalina.valves.AbstractAccessLogValve.invoke( > AbstractAccessLogValve.java:616) > at > org.apache.catalina.authenticator.SingleSignOn. > invoke(SingleSignOn.java:240) > at > org.apache.catalina.core.StandardEngineValve.invoke( > StandardEngineValve.java:88) > at > org.apache.catalina.connector.CoyoteAdapter.service( > CoyoteAdapter.java:521) > at > org.apache.coyote.http11.AbstractHttp11Processor.process( > AbstractHttp11Processor.java:1096) > at > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler. > process(AbstractProtocol.java:674) > at > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor. > doRun(NioEndpoint.java:1500) > at > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor. > run(NioEndpoint.java:1456) > at > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run( > TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745) > > Can anyone shed any light on what might be wrong here? > Note this is using quite an old version of keycloak (2.1.0) though I > don't think this is the problem. > > Thanks > > Tim > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From thomas.darimont at googlemail.com Wed Jul 5 05:39:36 2017 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Wed, 5 Jul 2017 11:39:36 +0200 Subject: [keycloak-user] reverse proxy woes In-Reply-To: References: <476026f2-9022-a73f-34b3-fa1f569c009c@gmail.com> Message-ID: ... never mind - I missed the part in your email... 2017-07-05 11:38 GMT+02:00 Thomas Darimont : > Hi Tim, > > did you specify proxy-address-forwarding="true" for the > element in the undertow subsystem of you standalone(-ha).xml? > https://keycloak.gitbooks.io/documentation/server_installation/topics/ > clustering/load-balancer.html > > Cheers, > Thomas > > 2017-07-05 11:24 GMT+02:00 Tim Dudgeon : > >> Hi All, >> >> I'm having a problem with running keycloak behind an nginx reverse proxy. >> >> I've had this running for some time now without problems, but have now >> stood up a new system in a networking environment that I don't have much >> control over, and for some reason things are not working. >> >> My nginx proxy forwarding looks like this: >> >> location /auth/ { >> proxy_pass http://keycloak:8080/auth/; >> proxy_set_header Host $host; >> proxy_set_header X-Real-IP $remote_addr; >> proxy_set_header X-Forwarded-For >> $proxy_add_x_forwarded_for; >> proxy_set_header X-Forwarded-Proto $scheme; >> proxy_redirect off; >> proxy_connect_timeout 75s; >> } >> >> Similar for the app that is using keycloak for SSO (this is a tomcat >> based servlet app). >> >> In my keycloak's standalone.xml the http-listener element has had >> proxy-address-forwarding="true" added. >> This has all been fine, but in this new environment its not working. >> >> I get the keycloak login prompt, and can login OK. But when I look in >> the session in Keycloack the From IP address is 10.0.0.10 not the actual >> IP address of the machine where the browser resides. >> >> And the app using Keycloak denies access with this exception in the logs: >> >> 05-Jul-2017 08:53:31.679 ERROR [http-nio-8080-exec-4] >> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode failed to >> turn code into token >> java.net.ConnectException: Connection refused >> at java.net.PlainSocketImpl.socketConnect(Native Method) >> at >> java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSock >> etImpl.java:350) >> at >> java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPl >> ainSocketImpl.java:206) >> at >> java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocket >> Impl.java:188) >> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) >> at java.net.Socket.connect(Socket.java:589) >> at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) >> at >> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLS >> ocketFactory.java:532) >> at >> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniS >> SLSocketFactory.java:109) >> at >> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLS >> ocketFactory.java:409) >> at >> org.apache.http.impl.conn.DefaultClientConnectionOperator. >> openConnection(DefaultClientConnectionOperator.java:177) >> at >> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoo >> lEntry.java:144) >> at >> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(Abs >> tractPooledConnAdapter.java:131) >> at >> org.apache.http.impl.client.DefaultRequestDirector.tryConnec >> t(DefaultRequestDirector.java:611) >> at >> org.apache.http.impl.client.DefaultRequestDirector.execute(D >> efaultRequestDirector.java:446) >> at >> org.apache.http.impl.client.AbstractHttpClient.doExecute(Abs >> tractHttpClient.java:882) >> at >> org.apache.http.impl.client.CloseableHttpClient.execute(Clos >> eableHttpClient.java:82) >> at >> org.apache.http.impl.client.CloseableHttpClient.execute(Clos >> eableHttpClient.java:107) >> at >> org.apache.http.impl.client.CloseableHttpClient.execute(Clos >> eableHttpClient.java:55) >> at >> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken( >> ServerRequest.java:107) >> at >> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode( >> OAuthRequestAuthenticator.java:327) >> at >> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate >> (OAuthRequestAuthenticator.java:273) >> at >> org.keycloak.adapters.RequestAuthenticator.authenticate(Requ >> estAuthenticator.java:130) >> at >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorVa >> lve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) >> at >> org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.auth >> enticate(KeycloakAuthenticatorValve.java:48) >> at >> org.apache.catalina.authenticator.AuthenticatorBase.invoke(A >> uthenticatorBase.java:471) >> at >> org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorVa >> lve.invoke(AbstractKeycloakAuthenticatorValve.java:187) >> at >> org.apache.catalina.core.StandardHostValve.invoke(StandardHo >> stValve.java:141) >> at >> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorRepo >> rtValve.java:79) >> at >> org.apache.catalina.valves.AbstractAccessLogValve.invoke(Abs >> tractAccessLogValve.java:616) >> at >> org.apache.catalina.authenticator.SingleSignOn.invoke( >> SingleSignOn.java:240) >> at >> org.apache.catalina.core.StandardEngineValve.invoke(Standard >> EngineValve.java:88) >> at >> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAd >> apter.java:521) >> at >> org.apache.coyote.http11.AbstractHttp11Processor.process(Abs >> tractHttp11Processor.java:1096) >> at >> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler >> .process(AbstractProtocol.java:674) >> at >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun >> (NioEndpoint.java:1500) >> at >> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run( >> NioEndpoint.java:1456) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at >> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable. >> run(TaskThread.java:61) >> at java.lang.Thread.run(Thread.java:745) >> >> Can anyone shed any light on what might be wrong here? >> Note this is using quite an old version of keycloak (2.1.0) though I >> don't think this is the problem. >> >> Thanks >> >> Tim >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From marc.tempelmeier at flane.de Wed Jul 5 06:20:09 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Wed, 5 Jul 2017 10:20:09 +0000 Subject: [keycloak-user] Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer Message-ID: Hi, now to a real problem :) We have a 3 Node cluster, I always the error after login, sometimes directly at the login. I promptly got logged out. It?s basicly this error: https://issues.jboss.org/browse/KEYCLOAK-3586 But we get it on login to admin console. Any ideas? [Server:slave3] 10:14:09,847 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002005: Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer [Server:slave3] at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:180) [Server:slave3] at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:211) [Server:slave3] at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source) [Server:slave3] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [Server:slave3] at java.lang.reflect.Method.invoke(Method.java:498) [Server:slave3] at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79) [Server:slave3] at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58) [Server:slave3] at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) [Server:slave3] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) [Server:slave3] at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) [Server:slave3] at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) [Server:slave3] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [Server:slave3] at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [Server:slave3] at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [Server:slave3] at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [Server:slave3] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) [Server:slave3] at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) [Server:slave3] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [Server:slave3] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [Server:slave3] at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [Server:slave3] at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [Server:slave3] at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [Server:slave3] at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) [Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [Server:slave3] at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [Server:slave3] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [Server:slave3] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [Server:slave3] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [Server:slave3] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [Server:slave3] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [Server:slave3] at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) [Server:slave3] at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [Server:slave3] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) [Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [Server:slave3] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) [Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) [Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [Server:slave3] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) [Server:slave3] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) [Server:slave3] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) [Server:slave3] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [Server:slave3] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [Server:slave3] at java.lang.Thread.run(Thread.java:748) From federico at info.nl Wed Jul 5 07:33:52 2017 From: federico at info.nl (Federico Navarro Polo - Info.nl) Date: Wed, 5 Jul 2017 11:33:52 +0000 Subject: [keycloak-user] Internal System Error on screens when a code is expired Message-ID: <63F53E4C-3933-4C90-A137-DB30CD000EA5@info.nl> Hello, There are some screens / links generated by Keycloak that make use of an authorization code, like registration link, forgotten password link, verification link, etc. When those codes expire or a code is already used, the feedback to the user will be just an Internal Server Error screen. This is not very user friendly, since the user doesn?t know what he has done wrong (eg: a simple refresh on the register page will trigger the issue). I wonder if there is a simple way to modify this behavior, and for instance show a different error message informing of the actual problem (eg: the code is invalid. Please go to {link} to restart the process), or this is really a new functionality to be requested to the Keycloak team via JIRA. Regards, Federico From galserg at gmail.com Wed Jul 5 08:16:46 2017 From: galserg at gmail.com (=?UTF-8?B?0KHQtdGA0LPQtdC5INCT0LDQu9GO0LfQuNC9?=) Date: Wed, 5 Jul 2017 15:16:46 +0300 Subject: [keycloak-user] keycloak saml logout Message-ID: hi all! i try use Keycloak as IDP for gitlab via SAML protocol. autentification is work well. but i can't configure integration with logout service gillab can redirect user after logout to customizable url if it redirect to main SAML entry point ( root/realms/{realm}/protocol/saml/) i see error "invalid request" if i try type anybody to field "Logout Service POST Binding URL" and redirect to this url - i see error 404 or blank screen. In the documentation this service is practically not described. Is there a standard entry point for logout servise (like standart SSO point root/realms/{realm}/protocol/saml/clients/{url name}) ? From galserg at gmail.com Wed Jul 5 12:17:43 2017 From: galserg at gmail.com (=?UTF-8?B?0KHQtdGA0LPQtdC5INCT0LDQu9GO0LfQuNC9?=) Date: Wed, 5 Jul 2017 19:17:43 +0300 Subject: [keycloak-user] saml logout Message-ID: hi all! i try use Keycloak as IDP for gitlab via SAML protocol. autentification is work well. but i can't configure integration with logout service gillab can redirect user after logout to customizable url if it redirect to main SAML entry point ( root/realms/{realm}/protocol/saml/) i see error "invalid request" if i try type anybody to field "Logout Service POST Binding URL" and redirect to this url - i see error 404 or blank screen. In the documentation this service is practically not described. Is there a standard entry point for logout servise (like standart SSO point root/realms/{realm}/protocol/saml/clients/{url name}) ? From sthorger at redhat.com Wed Jul 5 14:35:36 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 5 Jul 2017 20:35:36 +0200 Subject: [keycloak-user] Internal System Error on screens when a code is expired In-Reply-To: <63F53E4C-3933-4C90-A137-DB30CD000EA5@info.nl> References: <63F53E4C-3933-4C90-A137-DB30CD000EA5@info.nl> Message-ID: Try 3.2 there's been improvements around this On 5 July 2017 at 13:33, Federico Navarro Polo - Info.nl wrote: > Hello, > > There are some screens / links generated by Keycloak that make use of an > authorization code, like registration link, forgotten password link, > verification link, etc. When those codes expire or a code is already used, > the feedback to the user will be just an Internal Server Error screen. > > This is not very user friendly, since the user doesn?t know what he has > done wrong (eg: a simple refresh on the register page will trigger the > issue). I wonder if there is a simple way to modify this behavior, and for > instance show a different error message informing of the actual problem > (eg: the code is invalid. Please go to {link} to restart the process), or > this is really a new functionality to be requested to the Keycloak team via > JIRA. > > > > Regards, > Federico > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jasonspittel at yahoo.com Wed Jul 5 14:40:48 2017 From: jasonspittel at yahoo.com (Jason Spittel) Date: Wed, 5 Jul 2017 18:40:48 +0000 (UTC) Subject: [keycloak-user] SAML HttpServletRequest.logout() support References: <1263738321.6142511.1499280048359.ref@mail.yahoo.com> Message-ID: <1263738321.6142511.1499280048359@mail.yahoo.com> I'm having trouble with SAML Logout. ?I have a JEE app that uses Keycloak as an identity broker to ADFS. Following these instructions:Logout | Keycloak Documentation | | | | Logout | Keycloak Documentation | | | I should be able to just call HttpServletRequest.logout(). But that doesn't do anything. Searching Jira I see this a reported issue. [KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue Tracker | | | | [KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue T... | | | While that's being worked on, are there workarounds to do a SAML logout through Keycloak? Thanks, Jason From mitya at cargosoft.ru Wed Jul 5 16:54:19 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Wed, 05 Jul 2017 23:54:19 +0300 Subject: [keycloak-user] Permission related issues in 3.2.0 Message-ID: <1499288059.2978.1.camel@cargosoft.ru> Hi, After upgrade to 3.2.0, I've noticed the following issues that may all be permissions-related: * in 3.2.0, if you create a (non-master) realm, add a user, assign realm-management.realm-admin client role, click impersonate (or simply relogin) to access the account page - in the Applications tab you'll see only Account itself, and neither Security Admin Console nor Admin CLI like in 3.1.0. This is a bit confusing since the user?actually is able to access admin console and CLI; * in 3.2.0, if you log in as a master realm admin, create a role in a non-master realm, turn it into composite and try to add roles to it, you'll get an exception: 23:12:52,654 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-12) RESTEASY002005: Failed executing POST /admin/realms/foobar/roles-by-id/3e38af68-5aef-482c-868e- 461f12e11592/composites: org.keycloak.services.ForbiddenException at org.keycloak.services.resources.admin.permissions.RolePermissions.requi reMapComposite(RolePermissions.java:383) at org.keycloak.services.resources.admin.RoleResource.addComposites(RoleRe source.java:70) at org.keycloak.services.resources.admin.RoleByIdResource.addComposites(Ro leByIdResource.java:161) I didn't manage to find a working combination of permissions to solve this. Anyway, one might expect this to work out of the box, like it used to in 3.1.0. Dmitry From mitya at cargosoft.ru Wed Jul 5 17:10:29 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Thu, 06 Jul 2017 00:10:29 +0300 Subject: [keycloak-user] LDAP attributes & caching Message-ID: <1499289029.2978.3.camel@cargosoft.ru> Hi, I've got a LDAP federation configured with Import Users = ON and mappers like firstName/lastName having Always Read Value From LDAP = ON. If the corresponding attribute is changed in LDAP, it will show immediately in the "View all users" list. However, it won't be reflected in user details, top-right corner or account page until user cache is cleared. Dmitry From john.bartko at drillinginfo.com Wed Jul 5 19:37:00 2017 From: john.bartko at drillinginfo.com (John Bartko) Date: Wed, 5 Jul 2017 23:37:00 +0000 Subject: [keycloak-user] saml logout In-Reply-To: References: Message-ID: This GitLab issue [1] seems relevant. It may be the case that GitLab does not support SAML SP-initiated global logout at this time. You mentioned that GitLab can redirect users to a URI after performing its own logout procedure. This problem then seems to be another instance of KEYCLOAK-3476 [2], i.e. GitLab may be a SAML SP that cannot process LogoutRequest messages but does offer arbitrary redirection. In theory, GitLab can redirect to the OIDC Logout Endpoint [3] which would destroy the Keycloak IdP session that was initially started by a SAML client. Here's a *major* catch -- In my experience with Keycloak v1.9.8.Final, once an invalid configuration has be placed in the "Logout Service POST Binding URL" field for SAML clients lacking LogoutRequest support, that client is now "polluted" and must be deleted and recreated before GLO will work! Subsequently blanking the field would result in Keycloak throwing NPEs. I cannot speak to whether this behaviour is present in more recent versions of Keycloak. Hope that helps, -John Bartko [1] https://gitlab.com/gitlab-org/gitlab-ce/issues/25854 [2] https://issues.jboss.org/browse/KEYCLOAK-3476 [3] https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/oidc-generic.html#_logout_endpoint ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of ?????? ??????? Sent: Wednesday, July 5, 2017 11:17:43 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] saml logout hi all! i try use Keycloak as IDP for gitlab via SAML protocol. autentification is work well. but i can't configure integration with logout service gillab can redirect user after logout to customizable url if it redirect to main SAML entry point ( root/realms/{realm}/protocol/saml/) i see error "invalid request" if i try type anybody to field "Logout Service POST Binding URL" and redirect to this url - i see error 404 or blank screen. In the documentation this service is practically not described. Is there a standard entry point for logout servise (like standart SSO point root/realms/{realm}/protocol/saml/clients/{url name}) ? _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From thomas_connolly at yahoo.com Wed Jul 5 23:27:09 2017 From: thomas_connolly at yahoo.com (Thomas Connolly) Date: Thu, 6 Jul 2017 03:27:09 +0000 (UTC) Subject: [keycloak-user] Direct Connect API call results in JWT with missing idtoken? References: <1331295271.6505433.1499311629505.ref@mail.yahoo.com> Message-ID: <1331295271.6505433.1499311629505@mail.yahoo.com> Hi All I've just raised the following ticket for a potential bug in KC 3.2.0.Final and KC 3.2.0.CR1. https://issues.jboss.org/browse/KEYCLOAK-5145 I'd really appreciate if you could determine if I've missed something or there is an actual bug. As per bug description using an unconfigured KC. Regards Tom Connolly. From sthorger at redhat.com Thu Jul 6 02:08:57 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 6 Jul 2017 08:08:57 +0200 Subject: [keycloak-user] Direct Connect API call results in JWT with missing idtoken? In-Reply-To: <1331295271.6505433.1499311629505@mail.yahoo.com> References: <1331295271.6505433.1499311629505.ref@mail.yahoo.com> <1331295271.6505433.1499311629505@mail.yahoo.com> Message-ID: Please check the migration guide before upgrading https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationFromOlderVersions.html You need to add scope=openid otherwise the ID token won't be returned and it will be counted as an OAuth2 request rather than an OpenID Connect request. On 6 July 2017 at 05:27, Thomas Connolly wrote: > Hi All > > I've just raised the following ticket for a potential bug in KC > 3.2.0.Final and KC 3.2.0.CR1. > https://issues.jboss.org/browse/KEYCLOAK-5145 > > I'd really appreciate if you could determine if I've missed something or > there is an actual bug. > As per bug description using an unconfigured KC. > > Regards > Tom Connolly. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mitya at cargosoft.ru Thu Jul 6 06:46:06 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Thu, 06 Jul 2017 13:46:06 +0300 Subject: [keycloak-user] Permission related issues in 3.2.0 In-Reply-To: <1499288059.2978.1.camel@cargosoft.ru> References: <1499288059.2978.1.camel@cargosoft.ru> Message-ID: <1499337966.2966.1.camel@cargosoft.ru> https://issues.jboss.org/browse/KEYCLOAK-5152 https://issues.jboss.org/browse/KEYCLOAK-5155 From mitya at cargosoft.ru Thu Jul 6 06:46:27 2017 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Thu, 06 Jul 2017 13:46:27 +0300 Subject: [keycloak-user] LDAP attributes & caching In-Reply-To: <1499289029.2978.3.camel@cargosoft.ru> References: <1499289029.2978.3.camel@cargosoft.ru> Message-ID: <1499337987.2966.2.camel@cargosoft.ru> https://issues.jboss.org/browse/KEYCLOAK-5156 From antoine at saagie.com Thu Jul 6 08:55:29 2017 From: antoine at saagie.com (Antoine Carton) Date: Thu, 6 Jul 2017 14:55:29 +0200 Subject: [keycloak-user] AdapterTokenStore: automatic refresh token Message-ID: Hello, I have implemented an org.keycloak.adapters.AdapterTokenStore, like the existing ones, for example: - org.keycloak.adapters.jetty.core.JettyCookieTokenStore (from keycloak-jetty-core 3.1.0.Final) - org.keycloak.adapters.jetty.core.JettySessionTokenStore (from keycloak-jetty-core 3.1.0.Final) The purpose is that these AdapterTokenStores refresh the current access token with the refreshToken they have stored, and then update the org.keycloak.adapters.RefreshableKeycloakSecurityContext (see refreshExpiredToken() of this context) with a new token. All of this is triggered thanks to the checkCurrentToken, called in org.keycloak.adapters.jetty.core.AbstractKeycloakJettyAuthenticator. The trouble is that the current "Authorization" header of the Request object is not updated with the new token. Therefore, even if the security context has a new token, the current request failed because of the old token that is still in the Authorization header (the check is done in BearerTokenRequestAuthenticator.authenticate(HttpFacade exchange)). Any idea how to solve this issue? Does it mean the request must be done twice even if the token is refreshed? Otherwise, the alternative I see is to have a proxy that will be in charge of refreshing the token by modifying the request header. Thanks! From inofi at gmx.net Thu Jul 6 11:21:09 2017 From: inofi at gmx.net (Malte Finsterwalder) Date: Thu, 6 Jul 2017 17:21:09 +0200 Subject: [keycloak-user] Fwd: Kerberos Authentication throws Exception In-Reply-To: <0d8e7bae-a4b5-2b59-96f4-634e2635bc8e@finsterwalder.name> References: <0d8e7bae-a4b5-2b59-96f4-634e2635bc8e@finsterwalder.name> Message-ID: Hi there, I tried to configure Keycloak to authenticate against Windows Active Directory using Kerberos credentials. But I keep getting an Exception. Setup is as follows: I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final. In addition I installed freeipa-client and added a /etc/krb5.conf file as well as my keytab file. But when I configure Kerberos as required in the browser flow, I get the following Exception and the browser shows me a basic auth login dialog, that does not allow me to log in at all. Any ideas? How can gather more information? 13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH. HANSEMERKUR.DE at HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false storePass is false clearPass is false 13:26:25,796 INFO [stdout] (default task-64) principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE at HH.HANSEMERKUR.DE 13:26:25,796 INFO [stdout] (default task-64) Will use keytab 13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded 13:26:25,796 INFO [stdout] (default task-64) 13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-47) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate( SPNEGOAuthenticator.java:68) at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate( LDAPStorageProvider.java:542) at org.keycloak.credential.UserCredentialStoreManager.authenticate( UserCredentialStoreManager.java:323) at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator. authenticate(SpnegoAuthenticator.java:90) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow( DefaultAuthenticationFlow.java:184) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly( AuthenticationProcessor.java:792) at org.keycloak.authentication.AuthenticationProcessor.authenticate( AuthenticationProcessor.java:667) at org.keycloak.protocol.AuthorizationEndpointBase. handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint. buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317) at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build( AuthorizationEndpoint.java:125) at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke( DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke( MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke( SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest( ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest( FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHand ler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl er.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl er.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler .handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandle r.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest( NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssocia tionHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest( PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$ 000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run( ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) at sun.security.jgss.GSSHeader.(GSSHeader.java:97) at sun.security.jgss.GSSContextImpl.acceptSecContext( GSSContextImpl.java:306) at sun.security.jgss.GSSContextImpl.acceptSecContext( GSSContextImpl.java:285) at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator. establishContext(SPNEGOAuthenticator.java:172) at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$ AcceptSecContext.run(SPNEGOAuthenticator.java:135) at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$ AcceptSecContext.run(SPNEGOAuthenticator.java:125) ... 60 more 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]: Entering logout 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]: logged out Subject From petervn1 at yahoo.com Thu Jul 6 12:10:47 2017 From: petervn1 at yahoo.com (Peter Nalyvayko) Date: Thu, 6 Jul 2017 16:10:47 +0000 (UTC) Subject: [keycloak-user] Identity provider, keycloak js adapter and session management References: <1621377393.5523009.1499357447224.ref@mail.yahoo.com> Message-ID: <1621377393.5523009.1499357447224@mail.yahoo.com> Hi, We've hit a bit of a snag while setting up our one page js client. Changing the value of the "sub" claim to anything other than the unique identifier of the keycloak user causes the keycloak adapter to detect the changes to the session and clear out the tokens, forcing the users to re-log in after every 5 seconds. We are using the version 2.3.0 of keycloak. Our app is set up to use keycloak.js adapter for all things related to OIDC. The adapter is configured to use the "code authorization" (standard) flow. The instance of keycloak is configured to use an external OIDC identity provider and the users are uniquely identified by their e-mails. Naturally, we wanted that the "sub" claim in the claim set returned by calling the keycloak's OIDC /token endpoint would return the unique identity of the external user rather than the internal identifier of the keycloak user, so we re-configured the keycloak client by adding a property mapper to map the user's email to the "sub" claim, here the example of the access token: { "sub": "user at company.com", "iat": 223235098325, "email": "user at company.com", ... } Once we had implemented these changes on the keycloak side, our users were able to initially sign into the application, but when they tried to access any functionality within the app, they would be prompted to sign in again. The problem seems to related to the OIDC session management and the assumption and the "sub" claim always matches the keycloak user's unique identifier. We narrowed the problem down to four components: - keycloak.js - login-status-iframe.html - services\srv\main\java\org\keycloak\protocol\oidc\endpoints\LoginStatusIframeEndpoint.java - services\src\main\java\org\keycloak\services\managers\AuthenticationManager.java In keycloak.js, line 637, the implementation creates a session id to be used to check the session state. Notice that the code uses the value from the "sub" claim: var sessionId = kc.realm + "/" + kc.tokenParsed.sub; In AuthenticationManager.createLoginCookie, line 306, the value of the "SESSION_COOKIE" is set to: String sessionCookieValue = realm.getName() + "/" + user.getId(); Sadly, in our configuration, the value returned of by user.getId() is not the same as the value stored in the "sub" claim, thus causing the session management code in login-status-iframe.html, line 53 to clear out any tokens and force the users to re-login the next time it checks the session state (default is 5 second intervals): var cookie = getCookie(); if (sessionState == cookie) { ... } else { callback("changed"); } Looking at the LoginStatusIframeEndpoint.preCheck (LoginSatusIframeEndpoint.java, lines 71-93), we've noticed that the implementation does not even make use of the user identity, only the session id. The workaround, at least temporary, for us was to add the "id" claim containing the user identity internal to keycloak, and modify the keycloak JS adapter code to look for the "id" claim and use its value instead of the value in the "sub" claim when creating the session id, i.e.: var sessionId; if (kc.tokenParsed.id) { sessionId = kc.realm + "/" + kc.tokenParsed.id; } else { sessionId = kc.realm + "/" + kc.tokenParsed.sub; } Is this a bug, or does it work as intended, i.e. the users should never set the "sub" claim to anything other than the keycloak's user identity? If this is a bug, I can submit a JIRA request and a fix as long as the workaround above seems like an acceptable solution Any comments are welcome Regards, Peter From inofi at gmx.net Thu Jul 6 13:19:35 2017 From: inofi at gmx.net (Malte Finsterwalder) Date: Thu, 6 Jul 2017 19:19:35 +0200 Subject: [keycloak-user] Understanding "Server Principal" in Kerberos setup Message-ID: Hi there, I'm trying to set up Keycloak to use Kerberos with Active Directory. But I'm not sure, I understand the Server Principal correctly. Keycloak is running on a server, that is reachable under keycloak.some.domain.com The Kerberos Realm is whatever.else.com So is the Server Principal correctly specified as: HTTP/keycloak.some.domain.com at whatever.else.com Or more general HTTP/@ And is in the Server Principal always the same as stated in "Kerberos Realm" in the admin ui? And does case matter anywhere? Greetings, Malte From inofi at gmx.net Thu Jul 6 13:26:09 2017 From: inofi at gmx.net (Malte Finsterwalder) Date: Thu, 6 Jul 2017 19:26:09 +0200 Subject: [keycloak-user] Kerberos Authentication throws Exception In-Reply-To: References: <0d8e7bae-a4b5-2b59-96f4-634e2635bc8e@finsterwalder.name> Message-ID: I tweaked my config a bit and fixed an error there. It still doesn't work correctly, but now I get an ICMP Error, after the SPNEGO Failure and a try to login with username and password; 17:23:54,184 INFO [stdout] (default task-21) [Krb5LoginModule] authentication failed 17:23:54,184 INFO [stdout] (default task-21) ICMP Port Unreachable 17:23:54,185 WARN [org.keycloak.services] (default task-21) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: Kerberos unreachable at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108) at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:94) at org.keycloak.storage.ldap.LDAPStorageProvider.validPassword(LDAPStorageProvider.java:512) at org.keycloak.storage.ldap.LDAPStorageProvider.isValid(LDAPStorageProvider.java:602) at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:140) at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:121) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:175) at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:151) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56) at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92) at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76) at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365) at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347) at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject(KerberosUsernamePasswordAuthenticator.java:128) at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:90) ... 61 more Caused by: java.net.PortUnreachableException: ICMP Port Unreachable at java.net.PlainDatagramSocketImpl.receive0(Native Method) at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143) at java.net.DatagramSocket.receive(DatagramSocket.java:812) at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206) at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411) at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364) at java.security.AccessController.doPrivileged(Native Method) at sun.security.krb5.KdcComm.send(KdcComm.java:348) at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253) at sun.security.krb5.KdcComm.send(KdcComm.java:229) at sun.security.krb5.KdcComm.send(KdcComm.java:200) at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316) at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766) ... 75 more On 6 July 2017 at 17:21, Malte Finsterwalder wrote: > Hi there, > > I tried to configure Keycloak to authenticate against Windows Active > Directory using Kerberos credentials. > But I keep getting an Exception. > > Setup is as follows: > > I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final. > In addition I installed freeipa-client and added a /etc/krb5.conf file as > well as my keytab file. > > But when I configure Kerberos as required in the browser flow, I get the > following Exception and the browser shows me a basic auth login dialog, > that does not allow me to log in at all. > > Any ideas? How can gather more information? > > 13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true > useTicketCache false useKeyTab true doNotPrompt true ticketCache is null > isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab > refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANS > EMERKUR.DE at HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false > storePass is false clearPass is false > 13:26:25,796 INFO [stdout] (default task-64) principal is > HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE at HH.HANSEMERKUR.DE > 13:26:25,796 INFO [stdout] (default task-64) Will use keytab > 13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded > 13:26:25,796 INFO [stdout] (default task-64) > > 13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] > (default task-47) SPNEGO login failed: java.security.PrivilegedActionException: > GSSException: Defective token detected (Mechanism level: GSSHeader did not > find the right tag) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.au > thenticate(SPNEGOAuthenticator.java:68) > at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(L > DAPStorageProvider.java:542) > at org.keycloak.credential.UserCredentialStoreManager.authentic > ate(UserCredentialStoreManager.java:323) > at org.keycloak.authentication.authenticators.browser.SpnegoAut > henticator.authenticate(SpnegoAuthenticator.java:90) > at org.keycloak.authentication.DefaultAuthenticationFlow.proces > sFlow(DefaultAuthenticationFlow.java:184) > at org.keycloak.authentication.AuthenticationProcessor.authenti > cateOnly(AuthenticationProcessor.java:792) > at org.keycloak.authentication.AuthenticationProcessor.authenti > cate(AuthenticationProcessor.java:667) > at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowse > rAuthenticationRequest(AuthorizationEndpointBase.java:123) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.b > uildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317) > at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint. > build(AuthorizationEndpoint.java:125) > at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe > thodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje > ctorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget > (ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc > eMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > tObject(ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > ceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge > tObject(ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour > ceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > nousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro > nousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi > spatcher.service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > her.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc > her.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se > rvletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > oFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.d > oFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d > oFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil > terHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHan > dler.handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handl > eRequest(ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssoc > iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociat > ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationC > allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentiality > ConstraintHandler.handleRequest(ServletConfident > ialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSes > sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler.ha > ndleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssociation > Handler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa > ndler.handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest(P > redicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFir > stRequest(ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR > equest(ServletInitialHandler.java:263) > at io.undertow.servlet.handlers.ServletInitialHandler.access$00 > 0(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR > equest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan > ge.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > Executor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > lExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: GSSException: Defective token detected (Mechanism level: > GSSHeader did not find the right tag) > at sun.security.jgss.GSSHeader.(GSSHeader.java:97) > at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext > Impl.java:306) > at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext > Impl.java:285) > at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.es > tablishContext(SPNEGOAuthenticator.java:172) > at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac > ceptSecContext.run(SPNEGOAuthenticator.java:135) > at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac > ceptSecContext.run(SPNEGOAuthenticator.java:125) > ... 60 more > > 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]: > Entering logout > 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]: > logged out Subject > > From glavoie at gmail.com Thu Jul 6 14:45:05 2017 From: glavoie at gmail.com (Gabriel Lavoie) Date: Thu, 6 Jul 2017 14:45:05 -0400 Subject: [keycloak-user] LDAP User Federation: Issue with Hardcoded Roles Message-ID: Hi, I've been trying to setup a LDAP user federation with a hardcoded admin role on Keycloak 2.1.0.Final, on the master realm. The role is granted to the user as expected, but not the composite roles attached to the "admin" role. I tried reproducing the issue with the latest Keycloak but encountered a different problem. When I try to add the hardcoded role mapper and add the "admin" role to it, the role displays as "a" in the field (after selection), and I get an error on save. I get the following exception in the log: 2017-07-06 14:43:36,727 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-18) RESTEASY002005: Failed executing POST /admin/realms/master/components: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1611369f; line: 1, column: 12] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["role"]) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184) at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1611369f; line: 1, column: 12] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["role"]) at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19) at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26) at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523) at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95) at com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285) at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248) at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136) at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410) at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61) at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151) ... 48 more Any idea of what could be wrong? Bug? Thank you, Gabriel -- Gabriel Lavoie glavoie at gmail.com From lists at merit.unu.edu Thu Jul 6 17:15:51 2017 From: lists at merit.unu.edu (mj) Date: Thu, 6 Jul 2017 23:15:51 +0200 Subject: [keycloak-user] Understanding "Server Principal" in Kerberos setup In-Reply-To: References: Message-ID: <3903e380-1a10-8ee7-8376-792e0bf29021@merit.unu.edu> Hi, I can only say that what I did, is add "HTTP/keycloak.some.domain.com" to the AD account. After exporting, the principal looks like: HTTP/keycloak.some.domain.com at WHATEVER.ELSE.COM I'm not sure if the upper case REALM matters. Hope that helps, MJ On 07/06/2017 07:19 PM, Malte Finsterwalder wrote: > Hi there, > > I'm trying to set up Keycloak to use Kerberos with Active Directory. > But I'm not sure, I understand the Server Principal correctly. > > Keycloak is running on a server, that is reachable under > keycloak.some.domain.com > The Kerberos Realm is whatever.else.com > > So is the Server Principal correctly specified as: > > HTTP/keycloak.some.domain.com at whatever.else.com > > Or more general HTTP/@ > > And is in the Server Principal always the same as stated > in "Kerberos Realm" in the admin ui? > > And does case matter anywhere? > > Greetings, > Malte > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From akaya at expedia.com Fri Jul 7 00:58:38 2017 From: akaya at expedia.com (Sarp Kaya) Date: Fri, 7 Jul 2017 04:58:38 +0000 Subject: [keycloak-user] Keycloak very slow on retrieving "events" In-Reply-To: References:

Message-ID: <41473CD9-CF89-41E6-9051-6F569ED09429@expedia.com> Hey again, I checked the database there were 14 million events. After running some basic queries I noticed that even basic count query would take around 4 minutes. One thing I realised is, if you want an instant result, you can use LIMIT, because UI uses 0-5 etc. it can definitely make use of it to make this faster. How I fixed is by adding an index on Event_time: CREATE INDEX `idx_EVENT_ENTITY_EVENT_TIME` ON `keycloak`.`EVENT_ENTITY` (EVENT_TIME) COMMENT '' ALGORITHM DEFAULT LOCK DEFAULT; Now it works really quick. I am not going to create a ticket, but if you wish, you can add this to your liquibase for the next updates. Thanks, Sarp From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Wednesday, July 5, 2017 at 3:29 PM To: Abdullah Sarp > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Keycloak very slow on retrieving "events" Can you create a bug report please? Include as much info as you can so it's easy for us to reproduce the problem (how many events you have, what the query is you're running, etc..) On 5 July 2017 at 01:10, Sarp Kaya > wrote: Yes, I have a lot of events, but I thought it shouldn?t matter when picking the first 5 events. Thanks, Sarp From: Stian Thorgersen > Reply-To: "stian at redhat.com" > Date: Wednesday, July 5, 2017 at 3:56 AM To: Abdullah Sarp > Cc: "keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] Keycloak very slow on retrieving "events" That's not good, it should be much quicker than that. Do you have a lot of events? On 4 July 2017 at 08:41, Sarp Kaya > wrote: Hello, When I click on Events, it takes very long time (more than a minute) just to display first 5 events. I checked what endpoint it uses and it?s using this: "/auth/admin/realms//events?first=0&max=5? endpoint. I believe that there is something broken with the filtering option as it should never take more than a minute to just retrieve 5 results. I?m using Keycloak 3.1.0 and MySQL for the database. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From steindl.bernhard94 at gmail.com Fri Jul 7 06:16:31 2017 From: steindl.bernhard94 at gmail.com (Bernhard Steindl) Date: Fri, 7 Jul 2017 12:16:31 +0200 Subject: [keycloak-user] Access Query Parameter in FreeMarker Template - Keycloak 2.1.0 Message-ID: <710618DE-5D82-4114-9C2F-D3992F48BD57@gmail.com> Hello, I must access Query Parameters passed to my keycloak login theme. Neither was I able to obtain them using RequestParameters.paramName nor request.getParameter(paramName) in the login FreeMarker template. Everytime I access a query parameter using these methods I get an FreeMarker error 2017-07-06 13:32:07,917 ERROR [freemarker.runtime] (default task-12) Error executing FreeMarker template: freemarker.core.InvalidReferenceException: The following has evaluated to null or missing I also found that there is an url object visible which provides a few keys to access. I am using Keycloak 2.1.0 which includes a FreeMarker jar version 2.3.20. Can anybody support me in this issue? I need to use query params to dynamically display information on the login theme. Kind Regards, Bernhard From petervn1 at yahoo.com Fri Jul 7 12:06:50 2017 From: petervn1 at yahoo.com (Peter Nalyvayko) Date: Fri, 7 Jul 2017 16:06:50 +0000 (UTC) Subject: [keycloak-user] Identity provider, keycloak js adapter and session management References: <1727835614.580304.1499443610670.ref@mail.yahoo.com> Message-ID: <1727835614.580304.1499443610670@mail.yahoo.com> Some additional info: we can also reproduce the same behavior using the Pairwise subject identifier, i.e. users keep getting logged out after 5 seconds. -------------------------------------------- On Thu, 7/6/17, Peter Nalyvayko wrote: Subject: Identity provider, keycloak js adapter and session management To: keycloak-user at lists.jboss.org Date: Thursday, July 6, 2017, 12:10 PM Hi, We've hit a bit of a snag while setting up our one page js client. Changing the value of the "sub" claim to anything other than the unique identifier of the keycloak user causes the keycloak adapter to detect the changes to the session and clear out the tokens, forcing the users to re-log in after every 5 seconds. We are using the version 2.3.0 of keycloak. Our app is set up to use keycloak.js adapter for all things related to OIDC. The adapter is configured to use the "code authorization" (standard) flow. The instance of keycloak is configured to use an external OIDC identity provider and the users are uniquely identified by their e-mails. Naturally, we wanted that the "sub" claim in the claim set returned by calling the keycloak's OIDC /token endpoint would return the unique identity of the external user rather than the internal identifier of the keycloak user, so we re-configured the keycloak client by adding a property mapper to map the user's email to the "sub" claim, here the example of the access token: { ? "sub": "user at company.com", ? "iat": 223235098325, ? "email": "user at company.com", ? ... } Once we had implemented these changes on the keycloak side, our users were able to initially sign into the application, but when they tried to access any functionality within the app, they would be prompted to sign in again. The problem seems to related to the OIDC session management and the assumption and the "sub" claim always matches the keycloak user's unique identifier. We narrowed the problem down to four components: - keycloak.js - login-status-iframe.html - services\srv\main\java\org\keycloak\protocol\oidc\endpoints\LoginStatusIframeEndpoint.java - services\src\main\java\org\keycloak\services\managers\AuthenticationManager.java In keycloak.js, line 637, the implementation creates a session id to be used to check the session state. Notice that the code uses the value from the "sub" claim: ? var sessionId = kc.realm + "/" + kc.tokenParsed.sub; ? In AuthenticationManager.createLoginCookie, line 306, the value of the "SESSION_COOKIE" is set to: ? String sessionCookieValue = realm.getName() + "/" + user.getId(); Sadly, in our configuration, the value returned of by user.getId() is not the same as the value stored in the "sub" claim, thus causing the session management code in login-status-iframe.html, line 53 to clear out any tokens and force the users to re-login the next time it checks the session state (default is 5 second intervals): ? var cookie = getCookie(); ? if (sessionState == cookie) { ... } else { callback("changed"); }? Looking at the LoginStatusIframeEndpoint.preCheck (LoginSatusIframeEndpoint.java, lines 71-93), we've noticed that the implementation does not even make use of the user identity, only the session id. The workaround, at least temporary, for us was to add the "id" claim containing the user identity internal to keycloak, and modify the keycloak JS adapter code to look for the "id" claim and use its value instead of the value in the "sub" claim when creating the session id, i.e.: ? ? var sessionId; ? if (kc.tokenParsed.id) { ? ? ? sessionId = kc.realm + "/" + kc.tokenParsed.id; ? } else { ? ? ? sessionId = kc.realm + "/" + kc.tokenParsed.sub; ? } Is this a bug, or does it work as intended, i.e. the users should never set the "sub" claim to anything other than the keycloak's user identity? If this is a bug, I can submit a JIRA request and a fix as long as the workaround above seems like an acceptable solution Any comments are welcome Regards, Peter From nicolaouantonia at gmail.com Fri Jul 7 15:29:00 2017 From: nicolaouantonia at gmail.com (Antonia Nicolaou) Date: Fri, 7 Jul 2017 22:29:00 +0300 Subject: [keycloak-user] redhat sso get baseurl in custom theme for email registration Message-ID: Hello all, Your help would be greatly appreciated. I am using single sign on service from redhat v7.1 and I am developing a custom template (in a custom theme) for registration email. In the email, Unfortunately, I didn?t find the proper way to get the client baseUrl or the url.registrationUrl . Could you please help me? Thank you in advanced. Sincerely, Antonia Nicolaou From James.P.Mcshane at healthpartners.com Fri Jul 7 16:33:40 2017 From: James.P.Mcshane at healthpartners.com (Mcshane, James P) Date: Fri, 7 Jul 2017 20:33:40 +0000 Subject: [keycloak-user] Keycloak Spring Boot Bearer Authentication Message-ID: I am working on a set of Spring Boot modules all within the same Realm in Keycloak. I would like the service to have bearer only authentication so that the service can only be accessed by authorized clients. For the spring-security adapter, I see the KeycloakRestTemplate, but the factory there requires the SecurityContextHolder, which isn?t present out of the box in the authentication mechanism for the spring-boot adapter. Is there a different rest template that could use the different container auth solutions provided by the KeycloakAutoConfiguration class? Clearly accessing the bearer authentication values from these systems is app server dependent, so it would seem to make sense to have a KeycloakClientRequestFactory provider that can handle the different types of container auth that is being done by the spring-boot adapter. Has this been done already, but not yet documented? In either case, I would be happy to contribute docs or code that deals with these different implementations. Thanks, James ________________________________ This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient or the individual responsible for delivering the e-mail to the intended recipient, please be advised that you have received this e-mail in error and that any use, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you have received this communication in error, please return it to the sender immediately and delete the original message and any copy of it from your computer system. If you have any questions concerning this message, please contact the sender. Disclaimer R001.0 From dennishonders at gmail.com Sun Jul 9 15:49:30 2017 From: dennishonders at gmail.com (Dennis H) Date: Sun, 9 Jul 2017 21:49:30 +0200 Subject: [keycloak-user] Jboss-modules.jar missing Message-ID: Hi, Today I downloaded Keycloak 3.2.0.Final (zip). When running the standalone.bat, the jboss-modules.jar is missing. Do you know about this? I also have another question. What is a good way to handle authorization, so a user can only edit, for example, his own profile. How to retrieve the incomming token, get the user_id and verify it in, in this case, the ProfileComponent? I'm currently using Java Spring Boot as backend (bearer only). Thanks, Dennis From postmaster at lists.jboss.org Mon Jul 10 00:08:11 2017 From: postmaster at lists.jboss.org (Automatic Email Delivery Software) Date: Mon, 10 Jul 2017 09:38:11 +0530 Subject: [keycloak-user] jmpi Message-ID: <201707100408.v6A48FlT011272@lists01.dmz-a.mwc.hst.phx2.redhat.com> This message was undeliverable due to the following reason: Your message was not delivered because the destination server was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within 1 days: Host 153.195.58.206 is not responding. The following recipients did not receive this message: Please reply to postmaster at lists.jboss.org if you feel this message to be in error. From sthorger at redhat.com Mon Jul 10 01:04:28 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 10 Jul 2017 07:04:28 +0200 Subject: [keycloak-user] Jboss-modules.jar missing In-Reply-To: References: Message-ID: On 9 July 2017 at 21:49, Dennis H wrote: > Hi, > > Today I downloaded Keycloak 3.2.0.Final (zip). When running the > standalone.bat, the jboss-modules.jar is missing. > Do you know about this? > Can you give some more details? jboss-modules.jar is there. > > I also have another question. What is a good way to handle authorization, > so a user can only edit, for example, his own profile. How to retrieve the > incomming token, get the user_id and verify it in, in this case, the > ProfileComponent? I'm currently using Java Spring Boot as backend (bearer > only). > > Thanks, > > Dennis > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sblanc at redhat.com Mon Jul 10 02:17:00 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 10 Jul 2017 08:17:00 +0200 Subject: [keycloak-user] Keycloak Spring Boot Bearer Authentication In-Reply-To: References: Message-ID: Hi, We don't have this currently for the Spring Boot Adapter and it would be great if you could contribute on this, could you also please open a jira ticket for that on https://issues.jboss.org/browse/KEYCLOAK ? On Fri, Jul 7, 2017 at 10:33 PM, Mcshane, James P < James.P.Mcshane at healthpartners.com> wrote: > I am working on a set of Spring Boot modules all within the same Realm in > Keycloak. I would like the service to have bearer only authentication so > that the service can only be accessed by authorized clients. For the > spring-security adapter, I see the KeycloakRestTemplate, but the factory > there requires the SecurityContextHolder, which isn?t present out of the > box in the authentication mechanism for the spring-boot adapter. > > Is there a different rest template that could use the different container > auth solutions provided by the KeycloakAutoConfiguration class? Clearly > accessing the bearer authentication values from these systems is app server > dependent, so it would seem to make sense to have a > KeycloakClientRequestFactory provider that can handle the different types > of container auth that is being done by the spring-boot adapter. Has this > been done already, but not yet documented? In either case, I would be happy > to contribute docs or code that deals with these different implementations. > Thanks, > > James > > ________________________________ > > This e-mail and any files transmitted with it are confidential and are > intended solely for the use of the individual or entity to whom they are > addressed. If you are not the intended recipient or the individual > responsible for delivering the e-mail to the intended recipient, please be > advised that you have received this e-mail in error and that any use, > dissemination, forwarding, printing, or copying of this e-mail is strictly > prohibited. > > If you have received this communication in error, please return it to the > sender immediately and delete the original message and any copy of it from > your computer system. If you have any questions concerning this message, > please contact the sender. Disclaimer R001.0 > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From nicolaouantonia at gmail.com Mon Jul 10 02:21:37 2017 From: nicolaouantonia at gmail.com (Antonia Nicolaou) Date: Mon, 10 Jul 2017 09:21:37 +0300 Subject: [keycloak-user] redhat sso get baseurl in custom theme for email registration Message-ID: Hello all, Your help would be greatly appreciated. I am using single sign on service from redhat v7.1 and I am developing a custom template (in a custom theme) for registration email. In the email, Unfortunately, I didn?t find the proper way to get the client baseUrl or the url.registrationUrl . Could you please help me? Thank you in advanced. Sincerely, Antonia Nicolaou From marc.tempelmeier at flane.de Mon Jul 10 03:27:34 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Mon, 10 Jul 2017 07:27:34 +0000 Subject: [keycloak-user] Domain Clustered Mode Message-ID: <8a8b4107cc1842ae9aa51b240d6cb278@dehamex2013.europe.flane.local> Hi, Is there anyone here who has this working with 1 Master and 2-3 Slaves on Version 3.2.0? I frequently get 2 errors: Error 1 (results in unregistering the slave): Position: 22 [Server:slave1] Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist [Server:slave1] Position: 22 [Server:slave1] Caused by: org.postgresql.util.PSQLException: ERROR: relation \"public.databasechangeloglock\" does not exist Error 2 (results in immediate logout, sometimes after 1 sec or later): 10:08:22,066 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-18) RESTEASY002005: Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer If anyone has a working config, it would be really great to share :) Best regards Marc Tempelmeier From hmlnarik at redhat.com Mon Jul 10 09:09:12 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Mon, 10 Jul 2017 15:09:12 +0200 Subject: [keycloak-user] Problems logging out using JEE to keycloak to SAML (ADFS) (better formatted) In-Reply-To: <2140990500.5387792.1499205110788@mail.yahoo.com> References: <2140990500.5387792.1499205110788.ref@mail.yahoo.com> <2140990500.5387792.1499205110788@mail.yahoo.com> Message-ID: How are ADFS and Keycloak configured? If according to [1], the sessions should be cleared. Beware that ADFS also leaves ssoCookie in the browser so that it might just relogin the user behind the scenes, see discussion on [2] for further details. --Hynek [1] http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html [2] https://issues.jboss.org/browse/KEYCLOAK-4398 On Tue, Jul 4, 2017 at 11:51 PM, Jason Spittel wrote: > Apparently my formatting was lost. So I'm reposting this in a more readable format: > > Hello, > > I'm having difficulty completing a logout. > SETUP: > JEE webapp to keycloak to IdP (ADFS (SAML)) > > WORKFLOW: > 1) On logout in the webapp > externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true"); > > 2) User is sent to ADFS letting them know they have successfully logged out. > > 3) However, there is still a keycloak user session alive (seen in the admin console) > > 4) Hitting a protected resource in the webapp lets user in without having to log back in. > > Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262: > > String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER); > > if (brokerId != null) { > IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId); > Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm); > if (response != null) return response; > } > > return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers); > > I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method, to clear the keycloak user session. > But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly? > Thanks, > Jason > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From t.ruiten at rdmedia.com Mon Jul 10 10:04:22 2017 From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Mon, 10 Jul 2017 16:04:22 +0200 Subject: [keycloak-user] illegal character in path when testing email setup Message-ID: Hello, I get the following error when hitting the 'Test connection' button on the email tab in Realm settings: 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* started in 21731ms - Started 449 of 824 services (561 services are lazy, passive or on-demand) 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-11) RESTEASY002130: Failed to parse request.: javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create URI: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ "port":null,"host":"mail.rdmedia.com ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:749) at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:721) at org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUriInfo.java:58) at org.jboss.resteasy.spi.ResteasyUriInfo.(ResteasyUriInfo.java:53) at org.jboss.resteasy.plugins.server.servlet.ServletUtil.extractUriInfo(ServletUtil.java:41) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:200) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:748) Caused by: java.net.URISyntaxException: Illegal character in path at index 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ "port":null,"host":"mail.rdmedia.com ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} at java.net.URI$Parser.fail(URI.java:2848) at java.net.URI$Parser.checkChars(URI.java:3021) at java.net.URI$Parser.parseHierarchical(URI.java:3105) at java.net.URI$Parser.parse(URI.java:3053) at java.net.URI.(URI.java:588) at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:744) ... 40 more The 67th character is the slash after testSMTPConnection. Is this a bug and/or is there a workaround/fix? -- Tiemen Ruiten Systems Engineer R&D Media From jasonspittel at yahoo.com Mon Jul 10 10:44:52 2017 From: jasonspittel at yahoo.com (Jason Spittel) Date: Mon, 10 Jul 2017 14:44:52 +0000 (UTC) Subject: [keycloak-user] Problems logging out using JEE to keycloak to SAML (ADFS) (better formatted) In-Reply-To: References: <2140990500.5387792.1499205110788.ref@mail.yahoo.com> <2140990500.5387792.1499205110788@mail.yahoo.com> Message-ID: <1621105909.2492952.1499697892635@mail.yahoo.com> Hi Hynek, My setup is exactly from that tutorial. And I found the problem with logging out, I'm not sure how to report the issue (not sure if it's really a KC issue at all), raise a Jira ticket? Setup:JEE app running JSF calling EJBs.JEE app using wildfly keycloak saml adapters to talk to Keycloak (KC)Keycloak setup to use ADFS as its IdP. Problem:JEE app needs to logout twice to logout. (That is, after first logout, you can still hit the protected resource on the JEE app without logging in again) Cause:1) first logout:- JSF's redirects (externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true" );) removes the jsessionId cookie, which causes an initial auth from JEE to KC when logout is hit.?-rest of logout proceeds properly, Realm Session ID is removed from KC, ADFS logs use out.2) second logout-JSF's redirect again removes the jsessionId cookie, tries to do an initial auth from JEE to KC, but KC doesn't have any sessions to auth user with, and user is kicked out, 'successfully' logging out. Solution:preserve the jsessionid on redirect, initial auth to KC doesn't occur on logout. ? ?public void logout() throws IOException, ServletException ?? { ??????ExternalContext externalContext = _context.getExternalContext(); ??????try ??????{ ? ? ? ? ?externalContext.invalidateSession(); ???????? _httpRequest.logout(); ??????} ??????catch (Exception ex) ??????{ ???????? _logger.error(ex); ??????} ??????finally ??????{ ???????? // need to set the cookie for the jsessionid, or will re-auth with KC, and will require two logouts to logout completely ???????? preserveJsessionidCookie(externalContext); ???????? externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true" ); ??????} ?? } ?? private void preserveJsessionidCookie(ExternalContext externalContext) ?? { ??????for (Cookie cookie : ((HttpServletRequest)externalContext.getRequest()).getCookies()) ??????{ ???????? if (cookie.getName().equalsIgnoreCase("jsessionid")) ???????? { ????????????((HttpServletResponse)externalContext.getResponse()).addCookie(cookie); ????????????break; ???????? } ??????} ?? } Cheers, JasonOn Monday, July 10, 2017, 6:09:36 AM PDT, Hynek Mlnarik wrote: How are ADFS and Keycloak configured? If according to [1], the sessions should be cleared. Beware that ADFS also leaves ssoCookie in the browser so that it might just relogin the user behind the scenes, see discussion on [2] for further details. --Hynek [1] http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html [2] https://issues.jboss.org/browse/KEYCLOAK-4398 On Tue, Jul 4, 2017 at 11:51 PM, Jason Spittel wrote: > Apparently my formatting was lost. So I'm reposting this in a more readable format: > > Hello, > > I'm having difficulty completing a logout. > SETUP: > JEE webapp to keycloak to IdP (ADFS (SAML)) > > WORKFLOW: > 1) On logout in the webapp > externalContext.redirect(externalContext.getRequestContextPath() + "?GLO=true"); > > 2) User is sent to ADFS letting them know they have successfully logged out. > > 3) However, there is still a keycloak user session alive (seen in the admin console) > > 4) Hitting a protected resource in the webapp lets user in without having to log back in. > > Debugging the keycloak server, I found this bit of code in AuthenticationManager.browserLogout() line 262: > > String brokerId = userSession.getNote(Details.IDENTITY_PROVIDER); > > if (brokerId != null) { >? ? IdentityProvider identityProvider = IdentityBrokerService.getIdentityProvider(session, realm, brokerId); >? ? Response response = identityProvider.keycloakInitiatedBrowserLogout(session, userSession, uriInfo, realm); >? ? if (response != null) return response; > } > > return finishBrowserLogout(session, realm, userSession, uriInfo, connection, headers); > > I think, unless I'm misunderstanding it, that I need to hit the finishBrowserLogout method, to clear the keycloak user session. > But the way this is written makes it so it never will. Is keycloak expecting ADFS to clear its user session? Am I logging out incorrectly? > Thanks, > Jason > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From shimin_q at yahoo.com Mon Jul 10 11:56:47 2017 From: shimin_q at yahoo.com (shimin q) Date: Mon, 10 Jul 2017 15:56:47 +0000 (UTC) Subject: [keycloak-user] keycloak APIs to retrieve logged-in user References: <1827862300.2313151.1499702207109.ref@mail.yahoo.com> Message-ID: <1827862300.2313151.1499702207109@mail.yahoo.com> Hi,? I am new to keycloak (sorry if the answer to my question seems obvious!). ?We plan to use keycloak to secure a bunch of web apps, some written in Java, some in JavaScript (with React). ?? After the user is logged in by keycloak, each of those web apps needs to retrieve the user that is logged in and the realm/client roles that the user has. ? - For Java apps, we tried the keycloak Java API (request -> KeycloakSecurityContext -> getIdToken -> getPreferredUsername/getOtherClaims). ? They seem to work fine - For JavaScript apps, we are hitting roadblocks. ? What APIs would you recommend to use specifically? ?Do you have any example code for JavaScript apps? ? Tried the following code, but could not get Keycloak to init successfully (Note this is in web app code after the user is already authenticated by keycloak, the app is only trying to retrieve who logged in with what roles): var kc = Keycloak({????url: 'https://135.112.123.194:8666/auth',????realm: 'rtna',????clientId: 'main'});?//var kc = Keycloak('./keycloak.json'); //this does not work as it can't find the keycloak.json file under WEB-INF//kc.loadUserInfo();var userid = kc.subject;console.log("user id " + userid); kc.init({ onLoad: 'login-required' }).success(function () {????console.log("===================================");????console.log("kc.idToken.preferred_username: " + kc.idToken.preferred_username);? ??alert(JSON.stringify(kc.tokenParsed));?? ??var authenticatedUser = kc.idTokenParsed.name;?? ? console.log(authenticatedUser); ???}).error(function () {????window.location.reload();??}); Please advise. ?Thank you!! From Ori.Doolman at amdocs.com Mon Jul 10 17:18:20 2017 From: Ori.Doolman at amdocs.com (Ori Doolman) Date: Mon, 10 Jul 2017 21:18:20 +0000 Subject: [keycloak-user] change password page in my application Message-ID: Hi, I want my application's users to be able to change their password. My app is a web application using React/Node.JS. I have 2 options to implement this having the end user interacts directly with Keycloak (so password will not go through my application): 1) Customize the account theme (ftl) and use the /account endpoint. In this form the user will enter his old and new password interactively. 2) Use the Keycloak admin REST API from my application server (Node.JS) and make Keycloak send the user a mail with a link to reset the password: PUT /admin/realms/{realm}/users/{id}/execute-actions-email Once the user clicks the link, he will need to set the new password. Which of the above is a preferred option ? Or is there any other option ? Thanks, Ori. This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer From Vijay8.pasupuleti at gmail.com Tue Jul 11 01:18:27 2017 From: Vijay8.pasupuleti at gmail.com (Vjraj) Date: Mon, 10 Jul 2017 22:18:27 -0700 (MST) Subject: [keycloak-user] how to Check if User is logged in or not? Message-ID: <1499750307617-3943.post@n6.nabble.com> we are implementing SSO among multiple Angular 2 Applications running on different domains using keycloak (Note: use are not using any keycloak adapters) the problem we face is the cookies are domain specific and we cant access the cokie of one app in another the way this problem can be solved in our point of view is to check if any user in logged in through this browser and if logged in we will direct to login page and it will return back with token and if not login it must the normal page designed for not logged in user 1.how can we be able to check if any user is available ? 2.is there any alternative way to achieve this? thanks in adavance. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/how-to-Check-if-User-is-logged-in-or-not-tp3943.html Sent from the keycloak-user mailing list archive at Nabble.com. From sthorger at redhat.com Tue Jul 11 01:28:50 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 11 Jul 2017 07:28:50 +0200 Subject: [keycloak-user] change password page in my application In-Reply-To: References: Message-ID: Option 1. On 10 July 2017 at 23:18, Ori Doolman wrote: > Hi, > > I want my application's users to be able to change their password. > My app is a web application using React/Node.JS. > > I have 2 options to implement this having the end user interacts directly > with Keycloak (so password will not go through my application): > > > 1) Customize the account theme (ftl) and use the /account endpoint. > In this form the user will enter his old and new password interactively. > > 2) Use the Keycloak admin REST API from my application server > (Node.JS) and make Keycloak send the user a mail with a link to reset the > password: > PUT /admin/realms/{realm}/users/{id}/execute-actions-email > Once the user clicks the link, he will need to set the new password. > > Which of the above is a preferred option ? Or is there any other option ? > > > > Thanks, > > Ori. > > This message and the information contained herein is proprietary and > confidential and subject to the Amdocs policy statement, > > you may review at https://www.amdocs.com/about/email-disclaimer < > https://www.amdocs.com/about/email-disclaimer> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Tue Jul 11 01:35:57 2017 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 11 Jul 2017 07:35:57 +0200 Subject: [keycloak-user] illegal character in path when testing email setup In-Reply-To: References: Message-ID: Tried to reproduce this, but can't and it's working just fine here. Do you have steps to reproduce? On 10 July 2017 at 16:04, Tiemen Ruiten wrote: > Hello, > > I get the following error when hitting the 'Test connection' button on the > email tab in Realm settings: > > 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) > WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* started in > 21731ms - Started 449 of 824 services (561 services are lazy, passive or > on-demand) > 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] > (default task-11) RESTEASY002130: Failed to parse request.: > javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create > URI: > https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ > "port":null,"host":"mail.rdmedia.com > ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} > at > org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues( > ResteasyUriBuilder.java:749) > at > org.jboss.resteasy.specimpl.ResteasyUriBuilder.build( > ResteasyUriBuilder.java:721) > at > org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUriInfo.java:58) > at org.jboss.resteasy.spi.ResteasyUriInfo.(ResteasyUriInfo.java:53) > at > org.jboss.resteasy.plugins.server.servlet.ServletUtil. > extractUriInfo(ServletUtil.java:41) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. > service(ServletContainerDispatcher.java:200) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( > HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( > HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest( > ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( > KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest( > FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. > handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( > ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHand > ler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandl > er.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl > er.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstrai > ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand > ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest( > NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. > handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( > ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( > ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$ > 000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( > ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run( > HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:748) > Caused by: java.net.URISyntaxException: Illegal character in path at index > 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ > "port":null,"host":"mail.rdmedia.com > ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} > at java.net.URI$Parser.fail(URI.java:2848) > at java.net.URI$Parser.checkChars(URI.java:3021) > at java.net.URI$Parser.parseHierarchical(URI.java:3105) > at java.net.URI$Parser.parse(URI.java:3053) > at java.net.URI.(URI.java:588) > at > org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues( > ResteasyUriBuilder.java:744) > ... 40 more > > The 67th character is the slash after testSMTPConnection. Is this a bug > and/or is there a workaround/fix? > > -- > Tiemen Ruiten > Systems Engineer > R&D Media > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From marc.tempelmeier at flane.de Tue Jul 11 04:15:28 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Tue, 11 Jul 2017 08:15:28 +0000 Subject: [keycloak-user] Domain Clustered Mode Message-ID: <444cd1a4798a43c58738b656cad9a8af@dehamex2013.europe.flane.local> Hi again, We fixed the bearer error, it was different time settings in the cluster... But the liquibase errors remains, it seems we have exactly this problem: https://stackoverflow.com/questions/26235744/liquibase-case-insensitivity-in-postgresql. As far as I see it all table names are upper case in the liquibase change files. Any idea? -----Urspr?ngliche Nachricht----- Von: Marc Tempelmeier Gesendet: Monday, July 10, 2017 9:28 AM An: keycloak-user at lists.jboss.org Betreff: Domain Clustered Mode Hi, Is there anyone here who has this working with 1 Master and 2-3 Slaves on Version 3.2.0? I frequently get 2 errors: Error 1 (results in unregistering the slave): Position: 22 [Server:slave1] Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist [Server:slave1] Position: 22 [Server:slave1] Caused by: org.postgresql.util.PSQLException: ERROR: relation \"public.databasechangeloglock\" does not exist Error 2 (results in immediate logout, sometimes after 1 sec or later): 10:08:22,066 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-18) RESTEASY002005: Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer If anyone has a working config, it would be really great to share :) Best regards Marc Tempelmeier From marc.tempelmeier at flane.de Tue Jul 11 08:10:47 2017 From: marc.tempelmeier at flane.de (Marc Tempelmeier) Date: Tue, 11 Jul 2017 12:10:47 +0000 Subject: [keycloak-user] Domain Clustered Mode In-Reply-To: <444cd1a4798a43c58738b656cad9a8af@dehamex2013.europe.flane.local> References: <444cd1a4798a43c58738b656cad9a8af@dehamex2013.europe.flane.local> Message-ID: Also we get this errors on docker-compose startup from the postgres nodes: postgresql-node2_1 | ERROR: relation "public.databasechangeloglock" does not exist at character 22 postgresql-node2_1 | STATEMENT: select count(*) from public.databasechangeloglock postgresql-node1_1 | ERROR: portal "pgpool_error_portal" does not exist postgresql-node1_1 | ERROR: relation "public.databasechangelog" does not exist at character 22 postgresql-node1_1 | STATEMENT: select count(*) from public.databasechangelog postgresql-node1_1 | ERROR: relation "public.databasechangelog" does not exist at character 22 postgresql-node1_1 | STATEMENT: select count(*) from public.databasechangelog Seems really to be liquibase connected issue -----Urspr?ngliche Nachricht----- Von: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] Im Auftrag von Marc Tempelmeier Gesendet: Tuesday, July 11, 2017 10:15 AM An: keycloak-user at lists.jboss.org Betreff: Re: [keycloak-user] Domain Clustered Mode Hi again, We fixed the bearer error, it was different time settings in the cluster... But the liquibase errors remains, it seems we have exactly this problem: https://stackoverflow.com/questions/26235744/liquibase-case-insensitivity-in-postgresql. As far as I see it all table names are upper case in the liquibase change files. Any idea? -----Urspr?ngliche Nachricht----- Von: Marc Tempelmeier Gesendet: Monday, July 10, 2017 9:28 AM An: keycloak-user at lists.jboss.org Betreff: Domain Clustered Mode Hi, Is there anyone here who has this working with 1 Master and 2-3 Slaves on Version 3.2.0? I frequently get 2 errors: Error 1 (results in unregistering the slave): Position: 22 [Server:slave1] Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation \"public.databasechangeloglock\" does not exist [Server:slave1] Position: 22 [Server:slave1] Caused by: org.postgresql.util.PSQLException: ERROR: relation \"public.databasechangeloglock\" does not exist Error 2 (results in immediate logout, sometimes after 1 sec or later): 10:08:22,066 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-18) RESTEASY002005: Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer If anyone has a working config, it would be really great to share :) Best regards Marc Tempelmeier _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From reza.shams at axis.com Tue Jul 11 08:48:45 2017 From: reza.shams at axis.com (Reza Shams Amiri) Date: Tue, 11 Jul 2017 12:48:45 +0000 Subject: [keycloak-user] KeyCloak Clustering and High Availability question Message-ID: <838293A9-2EC7-438F-A58C-88ACE407F7B6@axis.com> Hi, I am also evaluating KeyCloak for my organization. I have a question about how failover in KeyCloak works. From what I understood from the documentation, it says that the application scalability is handled by wildfly clustering but with a shared database. I couldn?t find a documentation about what we should do in case of database failure? We want to have two different clustered nodes in two different continents for idp and we mainly have mysql databases. Clustering them is actually painful and done through rabbitMQ synced messages and in some custom ways. So how can we handle database failure in KeyCloak let?s say if the link between Sweden and USA is completely broken? Thanks a lot /Reza From nicolaouantonia at gmail.com Tue Jul 11 10:08:56 2017 From: nicolaouantonia at gmail.com (Antonia Nicolaou) Date: Tue, 11 Jul 2017 17:08:56 +0300 Subject: [keycloak-user] redhat sso get baseurl in custom theme for email registration In-Reply-To: References: Message-ID: Kind reminder 2017-07-10 9:21 GMT+03:00 Antonia Nicolaou : > Hello all, > > > > Your help would be greatly appreciated. > > > I am using single sign on service from redhat v7.1 and I am developing a > custom template (in a custom theme) for registration email. In the email, > Unfortunately, I didn?t find the proper way to get the client baseUrl or > the url.registrationUrl . > > Could you please help me? > > > > Thank you in advanced. > > Sincerely, > > Antonia Nicolaou > From federico at info.nl Tue Jul 11 10:38:33 2017 From: federico at info.nl (Federico Navarro Polo - Info.nl) Date: Tue, 11 Jul 2017 14:38:33 +0000 Subject: [keycloak-user] error=pkce_verification_failed Message-ID: <285AAEA2-C62A-4235-BC7D-4AB99F93A412@info.nl> Hello, After upgrading our Keycloak version to 3.1.0, we?ve started seeing the following error in one of our use cases (using AppAuth). 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256 2017-07-11 16:21:12,135 WARN [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone at somewhere.nl 2017-07-11 16:21:12,136 WARN [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956 Is it possible to disable PKCE from Keycloak configuration? Met vriendelijke groet, Federico Navarro backend developer federico at info.nl | LinkedIn | +31 (0)2 05 30 91 61 info.nl Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 From bburke at redhat.com Tue Jul 11 10:46:51 2017 From: bburke at redhat.com (Bill Burke) Date: Tue, 11 Jul 2017 10:46:51 -0400 Subject: [keycloak-user] KeyCloak Clustering and High Availability question In-Reply-To: <838293A9-2EC7-438F-A58C-88ACE407F7B6@axis.com> References: <838293A9-2EC7-438F-A58C-88ACE407F7B6@axis.com> Message-ID: <25710b88-ad20-fa93-2409-3c6c5c7976c2@redhat.com> Wildfly clustering handles user login session replication as well as the caching layer for information stored in the shared database and/or LDAP and/or any other external user store. Shared database is required for storing realm configuration data and user data and imported user data. So Wildfly clustering handles anything in-memory related and for database stuff you have to rely on your database vendor for whatever solution they have for this. On 7/11/17 8:48 AM, Reza Shams Amiri wrote: > Hi, > > I am also evaluating KeyCloak for my organization. I have a question about how failover in KeyCloak works. > From what I understood from the documentation, it says that the application scalability is handled by wildfly clustering but with a shared database. > I couldn?t find a documentation about what we should do in case of database failure? > We want to have two different clustered nodes in two different continents for idp and we mainly have mysql databases. Clustering them is actually painful and done through rabbitMQ synced messages and in some custom ways. So how can we handle database failure in KeyCloak let?s say if the link between Sweden and USA is completely broken? > > Thanks a lot > /Reza > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From max.catarino at rps.com.br Tue Jul 11 13:54:33 2017 From: max.catarino at rps.com.br (Maximiliano) Date: Tue, 11 Jul 2017 10:54:33 -0700 (MST) Subject: [keycloak-user] how to Check if User is logged in or not? In-Reply-To: <1499750307617-3943.post@n6.nabble.com> References: <1499750307617-3943.post@n6.nabble.com> Message-ID: <1499795673796-3944.post@n6.nabble.com> Take a look at this post: CURL login . -- View this message in context: http://keycloak-user.88327.x6.nabble.com/how-to-Check-if-User-is-logged-in-or-not-tp3943p3944.html Sent from the keycloak-user mailing list archive at Nabble.com. From dennishonders at gmail.com Tue Jul 11 14:00:12 2017 From: dennishonders at gmail.com (Dennis H) Date: Tue, 11 Jul 2017 20:00:12 +0200 Subject: [keycloak-user] Error 403 Java Spring Boot Message-ID: I receive a http error 403 when accessing a bearer-only resource with Postman that is secured with keycloak. The user has the needed role. Debug logs: BEARER AUTHENTICATED. What could be the problem here? *Application.properties* keycloak.realm=myrealm keycloak.bearer-only=true keycloak.auth-server-url=http://localhost:8080/auth keycloak.ssl-required=external keycloak.resource=my-app keycloak.use-resource-role-mappings=true keycloak.securityConstraints[0].securityCollections[0].name=secured keycloak.securityConstraints[0].authRoles[0]=app-user keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/secured/* logging.level.org.keycloak=DEBUG *Postman* http://localhost:8081/secured/posts/0/10 Authorization: Bearer aDSFla56s... *Debug* 2017-07-11 19:53:41.306 DEBUG 22556 --- [nio-8081-exec-1] o.k.adapters.PreAuthActionsHandler : adminRequest http://localhost:8081/secured/posts/0/10 2017-07-11 19:53:41.313 DEBUG 22556 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for authentication of client 'my-app' 2017-07-11 19:53:41.314 DEBUG 22556 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret 2017-07-11 19:53:41.315 DEBUG 22556 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt 2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider secret 2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1] o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider jwt 2017-07-11 19:53:41.354 DEBUG 22556 --- [nio-8081-exec-1] o.keycloak.adapters.KeycloakDeployment : resolveUrls 2017-07-11 19:53:41.356 DEBUG 22556 --- [nio-8081-exec-1] o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl: http://localhost:8080/auth, tokenUrl: http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token, relativeUrls: NEVER 2017-07-11 19:53:41.631 DEBUG 22556 --- [nio-8081-exec-1] o.k.a.rotation.JWKPublicKeyLocator : Realm public keys successfully retrieved for client my-app. New kids: [NsYwvDAUJYY3ioS9-0mpo] 2017-07-11 19:53:41.641 DEBUG 22556 --- [nio-8081-exec-1] o.k.adapters.RequestAuthenticator : User 'c1ed6bf7-5dd-988-94fab8ecf' invoking ' http://localhost:8081/secured/posts/0/10' on client 'my-app' 2017-07-11 19:53:41.642 DEBUG 22556 --- [nio-8081-exec-1] o.k.adapters.RequestAuthenticator : *Bearer AUTHENTICATED* From max.catarino at rps.com.br Tue Jul 11 14:08:46 2017 From: max.catarino at rps.com.br (Maximiliano) Date: Tue, 11 Jul 2017 11:08:46 -0700 (MST) Subject: [keycloak-user] how to Check if User is logged in or not? In-Reply-To: <1499795673796-3944.post@n6.nabble.com> References: <1499750307617-3943.post@n6.nabble.com> <1499795673796-3944.post@n6.nabble.com> Message-ID: <1499796526856-3945.post@n6.nabble.com> To check if the token is valid, use introspect endpoint. Introspect -- View this message in context: http://keycloak-user.88327.x6.nabble.com/how-to-Check-if-User-is-logged-in-or-not-tp3943p3945.html Sent from the keycloak-user mailing list archive at Nabble.com. From mposolda at redhat.com Tue Jul 11 16:56:20 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 11 Jul 2017 22:56:20 +0200 Subject: [keycloak-user] error=pkce_verification_failed In-Reply-To: <285AAEA2-C62A-4235-BC7D-4AB99F93A412@info.nl> References: <285AAEA2-C62A-4235-BC7D-4AB99F93A412@info.nl> Message-ID: <67434e71-ba6a-18a1-cca2-fd6c93dc1882@redhat.com> Still I would try to upgrade to 3.2.0.Final if possible. AFAIK there was some related fixes in there, so worth to try if it's not a lot of work for you. Otherwise workaround is to disable PKCE for your adapter, which will also remove all related parameters from the initial request to Keycloak. Marek On 11/07/17 16:38, Federico Navarro Polo - Info.nl wrote: > Hello, > > After upgrading our Keycloak version to 3.1.0, we?ve started seeing the following error in one of our use cases (using AppAuth). > > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256 > 2017-07-11 16:21:12,135 WARN [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone at somewhere.nl > 2017-07-11 16:21:12,136 WARN [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret > > > I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956 > > Is it possible to disable PKCE from Keycloak configuration? > > > Met vriendelijke groet, > > Federico Navarro > > backend developer > > federico at info.nl | LinkedIn | +31 (0)2 05 30 91 61 > > info.nl > > Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Jul 11 16:59:31 2017 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 11 Jul 2017 22:59:31 +0200 Subject: [keycloak-user] Consent Required how it works exatly In-Reply-To: References: Message-ID: <46c0a439-dee0-a3bb-1cce-97f781cfbb37@redhat.com> It means that after successful login to this client, the Keycloak will display the screen where user needs to confirm if he wants to share his personal informations and roles with the client applications. Something like "application XY wants to see your email, firstName, lastName and roles user and administrator". You may know this type of screen from vendors like Facebook or Google. Marek On 04/07/17 17:35, Nikolaj Majorov wrote: > Hi all, > > I see that for sample app-jee-html5 application in the the client > configuration the property > "Consent Required" is configured. How does it implemented ? doest it > mean that application get cookie first after user logged-in with > user-name password or other js Iframe ? and only after login with > user-name& password the client can ask for token ? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From brahima at gmail.com Tue Jul 11 20:10:00 2017 From: brahima at gmail.com (Brahim Ait elhaj) Date: Wed, 12 Jul 2017 02:10:00 +0200 Subject: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT) Message-ID: Hi everyone, Lately i was playing with Keycloak (KC), evaluating it for an IoT project and i have a question regarding the authorization services. One of my use case is : devices that connect to an MQTT Broker using X.509 client authentication. Note : when i talk about device, you must understand KC user (device = user). For several reasons/constraints that i won't explain here, i can't have my devices connect first to Keycloak to obtain a token (using their X.509 certificates as KC supports it) and then connect to the MQTT Broker passing this token. They connect directly to the MQTT Broker, each device presenting its X.509 certificate to the Broker. After connection, the Broker doesn't know client private key. My need is to have my MQTT Broker (ideally through KC) authorize/reject MQTT client to publish/subscribe to specific topic. MQTT Topic being some kind of uri/path, i already have an idea of how to configure KC (client, resource, policy, permission ...) to authorize/reject these access. However, as i understand it, the starting point for all the ? authorization services ? (Authorization API, Entitlement API ... ) is a ? user Access Token ?. In my case, i don't have a user access token ... so i'm kind of stuck to use any of the K.C API (unless i missed something). Hence, My question is how can i make my MQTT Broker (.ie : resource server) interact with KC to enforce/evaluate policy ? Is it possible without the user access token ? Hope i made myself clear and thanks in advance for any help ... Best regards, Brahim From mposolda at redhat.com Wed Jul 12 02:51:18 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Jul 2017 08:51:18 +0200 Subject: [keycloak-user] Kerberos Authentication throws Exception In-Reply-To: References: <0d8e7bae-a4b5-2b59-96f4-634e2635bc8e@finsterwalder.name>

Message-ID: Do you have "/etc/krb5.conf" file on the server where your Keycloak is deployed? In this file you need to have configuration of kerberos realm corresponding to the kerberos realm you used in the Keycloak LDAP storage provider configuration. The host/port of kdc needs to be accessible through network. The configuration of kdc in the /etc/krb5.conf file can look like this for example: KEYCLOAK.ORG={ kdc = localhost:6088 } Marek On 06/07/17 19:26, Malte Finsterwalder wrote: > I tweaked my config a bit and fixed an error there. It still doesn't work > correctly, but now I get an ICMP Error, after the SPNEGO Failure and a try > to login with username and password; > > 17:23:54,184 INFO [stdout] (default task-21) [Krb5LoginModule] > authentication failed > 17:23:54,184 INFO [stdout] (default task-21) ICMP Port Unreachable > 17:23:54,185 WARN [org.keycloak.services] (default task-21) > KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException: > Kerberos unreachable > at > org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108) > at > org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:94) > at > org.keycloak.storage.ldap.LDAPStorageProvider.validPassword(LDAPStorageProvider.java:512) > at > org.keycloak.storage.ldap.LDAPStorageProvider.isValid(LDAPStorageProvider.java:602) > at > org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:140) > at > org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:121) > at > org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:175) > at > org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:151) > at > org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56) > at > org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49) > at > org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92) > at > org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76) > at > org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759) > at > org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365) > at > org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347) > at > org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808) > at > com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) > at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) > at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) > at javax.security.auth.login.LoginContext.login(LoginContext.java:587) > at > org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject(KerberosUsernamePasswordAuthenticator.java:128) > at > org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:90) > ... 61 more > Caused by: java.net.PortUnreachableException: ICMP Port Unreachable > at java.net.PlainDatagramSocketImpl.receive0(Native Method) > at > java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143) > at java.net.DatagramSocket.receive(DatagramSocket.java:812) > at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206) > at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411) > at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364) > at java.security.AccessController.doPrivileged(Native Method) > at sun.security.krb5.KdcComm.send(KdcComm.java:348) > at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253) > at sun.security.krb5.KdcComm.send(KdcComm.java:229) > at sun.security.krb5.KdcComm.send(KdcComm.java:200) > at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316) > at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361) > at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766) > ... 75 more > > > On 6 July 2017 at 17:21, Malte Finsterwalder wrote: > >> Hi there, >> >> I tried to configure Keycloak to authenticate against Windows Active >> Directory using Kerberos credentials. >> But I keep getting an Exception. >> >> Setup is as follows: >> >> I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final. >> In addition I installed freeipa-client and added a /etc/krb5.conf file as >> well as my keytab file. >> >> But when I configure Kerberos as required in the browser flow, I get the >> following Exception and the browser shows me a basic auth login dialog, >> that does not allow me to log in at all. >> >> Any ideas? How can gather more information? >> >> 13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true >> useTicketCache false useKeyTab true doNotPrompt true ticketCache is null >> isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab >> refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANS >> EMERKUR.DE at HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false >> storePass is false clearPass is false >> 13:26:25,796 INFO [stdout] (default task-64) principal is >> HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE at HH.HANSEMERKUR.DE >> 13:26:25,796 INFO [stdout] (default task-64) Will use keytab >> 13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded >> 13:26:25,796 INFO [stdout] (default task-64) >> >> 13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] >> (default task-47) SPNEGO login failed: java.security.PrivilegedActionException: >> GSSException: Defective token detected (Mechanism level: GSSHeader did not >> find the right tag) >> at java.security.AccessController.doPrivileged(Native Method) >> at javax.security.auth.Subject.doAs(Subject.java:422) >> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.au >> thenticate(SPNEGOAuthenticator.java:68) >> at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(L >> DAPStorageProvider.java:542) >> at org.keycloak.credential.UserCredentialStoreManager.authentic >> ate(UserCredentialStoreManager.java:323) >> at org.keycloak.authentication.authenticators.browser.SpnegoAut >> henticator.authenticate(SpnegoAuthenticator.java:90) >> at org.keycloak.authentication.DefaultAuthenticationFlow.proces >> sFlow(DefaultAuthenticationFlow.java:184) >> at org.keycloak.authentication.AuthenticationProcessor.authenti >> cateOnly(AuthenticationProcessor.java:792) >> at org.keycloak.authentication.AuthenticationProcessor.authenti >> cate(AuthenticationProcessor.java:667) >> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowse >> rAuthenticationRequest(AuthorizationEndpointBase.java:123) >> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.b >> uildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317) >> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint. >> build(AuthorizationEndpoint.java:125) >> at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje >> ctorImpl.java:139) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget >> (ResourceMethodInvoker.java:295) >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc >> eMethodInvoker.java:249) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >> tObject(ResourceLocatorInvoker.java:138) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >> ceLocatorInvoker.java:107) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge >> tObject(ResourceLocatorInvoker.java:133) >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour >> ceLocatorInvoker.java:101) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >> nousDispatcher.java:395) >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro >> nousDispatcher.java:202) >> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >> spatcher.service(ServletContainerDispatcher.java:221) >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >> her.service(HttpServletDispatcher.java:56) >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >> her.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se >> rvletHandler.java:85) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >> oFilter(FilterHandler.java:129) >> at org.keycloak.services.filters.KeycloakSessionServletFilter.d >> oFilter(KeycloakSessionServletFilter.java:90) >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >> oFilter(FilterHandler.java:131) >> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil >> terHandler.java:84) >> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan >> dler.handleRequest(ServletSecurityRoleHandler.java:62) >> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl >> eRequest(ServletDispatchingHandler.java:36) >> at org.wildfly.extension.undertow.security.SecurityContextAssoc >> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at io.undertow.servlet.handlers.security.SSLInformationAssociat >> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at io.undertow.servlet.handlers.security.ServletAuthenticationC >> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at io.undertow.security.handlers.AbstractConfidentialityHandler >> .handleRequest(AbstractConfidentialityHandler.java:46) >> at io.undertow.servlet.handlers.security.ServletConfidentiality >> ConstraintHandler.handleRequest(ServletConfident >> ialityConstraintHandler.java:64) >> at io.undertow.security.handlers.AuthenticationMechanismsHandle >> r.handleRequest(AuthenticationMechanismsHandler.java:60) >> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes >> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at io.undertow.security.handlers.NotificationReceiverHandler.ha >> ndleRequest(NotificationReceiverHandler.java:50) >> at io.undertow.security.handlers.AbstractSecurityContextAssocia >> tionHandler.handleRequest(AbstractSecurityContextAssociation >> Handler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa >> ndler.handleRequest(JACCContextIdHandler.java:61) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir >> stRequest(ServletInitialHandler.java:284) >> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >> equest(ServletInitialHandler.java:263) >> at io.undertow.servlet.handlers.ServletInitialHandler.access$00 >> 0(ServletInitialHandler.java:81) >> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >> equest(ServletInitialHandler.java:174) >> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >> ge.java:793) >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at java.lang.Thread.run(Thread.java:745) >> Caused by: GSSException: Defective token detected (Mechanism level: >> GSSHeader did not find the right tag) >> at sun.security.jgss.GSSHeader.(GSSHeader.java:97) >> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext >> Impl.java:306) >> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext >> Impl.java:285) >> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.es >> tablishContext(SPNEGOAuthenticator.java:172) >> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac >> ceptSecContext.run(SPNEGOAuthenticator.java:135) >> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac >> ceptSecContext.run(SPNEGOAuthenticator.java:125) >> ... 60 more >> >> 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]: >> Entering logout >> 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]: >> logged out Subject >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Jul 12 02:59:37 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Jul 2017 08:59:37 +0200 Subject: [keycloak-user] SAML HttpServletRequest.logout() support In-Reply-To: <1263738321.6142511.1499280048359@mail.yahoo.com> References: <1263738321.6142511.1499280048359.ref@mail.yahoo.com> <1263738321.6142511.1499280048359@mail.yahoo.com> Message-ID: You can check our SAML examples in the keycloak-examples distribution. They're doing logout. Marek On 05/07/17 20:40, Jason Spittel wrote: > I'm having trouble with SAML Logout. I have a JEE app that uses Keycloak as an identity broker to ADFS. > Following these instructions:Logout | Keycloak Documentation > > > | > | > | | > Logout | Keycloak Documentation > > > | > > | > > | > > > > I should be able to just call HttpServletRequest.logout(). But that doesn't do anything. > Searching Jira I see this a reported issue. > [KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue Tracker > > > | > | > | | > [KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue T... > > > | > > | > > | > > > > While that's being worked on, are there workarounds to do a SAML logout through Keycloak? > > Thanks, > Jason > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Jul 12 03:10:01 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Jul 2017 09:10:01 +0200 Subject: [keycloak-user] Application to application: could Keycloak implement this? In-Reply-To: <7d4227a7-9bc4-0a93-dffb-c1daa725b0fa@psynd.net> References: <7d4227a7-9bc4-0a93-dffb-c1daa725b0fa@psynd.net> Message-ID: Hi, We have example in documentation for EJB propagation from web application where Keycloak. See https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/jboss-adapter.html and especially the last paragraph "Security domain" . We have unofficial example I've written to propagate identity from fat client through remote EJB calls: https://github.com/mposolda/keycloak-remote-ejb Marek On 04/07/17 18:42, Tech wrote: > Dear experts, > > I want to bring you this use case to understand if you might be able to > support me. > > Our architecture is based in java, where we might have two kind of clients: > > * Fat java clients > * Browsers > > Application servers with: > > * Web containers performing local and remote EJB calls + remote WS calls > * EJB container performing local and remote EJB calls + remote WS calls > * A remote EJB server performing local and remote EJB calls + remote > WS calls > * Ws implemeting SOAP or REST > * Server SSO able to protect what described above > > The goal is to allow the clients (thin and fat) to authenticate on the > SSO server and to propagate the user identity on these requests: > > * Fat client authenticated -> EJB secure -> WS secure > * Browser authenticated -> Web container -> EJB secure -> WS secure > > The solution could use a secure token OAuth, OIDC or SAML. > > The token propagation should be based on standards JAAS and WS-Security. > > We saw that is possible to implement something similar in some SAML > Login Modules on JBoss Enterprise server, but we are not finding > anything equivalent in Keycloak. > > We cannot neither find, for example, not neither for a STS server, that > are the required elements to transform this kind of tokens. > > > Did anybody faced a similar experience? > > Thanks for your support! > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From reza.shams at axis.com Wed Jul 12 03:48:04 2017 From: reza.shams at axis.com (Reza Shams Amiri) Date: Wed, 12 Jul 2017 07:48:04 +0000 Subject: [keycloak-user] KeyCloak Clustering and High Availability question In-Reply-To: <25710b88-ad20-fa93-2409-3c6c5c7976c2@redhat.com> References: <838293A9-2EC7-438F-A58C-88ACE407F7B6@axis.com> <25710b88-ad20-fa93-2409-3c6c5c7976c2@redhat.com> Message-ID: <85D40823-BAAD-4888-9797-5041BFCD4B9F@axis.com> Thanks a lot Bill, so my question specifically is: if for instance, mysql database is down for an hour but wildfly clusters, and ldaps are up, the idp still can operate because of caching? And will resync the configuration when the database is up again? You said about *database stuff*, what exactly will not work if database is not accessible for a while? Thanks in advance On 2017-07-11, 17:40, "keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke" wrote: Wildfly clustering handles user login session replication as well as the caching layer for information stored in the shared database and/or LDAP and/or any other external user store. Shared database is required for storing realm configuration data and user data and imported user data. So Wildfly clustering handles anything in-memory related and for database stuff you have to rely on your database vendor for whatever solution they have for this. On 7/11/17 8:48 AM, Reza Shams Amiri wrote: > Hi, > > I am also evaluating KeyCloak for my organization. I have a question about how failover in KeyCloak works. > From what I understood from the documentation, it says that the application scalability is handled by wildfly clustering but with a shared database. > I couldn?t find a documentation about what we should do in case of database failure? > We want to have two different clustered nodes in two different continents for idp and we mainly have mysql databases. Clustering them is actually painful and done through rabbitMQ synced messages and in some custom ways. So how can we handle database failure in KeyCloak let?s say if the link between Sweden and USA is completely broken? > > Thanks a lot > /Reza > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From sblanc at redhat.com Wed Jul 12 04:09:57 2017 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 12 Jul 2017 10:09:57 +0200 Subject: [keycloak-user] Error 403 Java Spring Boot In-Reply-To: References: Message-ID: Could you try to add this as well ? keycloak.public-client=true On Tue, Jul 11, 2017 at 8:00 PM, Dennis H wrote: > I receive a http error 403 when accessing a bearer-only resource with > Postman that is secured with keycloak. > The user has the needed role. > Debug logs: BEARER AUTHENTICATED. > What could be the problem here? > > *Application.properties* > > keycloak.realm=myrealm > keycloak.bearer-only=true > keycloak.auth-server-url=http://localhost:8080/auth > keycloak.ssl-required=external > keycloak.resource=my-app > keycloak.use-resource-role-mappings=true > keycloak.securityConstraints[0].securityCollections[0].name=secured > keycloak.securityConstraints[0].authRoles[0]=app-user > keycloak.securityConstraints[0].securityCollections[0]. > patterns[0]=/secured/* > > logging.level.org.keycloak=DEBUG > > *Postman* > http://localhost:8081/secured/posts/0/10 > Authorization: Bearer aDSFla56s... > > *Debug* > 2017-07-11 19:53:41.306 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.PreAuthActionsHandler : adminRequest > http://localhost:8081/secured/posts/0/10 > 2017-07-11 19:53:41.313 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for > authentication of client 'my-app' > 2017-07-11 19:53:41.314 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded > clientCredentialsProvider > secret > 2017-07-11 19:53:41.315 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded > clientCredentialsProvider > jwt > 2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded > clientCredentialsProvider > secret > 2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded > clientCredentialsProvider > jwt > 2017-07-11 19:53:41.354 DEBUG 22556 --- [nio-8081-exec-1] > o.keycloak.adapters.KeycloakDeployment : resolveUrls > 2017-07-11 19:53:41.356 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl: > http://localhost:8080/auth, tokenUrl: > http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token, > relativeUrls: NEVER > 2017-07-11 19:53:41.631 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.rotation.JWKPublicKeyLocator : Realm public keys successfully > retrieved for client my-app. New kids: [NsYwvDAUJYY3ioS9-0mpo] > 2017-07-11 19:53:41.641 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.RequestAuthenticator : User > 'c1ed6bf7-5dd-988-94fab8ecf' invoking ' > http://localhost:8081/secured/posts/0/10' on client 'my-app' > 2017-07-11 19:53:41.642 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.RequestAuthenticator : *Bearer AUTHENTICATED* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From K.Buler at adbglobal.com Wed Jul 12 04:24:20 2017 From: K.Buler at adbglobal.com (Karol Buler) Date: Wed, 12 Jul 2017 10:24:20 +0200 Subject: [keycloak-user] Error 403 Java Spring Boot In-Reply-To: References: Message-ID: <3783e075-b126-33af-5254-41d419033c92@adbglobal.com> I had similar problem. You are using "keycloak.use-resource-role-mappings=true", check that the user has the client's role instead realm's role. On 11.07.2017 20:00, Dennis H wrote: > I receive a http error 403 when accessing a bearer-only resource with > Postman that is secured with keycloak. > The user has the needed role. > Debug logs: BEARER AUTHENTICATED. > What could be the problem here? > > *Application.properties* > > keycloak.realm=myrealm > keycloak.bearer-only=true > keycloak.auth-server-url=http://localhost:8080/auth > keycloak.ssl-required=external > keycloak.resource=my-app > keycloak.use-resource-role-mappings=true > keycloak.securityConstraints[0].securityCollections[0].name=secured > keycloak.securityConstraints[0].authRoles[0]=app-user > keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/secured/* > > logging.level.org.keycloak=DEBUG > > *Postman* > http://localhost:8081/secured/posts/0/10 > Authorization: Bearer aDSFla56s... > > *Debug* > 2017-07-11 19:53:41.306 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.PreAuthActionsHandler : adminRequest > http://localhost:8081/secured/posts/0/10 > 2017-07-11 19:53:41.313 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Using provider 'secret' for > authentication of client 'my-app' > 2017-07-11 19:53:41.314 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider > secret > 2017-07-11 19:53:41.315 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider > jwt > 2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider > secret > 2017-07-11 19:53:41.317 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.a.ClientCredentialsProviderUtils : Loaded clientCredentialsProvider > jwt > 2017-07-11 19:53:41.354 DEBUG 22556 --- [nio-8081-exec-1] > o.keycloak.adapters.KeycloakDeployment : resolveUrls > 2017-07-11 19:53:41.356 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.KeycloakDeploymentBuilder : Use authServerUrl: > http://localhost:8080/auth, tokenUrl: > http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/token, > relativeUrls: NEVER > 2017-07-11 19:53:41.631 DEBUG 22556 --- [nio-8081-exec-1] > o.k.a.rotation.JWKPublicKeyLocator : Realm public keys successfully > retrieved for client my-app. New kids: [NsYwvDAUJYY3ioS9-0mpo] > 2017-07-11 19:53:41.641 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.RequestAuthenticator : User > 'c1ed6bf7-5dd-988-94fab8ecf' invoking' > http://localhost:8081/secured/posts/0/10' on client 'my-app' > 2017-07-11 19:53:41.642 DEBUG 22556 --- [nio-8081-exec-1] > o.k.adapters.RequestAuthenticator : *Bearer AUTHENTICATED* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user [https://www.adbglobal.com/wp-content/uploads/adb.png] connecting lives connecting worlds From t.ruiten at rdmedia.com Wed Jul 12 05:43:09 2017 From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Wed, 12 Jul 2017 11:43:09 +0200 Subject: [keycloak-user] illegal character in path when testing email setup In-Reply-To: References:

Message-ID: Hm, it's an almost vanilla Keycloak setup (however upgraded from 3.1.0 to 3.2.0), in fact the only changes in standalone.xml are related to the keystore and database. I'll see if I can setup another instance and reproduce there. On 11 July 2017 at 07:35, Stian Thorgersen wrote: > Tried to reproduce this, but can't and it's working just fine here. Do you > have steps to reproduce? > > On 10 July 2017 at 16:04, Tiemen Ruiten wrote: > >> Hello, >> >> I get the following error when hitting the 'Test connection' button on the >> email tab in Realm settings: >> >> 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) >> WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* started in >> >> 21731ms - Started 449 of 824 services (561 services are lazy, passive or >> on-demand) >> 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] >> (default task-11) RESTEASY002130: Failed to parse request.: >> javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create >> URI: >> https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ >> "port":null,"host":"mail.rdmedia.com >> ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} >> at >> org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValu >> es(ResteasyUriBuilder.java:749) >> at >> org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(Resteas >> yUriBuilder.java:721) >> at >> org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUr >> iInfo.java:58) >> at org.jboss.resteasy.spi.ResteasyUriInfo.(ResteasyUriInfo.java:53) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletUtil.extrac >> tUriInfo(ServletUtil.java:41) >> at >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >> spatcher.service(ServletContainerDispatcher.java:200) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >> her.service(HttpServletDispatcher.java:56) >> at >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >> her.service(HttpServletDispatcher.java:51) >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >> at >> io.undertow.servlet.handlers.ServletHandler.handleRequest(Se >> rvletHandler.java:85) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >> oFilter(FilterHandler.java:129) >> at >> org.keycloak.services.filters.KeycloakSessionServletFilter.d >> oFilter(KeycloakSessionServletFilter.java:90) >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) >> at >> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >> oFilter(FilterHandler.java:131) >> at >> io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil >> terHandler.java:84) >> at >> io.undertow.servlet.handlers.security.ServletSecurityRoleHan >> dler.handleRequest(ServletSecurityRoleHandler.java:62) >> at >> io.undertow.servlet.handlers.ServletDispatchingHandler.handl >> eRequest(ServletDispatchingHandler.java:36) >> at >> org.wildfly.extension.undertow.security.SecurityContextAssoc >> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at >> io.undertow.servlet.handlers.security.SSLInformationAssociat >> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >> at >> io.undertow.servlet.handlers.security.ServletAuthenticationC >> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at >> io.undertow.security.handlers.AbstractConfidentialityHandler >> .handleRequest(AbstractConfidentialityHandler.java:46) >> at >> io.undertow.servlet.handlers.security.ServletConfidentiality >> ConstraintHandler.handleRequest(ServletConfidentialityConstr >> aintHandler.java:64) >> at >> io.undertow.security.handlers.AuthenticationMechanismsHandle >> r.handleRequest(AuthenticationMechanismsHandler.java:60) >> at >> io.undertow.servlet.handlers.security.CachedAuthenticatedSes >> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >> at >> io.undertow.security.handlers.NotificationReceiverHandler.ha >> ndleRequest(NotificationReceiverHandler.java:50) >> at >> io.undertow.security.handlers.AbstractSecurityContextAssocia >> tionHandler.handleRequest(AbstractSecurityContextAssociation >> Handler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at >> org.wildfly.extension.undertow.security.jacc.JACCContextIdHa >> ndler.handleRequest(JACCContextIdHandler.java:61) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at >> io.undertow.server.handlers.PredicateHandler.handleRequest(P >> redicateHandler.java:43) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.handleFir >> stRequest(ServletInitialHandler.java:284) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >> equest(ServletInitialHandler.java:263) >> at >> io.undertow.servlet.handlers.ServletInitialHandler.access$00 >> 0(ServletInitialHandler.java:81) >> at >> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >> equest(ServletInitialHandler.java:174) >> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >> ge.java:793) >> at >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >> Executor.java:1142) >> at >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >> lExecutor.java:617) >> at java.lang.Thread.run(Thread.java:748) >> Caused by: java.net.URISyntaxException: Illegal character in path at index >> 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ >> "port":null,"host":"mail.rdmedia.com >> ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} >> at java.net.URI$Parser.fail(URI.java:2848) >> at java.net.URI$Parser.checkChars(URI.java:3021) >> at java.net.URI$Parser.parseHierarchical(URI.java:3105) >> at java.net.URI$Parser.parse(URI.java:3053) >> at java.net.URI.(URI.java:588) >> at >> org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValu >> es(ResteasyUriBuilder.java:744) >> ... 40 more >> >> The 67th character is the slash after testSMTPConnection. Is this a bug >> and/or is there a workaround/fix? >> >> -- >> Tiemen Ruiten >> Systems Engineer >> R&D Media >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > -- Tiemen Ruiten Systems Engineer R&D Media From t.ruiten at rdmedia.com Wed Jul 12 07:09:01 2017 From: t.ruiten at rdmedia.com (Tiemen Ruiten) Date: Wed, 12 Jul 2017 13:09:01 +0200 Subject: [keycloak-user] illegal character in path when testing email setup In-Reply-To: References:

Message-ID: OK, so I rolled a new Keycloak instance and it gives me the exact same error. Reproducing is trivial: - login - click Realm Settings - click Email tab - Fill in Host and From fields - Hit 'Test connection' I can share the Ansible playbook I used to setup the VM privately if you'd like. On 12 July 2017 at 11:43, Tiemen Ruiten wrote: > Hm, it's an almost vanilla Keycloak setup (however upgraded from 3.1.0 to > 3.2.0), in fact the only changes in standalone.xml are related to the > keystore and database. I'll see if I can setup another instance and > reproduce there. > > On 11 July 2017 at 07:35, Stian Thorgersen wrote: > >> Tried to reproduce this, but can't and it's working just fine here. Do >> you have steps to reproduce? >> >> On 10 July 2017 at 16:04, Tiemen Ruiten wrote: >> >>> Hello, >>> >>> I get the following error when hitting the 'Test connection' button on >>> the >>> email tab in Realm settings: >>> >>> 2017-07-10 15:55:27,316 INFO [org.jboss.as] (Controller Boot Thread) >>> WFLYSRV0025: *Keycloak 3.2.0.Final (WildFly Core 2.0.10.Final)* started >>> in >>> >>> 21731ms - Started 449 of 824 services (561 services are lazy, passive or >>> on-demand) >>> 2017-07-10 15:56:48,997 WARN [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-11) RESTEASY002130: Failed to parse request.: >>> javax.ws.rs.core.UriBuilderException: RESTEASY003330: Failed to create >>> URI: >>> https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ >>> "port":null,"host":"mail.rdmedia.com >>> ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} >>> at >>> org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValu >>> es(ResteasyUriBuilder.java:749) >>> at >>> org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(Resteas >>> yUriBuilder.java:721) >>> at >>> org.jboss.resteasy.spi.ResteasyUriInfo.initialize(ResteasyUr >>> iInfo.java:58) >>> at org.jboss.resteasy.spi.ResteasyUriInfo.(ResteasyUriInf >>> o.java:53) >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletUtil.extrac >>> tUriInfo(ServletUtil.java:41) >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDi >>> spatcher.service(ServletContainerDispatcher.java:200) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>> her.service(HttpServletDispatcher.java:56) >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc >>> her.service(HttpServletDispatcher.java:51) >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> at >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(Se >>> rvletHandler.java:85) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>> oFilter(FilterHandler.java:129) >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.d >>> oFilter(KeycloakSessionServletFilter.java:90) >>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilte >>> r.java:60) >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d >>> oFilter(FilterHandler.java:131) >>> at >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil >>> terHandler.java:84) >>> at >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHan >>> dler.handleRequest(ServletSecurityRoleHandler.java:62) >>> at >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handl >>> eRequest(ServletDispatchingHandler.java:36) >>> at >>> org.wildfly.extension.undertow.security.SecurityContextAssoc >>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at >>> io.undertow.servlet.handlers.security.SSLInformationAssociat >>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>> at >>> io.undertow.servlet.handlers.security.ServletAuthenticationC >>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at >>> io.undertow.security.handlers.AbstractConfidentialityHandler >>> .handleRequest(AbstractConfidentialityHandler.java:46) >>> at >>> io.undertow.servlet.handlers.security.ServletConfidentiality >>> ConstraintHandler.handleRequest(ServletConfidentialityConstr >>> aintHandler.java:64) >>> at >>> io.undertow.security.handlers.AuthenticationMechanismsHandle >>> r.handleRequest(AuthenticationMechanismsHandler.java:60) >>> at >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSes >>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> at >>> io.undertow.security.handlers.NotificationReceiverHandler.ha >>> ndleRequest(NotificationReceiverHandler.java:50) >>> at >>> io.undertow.security.handlers.AbstractSecurityContextAssocia >>> tionHandler.handleRequest(AbstractSecurityContextAssociation >>> Handler.java:43) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHa >>> ndler.handleRequest(JACCContextIdHandler.java:61) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(P >>> redicateHandler.java:43) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFir >>> stRequest(ServletInitialHandler.java:284) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >>> equest(ServletInitialHandler.java:263) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$00 >>> 0(ServletInitialHandler.java:81) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >>> equest(ServletInitialHandler.java:174) >>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan >>> ge.java:793) >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:1142) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:617) >>> at java.lang.Thread.run(Thread.java:748) >>> Caused by: java.net.URISyntaxException: Illegal character in path at >>> index >>> 67: https://kc.rdmedia.com/auth/admin/realms/master/testSMTPConnection/{ >>> "port":null,"host":"mail.rdmedia.com >>> ","ssl":"","starttls":"","auth":"","from":"account at rdmedia.com"} >>> at java.net.URI$Parser.fail(URI.java:2848) >>> at java.net.URI$Parser.checkChars(URI.java:3021) >>> at java.net.URI$Parser.parseHierarchical(URI.java:3105) >>> at java.net.URI$Parser.parse(URI.java:3053) >>> at java.net.URI.(URI.java:588) >>> at >>> org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValu >>> es(ResteasyUriBuilder.java:744) >>> ... 40 more >>> >>> The 67th character is the slash after testSMTPConnection. Is this a bug >>> and/or is there a workaround/fix? >>> >>> -- >>> Tiemen Ruiten >>> Systems Engineer >>> R&D Media >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > > > -- > Tiemen Ruiten > Systems Engineer > R&D Media > -- Tiemen Ruiten Systems Engineer R&D Media From mposolda at redhat.com Wed Jul 12 07:17:40 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Jul 2017 13:17:40 +0200 Subject: [keycloak-user] Identity provider, keycloak js adapter and session management In-Reply-To: <1727835614.580304.1499443610670@mail.yahoo.com> References: <1727835614.580304.1499443610670.ref@mail.yahoo.com> <1727835614.580304.1499443610670@mail.yahoo.com> Message-ID: <219ed4ff-fd22-0f2a-2231-cdbe8480cf86@redhat.com> There was some related fix in latest master https://issues.jboss.org/browse/KEYCLOAK-5139 . However your issue with iframe looks like something different. Feel free to create JIRA if it won't help. Ideally you can also send PR. We have tests for pairwise in OIDCPairwiseClientRegistrationTest.java and there are some IFrame related tests in LoginStatusIframeEndpointTest . Marek On 07/07/17 18:06, Peter Nalyvayko wrote: > Some additional info: we can also reproduce the same behavior using the Pairwise subject identifier, i.e. users keep getting logged out after 5 seconds. > > -------------------------------------------- > On Thu, 7/6/17, Peter Nalyvayko wrote: > > Subject: Identity provider, keycloak js adapter and session management > To: keycloak-user at lists.jboss.org > Date: Thursday, July 6, 2017, 12:10 PM > > Hi, > > We've hit a bit of a snag while setting > up our one page js client. Changing the value of the "sub" > claim to anything other than the unique identifier of the > keycloak user causes the keycloak adapter to detect the > changes to the session and clear out the tokens, forcing the > users to re-log in after every 5 seconds. > > We are using the version 2.3.0 of > keycloak. Our app is set up to use keycloak.js adapter for > all things related to OIDC. The adapter is configured to use > the "code authorization" (standard) flow. The instance of > keycloak is configured to use an external OIDC identity > provider and the users are uniquely identified by their > e-mails. Naturally, we wanted that the "sub" claim in the > claim set returned by calling the keycloak's OIDC /token > endpoint would return the unique identity of the external > user rather than the internal identifier of the keycloak > user, so we re-configured the keycloak client by adding a > property mapper to map the user's email to the "sub" claim, > here the example of the access token: > { > "sub": "user at company.com", > "iat": 223235098325, > "email": "user at company.com", > ... > } > > Once we had implemented these changes > on the keycloak side, our users were able to initially sign > into the application, but when they tried to access any > functionality within the app, they would be prompted to sign > in again. The problem seems to related to the OIDC session > management and the assumption and the "sub" claim always > matches the keycloak user's unique identifier. > > We narrowed the problem down to four > components: > > - keycloak.js > - login-status-iframe.html > - > services\srv\main\java\org\keycloak\protocol\oidc\endpoints\LoginStatusIframeEndpoint.java > - > services\src\main\java\org\keycloak\services\managers\AuthenticationManager.java > > In keycloak.js, line 637, the > implementation creates a session id to be used to check the > session state. Notice that the code uses the value from the > "sub" claim: > var sessionId = kc.realm + "/" > + kc.tokenParsed.sub; > > In > AuthenticationManager.createLoginCookie, line 306, the value > of the "SESSION_COOKIE" is set to: > > String sessionCookieValue = > realm.getName() + "/" + user.getId(); > > Sadly, in our configuration, the value > returned of by user.getId() is not the same as the value > stored in the "sub" claim, thus causing the session > management code in login-status-iframe.html, line 53 to > clear out any tokens and force the users to re-login the > next time it checks the session state (default is 5 second > intervals): > > var cookie = getCookie(); > if (sessionState == cookie) { > ... } else { callback("changed"); } > > > Looking at the > LoginStatusIframeEndpoint.preCheck > (LoginSatusIframeEndpoint.java, lines 71-93), we've noticed > that the implementation does not even make use of the user > identity, only the session id. > > The workaround, at least temporary, for > us was to add the "id" claim containing the user identity > internal to keycloak, and modify the keycloak JS adapter > code to look for the "id" claim and use its value instead of > the value in the "sub" claim when creating the session id, > i.e.: > > > var sessionId; > if (kc.tokenParsed.id) { > sessionId = > kc.realm + "/" + kc.tokenParsed.id; > } else { > sessionId = > kc.realm + "/" + kc.tokenParsed.sub; > } > > Is this a bug, or does it work as > intended, i.e. the users should never set the "sub" claim to > anything other than the keycloak's user identity? If this is > a bug, I can submit a JIRA request and a fix as long as the > workaround above seems like an acceptable solution > > Any comments are welcome > Regards, > Peter > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Jul 12 07:24:14 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Jul 2017 13:24:14 +0200 Subject: [keycloak-user] LDAP attributes & caching In-Reply-To: <1499337987.2966.2.camel@cargosoft.ru> References: <1499289029.2978.3.camel@cargosoft.ru> <1499337987.2966.2.camel@cargosoft.ru> Message-ID: <1488d902-6af3-893a-5936-807402fa4b5a@redhat.com> "Always Read Value From LDAP" means that attribute is read from LDAP instead of from DB. However the cache is still there. You will need to disable cache or change it to low value if you want the user updated immediately after attribute change in LDAP. Marek On 06/07/17 12:46, Dmitry Telegin wrote: > https://issues.jboss.org/browse/KEYCLOAK-5156 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Wed Jul 12 07:29:23 2017 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 12 Jul 2017 13:29:23 +0200 Subject: [keycloak-user] LDAP User Federation: Issue with Hardcoded Roles In-Reply-To: References: Message-ID: <36248726-62a8-4117-6fc6-99365de6f59f@redhat.com> Looks like a bug to me. Feel free to create JIRA. Marek On 06/07/17 20:45, Gabriel Lavoie wrote: > Hi, > I've been trying to setup a LDAP user federation with a hardcoded > admin role on Keycloak 2.1.0.Final, on the master realm. The role is > granted to the user as expected, but not the composite roles attached to > the "admin" role. > > I tried reproducing the issue with the latest Keycloak but encountered a > different problem. When I try to add the hardcoded role mapper and add the > "admin" role to it, the role displays as "a" in the field (after > selection), and I get an error on save. I get the following exception in > the log: > > 2017-07-06 14:43:36,727 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] > (default task-18) RESTEASY002005: Failed executing POST > /admin/realms/master/components: org.jboss.resteasy.spi.ReaderException: > com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize > instance of java.util.ArrayList out of VALUE_STRING token > at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1611369f; > line: 1, column: 12] (through reference chain: > org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["role"]) > at > org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184) > at > org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not > deserialize instance of java.util.ArrayList out of VALUE_STRING token > at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1611369f; > line: 1, column: 12] (through reference chain: > org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["role"]) > at > com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148) > at > com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835) > at > com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831) > at > com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240) > at > com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171) > at > com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161) > at > com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19) > at > com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485) > at > com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342) > at > com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26) > at > com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523) > at > com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95) > at > com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285) > at > com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248) > at > com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136) > at > com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410) > at > com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860) > at > org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121) > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61) > at > org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60) > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) > at > org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34) > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) > at > org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) > at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) > at > org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151) > ... 48 more > > > Any idea of what could be wrong? Bug? > > Thank you, > > Gabriel > From K.Buler at adbglobal.com Wed Jul 12 08:23:28 2017 From: K.Buler at adbglobal.com (Karol Buler) Date: Wed, 12 Jul 2017 14:23:28 +0200 Subject: [keycloak-user] Fwd: CORS's problem with JavaScript's library In-Reply-To: References: <430dc3ea-ebdd-4503-494a-eac0607ae0c1@adbglobal.com>

Message-ID: Kevin you have 100% right! But we didn't modify Keycloak server and JS lib at all. Clean server and clean library have a problem with communication. On 29.06.2017 13:24, Kevin Berendsen wrote: > Hi, > > This is a perfect response from your browser. X-client is a custom header and not allowed out of the box. > I think either you should strip that header from your request to Keycloak or modify Keycloak to allow that header or some sort (not recommend). > > You could also modify your standalone configuration to add a response header but that's not really recommended either. > >> -----Oorspronkelijk bericht----- >> Van: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user- >> bounces at lists.jboss.org] Namens Karol Buler >> Verzonden: donderdag 29 juni 2017 10:30 >> Aan: keycloak-user at lists.jboss.org >> Onderwerp: Re: [keycloak-user] Fwd: CORS's problem with JavaScript's >> library >> >> We are using keycloak-auth-utils because our application isn't strict frontend. >> It is something like "middle-end" app. We can't use e.g. code flow >> authentication. >> >> Secondly... yes, We applied "*" to "Web Origins". >> >> >> On 28.06.2017 16:47, Sebastien Blanc wrote: >>> (forgot including user list) >>> >>> Are you using keycloak-auth-utils on your frontend application ? Why >>> not the JavaScript library ? >>> Also have you configured the "Web Origins" field of your client in the >>> Keycloak Web Console ? >>> >>> On Wed, Jun 28, 2017 at 3:09 PM, Karol Buler >> wrote: >>>> Hi Everyone, >>>> >>>> We have problem with CORS. We are using this lib: >>>> https://www.npmjs.com/package/keycloak-auth-utils in our JavaScript >>>> application. >>>> >>>> When we try to get AccessToken we are getting this message: >>>> >>>> Fetch API cannot load http:///auth >>>> /realms/master/protocol/openid-connect/token. Request header field >>>> x-client is not allowed by Access-Control-Allow-Headers in preflight >>>> response. >>>> >>>> We tried to modify CORS headers in standalone.xml file of Keycloak's >>>> server, but we found that CORS headers are hardcoded and added "in >> air". >>>> Best regards, >>>> Karol Buler >>>> >>>> [https://www.adbglobal.com/wp-content/uploads/adb.png] >>>> connecting lives >>>> connecting worlds >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Jul 12 09:08:22 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 12 Jul 2017 10:08:22 -0300 Subject: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT) In-Reply-To: References: Message-ID: Hi, Some questions inline ... On Tue, Jul 11, 2017 at 9:10 PM, Brahim Ait elhaj wrote: > Hi everyone, > > Lately i was playing with Keycloak (KC), evaluating it for an IoT project > and i have a question regarding the authorization services. > > One of my use case is : devices that connect to an MQTT Broker using X.509 > client authentication. > Note : when i talk about device, you must understand KC user (device = > user). > Do clients connect to your MQTT on behalf of an human ? If a device is actually an user, who are your clients ? The same devices ? > > For several reasons/constraints that i won't explain here, i can't have my > devices connect first to Keycloak to obtain a token (using their X.509 > certificates as KC supports it) and then connect to the MQTT Broker passing > this token. They connect directly to the MQTT Broker, each device > presenting its X.509 certificate to the Broker. After connection, the > Broker doesn't know client private key. Now I'm curious :) > > My need is to have my MQTT Broker (ideally through KC) authorize/reject > MQTT client to publish/subscribe to specific topic. > MQTT Topic being some kind of uri/path, i already have an idea of how to > configure KC (client, resource, policy, permission ...) to authorize/reject > these access. > However, as i understand it, the starting point for all the ? authorization > services ? (Authorization API, Entitlement API ... ) is a ? user Access > Token ?. > In my case, i don't have a user access token ... so i'm kind of stuck to > use any of the K.C API (unless i missed something). > Considering your devices are actually users in your realm, you should be able to obtain access tokens from Keycloak. With this access token you can then use Entitlement API, for instance to obtain a RPT that you can finally send to your MQTT broker. But I think you have constraints that block this approach ... The point here is that our APIs need to identify the identity associated with a permission request somehow, hence the need for an access token when using any of our APIs to obtain the RPT. If I understood your use correctly, the only thing you have that identifies the user/device is a certificate. But we only support access tokens previously issued by Keycloak to your clients/users. However, I think we could support your use case with UMA 2.0 changes we are planning. In the new version of the specs, the client don't actually need an access token in order to obtain RPTs from AS. There is a specific OAuth2 Grant Type, which you can use just like any other grant type. The tricky here is that instead of using an OAuth2 Access Token to gain access to our APIs, you basically authenticate the client using whatever client authentication method we support. For instance, id/secret, jwt or even using a bearer token (as it stands today). In addition to that, you are allowed to send tokens with claims associated with a requesting party (e.g.: your devices). That would allow you to send your devices certificates. In a nutshell, in a single request to the server you would provide your client credentials + device certificate. And we would need to support extracting requesting party information (the user) from certificates. > > Hence, My question is how can i make my MQTT Broker (.ie : resource server) > interact with KC to enforce/evaluate policy ? Is it possible without the > user access token ? > Hope i made myself clear and thanks in advance for any help ... > Btw, have you considered OAuth2 Device Flow ? > > Best regards, > Brahim > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Jul 12 09:20:32 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 12 Jul 2017 10:20:32 -0300 Subject: [keycloak-user] Application to application: could Keycloak implement this? In-Reply-To: References: <7d4227a7-9bc4-0a93-dffb-c1daa725b0fa@psynd.net> Message-ID: FYI, in Wildfly 11 and Elytron identity propagation will be supported OOTB. This is one of the main features brought to you by Elytron. Your client should be able to authenticate with a remote server using a OAuth2 Access Token (remoting + SASL OAUTHBEARER), which in turn can be automatically propagated to other servers in the topology. In fact, you can even propagate credentials if using other authentication mechanism such as PLAIN or Kerberos. On Wed, Jul 12, 2017 at 4:10 AM, Marek Posolda wrote: > Hi, > > We have example in documentation for EJB propagation from web > application where Keycloak. See > https://keycloak.gitbooks.io/documentation/securing_apps/ > topics/oidc/java/jboss-adapter.html > and especially the last paragraph "Security domain" . > > We have unofficial example I've written to propagate identity from fat > client through remote EJB calls: > https://github.com/mposolda/keycloak-remote-ejb > > Marek > > On 04/07/17 18:42, Tech wrote: > > Dear experts, > > > > I want to bring you this use case to understand if you might be able to > > support me. > > > > Our architecture is based in java, where we might have two kind of > clients: > > > > * Fat java clients > > * Browsers > > > > Application servers with: > > > > * Web containers performing local and remote EJB calls + remote WS > calls > > * EJB container performing local and remote EJB calls + remote WS > calls > > * A remote EJB server performing local and remote EJB calls + remote > > WS calls > > * Ws implemeting SOAP or REST > > * Server SSO able to protect what described above > > > > The goal is to allow the clients (thin and fat) to authenticate on the > > SSO server and to propagate the user identity on these requests: > > > > * Fat client authenticated -> EJB secure -> WS secure > > * Browser authenticated -> Web container -> EJB secure -> WS secure > > > > The solution could use a secure token OAuth, OIDC or SAML. > > > > The token propagation should be based on standards JAAS and WS-Security. > > > > We saw that is possible to implement something similar in some SAML > > Login Modules on JBoss Enterprise server, but we are not finding > > anything equivalent in Keycloak. > > > > We cannot neither find, for example, not neither for a STS server, that > > are the required elements to transform this kind of tokens. > > > > > > Did anybody faced a similar experience? > > > > Thanks for your support! > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jasonspittel at yahoo.com Wed Jul 12 10:29:58 2017 From: jasonspittel at yahoo.com (Jason Spittel) Date: Wed, 12 Jul 2017 14:29:58 +0000 (UTC) Subject: [keycloak-user] SAML HttpServletRequest.logout() support In-Reply-To: References: <1263738321.6142511.1499280048359.ref@mail.yahoo.com> <1263738321.6142511.1499280048359@mail.yahoo.com> Message-ID: <558367677.4396667.1499869798560@mail.yahoo.com> Hi Mark, You can see my other thread to Hynek Mlnarik about logout and cookies. It's sort of a JSF issue, I suppose, more than a KC issue. Actually, I'l just copy the email here. The TLDR; version is : JSF redirect on logout loses cookies, so has to re-auth with KC before logging out. Which means the first logout doesn't 'take'. Hi Hynek, My setup is exactly from that tutorial. And I found the problem with logging out, I'm not sure how to report the issue (not sure if it's really a KC issue at all), raise a Jira ticket? Setup: JEE app running JSF calling EJBs. JEE app using wildfly keycloak saml adapters to talk to Keycloak (KC)Keycloak setup to use ADFS as its IdP. Problem: JEE app needs to logout twice to logout. (That is, after first logout, you can still hit the protected resource on the JEE app without logging in again) Cause: 1) first logout:- JSF's redirects (externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true" );) removes the jsessionId cookie, which causes an initial auth from JEE to KC when logout is hit. -rest of logout proceeds properly, Realm Session ID is removed from KC, ADFS logs use out. 2) second logout-JSF's redirect again removes the jsessionId cookie, tries to do an initial auth from JEE to KC, but KC doesn't have any sessions to auth user with, and user is kicked out, 'successfully' logging out. Solution: preserve the jsessionid on redirect, initial auth to KC doesn't occur on logout. ?? public void logout() throws IOException, ServletException ?? { ??????ExternalContext externalContext = _context.getExternalContext(); ??????try ??????{ ???????? externalContext.invalidateSession(); ???????? _httpRequest.logout(); ??????} ??????catch (Exception ex) ??????{ ???????? _logger.error(ex); ??????} ??????finally ??????{ ???????? // need to set the cookie for the jsessionid, or will re-auth with KC, and will require two logouts to logout completely ???????? preserveJsessionidCookie(externalContext); ???????? externalContext.redirect(externalContext.getRequestContextPath() + "/?GLO=true" ); ??????} ?? } ?? private void preserveJsessionidCookie(ExternalContext externalContext) ?? { ??????for (Cookie cookie : ((HttpServletRequest)externalContext.getRequest()).getCookies()) ??????{ ???????? if (cookie.getName().equalsIgnoreCase("jsessionid")) ???????? { ????????????((HttpServletResponse)externalContext.getResponse()).addCookie(cookie); ????????????break; ???????? } ??????} ?? } Cheers, Thanks, Jason On Tuesday, July 11, 2017, 11:59:41 PM PDT, Marek Posolda wrote: You can check our SAML examples in the keycloak-examples distribution. They're doing logout. Marek On 05/07/17 20:40, Jason Spittel wrote: > I'm having trouble with SAML Logout.? I have a JEE app that uses Keycloak as an identity broker to ADFS. > Following these instructions:Logout | Keycloak Documentation > > > | > | > |? | > Logout | Keycloak Documentation > > >? | > >? | > >? | > > > > I should be able to just call HttpServletRequest.logout(). But that doesn't do anything. > Searching Jira I see this a reported issue. > [KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue Tracker > > > | > | > |? | > [KEYCLOAK-2191] SAML HttpServletRequest.logout() support - JBoss Issue T... > > >? | > >? | > >? | > > > > While that's being worked on, are there workarounds to do a SAML logout through Keycloak? > > Thanks, > Jason > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From brahima at gmail.com Wed Jul 12 12:23:48 2017 From: brahima at gmail.com (Brahim Ait elhaj) Date: Wed, 12 Jul 2017 18:23:48 +0200 Subject: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT) In-Reply-To: References:

Message-ID: Hi and thanks a lot for your feedback. My answers/questions below ... On Wed, Jul 12, 2017 at 3:08 PM, Pedro Igor Silva wrote: > Hi, > > Some questions inline ... > > On Tue, Jul 11, 2017 at 9:10 PM, Brahim Ait elhaj > wrote: > >> Hi everyone, >> >> Lately i was playing with Keycloak (KC), evaluating it for an IoT project >> and i have a question regarding the authorization services. >> >> One of my use case is : devices that connect to an MQTT Broker using X.509 >> client authentication. > > >> Note : when i talk about device, you must understand KC user (device = >> user). >> > > Do clients connect to your MQTT on behalf of an human ? > Once device are provisioned in the platform (done once through an app), they become autonomous and can start connecting/talking to the MQTT Server at any moment ... > > If a device is actually an user, who are your clients ? The same devices ? > My client is the MQTT Server in this use case (as the *photoz-restful-api* in the *photoz* example). I want to protect access to MQTT topics (paths/resources) of this MQTT server. I was initially asking myself whereas devices should be ? users ? or ? clients ? but we could end with a lot of clients in the latter scenario ... also after playing with KC and reading through the mailing list questions/answers, i think that's a better approach to have devices be users and not clients. However, did you have something in mind when asking this question ? > > >> >> For several reasons/constraints that i won't explain here, i can't have my >> devices connect first to Keycloak to obtain a token (using their X.509 >> certificates as KC supports it) and then connect to the MQTT Broker >> passing >> this token. They connect directly to the MQTT Broker, each device >> presenting its X.509 certificate to the Broker. After connection, the >> Broker doesn't know client private key. > > > Now I'm curious :) > Ok, the main reason is that the one thing that can be guaranteed about devices is that they have a certificate to authenticate themselves. They're not necessarily http or even mqtt capable. They can be able to communicate only via a low power wide area network (Lora / Sigfox ... ie. not connected to internet directly) So we know how to deal with a user (be it a human or a device) that can authenticate and get an access token. My concern here is how to deal with a user (device) that can not. > > >> >> My need is to have my MQTT Broker (ideally through KC) authorize/reject >> MQTT client to publish/subscribe to specific topic. >> MQTT Topic being some kind of uri/path, i already have an idea of how to >> configure KC (client, resource, policy, permission ...) to >> authorize/reject >> these access. > > >> However, as i understand it, the starting point for all the ? >> authorization >> services ? (Authorization API, Entitlement API ... ) is a ? user Access >> Token ?. >> In my case, i don't have a user access token ... so i'm kind of stuck to >> use any of the K.C API (unless i missed something). >> > > Considering your devices are actually users in your realm, you should be > able to obtain access tokens from Keycloak. With this access token you can > then use Entitlement API, for instance to obtain a RPT that you can finally > send to your MQTT broker. But I think you have constraints that block this > approach ... > > The point here is that our APIs need to identify the identity associated > with a permission request somehow, hence the need for an access token when > using any of our APIs to obtain the RPT. > Exactly, i technically can have some devices (http capable) connect to KC, get a token et connect to the MQTT Broker ... but some devices cannot so i need to support this use case. > > If I understood your use correctly, the only thing you have that > identifies the user/device is a certificate. But we only support access > tokens previously issued by Keycloak to your clients/users. > Right ! > > However, I think we could support your use case with UMA 2.0 changes we > are planning. In the new version of the specs, the client don't actually > need an access token in order to obtain RPTs from AS. There is a specific > OAuth2 Grant Type, which you can use just like any other grant type. The > tricky here is that instead of using an OAuth2 Access Token to gain access > to our APIs, you basically authenticate the client using whatever client > authentication method we support. For instance, id/secret, jwt or even > using a bearer token (as it stands today). In addition to that, you are > allowed to send tokens with claims associated with a requesting party > (e.g.: your devices). That would allow you to send your devices > certificates. > > In a nutshell, in a single request to the server you would provide your > client credentials + device certificate. And we would need to support > extracting requesting party information (the user) from certificates. > Yes, it seems really interesting and corresponding to what i'd like to achieve. Since you talk about UMA, i understand this is the ? Authorization API ? that is involved here. Also, you said ? *In the new version of the specs, the client don't actually need an access token in order to obtain RPTs from AS* ?, can you please point me to the specs that talk about this specific part (if possible) ? I quickly went through the v2.0 without being able to clearly identity this specific part ... Do you have something (beta ...) that i can start playing with ? Is it already in the roadmap (maybe you have a specific ticket number in mind) ? Depending on the estimated ? landing ? date, i can contribute in many ways. So, What's the next step :-) > > > >> >> Hence, My question is how can i make my MQTT Broker (.ie : resource >> server) >> interact with KC to enforce/evaluate policy ? Is it possible without the >> user access token ? > > >> Hope i made myself clear and thanks in advance for any help ... >> > > Btw, have you considered OAuth2 Device Flow ? > Yes, can make sense for some devices (http capable, internet connected ...) but not for all devices ... Thanks again for your feedbacks. Greatly appreciated ! Brahim > > >> >> Best regards, >> Brahim >> > > _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From psilva at redhat.com Wed Jul 12 13:19:03 2017 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 12 Jul 2017 14:19:03 -0300 Subject: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT) In-Reply-To: References:

Message-ID: On Wed, Jul 12, 2017 at 1:23 PM, Brahim Ait elhaj wrote: > >> If a device is actually an user, who are your clients ? The same devices ? >> > > My client is the MQTT Server in this use case (as the *photoz-restful-api* > in the *photoz* example). > I want to protect access to MQTT topics (paths/resources) of this MQTT > server. > > I was initially asking myself whereas devices should be ? users ? or ? > clients ? but we could end with a lot of clients in the latter scenario ... > also after playing with KC and reading through the mailing list > questions/answers, i think that's a better approach to have devices be > users and not clients. > > However, did you have something in mind when asking this question ? > I was wondering if the users you mentioned were actually service accounts associated with clients representing your devices. But yeah, the decision on whether devices should be users or not I think depend on the capabilities you want to support on them. > > >> >> >>> >>> For several reasons/constraints that i won't explain here, i can't have >>> my >>> devices connect first to Keycloak to obtain a token (using their X.509 >>> certificates as KC supports it) and then connect to the MQTT Broker >>> passing >>> this token. They connect directly to the MQTT Broker, each device >>> presenting its X.509 certificate to the Broker. After connection, the >>> Broker doesn't know client private key. >> >> >> Now I'm curious :) >> > > Ok, the main reason is that the one thing that can be guaranteed about > devices is that they have a certificate to authenticate themselves. They're > not necessarily http or even mqtt capable. They can be able to communicate > only via a low power wide area network (Lora / Sigfox ... ie. not connected > to internet directly) > > So we know how to deal with a user (be it a human or a device) that can > authenticate and get an access token. > My concern here is how to deal with a user (device) that can not. > Ok, so that changes things a bit ... > >> However, I think we could support your use case with UMA 2.0 changes we >> are planning. In the new version of the specs, the client don't actually >> need an access token in order to obtain RPTs from AS. There is a specific >> OAuth2 Grant Type, which you can use just like any other grant type. The >> tricky here is that instead of using an OAuth2 Access Token to gain access >> to our APIs, you basically authenticate the client using whatever client >> authentication method we support. For instance, id/secret, jwt or even >> using a bearer token (as it stands today). In addition to that, you are >> allowed to send tokens with claims associated with a requesting party >> (e.g.: your devices). That would allow you to send your devices >> certificates. >> >> In a nutshell, in a single request to the server you would provide your >> client credentials + device certificate. And we would need to support >> extracting requesting party information (the user) from certificates. >> > > Yes, it seems really interesting and corresponding to what i'd like to > achieve. Since you talk about UMA, i understand this is the ? Authorization > API ? that is involved here. > That is one of the changes introduced by UMA 2.0. The Authorization API was replaced by a UMA Grant Type [1]. We are going to deprecate the Authorization API and leave it there for a while. But remove it in future releases. My statement above also applies to our Entitlement API, which we also want to support scenarios where the identity is not really represented by an ID or access token. [1] https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-08.html#seek-authorization > > Also, you said ? *In the new version of the specs, the client don't > actually need an access token in order to obtain RPTs from AS* ?, can you > please point me to the specs that talk about this specific part (if > possible) ? I quickly went through the v2.0 without being able to clearly > identity this specific part ... > See link above. > > Do you have something (beta ...) that i can start playing with ? Is it > already in the roadmap (maybe you have a specific ticket number in mind) ? > Nothing yet ... But this is my next task in Keycloak. At the moment I'm stuck with tasks in other projects that I need to get it done. But the JIRA is https://issues.jboss.org/browse/KEYCLOAK-3169. > > Depending on the estimated ? landing ? date, i can contribute in many > ways. So, What's the next step :-) > Sure thing. Maybe you can start providing some more background to what you need in that JIRA. Although the title is related with UMA 2.0 it will also involve changes to Entitlement API. The initial plan did not include what we are discussing here. But I think we can consider your requirements during development once we agree on what we really need to do. Maybe another approach to your problem is make your MQTT Broker both a PDP and PEP. I mean, you would use some REST API in Keycloak to evaluate policies based on a set of one or more resources/topics + enforce access based on the permissions returned by the server. We do have an endpoint that you can use to evaluate policies (see https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java#L70). But it is basically accessing the API used by our Policy Evaluation Toll in the admin console. Ideally, you should use Entitlement API, Authorization API/UMA Grant Type. > >> >> >>> >>> Best regards, >>> Brahim >>> >> > > > >> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > From manuel.holtgrewe at bihealth.de Wed Jul 12 14:39:03 2017 From: manuel.holtgrewe at bihealth.de (Holtgrewe, Manuel) Date: Wed, 12 Jul 2017 18:39:03 +0000 Subject: [keycloak-user] Increasing logging for debugging "Internal Server Error" response Message-ID: Dear all, I have some grief with my Keycloak 3.2.0.Final setup. I have setup my instance and connected it to my organization's AD and this part works well. I am now trying to connect a client application (that supports OAuth 2) to the Keycloak instance. The application redirects me to the Keycloak login and after successful login, I'm redirected back to the app. So far so good. The app then tries to do the equivalent of the following. curl -k --data "refresh_token=SOMEVERYLONGTOKEN&grant_type=refresh_token&client_secret=eeBoTh2hoMifooDaiyig&client_id=igv" https://KEYCLOAK.MYORGA.NET/auth/realms/MYREALM/protocol/openid-connect/token from this, the app gets a "HTTP 500" response and the curl also displays "ErrorInternal Server Error". I'm running keycloak as a standalone app and so far did not succeed in debugging the problem. How can I increase log levels as to see where things are going bad? Thanks, Manuel From nielsbne at gmail.com Thu Jul 13 01:17:23 2017 From: nielsbne at gmail.com (Niels Bertram) Date: Thu, 13 Jul 2017 15:17:23 +1000 Subject: [keycloak-user] Keycloak Adapter validating tokens issued by different realms Message-ID: Hi everyone, has anyone ever had a requirement to validate access tokens issued by 2 or more issuers in the Keycloak Java or NodeJS adapters? I found KEYCLOAK-5014 which loosely talks about it but there is no feedback. We are currently using the client adapter from MitreId (in Spring) which can be configured via StaticClientConfigurationService.java to validate an inbound token against multiple realms. Would love to find out if anyone has done this in keycloak or if there are others out there that have this need. Kind Regards, Niels From Sebastian.Schuster at bosch-si.com Thu Jul 13 03:41:44 2017 From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1)) Date: Thu, 13 Jul 2017 07:41:44 +0000 Subject: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT) In-Reply-To: References:

Message-ID: <220032d0170a40aa890d4d39af67b6a7@FE-MBX1028.de.bosch.com> Hi Pedro, Since I saw you referring to "https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-08.html#seek-authorization": I think this is not latest version of UMA2. They changed the naming of the spec parts and IMHO https://docs.kantarainitiative.org/uma/ed/oauth-uma-grant-2.0-04.html and https://docs.kantarainitiative.org/uma/ed/oauth-uma-federated-authz-2.0-04.html form the current spec. Just in case you did not notice the change of names... Best regards, Sebastian Mit freundlichen Gr??en / Best regards Sebastian Schuster Engineering and Support (INST/ESY1) Bosch?Software Innovations?GmbH | Sch?neberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Gesch?ftsf?hrung: Dr.-Ing. Rainer Kallenbach, Michael Hahn -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pedro Igor Silva Sent: Mittwoch, 12. Juli 2017 19:19 To: Brahim Ait elhaj Cc: keycloak-user Subject: Re: [keycloak-user] Authorization services without User Access token (Mqtt Broker / IoT) On Wed, Jul 12, 2017 at 1:23 PM, Brahim Ait elhaj wrote: > >> If a device is actually an user, who are your clients ? The same devices ? >> > > My client is the MQTT Server in this use case (as the > *photoz-restful-api* in the *photoz* example). > I want to protect access to MQTT topics (paths/resources) of this MQTT > server. > > I was initially asking myself whereas devices should be ? users ? or ? > clients ? but we could end with a lot of clients in the latter scenario ... > also after playing with KC and reading through the mailing list > questions/answers, i think that's a better approach to have devices be > users and not clients. > > However, did you have something in mind when asking this question ? > I was wondering if the users you mentioned were actually service accounts associated with clients representing your devices. But yeah, the decision on whether devices should be users or not I think depend on the capabilities you want to support on them. > > >> >> >>> >>> For several reasons/constraints that i won't explain here, i can't >>> have my devices connect first to Keycloak to obtain a token (using >>> their X.509 certificates as KC supports it) and then connect to the >>> MQTT Broker passing this token. They connect directly to the MQTT >>> Broker, each device presenting its X.509 certificate to the Broker. >>> After connection, the Broker doesn't know client private key. >> >> >> Now I'm curious :) >> > > Ok, the main reason is that the one thing that can be guaranteed about > devices is that they have a certificate to authenticate themselves. They're > not necessarily http or even mqtt capable. They can be able to communicate > only via a low power wide area network (Lora / Sigfox ... ie. not connected > to internet directly) > > So we know how to deal with a user (be it a human or a device) that can > authenticate and get an access token. > My concern here is how to deal with a user (device) that can not. > Ok, so that changes things a bit ... > >> However, I think we could support your use case with UMA 2.0 changes we >> are planning. In the new version of the specs, the client don't actually >> need an access token in order to obtain RPTs from AS. There is a specific >> OAuth2 Grant Type, which you can use just like any other grant type. The >> tricky here is that instead of using an OAuth2 Access Token to gain access >> to our APIs, you basically authenticate the client using whatever client >> authentication method we support. For instance, id/secret, jwt or even >> using a bearer token (as it stands today). In addition to that, you are >> allowed to send tokens with claims associated with a requesting party >> (e.g.: your devices). That would allow you to send your devices >> certificates. >> >> In a nutshell, in a single request to the server you would provide your >> client credentials + device certificate. And we would need to support >> extracting requesting party information (the user) from certificates. >> > > Yes, it seems really interesting and corresponding to what i'd like to > achieve. Since you talk about UMA, i understand this is the ? Authorization > API ? that is involved here. > That is one of the changes introduced by UMA 2.0. The Authorization API was replaced by a UMA Grant Type [1]. We are going to deprecate the Authorization API and leave it there for a while. But remove it in future releases. My statement above also applies to our Entitlement API, which we also want to support scenarios where the identity is not really represented by an ID or access token. [1] https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-08.html#seek-authorization > > Also, you said ? *In the new version of the specs, the client don't > actually need an access token in order to obtain RPTs from AS* ?, can you > please point me to the specs that talk about this specific part (if > possible) ? I quickly went through the v2.0 without being able to clearly > identity this specific part ... > See link above. > > Do you have something (beta ...) that i can start playing with ? Is it > already in the roadmap (maybe you have a specific ticket number in mind) ? > Nothing yet ... But this is my next task in Keycloak. At the moment I'm stuck with tasks in other projects that I need to get it done. But the JIRA is https://issues.jboss.org/browse/KEYCLOAK-3169. > > Depending on the estimated ? landing ? date, i can contribute in many > ways. So, What's the next step :-) > Sure thing. Maybe you can start providing some more background to what you need in that JIRA. Although the title is related with UMA 2.0 it will also involve changes to Entitlement API. The initial plan did not include what we are discussing here. But I think we can consider your requirements during development once we agree on what we really need to do. Maybe another approach to your problem is make your MQTT Broker both a PDP and PEP. I mean, you would use some REST API in Keycloak to evaluate policies based on a set of one or more resources/topics + enforce access based on the permissions returned by the server. We do have an endpoint that you can use to evaluate policies (see https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java#L70). But it is basically accessing the API used by our Policy Evaluation Toll in the admin console. Ideally, you should use Entitlement API, Authorization API/UMA Grant Type. > >> >> >>> >>> Best regards, >>> Brahim >>> >> > > > >> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From nicolaouantonia at gmail.com Thu Jul 13 03:47:13 2017 From: nicolaouantonia at gmail.com (Antonia Nicolaou) Date: Thu, 13 Jul 2017 10:47:13 +0300 Subject: [keycloak-user] ${url.resourcesPath} not working in email-verification.ftl template Message-ID: Hello, I am using single sign on service from redhat v7.1 and I am developing a custom template (in a custom theme) for verification email. In the email, I am using ${url.resourcesPath} for

and is not working. The template is not used when I use it. Could you help me? Thank you in advanced. Sincerely, Antonia Nicolaou From federico at info.nl Thu Jul 13 03:53:52 2017 From: federico at info.nl (Federico Navarro Polo - Info.nl) Date: Thu, 13 Jul 2017 07:53:52 +0000 Subject: [keycloak-user] error=pkce_verification_failed In-Reply-To: <67434e71-ba6a-18a1-cca2-fd6c93dc1882@redhat.com> References: <285AAEA2-C62A-4235-BC7D-4AB99F93A412@info.nl> <67434e71-ba6a-18a1-cca2-fd6c93dc1882@redhat.com> Message-ID: <61C6D20E-C2F7-4A8E-A281-6263DEABB2A8@info.nl> Unfortunately, I got the same with 3.1.0.Final and 3.2.0.Final. When you say disabling PKCE for the adapter, you mean the client connecting to Keycloak, right? In our case, that would be configuration in AppAuth. Regards, Federico On 11/07/17 22:56, "Marek Posolda" wrote: Still I would try to upgrade to 3.2.0.Final if possible. AFAIK there was some related fixes in there, so worth to try if it's not a lot of work for you. Otherwise workaround is to disable PKCE for your adapter, which will also remove all related parameters from the initial request to Keycloak. Marek On 11/07/17 16:38, Federico Navarro Polo - Info.nl wrote: > Hello, > > After upgrading our Keycloak version to 3.1.0, we?ve started seeing the following error in one of our use cases (using AppAuth). > > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256 > 2017-07-11 16:21:12,135 WARN [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone at somewhere.nl > 2017-07-11 16:21:12,136 WARN [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret > > > I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956 > > Is it possible to disable PKCE from Keycloak configuration? > > > Met vriendelijke groet, > > Federico Navarro > > backend developer > > federico at info.nl | LinkedIn | +31 (0)2 05 30 91 61 > > info.nl > > Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From federico at info.nl Thu Jul 13 03:54:46 2017 From: federico at info.nl (Federico Navarro Polo - Info.nl) Date: Thu, 13 Jul 2017 07:54:46 +0000 Subject: [keycloak-user] Internal System Error on screens when a code is expired In-Reply-To: References: <63F53E4C-3933-4C90-A137-DB30CD000EA5@info.nl> Message-ID: Thanks. I will take a look to the new version. Regards, Federico From: Stian Thorgersen Reply-To: "stian at redhat.com" Date: Wednesday 5 July 2017 at 20:35 To: "Federico Navarro Polo - Info.nl" Cc: "keycloak-user at lists.jboss.org" Subject: Re: [keycloak-user] Internal System Error on screens when a code is expired Try 3.2 there's been improvements around this On 5 July 2017 at 13:33, Federico Navarro Polo - Info.nl > wrote: Hello, There are some screens / links generated by Keycloak that make use of an authorization code, like registration link, forgotten password link, verification link, etc. When those codes expire or a code is already used, the feedback to the user will be just an Internal Server Error screen. This is not very user friendly, since the user doesn?t know what he has done wrong (eg: a simple refresh on the register page will trigger the issue). I wonder if there is a simple way to modify this behavior, and for instance show a different error message informing of the actual problem (eg: the code is invalid. Please go to {link} to restart the process), or this is really a new functionality to be requested to the Keycloak team via JIRA. Regards, Federico _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From federico at info.nl Thu Jul 13 03:57:03 2017 From: federico at info.nl (Federico Navarro Polo - Info.nl) Date: Thu, 13 Jul 2017 07:57:03 +0000 Subject: [keycloak-user] Recommended way to import user accounts with external identity provider information? In-Reply-To: References: <72DC34C5-A442-441F-9BCC-57A9405A70C5@info.nl> Message-ID: <6C23B81F-FEAA-41FB-8D5E-033D41FF654C@info.nl> Yes, it does indeed work, and the content of the exports was correct as well. The problem I was having was because I was using different Facebook apps to do the test. When keeping the Facebook app the same, there is no problem, which makes sense. Regards, Federico On 23/06/17 08:15, "Marek Posolda" wrote: I think it should work - unless we have a bug :) The question is if "userId" and "userName" are really filled correctly in your JSON? I suggest that you try to setup some Keycloak environment from scratch and do facebook login there. Then you can doublecheck the content from DB and how the federated link in Keycloak DB looks like. You can also export Keycloak DB and re-import to clean DB and then doublecheck if Facebook login still works after export/import. If this works, you can compare the exported JSON with your own JSON file and doublecheck if "userId" and "userName" matches. Marek On 22/06/17 15:20, Federico Navarro Polo - Info.nl wrote: > Hello, > > I?m facing currently a migration scenario where I have a group of users which need to be imported from a different system into Keycloak. For regular users everything works fine, but I wonder what would be the best approach for users which authenticate via external identity providers (eg: facebook) in order to make the transition as transparent as possible for the users (ideally, no interaction at all). > > From the source system, I have access to the facebook user id and email address, so first I tried to include that as federated identity in the users import: > > { > "realm": "test", > "users": [ > { > "createdTimestamp" : 1476191007295, > "username" : "somebody at somewhere.com", > "enabled" : true, > "totp" : false, > "emailVerified" : true, > "firstName" : "Test", > "lastName" : "Test", > "email" : "somebody at somewhere.com", > "credentials" : [ ], > "disableableCredentialTypes" : [ ], > "requiredActions" : [ ], > "federatedIdentities" : [ { > "identityProvider" : "facebook", > "userId" : "0123456789", > "userName" : "somebody at somewhere.com", > } ], > "realmRoles" : [ "offline_access", "uma_authorization" ], > "clientRoles" : { > "account" : [ "manage-account", "view-profile" ] > } > } > ] > } > > , which imports fine, and I can see the link in the admin console, but when attempting to login using Facebook, Keycloak ignores that data and redirects to the ?Account linking? screen (and in that case, if I follow the process, then I get a DB exception due to duplicate key). So it seems the best way is to not import the Facebook details, and when the user tries to login with Facebook, then the standard account linking process will be triggered, which is not ideal in a migration. > > I suppose there is some extra logic which is not taking place when doing the import as opposed to creating a new account from scratch or creating the identity provider link manually in the admin console, but can?t figure out what is it. Is there any possible way to avoid the account linking step? > > Met vriendelijke groet, > > Federico Navarro > > backend developer > > federico at info.nl | LinkedIn | +31 (0)2 05 30 91 61 > > info.nl > > Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From K.Buler at adbglobal.com Thu Jul 13 04:40:42 2017 From: K.Buler at adbglobal.com (Karol Buler) Date: Thu, 13 Jul 2017 10:40:42 +0200 Subject: [keycloak-user] Increasing logging for debugging "Internal Server Error" response In-Reply-To: References: Message-ID: <1930a3f7-121e-dfc8-d108-5d72d685bced@adbglobal.com> Keycloak is running on Wildfly, so go to /standalone/configuration folder and edit "standalone.xml" file. Section "urn:jboss:domain:logging:3.0" and change CONSOLE logging from INFO to e.g. DEBUG. On 12.07.2017 20:39, Holtgrewe, Manuel wrote: > Dear all, > > I have some grief with my Keycloak 3.2.0.Final setup. > > I have setup my instance and connected it to my organization's AD and this part works well. > > I am now trying to connect a client application (that supports OAuth 2) to the Keycloak instance. The application redirects me to the Keycloak login and after successful login, I'm redirected back to the app. So far so good. > > The app then tries to do the equivalent of the following. > > curl -k --data "refresh_token=SOMEVERYLONGTOKEN&grant_type=refresh_token&client_secret=eeBoTh2hoMifooDaiyig&client_id=igv" https://KEYCLOAK.MYORGA.NET/auth/realms/MYREALM/protocol/openid-connect/token > > from this, the app gets a "HTTP 500" response and the curl also displays "ErrorInternal Server Error". > > I'm running keycloak as a standalone app and so far did not succeed in debugging the problem. How can I increase log levels as to see where things are going bad? > > Thanks, > Manuel > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user [https://www.adbglobal.com/wp-content/uploads/adb.png] connecting lives connecting worlds From anunay.sinha at arvindinternet.com Thu Jul 13 05:52:53 2017 From: anunay.sinha at arvindinternet.com (Anunay Sinha) Date: Thu, 13 Jul 2017 09:52:53 +0000 Subject: [keycloak-user] Password reset link expires after clicking it once Message-ID: Hi We are sending the reset password link. Once you click on the link and for some reason do not complete the action of reseting the password, and then try again with same link it gives the following error We're *sorry* ... An error occurred, please login again through your application. There is already an issue raised and its states to be fixed in 1.9.0 I am using 2.4.0 and am still facing this issue Is this a configuration that I need to take care of? From hmlnarik at redhat.com Thu Jul 13 05:58:43 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Thu, 13 Jul 2017 11:58:43 +0200 Subject: [keycloak-user] Password reset link expires after clicking it once In-Reply-To: References: Message-ID: This has been changed in 3.2. Please upgrade and try with the latest version. --Hynek On Thu, Jul 13, 2017 at 11:52 AM, Anunay Sinha wrote: > Hi > We are sending the reset password link. > Once you click on the link and for some reason do not complete the action > of reseting the password, and then try again with same link it gives the > following error > > We're *sorry* ... > An error occurred, please login again through your application. > > > There is already an issue raised and its states to be fixed in 1.9.0 > > I am using 2.4.0 and am still facing this issue > > Is this a configuration that I need to take care of? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From petervn1 at yahoo.com Thu Jul 13 08:29:56 2017 From: petervn1 at yahoo.com (Peter Nalyvayko) Date: Thu, 13 Jul 2017 12:29:56 +0000 (UTC) Subject: [keycloak-user] Identity provider, keycloak js adapter and session management References: <559623611.4196979.1499948996529.ref@mail.yahoo.com> Message-ID: <559623611.4196979.1499948996529@mail.yahoo.com> Thanks, Marek. -------------------------------------------- On Wed, 7/12/17, Marek Posolda wrote: Subject: Re: [keycloak-user] Identity provider, keycloak js adapter and session management To: "Peter Nalyvayko" , keycloak-user at lists.jboss.org Date: Wednesday, July 12, 2017, 7:17 AM There was some related fix in latest master https://issues.jboss.org/browse/KEYCLOAK-5139 . However your issue with iframe looks like something different. Feel free to create JIRA if it won't help. Ideally you can also send PR. We have tests for pairwise in OIDCPairwiseClientRegistrationTest.java and there are some IFrame related tests in LoginStatusIframeEndpointTest . Marek On 07/07/17 18:06, Peter Nalyvayko wrote: Some additional info: we can also reproduce the same behavior using the Pairwise subject identifier, i.e. users keep getting logged out after 5 seconds. -------------------------------------------- On Thu, 7/6/17, Peter Nalyvayko wrote: Subject: Identity provider, keycloak js adapter and session management To: keycloak-user at lists.jboss.org Date: Thursday, July 6, 2017, 12:10 PM Hi, We've hit a bit of a snag while setting up our one page js client. Changing the value of the "sub" claim to anything other than the unique identifier of the keycloak user causes the keycloak adapter to detect the changes to the session and clear out the tokens, forcing the users to re-log in after every 5 seconds. We are using the version 2.3.0 of keycloak. Our app is set up to use keycloak.js adapter for all things related to OIDC. The adapter is configured to use the "code authorization" (standard) flow. The instance of keycloak is configured to use an external OIDC identity provider and the users are uniquely identified by their e-mails. Naturally, we wanted that the "sub" claim in the claim set returned by calling the keycloak's OIDC /token endpoint would return the unique identity of the external user rather than the internal identifier of the keycloak user, so we re-configured the keycloak client by adding a property mapper to map the user's email to the "sub" claim, here the example of the access token: { ? "sub": "user at company.com", ? "iat": 223235098325, ? "email": "user at company.com", ? ... } Once we had implemented these changes on the keycloak side, our users were able to initially sign into the application, but when they tried to access any functionality within the app, they would be prompted to sign in again. The problem seems to related to the OIDC session management and the assumption and the "sub" claim always matches the keycloak user's unique identifier. We narrowed the problem down to four components: - keycloak.js - login-status-iframe.html - services\srv\main\java\org\keycloak\protocol\oidc\endpoints\LoginStatusIframeEndpoint.java - services\src\main\java\org\keycloak\services\managers\AuthenticationManager.java In keycloak.js, line 637, the implementation creates a session id to be used to check the session state. Notice that the code uses the value from the "sub" claim: ? var sessionId = kc.realm + "/" + kc.tokenParsed.sub; ? In AuthenticationManager.createLoginCookie, line 306, the value of the "SESSION_COOKIE" is set to: ? String sessionCookieValue = realm.getName() + "/" + user.getId(); Sadly, in our configuration, the value returned of by user.getId() is not the same as the value stored in the "sub" claim, thus causing the session management code in login-status-iframe.html, line 53 to clear out any tokens and force the users to re-login the next time it checks the session state (default is 5 second intervals): ? var cookie = getCookie(); ? if (sessionState == cookie) { ... } else { callback("changed"); }? Looking at the LoginStatusIframeEndpoint.preCheck (LoginSatusIframeEndpoint.java, lines 71-93), we've noticed that the implementation does not even make use of the user identity, only the session id. The workaround, at least temporary, for us was to add the "id" claim containing the user identity internal to keycloak, and modify the keycloak JS adapter code to look for the "id" claim and use its value instead of the value in the "sub" claim when creating the session id, i.e.: ? ? var sessionId; ? if (kc.tokenParsed.id) { ? ? ? sessionId = kc.realm + "/" + kc.tokenParsed.id; ? } else { ? ? ? sessionId = kc.realm + "/" + kc.tokenParsed.sub; ? } Is this a bug, or does it work as intended, i.e. the users should never set the "sub" claim to anything other than the keycloak's user identity? If this is a bug, I can submit a JIRA request and a fix as long as the workaround above seems like an acceptable solution Any comments are welcome Regards, Peter _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From kirmerzlikin at gmail.com Thu Jul 13 10:03:37 2017 From: kirmerzlikin at gmail.com (Kir Merzlikin) Date: Thu, 13 Jul 2017 07:03:37 -0700 (MST) Subject: [keycloak-user] Idle connections are not closed Message-ID: <1499954617778-3948.post@n6.nabble.com> Hi all, I deploy Keycloak server app to Cloud Foundry and use ClearDB service as relational database for Keycloak. ClearDB has a restriction, that it closes all connections, that are idle for 90 seconds. To not run into the situation, when Keycloak tries to use closed connection, I've added following datasource configuration (based on Pivotal recommendations ): But even after applying this configuration I see in the ClearDB management console that idle connections are closed only after 90 seconds and not after 60 seconds (1 minute) as it's specified with "idle-timeout-minutes" parameter. So, have anybody of you faced similar situation? Or maybe you have some ideas why these idle connections are not being closed. Thanks. -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Idle-connections-are-not-closed-tp3948.html Sent from the keycloak-user mailing list archive at Nabble.com. From thomas at recloux.fr Thu Jul 13 10:44:32 2017 From: thomas at recloux.fr (Thomas Recloux) Date: Thu, 13 Jul 2017 16:44:32 +0200 Subject: [keycloak-user] Customize admin console to support custom attributes Message-ID: <1499957072.1860837.1039806232.4FD36FF0@webmail.messagingengine.com> Hi All, Is there a way to extend the admin console in order to support more attributes than email, first name and last name ? We'd like to offer a guided UI, compared to the "attributes" tab. Thank you, Thomas From kirmerzlikin at gmail.com Thu Jul 13 11:02:10 2017 From: kirmerzlikin at gmail.com (=?UTF-8?B?0JrQuNGAINCc0LXRgNC30LvQuNC60LjQvQ==?=) Date: Thu, 13 Jul 2017 18:02:10 +0300 Subject: [keycloak-user] Idle connections are not closed Message-ID: Hi all, I deploy Keycloak server app to Cloud Foundry and use ClearDB service as relational database for Keycloak. ClearDB has a restriction, that it closes all connections, that are idle for 90 seconds. To not run into the situation, when Keycloak tries to use closed connection, I've added following datasource configuration (based on Pivotal recommendations ): - - - - - - - - -

jdbc:mysql:// blah.cleardb.net/blah?user=blah&password=blah

mysql

true

- - - - - - - - - But even after applying this configuration I see in the ClearDB management console that idle connections are closed only after 90 seconds and not after 60 seconds (1 minute) as it's specified with "idle-timeout-minutes" parameter. So, have anybody of you faced similar situation? Or maybe you have some ideas why these idle connections are not being closed. Thanks. Kir From Nicolas.Geadah at vec.virginia.gov Thu Jul 13 11:42:15 2017 From: Nicolas.Geadah at vec.virginia.gov (Geadah, Nicolas (VEC)) Date: Thu, 13 Jul 2017 15:42:15 +0000 Subject: [keycloak-user] User Name Complexity Message-ID: There seems to be no "out-of-the-box" support for username complexity requirements; as such, users can register with usernames as short as 1 character, which is problematic and potentially unsafe in a production environment. What is the best way to enforce a set of username complexity requirements, such as minimum/maximum length - presence of numeric/special characters - etc. Thank you From bburke at redhat.com Thu Jul 13 14:11:49 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 13 Jul 2017 14:11:49 -0400 Subject: [keycloak-user] User Name Complexity In-Reply-To: References: Message-ID: <688ee9c0-f5af-cb03-43ae-732a7ac05656@redhat.com> We don't have a way of doing this out of the box. If you're talking about browser-based registration through our registration screens, you'll have to extend this flow to validate usernames to the restrictions you want to enforce. On 7/13/17 11:42 AM, Geadah, Nicolas (VEC) wrote: > There seems to be no "out-of-the-box" support for username complexity requirements; as such, users can register with usernames as short as 1 character, which is problematic and potentially unsafe in a production environment. > > What is the best way to enforce a set of username complexity requirements, such as minimum/maximum length - presence of numeric/special characters - etc. > > Thank you > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Thu Jul 13 14:13:19 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 13 Jul 2017 14:13:19 -0400 Subject: [keycloak-user] Customize admin console to support custom attributes In-Reply-To: <1499957072.1860837.1039806232.4FD36FF0@webmail.messagingengine.com> References: <1499957072.1860837.1039806232.4FD36FF0@webmail.messagingengine.com> Message-ID: <70ff0924-6893-4721-e77a-f0ef55dc9f80@redhat.com> Its possible, but we don't have a nice way of extending the admin console other than just modifying things yourself with a custom theme. On 7/13/17 10:44 AM, Thomas Recloux wrote: > Hi All, > > Is there a way to extend the admin console in order to support more > attributes than email, first name and last name ? > > We'd like to offer a guided UI, compared to the "attributes" tab. > > Thank you, Thomas > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Thu Jul 13 14:14:46 2017 From: bburke at redhat.com (Bill Burke) Date: Thu, 13 Jul 2017 14:14:46 -0400 Subject: [keycloak-user] Idle connections are not closed In-Reply-To: <1499954617778-3948.post@n6.nabble.com> References: <1499954617778-3948.post@n6.nabble.com> Message-ID: <7d72f4ab-e4ea-0f8e-39d0-1ade983563f8@redhat.com> You'll have to dive into Wildfly/JBoss EAP datasource configuration documentation. I know there are a multitude of connection pool switches you can specify. On 7/13/17 10:03 AM, Kir Merzlikin wrote: > Hi all, > > I deploy Keycloak server app to Cloud Foundry and use ClearDB service as > relational database for Keycloak. > > ClearDB has a restriction, that it closes all connections, that are idle for > 90 seconds. > To not run into the situation, when Keycloak tries to use closed connection, > I've added following datasource configuration (based on Pivotal > recommendations > > ): > > > > But even after applying this configuration I see in the ClearDB management > console that idle connections are closed only after 90 seconds and not after > 60 seconds (1 minute) as it's specified with "idle-timeout-minutes" > parameter. > > So, have anybody of you faced similar situation? Or maybe you have some > ideas why these idle connections are not being closed. > > Thanks. > > > > > > -- > View this message in context: http://keycloak-user.88327.x6.nabble.com/Idle-connections-are-not-closed-tp3948.html > Sent from the keycloak-user mailing list archive at Nabble.com. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From john.d.ament at gmail.com Thu Jul 13 14:37:15 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Thu, 13 Jul 2017 18:37:15 +0000 Subject: [keycloak-user] Keycloak Cookies Message-ID: Hi, I have a use case where I need to login to my app via keycloak, but using my app's login screen. We've been using the OIDC endpoint in keycloak via a POST to authenticate the user and get an accesstoken/refreshtoken back. However, we're seeing that its then very hard to actually get into a keycloak screen (which we use to do account management). So I was wondering, is there something in the JS adapter that should fix this? We don't see any of the keycloak cookies being set. John From mposolda at redhat.com Thu Jul 13 15:49:43 2017 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 13 Jul 2017 21:49:43 +0200 Subject: [keycloak-user] error=pkce_verification_failed In-Reply-To: <61C6D20E-C2F7-4A8E-A281-6263DEABB2A8@info.nl> References: <285AAEA2-C62A-4235-BC7D-4AB99F93A412@info.nl> <67434e71-ba6a-18a1-cca2-fd6c93dc1882@redhat.com> <61C6D20E-C2F7-4A8E-A281-6263DEABB2A8@info.nl> Message-ID: <7695a412-aab1-1a39-a18d-14ea7c3b9c38@redhat.com> On 13/07/17 09:53, Federico Navarro Polo - Info.nl wrote: > Unfortunately, I got the same with 3.1.0.Final and 3.2.0.Final. > > When you say disabling PKCE for the adapter, you mean the client connecting to Keycloak, right? In our case, that would be configuration in AppAuth. Yes. Especially to ensure that parameters like "code_challenge" not present in initial request to Keycloak. Marek > > Regards, > Federico > > On 11/07/17 22:56, "Marek Posolda" wrote: > > Still I would try to upgrade to 3.2.0.Final if possible. AFAIK there was > some related fixes in there, so worth to try if it's not a lot of work > for you. Otherwise workaround is to disable PKCE for your adapter, which > will also remove all related parameters from the initial request to > Keycloak. > > Marek > > On 11/07/17 16:38, Federico Navarro Polo - Info.nl wrote: > > Hello, > > > > After upgrading our Keycloak version to 3.1.0, we?ve started seeing the following error in one of our use cases (using AppAuth). > > > > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE supporting Client, codeVerifier = KX3heFUICMscL03Xv_STmf5hgRSsvm5VxnN0DIQob5wRAIGFyVqCn6hQ6w9exPyUtFaMcue1Uole-bTdHP6KaA > > 2017-07-11 16:21:12,134 DEBUG [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE codeChallengeMethod = S256 > > 2017-07-11 16:21:12,135 WARN [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-24) PKCE verification failed. authUserId = a71bd8ee-fe4b-4259-81c5-5e8e09940f47, authUsername = someone at somewhere.nl > > 2017-07-11 16:21:12,136 WARN [org.keycloak.events] (default task-24) type=CODE_TO_TOKEN_ERROR, realmId=x, clientId=x, userId=a71bd8ee-fe4b-4259-81c5-5e8e09940f47, ipAddress=x.x.x.x, error=pkce_verification_failed, grant_type=authorization_code, code_id=1cf7b8f2-5462-4cf4-a228-ba0cc4501e82, client_auth_method=client-secret > > > > > > I saw this bug report, which could be related to the issue (still open for 3.2.0 as well): https://issues.jboss.org/browse/KEYCLOAK-4956 > > > > Is it possible to disable PKCE from Keycloak configuration? > > > > > > Met vriendelijke groet, > > > > Federico Navarro > > > > backend developer > > > > federico at info.nl | LinkedIn | +31 (0)2 05 30 91 61 > > > > info.nl > > > > Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From kirmerzlikin at gmail.com Thu Jul 13 17:25:07 2017 From: kirmerzlikin at gmail.com (=?UTF-8?B?0JrQuNGAINCc0LXRgNC30LvQuNC60LjQvQ==?=) Date: Fri, 14 Jul 2017 00:25:07 +0300 Subject: [keycloak-user] Idle connections are not closed In-Reply-To: <7d72f4ab-e4ea-0f8e-39d0-1ade983563f8@redhat.com> References: <1499954617778-3948.post@n6.nabble.com> <7d72f4ab-e4ea-0f8e-39d0-1ade983563f8@redhat.com> Message-ID: Hi Bill, Yes, I have read a lot of documentation articles and manuals regarding datasource configuration today. Basing on this material, I've created following config, which should work as I want: - - - - - - - - -

jdbc:mysql://blah.cleardb.net/blah?user= blah&password=blah

mysql

true

- - - - - - - - - But the fact is that idle connections are still able to live to 90 seconds limit, instead of 1 minute. My suggestions was that connection was not closed by some Keycloak code and then returned to the connection pool, where it wasn't considered idle and was not "closed" (terminated). Could you please share your thoughts on this? Thanks. On Thu, Jul 13, 2017 at 9:14 PM, Bill Burke wrote: > You'll have to dive into Wildfly/JBoss EAP datasource configuration > documentation. I know there are a multitude of connection pool switches > you can specify. > > > On 7/13/17 10:03 AM, Kir Merzlikin wrote: > > Hi all, > > > > I deploy Keycloak server app to Cloud Foundry and use ClearDB service as > > relational database for Keycloak. > > > > ClearDB has a restriction, that it closes all connections, that are idle > for > > 90 seconds. > > To not run into the situation, when Keycloak tries to use closed > connection, > > I've added following datasource configuration (based on Pivotal > > recommendations > > Suggested-Configuration-for-Connection-Pools-using-ClearDb> > > ): > > > > > > > > But even after applying this configuration I see in the ClearDB > management > > console that idle connections are closed only after 90 seconds and not > after > > 60 seconds (1 minute) as it's specified with "idle-timeout-minutes" > > parameter. > > > > So, have anybody of you faced similar situation? Or maybe you have some > > ideas why these idle connections are not being closed. > > > > Thanks. > > > > > > > > > > > > -- > > View this message in context: http://keycloak-user.88327.x6. > nabble.com/Idle-connections-are-not-closed-tp3948.html > > Sent from the keycloak-user mailing list archive at Nabble.com. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- ? ?????????, ????????? ?????? From mevans at aconex.com Thu Jul 13 19:11:08 2017 From: mevans at aconex.com (Matt Evans) Date: Thu, 13 Jul 2017 23:11:08 +0000 Subject: [keycloak-user] Upgrading from 2.5.4 to 3.2.0 Message-ID: Hi We're looking to upgrade keycloak from 2.5.4 to 3.2.0, but I noticed in the liquibase changesets that one of the changes in 3.2.0 jpa changelog the column OFFLINE_CLIENT_SESSION has been deleted in the OFFLINE_CLIENT_SESSION table. My question is how will 2.5.4 handle that column missing if we update the schema first? I've tested this scenario in our environment and it seems to work, but we don't request offline tokens. Will that be enough to ensure that we won't get failures because of the missing column? Thanks Matt From john.d.ament at gmail.com Thu Jul 13 22:27:19 2017 From: john.d.ament at gmail.com (John D. Ament) Date: Fri, 14 Jul 2017 02:27:19 +0000 Subject: [keycloak-user] Automatically logging in after performing an Update Password Message-ID: Hi, Based on the Required Actions guide ( https://keycloak.gitbooks.io/documentation/server_admin/topics/users/required-actions.html) we've implemented a custom required action that acts a lot like Update Password (it performs a few other sync items for us). One of our needs is to automatically log the user in to their destination application upon setting this password. This was working for us in 3.1 by creating a custom template that was rendered upon the completion of the Update Password action that forwarded the user to our application and set the necessary cookies. This no longer works in 3.2. We believe it has to do with the ability to reuse required action links. Before, the link was one time use so it was only working once, however our need is to make those links work unlimited times until consumed. By setting a new challenge to the user after updating their password, the token is no longer being marked as consumed and the link remains working. So I was wondering, what other ways could we achieve this behavior? It sounds like a challenge isn't the right approach. John From hmlnarik at redhat.com Fri Jul 14 00:20:09 2017 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Fri, 14 Jul 2017 06:20:09 +0200 Subject: [keycloak-user] Idle connections are not closed In-Reply-To: References: <1499954617778-3948.post@n6.nabble.com> <7d72f4ab-e4ea-0f8e-39d0-1ade983563f8@redhat.com> Message-ID: Can you inspect commands running in expectedly idle connections in MySQL via SHOW FULL PROCESSLIST? Have you changed any other datasource- and transaction-related configuration? Thanks On Thu, Jul 13, 2017 at 11:25 PM, ??? ????????? wrote: > Hi Bill, > > Yes, I have read a lot of documentation articles and manuals regarding > datasource configuration today. > Basing on this material, I've created following config, which should work > as I want: > > - - - - - - - - - > pool-name="KeycloakDS" enabled="true" use-java-context="true"> > jdbc:mysql://blah.cleardb.net/blah?user= > blah&password=blah > mysql > > 1 > 10 > > > 1 > > > true > > > > > - - - - - - - - - > > But the fact is that idle connections are still able to live to 90 seconds > limit, instead of 1 minute. > > My suggestions was that connection was not closed by some Keycloak code and > then returned to the connection pool, where it wasn't considered idle and > was not "closed" (terminated). > > Could you please share your thoughts on this? > > Thanks. > > > On Thu, Jul 13, 2017 at 9:14 PM, Bill Burke wrote: > >> You'll have to dive into Wildfly/JBoss EAP datasource configuration >> documentation. I know there are a multitude of connection pool switches >> you can specify. >> >> >> On 7/13/17 10:03 AM, Kir Merzlikin wrote: >> > Hi all, >> > >> > I deploy Keycloak server app to Cloud Foundry and use ClearDB service as >> > relational database for Keycloak. >> > >> > ClearDB has a restriction, that it closes all connections, that are idle >> for >> > 90 seconds. >> > To not run into the situation, when Keycloak tries to use closed >> connection, >> > I've added following datasource configuration (based on Pivotal >> > recommendations >> > > Suggested-Configuration-for-Connection-Pools-using-ClearDb> >> > ): >> > >> > >> > >> > But even after applying this configuration I see in the ClearDB >> management >> > console that idle connections are closed only after 90 seconds and not >> after >> > 60 seconds (1 minute) as it's specified with "idle-timeout-minutes" >> > parameter. >> > >> > So, have anybody of you faced similar situation? Or maybe you have some >> > ideas why these idle connections are not being closed. >> > >> > Thanks. >> > >> > >> > >> > >> > >> > -- >> > View this message in context: http://keycloak-user.88327.x6. >> nabble.com/Idle-connections-are-not-closed-tp3948.html >> > Sent from the keycloak-user mailing list archive at Nabble.com. >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > ? ?????????, > ????????? ?????? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- --Hynek From kirmerzlikin at gmail.com Fri Jul 14 01:07:05 2017 From: kirmerzlikin at gmail.com (=?UTF-8?B?0JrQuNGAINCc0LXRgNC30LvQuNC60LjQvQ==?=) Date: Fri, 14 Jul 2017 08:07:05 +0300 Subject: [keycloak-user] Idle connections are not closed In-Reply-To: References: <1499954617778-3948.post@n6.nabble.com> <7d72f4ab-e4ea-0f8e-39d0-1ade983563f8@redhat.com>

Message-ID: