From testoauth55 at gmail.com Wed Aug 1 00:31:04 2018
From: testoauth55 at gmail.com (Test Oauth)
Date: Wed, 1 Aug 2018 10:01:04 +0530
Subject: [keycloak-user] KEYCLOAK_SESSION cookie not getting set in Keycloak 4.1.0. Was getting set in Keycloak 3.4.3
Message-ID:

In Keycloak 3.4.3: the first time I run the app, the AUTH_SESSION_ID, KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookies are set, and the next time I run the app (before the session idle timeout) I do not have to re-login, as the session cookie has a valid session.

In Keycloak 4.1.0: the first time I run the app and log in, the AUTH_SESSION_ID cookie is set. The next time I run the app, a KC_RESTART cookie gets set and I am presented the login form again.

My assumption is that the KC_RESTART cookie gets set because there is no valid KEYCLOAK_SESSION cookie. Am I right? How can I resolve this issue? I am sure there is some config I have missed.

From testoauth55 at gmail.com Wed Aug 1 03:06:16 2018
From: testoauth55 at gmail.com (Test Oauth)
Date: Wed, 1 Aug 2018 12:36:16 +0530
Subject: [keycloak-user] Obtaining KeycloakSecurityContext in case of Desktop applications (KeycloakInstalled adapter)
Message-ID:

How can I obtain KeycloakSecurityContext in the case of desktop applications (KeycloakInstalled adapter)? I read the documentation for KeycloakSecurityContext, https://www.keycloak.org/docs/3.3/authorization_services/topics/enforcer/authorization-context.html, but it relies on the servlet request. How can I obtain KeycloakSecurityContext if I am using Keycloak to secure my desktop apps with the KeycloakInstalled adapter? I need it as my desktop apps interact with a server through RMI and I want to be able to do authorization on these calls.
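The desktop scenario described in the question above (KeycloakInstalled on the client, authorization decided on an RMI server), as an added illustration that is not part of the list thread and not Keycloak's own documentation code: the client logs in with KeycloakInstalled and sends the access-token string along with each RMI call; the server verifies that token against its own keycloak.json deployment, wraps it in a KeycloakSecurityContext (the same class the servlet adapters attach to the request) and checks a realm role before doing the work. The `Inventory` RMI interface, the `items:read` role name and the keycloak.json path are assumptions made up for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.util.Arrays;
import java.util.List;

import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.installed.KeycloakInstalled;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;

// Hypothetical RMI contract for this example: every call carries the bearer token as its first argument.
interface Inventory extends Remote {
    List<String> listItems(String accessToken) throws RemoteException;
}

// Desktop side: KeycloakInstalled runs the browser login and keeps the tokens in memory.
class DesktopClient {
    // Default constructor reads META-INF/keycloak.json from the classpath.
    private final KeycloakInstalled keycloak = new KeycloakInstalled();

    List<String> fetchItems(Inventory remote) throws Exception {
        keycloak.loginDesktop();                               // interactive login via the system browser
        return remote.listItems(keycloak.getTokenString());    // the raw access token JWT travels with the RMI call
    }
}

// Server side: rebuild a KeycloakSecurityContext from the token string instead of from a servlet request.
class InventoryImpl implements Inventory {
    private final KeycloakDeployment deployment;

    InventoryImpl(String keycloakJsonPath) throws Exception {
        // Assumed: a bearer-only adapter config for the server application.
        try (InputStream in = new FileInputStream(keycloakJsonPath)) {
            deployment = KeycloakDeploymentBuilder.build(in);
        }
    }

    // Signature (against the realm's rotating public keys), issuer and expiry are checked here.
    KeycloakSecurityContext securityContext(String tokenString) throws VerificationException {
        AccessToken token = AdapterTokenVerifier.verifyToken(tokenString, deployment);
        return new KeycloakSecurityContext(tokenString, token, null, null); // no ID token on the server side
    }

    @Override
    public List<String> listItems(String accessToken) throws RemoteException {
        try {
            KeycloakSecurityContext ctx = securityContext(accessToken);
            AccessToken.Access realm = ctx.getToken().getRealmAccess();
            // Role name is an assumption for this example; use whatever role/scope your realm defines.
            if (realm == null || !realm.isUserInRole("items:read")) {
                throw new RemoteException("forbidden: missing realm role items:read");
            }
            return Arrays.asList("widget", "gadget");          // constructed sample payload
        } catch (VerificationException e) {
            // Report the failure class only; do not echo the token back to the caller.
            throw new RemoteException("unauthenticated: " + e.getMessage(), e);
        }
    }
}
```

The token should be treated like any other bearer credential: the RMI transport needs TLS, the client should call `keycloak.refreshToken()` before the access token expires rather than reusing a stale one, and the server must verify every call itself, since nothing in RMI does that for it.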
From dt at acutus.pro Wed Aug 1 04:21:35 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 01 Aug 2018 11:21:35 +0300
Subject: [keycloak-user] Need info for network security
In-Reply-To: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0BC9@IN-BLR-DAGND3.corp.capgemini.com>
References: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0748@IN-BLR-DAGND3.corp.capgemini.com> <1533002501.5207.12.camel@acutus.pro> <0CCF50CABB0BC0438C7672FC2C769FB4D88E0BC9@IN-BLR-DAGND3.corp.capgemini.com>
Message-ID: <1533111695.5051.1.camel@acutus.pro>

On Tue, 2018-07-31 at 13:34 +0000, Pakira, Ranjan wrote:
> Hi,
>
> Thanks for your input.
>
> Could you please help to share how the stored user data is secured, is any hashing mechanism used?

By default, Keycloak stores password hashes using the PBKDF2 algorithm: https://en.wikipedia.org/wiki/PBKDF2

The algorithms are pluggable, and can be added by implementing PasswordHashProvider.

Dmitry

> Thanks in advance!
>
> Regards,
> Ranjan
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Tuesday, July 31, 2018 7:32 AM
> To: Pakira, Ranjan; 'keycloak-user at lists.jboss.org'
> Cc: Hammarberg, Daniel; Sanyal, Sabyasachi
> Subject: Re: [keycloak-user] Need info for network security
>
> Hi Ranjan,
>
> On Mon, 2018-07-30 at 08:00 +0000, Pakira, Ranjan wrote:
> > Hi,
> > We are planning to set up Keycloak in a new network and the network security team needs some information. Can you please help us with the answers to the following queries?
> >
> > How is this user data secured at rest and in transit?
>
> It is recommended that the data in transit be protected with SSL/TLS.
> It can be configured either in Keycloak or (preferably) on the reverse proxy / load balancer side.
>
> OpenID Connect and REST services use JSON message format. No additional protection is involved aside from SSL/TLS.
>
> SAML protocol can use additional message-level security, like encrypted/signed assertions.
>
> > How is in control of Keyclock?
> > and do you have the correct process around access, starters, movers, leavers etc?
>
> If you meant "who is in control of Keycloak", it is developed by Red Hat with contributions from the community. I'd suggest that you contact Red Hat directly re the process.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > Thanks & Regards,
> > Ranjan Pakira
> >
> > This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From ranjan.pakira at capgemini.com Wed Aug 1 04:27:51 2018
From: ranjan.pakira at capgemini.com (Pakira, Ranjan)
Date: Wed, 1 Aug 2018 08:27:51 +0000
Subject: [keycloak-user] Need info for network security
In-Reply-To: <1533111695.5051.1.camel@acutus.pro>
References: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0748@IN-BLR-DAGND3.corp.capgemini.com> <1533002501.5207.12.camel@acutus.pro> <0CCF50CABB0BC0438C7672FC2C769FB4D88E0BC9@IN-BLR-DAGND3.corp.capgemini.com> <1533111695.5051.1.camel@acutus.pro>
Message-ID: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0D65@IN-BLR-DAGND3.corp.capgemini.com>

Hi Dmitry,

Thanks for your help!
Kind Regards,
Ranjan

-----Original Message-----
From: Dmitry Telegin [mailto:dt at acutus.pro]
Sent: Wednesday, August 01, 2018 1:52 PM
To: Pakira, Ranjan; 'keycloak-user at lists.jboss.org'
Cc: Hammarberg, Daniel; Sanyal, Sabyasachi
Subject: Re: [keycloak-user] Need info for network security

On Tue, 2018-07-31 at 13:34 +0000, Pakira, Ranjan wrote:
> Hi,
>
> Thanks for your input.
>
> Could you please help to share how the stored user data is secured, is any hashing mechanism used?

By default, Keycloak stores password hashes using the PBKDF2 algorithm: https://en.wikipedia.org/wiki/PBKDF2

The algorithms are pluggable, and can be added by implementing PasswordHashProvider.

Dmitry

> Thanks in advance!
>
> Regards,
> Ranjan
>
> -----Original Message-----
> From: Dmitry Telegin [mailto:dt at acutus.pro]
> Sent: Tuesday, July 31, 2018 7:32 AM
> To: Pakira, Ranjan; 'keycloak-user at lists.jboss.org'
> Cc: Hammarberg, Daniel; Sanyal, Sabyasachi
> Subject: Re: [keycloak-user] Need info for network security
>
> Hi Ranjan,
>
> On Mon, 2018-07-30 at 08:00 +0000, Pakira, Ranjan wrote:
> > Hi,
> > We are planning to set up Keycloak in a new network and the network security team needs some information. Can you please help us with the answers to the following queries?
> >
> > How is this user data secured at rest and in transit?
>
> It is recommended that the data in transit be protected with SSL/TLS.
> It can be configured either in Keycloak or (preferably) on the reverse proxy / load balancer side.
>
> OpenID Connect and REST services use JSON message format. No additional protection is involved aside from SSL/TLS.
>
> SAML protocol can use additional message-level security, like encrypted/signed assertions.
>
> > How is in control of Keyclock? and do you have the correct process around access, starters, movers, leavers etc?
>
> If you meant "who is in control of Keycloak", it is developed by Red Hat with contributions from the community.
> I'd suggest that you contact Red Hat directly re the process.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > Thanks & Regards,
> > Ranjan Pakira
> >
> > This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From robert.smol at stereoit.com Wed Aug 1 04:38:19 2018
From: robert.smol at stereoit.com (Robert Smol)
Date: Wed, 1 Aug 2018 10:38:19 +0200
Subject: [keycloak-user] Auth0 Lock alternative
In-Reply-To:
References:
Message-ID:

Marek, thanks for the hints. When building the form, how do I get to know which social providers are available?

I mean on Keycloak we have a username+password + social providers form. I definitely need to allow the users to log in with Facebook, Google+ and others.

This is an example of our customised form directly on the Keycloak:
http://account.eventival.me/auth/realms/test/protocol/openid-connect/auth?client_id=backoffice&redirect_uri=http%3A%2F%2Feventival.local%3A8000%2F%2Fbackoffice_dev.php%2Fsso-cb&scope=openid+email+profile+phone+address&response_type=code

Robert

On Tue, Jul 31, 2018 at 10:10 PM Marek Posolda wrote:
> Hi,
>
> you can either look at our Themes functionality if you want to customize the look and feel of the login page (See the docs and examples for the details).
> In this case, the page will still be displayed by the Keycloak server, it will just have a different L&F.
>
> The other possibility is to use the OAuth2 Resource-Owner-Password-Credentials-Grant (Direct grant). In this case, you can create the form by yourself and then send the username+password in a separate HTTP POST request to Keycloak, and Keycloak will return you the tokens.
>
> Marek
>
> On 31/07/18 17:26, Robert Smol wrote:
> > Hi,
> >
> > is there any similar project like Auth0 Lock? Something that would allow me to embed Keycloak's login page into my classical web app? Currently, whenever I need to log in the user, I forward him to Keycloak, but there are demands to show the login window directly on our webpage.
> >
> > Robert
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

--
stereoIT s.r.o.
Heřmanova 23
107 00 Praha 7
mob: +420 776 76 23 78

From mposolda at redhat.com Wed Aug 1 04:41:50 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 1 Aug 2018 10:41:50 +0200
Subject: [keycloak-user] Auth0 Lock alternative
In-Reply-To:
References:
Message-ID: <7a6cf815-2bbd-cb97-a9df-ea972aa620a3@redhat.com>

It is possible through the admin REST API to know the available social providers.

But this sounds like you're re-implementing Keycloak. If you have your own login form on the application side, you need to figure out social providers, but also other things (e.g. forgot password, registration of users). Having the form provided by Keycloak itself is really the more recommended way for this.

Marek

On 01/08/18 10:38, Robert Smol wrote:
> Marek, thanks for the hints. When building the form, how do I get to know which social providers are available?
>
> I mean on Keycloak we have a username+password + social providers form. I definitely need to allow the users to log in with Facebook, Google+ and others.
>
> This is an example of our customised form directly on the Keycloak:
> http://account.eventival.me/auth/realms/test/protocol/openid-connect/auth?client_id=backoffice&redirect_uri=http%3A%2F%2Feventival.local%3A8000%2F%2Fbackoffice_dev.php%2Fsso-cb&scope=openid+email+profile+phone+address&response_type=code
>
> Robert
>
> On Tue, Jul 31, 2018 at 10:10 PM Marek Posolda wrote:
> > Hi,
> >
> > you can either look at our Themes functionality if you want to customize the look and feel of the login page (See the docs and examples for the details). In this case, the page will still be displayed by the Keycloak server, it will just have a different L&F.
> >
> > The other possibility is to use the OAuth2 Resource-Owner-Password-Credentials-Grant (Direct grant). In this case, you can create the form by yourself and then send the username+password in a separate HTTP POST request to Keycloak, and Keycloak will return you the tokens.
> >
> > Marek
> >
> > On 31/07/18 17:26, Robert Smol wrote:
> > > Hi,
> > >
> > > is there any similar project like Auth0 Lock? Something that would allow me to embed Keycloak's login page into my classical web app? Currently, whenever I need to log in the user, I forward him to Keycloak, but there are demands to show the login window directly on our webpage.
> > >
> > > Robert
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> stereoIT s.r.o.
> Heřmanova 23
> 107 00 Praha 7
> mob: +420 776 76 23 78

From robert.smol at stereoit.com Wed Aug 1 04:48:08 2018
From: robert.smol at stereoit.com (Robert Smol)
Date: Wed, 1 Aug 2018 10:48:08 +0200
Subject: [keycloak-user] Auth0 Lock alternative
In-Reply-To: <7a6cf815-2bbd-cb97-a9df-ea972aa620a3@redhat.com>
References: <7a6cf815-2bbd-cb97-a9df-ea972aa620a3@redhat.com>
Message-ID:

Yes, exactly, that is why I was looking for any work on an Auth0 Lock [1] alternative.
I believe there are many use cases when you need to show the form directly on the website instead of redirecting to the page. For example, here [2] we need to show some content next to the login form.

Would it be possible to somehow consider this as a feature request in the roadmap? I believe we can even sponsor some coder work on this.

[1] - https://auth0.com/lock
[2] - https://vp.eventival.eu/jidff/2018

On Wed, Aug 1, 2018 at 10:41 AM Marek Posolda wrote:
> It is possible through the admin REST API to know the available social providers.
>
> But this sounds like you're re-implementing Keycloak. If you have your own login form on the application side, you need to figure out social providers, but also other things (e.g. forgot password, registration of users). Having the form provided by Keycloak itself is really the more recommended way for this.
>
> Marek
>
> On 01/08/18 10:38, Robert Smol wrote:
>
> Marek, thanks for the hints. When building the form, how do I get to know which social providers are available?
>
> I mean on Keycloak we have a username+password + social providers form. I definitely need to allow the users to log in with Facebook, Google+ and others.
>
> This is an example of our customised form directly on the Keycloak:
> http://account.eventival.me/auth/realms/test/protocol/openid-connect/auth?client_id=backoffice&redirect_uri=http%3A%2F%2Feventival.local%3A8000%2F%2Fbackoffice_dev.php%2Fsso-cb&scope=openid+email+profile+phone+address&response_type=code
>
> Robert
>
> On Tue, Jul 31, 2018 at 10:10 PM Marek Posolda wrote:
>
>> Hi,
>>
>> you can either look at our Themes functionality if you want to customize the look and feel of the login page (See the docs and examples for the details). In this case, the page will still be displayed by the Keycloak server, it will just have a different L&F.
>>
>> The other possibility is to use the OAuth2 Resource-Owner-Password-Credentials-Grant (Direct grant).
>> In this case, you can create the form by yourself and then send the username+password in a separate HTTP POST request to Keycloak, and Keycloak will return you the tokens.
>>
>> Marek
>>
>> On 31/07/18 17:26, Robert Smol wrote:
>> > Hi,
>> >
>> > is there any similar project like Auth0 Lock? Something that would allow me to embed Keycloak's login page into my classical web app? Currently, whenever I need to log in the user, I forward him to Keycloak, but there are demands to show the login window directly on our webpage.
>> >
>> > Robert
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> stereoIT s.r.o.
> Heřmanova 23
> 107 00 Praha 7
> mob: +420 776 76 23 78

--
stereoIT s.r.o.
Heřmanova 23
107 00 Praha 7
mob: +420 776 76 23 78

From daicy_duarte00 at hotmail.com Wed Aug 1 05:03:00 2018
From: daicy_duarte00 at hotmail.com (Daicy Duarte)
Date: Wed, 1 Aug 2018 09:03:00 +0000
Subject: [keycloak-user] Extend user account console
Message-ID:

Hi!

What is the best way to extend the account console? We need to add a new page where the user can manage other credentials, for example U2F. Is it possible? What do you recommend?

Thanks in advance
Daicy

From ddtxra at gmail.com Wed Aug 1 05:32:11 2018
From: ddtxra at gmail.com (Daniel Teixeira)
Date: Wed, 1 Aug 2018 11:32:11 +0200
Subject: [keycloak-user] Keycloak Admin REST API not updating user.federatedIdentities attribute
In-Reply-To: <1533069524.4909.4.camel@acutus.pro>
References: <1533069524.4909.4.camel@acutus.pro>
Message-ID:

Wonderful, thank you! I should have read the docs better. Yes, you remember correctly Dmitry, I am familiar with creating a custom module now :)

Thanks for the trick with Firebug, Marek.
It will be useful in the future :)

Actually I tried that trick on the "account" interface, but the "account" interface does not use a REST API, correct? For example, I don't want the user to update their password / firstName / lastName (because those fields come from LDAP), and I wanted to double-check whether commenting out / disabling those fields in the custom ftl templates is enough, or do I need to disable / comment something on the backend as well? Under realm settings -> login there is only the option "edit username", but no option for "edit firstName / edit lastName / edit password"....

On Tue, Jul 31, 2018 at 10:38 PM, Dmitry Telegin
wrote:
> Hi Daniel,
>
> That's what you can do with federated identities currently:
>
> GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list federated identities configured for the user
> POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - create a new federated identity
> DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - remove federated identity
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363
>
> Updating federated entities with PUT is not supported yet. Feel free to file an RFE in JIRA for that.
>
> Meanwhile, you can implement this missing piece as a custom REST resource and deploy it to your Keycloak. If I remember correctly, you should already be familiar with the process :)
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote:
> > I would like to update (and ideally create) the federatedIdentities attribute of a user using the Admin REST API, but it seems like this does not work / or it is not supported?
> >
> > I am able to update normal user attributes but not the federatedIdentities.
> >
> > Is this a bug or is it supposed to be like this?
> >
> > Is there a different way to do this? (Of course I could do an insert into, in the database, but I would prefer to use the API...). I need to run this for more than 200 users...
> >
> > My code:
> > https://github.com/ddtxra/python-console-keycloak-example/blob/master/admin-rest-api-update-user.py
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Daniel Teixeira

From mangna.poutouli at gmail.com Wed Aug 1 08:25:48 2018
From: mangna.poutouli at gmail.com (Mangna POUTOULI)
Date: Wed, 1 Aug 2018 14:25:48 +0200
Subject: [keycloak-user] Keycloak customised credential model
Message-ID:

We desire to create a customised credential SPI for device fingerprinting. We developed an authenticator SPI but we got an issue about credential size. By default the standard credential model limits the secret attribute to 4 KB. Our fingerprint requires around 30 KB. What is the best way to solve this issue? Based on our research, I think there are 3 different approaches:

1. Split the fingerprint in 4K blocks. Simple to develop but it will increase credential table entries by 8! Also, the 4K default size might change in a future release.
2. Extend the UserStorage and CredentialModel classes. I'm not sure of this solution as the users are local to Keycloak.
3. Extend UserCredentialStore and create a new credential table.

From my perspective, this should be the best solution but not sure it will be possible. I'll be happy to get community advice.

Thanks,

From psilva at redhat.com Wed Aug 1 08:51:31 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 1 Aug 2018 09:51:31 -0300
Subject: [keycloak-user] Keycloak customised credential model
In-Reply-To:
References:
Message-ID:

Maybe this can help? https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa

On Wed, Aug 1, 2018 at 9:25 AM, Mangna POUTOULI wrote:
> We desire to create a customised credential SPI for device fingerprinting. We developed an authenticator SPI but we got an issue about credential size.
> By default the standard credential model limits the secret attribute to 4 KB. Our fingerprint requires around 30 KB. What is the best way to solve this issue? Based on our research, I think there are 3 different approaches:
>
> 1. Split the fingerprint in 4K blocks. Simple to develop but it will increase credential table entries by 8! Also, the 4K default size might change in a future release.
> 2. Extend the UserStorage and CredentialModel classes. I'm not sure of this solution as the users are local to Keycloak.
> 3. Extend UserCredentialStore and create a new credential table.
>
> From my perspective, this should be the best solution but not sure it will be possible. I'll be happy to get community advice.
>
> Thanks,
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Wed Aug 1 09:07:31 2018
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 1 Aug 2018 15:07:31 +0200
Subject: [keycloak-user] Deployment of custom IdentityProviders with HTML pages for admin console
Message-ID:

Hello,

a while ago I developed a custom IdentityProvider which comes with the required HTML pages for the custom configuration options.

Currently, I need to copy the .jar together with the HTML files, which is a bit annoying. Is it possible to get the admin resources for the IdentityProvider resolved from the .jar?

My current deployment script contains the following:

    ...
    echo install new acme-identityprovider
    cp target/*.jar $KEYCLOAK_HOME/standalone/deployments
    echo install new theme page
    cp -r src/main/resources/themes/* $KEYCLOAK_HOME/themes
    ...
This copies the associated HTML files to:

    themes/base/admin/resources/partials/realm-identity-provider-acme.html
    themes/base/admin/resources/partials/realm-identity-provider-acme-ext.html

Cheers,
Thomas

From corentin.dupont at gmail.com Wed Aug 1 09:25:05 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 1 Aug 2018 15:25:05 +0200
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

I tried to make some more performance tests.
With the same settings as before (70 resources, one scope), I obtain:

- User policy (3 users): 15 ms
- Javascript policy 1: 41 ms
- Javascript policy 2: 45 ms

It seems that Javascript policies are very slow.
Actually I think the user policy does not take more than 3 ms to run over all the resources (if we remove the time due to HTTP overhead), while the Javascript policies take around 30 ms to run over the resources.
Is it a problem due to loading/switching to the Javascript engine for each resource?

On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont wrote:
>
> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva wrote:
>
>> We now have a performance testsuite (thanks to Tomaz) that can also generate datasets to cover different scenarios. I'm in the middle of checking Tomaz's work and preparing some datasets to include in our testsuite.
>
> Great!
>
>> I'm going to give a try to your use case and see if I can get the same numbers. Not sure if this is your case, but I found some performance issues when defining multiple resources with a type where the owner is the resource server itself. This causes an overhead during evaluation where the engine tries to consider permissions granted to any of these typed resources. Someone reported this some time ago, and IMO, this is an invalid usage of resource types ... Not sure if this is your case though.
>
> I don't really use the type of resource, actually...
> How do you make a permission request based on types?
>
>> More answers inline.
>>
>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva wrote:
>>>
>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>> I experience some performance issues on my API server using Keycloak.
>>>>> After someone issues a GET on my API server, here is what happens:
>>>>>
>>>>> - API server -> DB server: get requested resources
>>>>> - API server -> Keycloak: get client token (to get resources)
>>>>> - API server -> Keycloak: get resources (to complement DB server with resource owner & visibility)
>>>>> - API server -> Keycloak: get user token (to get permission)
>>>>> - API server -> Keycloak: get permission (to filter resources)
>>>>> At this point the filtered resources are returned.
>>>>>
>>>>> But this process is quite slow. I noticed a call to KC can take up to 100ms.
>>>>> The complete call on the API server can take up to 600ms on my laptop, in a localhost setting.
>>>>> The delays become noticeable on my UI...
>>>>
>>>> Are you able to confirm the step(s) spending more time to process? If when obtaining client tokens, resources or during evaluation?
>>>
>>> I made a quick benchmark, here is the result:
>>>
>>> - API server -> Keycloak: get client token: 400ms
>>> - API server -> Keycloak: get resources: 1356ms
>>> - API server -> Keycloak: get user token: 162ms
>>> - API server -> Keycloak: get permission: 2400ms
>>> Total: 4366ms
>>>
>>> However, these timings are obtained only on the first try after I reboot the server.
>>> The next calls are faster. Maybe it's due to caching?
>>>
>>> - API server -> Keycloak: get client token: 17ms
>>> - API server -> Keycloak: get resources: 19ms
>>> - API server -> Keycloak: get user token: 92ms
>>> - API server -> Keycloak: get permission: 314ms
>>> Total: 476ms
>>
>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will see what we can improve.
>>
>> Thanks for the numbers. Wondering if you have percentiles for these requests? Or does this happen when you send a single request?
>
> This is a single request... I scraped the timestamps from my traces.
>
>>> So yes, it's the evaluation taking time (and the user token to a lesser extent).
>>> On this call, I need to get permissions for all resources on one scope: permissions=#sensors:view
>>> Because I need to filter out the resources the user cannot see.
>>> There are around 70 resources and 3 policies (one user policy and 2 javascript).
>>> Keycloak is in a docker container.
>>
>> I'm working with more aggressive numbers, and results are better than yours. However, all depends on how you are setting up your settings. Need to check your setup and see if I can create a dataset based on it.
>>
>> Could you send me an example of those javascript policies? Are they doing much? Do you have more than one user per user policy?
>
> I attach my 2 javascript policies. They are very simple, should be O(1).
> The user policy has 3 users.
>
>>>> Also, could you elaborate more what this step is doing: "- API server -> Keycloak: get resources (to complement DB server with resource owner & visibility)"?
>>>
>>> I read the resources from Keycloak (authz/protection/resource_set/) because I need to return the owner of the resource in my server response.
>>>>> With a resource SPI strategy (if developed), it should be:
>>>>>
>>>>> - API server -> DB server: get requested resources
>>>>> - API server -> Keycloak: get user token (to get permission)
>>>>> - API server -> Keycloak: get permission (to filter resources)
>>>>> - Keycloak -> DB server: get resources
>>>>>
>>>>> There are a few fewer requests. An additional gain is that resources are not split between 2 databases.
>>>>>
>>>>> I wonder if resources could be pushed during the permission request? Like a "pushed claim".
>>>>> This would be even more straightforward:
>>>>>
>>>>> - API server -> DB server: get requested resources
>>>>> - API server -> Keycloak: get user token (to get permission)
>>>>> - API server -> Keycloak: get permission and push resources
>>>>>
>>>>> Can this work?
>>>>
>>>> I think this is an area we might want to improve in order to allow evaluating permissions solely based on claims pushed to the server. That means you won't need to manage resources in the server but rely on policies to process the "pushed claims".
>>>
>>> Yes, that would be great. Let me open a Jira to track this.
>>>
>>>> +1
>>>>
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Wed Aug 1 09:46:50 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 1 Aug 2018 15:46:50 +0200
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

It also seems that the Nashorn script engine will be deprecated: http://openjdk.java.net/jeps/335

On Wed, Aug 1, 2018 at 3:25 PM, Corentin Dupont wrote:
> I tried to make some more performance tests.
> With the same settings as before (70 resources, one scope), I obtain:
>
> - User policy (3 users): 15 ms
> - Javascript policy 1: 41 ms
> - Javascript policy 2: 45 ms
>
> It seems that Javascript policies are very slow.
> Actually I think the user policy does not take more than 3 ms to run over all the resources (if we remove the time due to HTTP overhead), while the Javascript policies take around 30 ms to run over the resources.
> Is it a problem due to loading/switching to the Javascript engine for each resource?
>
> On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva wrote:
>>
>>> We now have a performance testsuite (thanks to Tomaz) that can also generate datasets to cover different scenarios. I'm in the middle of checking Tomaz's work and preparing some datasets to include in our testsuite.
>>
>> Great!
>>
>>> I'm going to give a try to your use case and see if I can get the same numbers. Not sure if this is your case, but I found some performance issues when defining multiple resources with a type where the owner is the resource server itself. This causes an overhead during evaluation where the engine tries to consider permissions granted to any of these typed resources. Someone reported this some time ago, and IMO, this is an invalid usage of resource types ... Not sure if this is your case though.
>>
>> I don't really use the type of resource, actually... How do you make a permission request based on types?
>>
>>> More answers inline.
>>> >>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> >>>> >>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva >>>> wrote: >>>> >>>>> >>>>> >>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> Hi guys, >>>>>> I experience some performance issue on my API server using Keycloak. >>>>>> After someone issue a GET on my API server, here is what happens: >>>>>> >>>>>> - API server -> DB server: get requested resources >>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>> - API server -> Keycloak: get resources (to complement DB server with >>>>>> resource owner & visibility) >>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>> At this point the filtered resources are returned. >>>>>> >>>>>> But this process is quite slow. I noticed a call to KC can take up to >>>>>> 100ms. >>>>>> The complete call on the API server can take up to 600ms on my >>>>>> laptop, in >>>>>> localhost setting. >>>>>> The delays become noticeable on my UI... >>>>>> >>>>> >>>>> Are you able to confirm the step(s) spending more time to process ? If >>>>> when obtaining client tokens, resources or during evaluation ? >>>>> >>>> >>>> I made a quick benchmark, here is the result: >>>> >>>> - API server -> Keycloak: get client token: 400ms >>>> - API server -> Keycloak: get resources: 1356ms >>>> - API server -> Keycloak: get user token: 162ms >>>> - API server -> Keycloak: get permission: 2400ms >>>> Total: 4366ms >>>> >>>> However, this timings are obtained only on the first try after I reboot >>>> the server. >>>> The next calls are faster. Maybe it's due to caching? 
>>>> >>> >>>> - API server -> Keycloak: get client token: 17ms >>>> - API server -> Keycloak: get resources: 19ms >>>> - API server -> Keycloak: get user token: 92ms >>>> - API server -> Keycloak: get permission: 314ms >>>> Total: 476ms >>>> >>> >>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will see >>> what we can improve. >>> >>> Thanks for the numbers. Wondering if you have percentiles for these >>> requests ? Or this happens when you send a single request ? >>> >> >> This is a single request... I scrapped the timestamps in my traces. >> >> >> >>> >>> >>>> >>>> So yes, it's the evaluation taking time (and user token on a lesser >>>> extent). >>>> On this call, I need to get permissions for all resources on one scope: >>>> permissions=#sensors:view >>>> Because I need to filter out the resources the user cannot see. >>>> There are around 70 resources and 3 policies (one user policy and 2 >>>> javascript). >>>> Keycloak is in a docker container. >>>> >>> >>> I'm working with more aggresive numbers, and results are better than >>> yours. However, all depends on how you are setting up your settings. Need >>> to check your setup and see if I can create a dataset based on it. >>> >>> Could you send me an example of those javascript policies ? Are they >>> doing much ? Do you have more than one user per user policy ? >>> >> >> I attach my 2 javascript policies. They are very simple, should be O(1). >> The user policy has 3 users. >> >> >> >> >> >> >> >>> >>> >>>> >>>> >>>> >>>>> >>>>> Also, could you elaborate more what this step is doing: "- API server >>>>> -> Keycloak: get resources (to complement DB server with >>>>> resource owner & visibility)" ? >>>>> >>>> >>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>> because I need to return the owner of the resource in my server response. 
>>>> >>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> With a resource SPI strategy (if developed), it should be: >>>>>> >>>>>> - API server -> DB server: get requested resources >>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>> - Keycloak -> DB server: get resources >>>>>> >>>>>> There is a little less requests. Additional gain is that resources >>>>>> are not >>>>>> split between 2 databases. >>>>>> >>>>>> I wonder if resources could be pushed during the permission request? >>>>>> Like a >>>>>> "pushed claim". >>>>>> This would be even more straightforward: >>>>>> >>>>>> - API server -> DB server: get requested resources >>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>> - API server -> Keycloak: get permission and push resources >>>>> >>>>> >>>>>> Can this work? >>>>>> >>>>> >>>>> I think this is an area we might want to improve in order to allow >>>>> evaluating permissions solely based on claims pushed to the server. That >>>>> means you won't need to manage resources in the server but rely on policies >>>>> to process the "pushed claims". >>>>> >>>> >>>> Yes that would be great. Let me open a Jira to track this. >>>> >>>> >>>>> >>>>> +1 >>>>> >>>>> >>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >> > From mposolda at redhat.com Wed Aug 1 09:47:25 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 1 Aug 2018 15:47:25 +0200 Subject: [keycloak-user] Keycloak 4.2.0.Final released! 
Message-ID: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com>

See details on the blog: http://blog.keycloak.org/2018/08/keycloak-420final-released.html

From martin.devlin at pearson.com Wed Aug 1 09:50:32 2018
From: martin.devlin at pearson.com (Devlin, Martin)
Date: Wed, 1 Aug 2018 14:50:32 +0100
Subject: [keycloak-user] SAML IDP seamless SSO
Message-ID:

Hi,

I am setting up a SAML IDP. The user will already exist in Keycloak, I want that user linked to the IDP. What I want is for the user to be linked invisibly, without having to do anything.

I have disabled the following in the First Broker Login flow:

```
first broker login/idp-review-profile set to DISABLED
first broker login/idp-confirm-link set to DISABLED
first broker login/idp-email-verification set to DISABLED
```

This gets rid of the dialogs to confirm profile and email verification. But there's another setting that I can't disable: "Username Password Form For Identity Provider Reauthentication"

So as it is the user has to authenticate against the IDP (which is what I want) but then also against Keycloak (which I don't want).

Thanks,
Martin

From psilva at redhat.com Wed Aug 1 09:50:51 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 1 Aug 2018 10:50:51 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

Hi,

I also noticed JS slow. I'm working with some changes [1] which seem to improve JS and evaluation as a whole. If you want I can give you a docker image based on 4.2.0-SNAPSHOT + changes, wdyt? Would be nice to see how you perform with this version ...

Also noticed better response time when running Keycloak on top of graalvm (maybe because of graaljs) and jdk9+.

I'm using a client with 1000 resources, 1000 permissions (one for each resource) each with 10 role policies associated by default, 500 role policies and 3 permissions using a mix of 4 JS (including your publicResource and owner policies), roles and groups.
Where these 3 permissions are evaluated based on scopes and they are considered to calculate access to every single resource.

My tests are not making "all entitlements" requests, but several concurrent requests (trying to keep a constant of 300/400 req/s) asking for individual resources.

When I try to obtain all entitlements I usually get response times from 800ms to 1200ms. Considering the number of resources I have, you should get a much better response.

I've also introduced a "response_mode" parameter to the authorization request. You can now set this parameter as "decision" or "permissions". The "decision" mode returns only a json with a single claim indicating whether or not the request was granted, where "permissions" just returns the permissions (no tokens).

On Wed, Aug 1, 2018 at 10:25 AM, Corentin Dupont wrote:
> I tried to make some more performance testing.
> With the same settings as before (70 resources, one scope), I obtain:
>
> - User policy (3 users): 15 ms
> - Javascript policy 1: 41ms
> - Javascript policy 2: 45ms
>
> It seems that Javascript policies are very slow.
> Actually I think the user policy does not take more than 3 ms to run over
> all the resources (if we remove the time due to HTTP overhead).
> While the Javascript policies take around 30ms to run over the resources.
> Is it a problem due to loading/switching to the Javascript engine for each
> resource?

From psilva at redhat.com Wed Aug 1 09:55:58 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 1 Aug 2018 10:55:58 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

Yeah, that is why I'm also evaluating graaljs. But I think we will only get better results if using native images (ahead of time compiling vs jit), not sure ... But like I said, I've noticed some improvements in JS runtime when running KC on top of graalvm.

I was also wondering if Groovy could be a nice language to support as an alternative/replacement to JS policies ...

On Wed, Aug 1, 2018 at 10:46 AM, Corentin Dupont wrote:
> It also seems that Nashorn script engine will be deprecated:
> http://openjdk.java.net/jeps/335

From psilva at redhat.com Wed Aug 1 09:56:43 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 1 Aug 2018 10:56:43 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

Btw, here is the PR https://github.com/keycloak/keycloak/pull/5416

On Wed, Aug 1, 2018 at 10:55 AM, Pedro Igor Silva wrote:
> Yeah, that is why I'm also evaluating graaljs. But I think we will only
> get better results if using native images (ahead of time compiling vs jit),
> not sure ... But like I said, I've noticed some improvements in JS runtime
> when running KC on top of graalvm.
>
> I was also wondering if Groovy could be a nice language to support as an
> alternative/replacement to JS policies ...

From matthias.kesternich at moneymeets.com Wed Aug 1 10:11:05 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Wed, 1 Aug 2018 14:11:05 +0000
Subject: [keycloak-user] Keycloak 4.2.0.Final released!
In-Reply-To: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com>
References: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com>
Message-ID: <46E75C78-26C4-4009-903B-4DB75D5244C3@moneymeets.com>

Thanks for your work! I've already found the docker image, but maven central still lists 4.1.0.Final as latest version: http://repo1.maven.org/maven2/org/keycloak/keycloak-core/ . Will it take some time for the artifacts to appear due to sync delays or something?

On 01.08.18, 15:56, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Posolda" wrote:

    See details on the blog: http://blog.keycloak.org/2018/08/keycloak-420final-released.html

From corentin.dupont at gmail.com Wed Aug 1 10:57:09 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 1 Aug 2018 16:57:09 +0200
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

On Wed, Aug 1, 2018 at 3:50 PM, Pedro Igor Silva wrote:
> Hi,
>
> I also noticed JS slow. I'm working with some changes [1] which seem to
> improve JS and evaluation as a whole. If you want I can give you a docker
> image based on 4.2.0-SNAPSHOT + changes, wdyt? Would be nice to see how
> you perform with this version ...
> OK we can try, but I'm not sure the database migration will work (I'm using 4.1.0)... Last time I tried to run 4.2.0-SNAPSHOT the migration failed. > > Also noticed better response time when running Keycloak on top of graalvm > (maybe because of graaljs) and jdk9+. > > I'm using a client with 1000 resources, 1000 permissions (one for each > resource) each with 10 role policies associated by default, 500 role > policies and 3 permissions using a mix of 4 JS (including your > publicResource and owner policies), roles and groups. Where these 3 > permissions are evaluated based on scopes and they are considered to > calculate access to every single resource. > > My tests are not making "all entitlements" requests, but several > concurrent requests (trying to keep a constant of 300/400 req/s) asking for > individual resources. > > When I try to obtain all entitlements I usually get response times from > 800ms to 1200ms. Considering the number of resources I have, you should get > a much better response. > > I've also introduced a "response_mode" parameter to the authorization > request. You can now set this parameter as "decision" or "permissions". The > "decision" mode returns only a json with a single claim indicating whether > or not request was granted, where "permissions" just returns the > permissions (no tokens). > OK, great! It would be simpler rather than decoding a token. > > > On Wed, Aug 1, 2018 at 10:25 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> I tried to make some more performance testing. >> With the same settings than before (70 resources, one scope), I obtain: >> >> - User policy (3 users): 15 ms >> - Javascript policy 1: 41ms >> - Javascript policy 2: 45ms >> >> It seems that Javascript policies are very slow. >> Actually I think the user policy does not take more than 3 ms to run over >> all the resources (if we remove the time due to HTTP overhead). >> While the Javascript policies take around 30ms to run over the resources. 
>> Is it a problem due to loading/switching to the Javascript engine for >> each resource? >> >> >> >> On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> >>> >>> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva >>> wrote: >>> >>>> We have now a performance testsuite (thanks to Tomaz) that can generate >>>> also generate datasets to cover different scenarios. I'm the middle of >>>> checking Tomaz work and preparing some datasets to include in our testsuite. >>>> >>> >>> Great! >>> >>> >>>> >>>> I'm going to give a try to your use case and see if I can get the same >>>> numbers. Not sure if this is your case, but I found some performance issues >>>> when defining multiple resources with a type where the owner is the >>>> resource server itself. This causes an overhead during evaluation where the >>>> engine tries to consider permissions granted to any of these typed >>>> resources. Someone reported this some time ago, and IMO, this is an invalid >>>> usage of resource types ... Not sure if this is your case though. >>>> >>> >>> I don't really use the type of resource, actually... How do you make a >>> permission request based on types? >>> >>> >>> >>>> >>>> More answers inline. >>>> >>>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> >>>>> >>>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> Hi guys, >>>>>>> I experience some performance issue on my API server using Keycloak. 
>>>>>>> After someone issue a GET on my API server, here is what happens: >>>>>>> >>>>>>> - API server -> DB server: get requested resources >>>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>>> - API server -> Keycloak: get resources (to complement DB server with >>>>>>> resource owner & visibility) >>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>> At this point the filtered resources are returned. >>>>>>> >>>>>>> But this process is quite slow. I noticed a call to KC can take up >>>>>>> to 100ms. >>>>>>> The complete call on the API server can take up to 600ms on my >>>>>>> laptop, in >>>>>>> localhost setting. >>>>>>> The delays become noticeable on my UI... >>>>>>> >>>>>> >>>>>> Are you able to confirm the step(s) spending more time to process ? >>>>>> If when obtaining client tokens, resources or during evaluation ? >>>>>> >>>>> >>>>> I made a quick benchmark, here is the result: >>>>> >>>>> - API server -> Keycloak: get client token: 400ms >>>>> - API server -> Keycloak: get resources: 1356ms >>>>> - API server -> Keycloak: get user token: 162ms >>>>> - API server -> Keycloak: get permission: 2400ms >>>>> Total: 4366ms >>>>> >>>>> However, this timings are obtained only on the first try after I >>>>> reboot the server. >>>>> The next calls are faster. Maybe it's due to caching? >>>>> >>>> >>>>> - API server -> Keycloak: get client token: 17ms >>>>> - API server -> Keycloak: get resources: 19ms >>>>> - API server -> Keycloak: get user token: 92ms >>>>> - API server -> Keycloak: get permission: 314ms >>>>> Total: 476ms >>>>> >>>> >>>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will see >>>> what we can improve. >>>> >>>> Thanks for the numbers. Wondering if you have percentiles for these >>>> requests ? Or this happens when you send a single request ? >>>> >>> >>> This is a single request... 
I scrapped the timestamps in my traces. >>> >>> >>> >>>> >>>> >>>>> >>>>> So yes, it's the evaluation taking time (and user token on a lesser >>>>> extent). >>>>> On this call, I need to get permissions for all resources on one >>>>> scope: permissions=#sensors:view >>>>> Because I need to filter out the resources the user cannot see. >>>>> There are around 70 resources and 3 policies (one user policy and 2 >>>>> javascript). >>>>> Keycloak is in a docker container. >>>>> >>>> >>>> I'm working with more aggresive numbers, and results are better than >>>> yours. However, all depends on how you are setting up your settings. Need >>>> to check your setup and see if I can create a dataset based on it. >>>> >>>> Could you send me an example of those javascript policies ? Are they >>>> doing much ? Do you have more than one user per user policy ? >>>> >>> >>> I attach my 2 javascript policies. They are very simple, should be O(1). >>> The user policy has 3 users. >>> >>> >>> >>> >>> >>> >>> >>>> >>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> Also, could you elaborate more what this step is doing: "- API >>>>>> server -> Keycloak: get resources (to complement DB server with >>>>>> resource owner & visibility)" ? >>>>>> >>>>> >>>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>>> because I need to return the owner of the resource in my server response. >>>>> >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> With a resource SPI strategy (if developed), it should be: >>>>>>> >>>>>>> - API server -> DB server: get requested resources >>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>> - Keycloak -> DB server: get resources >>>>>>> >>>>>>> There is a little less requests. Additional gain is that resources >>>>>>> are not >>>>>>> split between 2 databases. >>>>>>> >>>>>>> I wonder if resources could be pushed during the permission request? 
>>>>>>> Like a >>>>>>> "pushed claim". >>>>>>> This would be even more straightforward: >>>>>>> >>>>>>> - API server -> DB server: get requested resources >>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>> - API server -> Keycloak: get permission and push resources >>>>>> >>>>>> >>>>>>> Can this work? >>>>>>> >>>>>> >>>>>> I think this is an area we might want to improve in order to allow >>>>>> evaluating permissions solely based on claims pushed to the server. That >>>>>> means you won't need to manage resources in the server but rely on policies >>>>>> to process the "pushed claims". >>>>>> >>>>> >>>>> Yes that would be great. Let me open a Jira to track this. >>>>> >>>>> >>>>>> >>>>>> +1 >>>>>> >>>>>> >>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> > From corentin.dupont at gmail.com Wed Aug 1 10:58:58 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 1 Aug 2018 16:58:58 +0200 Subject: [keycloak-user] Permissions: Slow/complex interactions In-Reply-To: References: Message-ID: I'm trying to evaluate also Drools rules, but I have one question: how to you work with Drools in the keycloak docker container? Do you need to copy M2_HOME in the container or something like that? On Wed, Aug 1, 2018 at 3:55 PM, Pedro Igor Silva wrote: > Yeah, that is why I'm also evaluating graaljs. But I think we will only > get better results if using native images (ahead of time compiling vs jit), > not sure ... But like I said, I've noticed some improvements in JS runtime > when running KC on top of graalvm. > > I was also wondering if Groovy could be a nice language to support as an > alternative/replacement to JS policies ... 
> > On Wed, Aug 1, 2018 at 10:46 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> It also seems that Nashorn script engine will be deprecated: >> http://openjdk.java.net/jeps/335 >> >> >> >> On Wed, Aug 1, 2018 at 3:25 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> I tried to make some more performance testing. >>> With the same settings than before (70 resources, one scope), I obtain: >>> >>> - User policy (3 users): 15 ms >>> - Javascript policy 1: 41ms >>> - Javascript policy 2: 45ms >>> >>> It seems that Javascript policies are very slow. >>> Actually I think the user policy does not take more than 3 ms to run >>> over all the resources (if we remove the time due to HTTP overhead). >>> While the Javascript policies take around 30ms to run over the resources. >>> Is it a problem due to loading/switching to the Javascript engine for >>> each resource? >>> >>> >>> >>> On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> >>>> >>>> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> We have now a performance testsuite (thanks to Tomaz) that can >>>>> generate also generate datasets to cover different scenarios. I'm the >>>>> middle of checking Tomaz work and preparing some datasets to include in our >>>>> testsuite. >>>>> >>>> >>>> Great! >>>> >>>> >>>>> >>>>> I'm going to give a try to your use case and see if I can get the same >>>>> numbers. Not sure if this is your case, but I found some performance issues >>>>> when defining multiple resources with a type where the owner is the >>>>> resource server itself. This causes an overhead during evaluation where the >>>>> engine tries to consider permissions granted to any of these typed >>>>> resources. Someone reported this some time ago, and IMO, this is an invalid >>>>> usage of resource types ... Not sure if this is your case though. >>>>> >>>> >>>> I don't really use the type of resource, actually... 
How do you make a >>>> permission request based on types? >>>> >>>> >>>> >>>>> >>>>> More answers inline. >>>>> >>>>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva >>>>> > wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>> >>>>>>>> Hi guys, >>>>>>>> I experience some performance issue on my API server using Keycloak. >>>>>>>> After someone issue a GET on my API server, here is what happens: >>>>>>>> >>>>>>>> - API server -> DB server: get requested resources >>>>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>>>> - API server -> Keycloak: get resources (to complement DB server >>>>>>>> with >>>>>>>> resource owner & visibility) >>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>> At this point the filtered resources are returned. >>>>>>>> >>>>>>>> But this process is quite slow. I noticed a call to KC can take up >>>>>>>> to 100ms. >>>>>>>> The complete call on the API server can take up to 600ms on my >>>>>>>> laptop, in >>>>>>>> localhost setting. >>>>>>>> The delays become noticeable on my UI... >>>>>>>> >>>>>>> >>>>>>> Are you able to confirm the step(s) spending more time to process ? >>>>>>> If when obtaining client tokens, resources or during evaluation ? >>>>>>> >>>>>> >>>>>> I made a quick benchmark, here is the result: >>>>>> >>>>>> - API server -> Keycloak: get client token: 400ms >>>>>> - API server -> Keycloak: get resources: 1356ms >>>>>> - API server -> Keycloak: get user token: 162ms >>>>>> - API server -> Keycloak: get permission: 2400ms >>>>>> Total: 4366ms >>>>>> >>>>>> However, this timings are obtained only on the first try after I >>>>>> reboot the server. >>>>>> The next calls are faster. 
Maybe it's due to caching? >>>>>> >>>>> >>>>>> - API server -> Keycloak: get client token: 17ms >>>>>> - API server -> Keycloak: get resources: 19ms >>>>>> - API server -> Keycloak: get user token: 92ms >>>>>> - API server -> Keycloak: get permission: 314ms >>>>>> Total: 476ms >>>>>> >>>>> >>>>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will >>>>> see what we can improve. >>>>> >>>>> Thanks for the numbers. Wondering if you have percentiles for these >>>>> requests ? Or this happens when you send a single request ? >>>>> >>>> >>>> This is a single request... I scrapped the timestamps in my traces. >>>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> So yes, it's the evaluation taking time (and user token on a lesser >>>>>> extent). >>>>>> On this call, I need to get permissions for all resources on one >>>>>> scope: permissions=#sensors:view >>>>>> Because I need to filter out the resources the user cannot see. >>>>>> There are around 70 resources and 3 policies (one user policy and 2 >>>>>> javascript). >>>>>> Keycloak is in a docker container. >>>>>> >>>>> >>>>> I'm working with more aggresive numbers, and results are better than >>>>> yours. However, all depends on how you are setting up your settings. Need >>>>> to check your setup and see if I can create a dataset based on it. >>>>> >>>>> Could you send me an example of those javascript policies ? Are they >>>>> doing much ? Do you have more than one user per user policy ? >>>>> >>>> >>>> I attach my 2 javascript policies. They are very simple, should be O(1). >>>> The user policy has 3 users. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> Also, could you elaborate more what this step is doing: "- API >>>>>>> server -> Keycloak: get resources (to complement DB server with >>>>>>> resource owner & visibility)" ? 
>>>>>>> >>>>>> >>>>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>>>> because I need to return the owner of the resource in my server response. >>>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> With a resource SPI strategy (if developed), it should be: >>>>>>>> >>>>>>>> - API server -> DB server: get requested resources >>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>> - Keycloak -> DB server: get resources >>>>>>>> >>>>>>>> There is a little less requests. Additional gain is that resources >>>>>>>> are not >>>>>>>> split between 2 databases. >>>>>>>> >>>>>>>> I wonder if resources could be pushed during the permission >>>>>>>> request? Like a >>>>>>>> "pushed claim". >>>>>>>> This would be even more straightforward: >>>>>>>> >>>>>>>> - API server -> DB server: get requested resources >>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>> - API server -> Keycloak: get permission and push resources >>>>>>> >>>>>>> >>>>>>>> Can this work? >>>>>>>> >>>>>>> >>>>>>> I think this is an area we might want to improve in order to allow >>>>>>> evaluating permissions solely based on claims pushed to the server. That >>>>>>> means you won't need to manage resources in the server but rely on policies >>>>>>> to process the "pushed claims". >>>>>>> >>>>>> >>>>>> Yes that would be great. Let me open a Jira to track this. 
>>>>>> >>>>>> >>>>>>> >>>>>>> +1 >>>>>>> >>>>>>> >>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From corentin.dupont at gmail.com Wed Aug 1 11:16:29 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 1 Aug 2018 17:16:29 +0200 Subject: [keycloak-user] Permissions: Slow/complex interactions In-Reply-To: References: Message-ID: Regarding JVM settings, I assume they are correct? Is there a way to improve? I use docker-compose to run Keycloak docker. It should not limit the CPU? On Wed, Jul 25, 2018 at 12:07 PM, Corentin Dupont wrote: > This is what I have: > JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M > -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true > -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true > > On Tue, Jul 24, 2018 at 11:21 PM, Pedro Igor Silva > wrote: > >> Btw, how much you set your heap? >> >> Do you have limitations on cpu ? >> >> Could you share your JVM settings ? >> >> On Tue, Jul 24, 2018 at 8:11 PM, Pedro Igor Silva >> wrote: >> >>> We have now a performance testsuite (thanks to Tomaz) that can generate >>> also generate datasets to cover different scenarios. I'm the middle of >>> checking Tomaz work and preparing some datasets to include in our testsuite. >>> >>> I'm going to give a try to your use case and see if I can get the same >>> numbers. Not sure if this is your case, but I found some performance issues >>> when defining multiple resources with a type where the owner is the >>> resource server itself. This causes an overhead during evaluation where the >>> engine tries to consider permissions granted to any of these typed >>> resources. Someone reported this some time ago, and IMO, this is an invalid >>> usage of resource types ... Not sure if this is your case though. 
>>> >>> More answers inline. >>> >>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> >>>> >>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva >>>> wrote: >>>> >>>>> >>>>> >>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> Hi guys, >>>>>> I experience some performance issue on my API server using Keycloak. >>>>>> After someone issue a GET on my API server, here is what happens: >>>>>> >>>>>> - API server -> DB server: get requested resources >>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>> - API server -> Keycloak: get resources (to complement DB server with >>>>>> resource owner & visibility) >>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>> At this point the filtered resources are returned. >>>>>> >>>>>> But this process is quite slow. I noticed a call to KC can take up to >>>>>> 100ms. >>>>>> The complete call on the API server can take up to 600ms on my >>>>>> laptop, in >>>>>> localhost setting. >>>>>> The delays become noticeable on my UI... >>>>>> >>>>> >>>>> Are you able to confirm the step(s) spending more time to process ? If >>>>> when obtaining client tokens, resources or during evaluation ? >>>>> >>>> >>>> I made a quick benchmark, here is the result: >>>> >>>> - API server -> Keycloak: get client token: 400ms >>>> - API server -> Keycloak: get resources: 1356ms >>>> - API server -> Keycloak: get user token: 162ms >>>> - API server -> Keycloak: get permission: 2400ms >>>> Total: 4366ms >>>> >>>> However, this timings are obtained only on the first try after I reboot >>>> the server. >>>> The next calls are faster. Maybe it's due to caching? 
>>>> >>> >>>> - API server -> Keycloak: get client token: 17ms >>>> - API server -> Keycloak: get resources: 19ms >>>> - API server -> Keycloak: get user token: 92ms >>>> - API server -> Keycloak: get permission: 314ms >>>> Total: 476ms >>>> >>> >>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will see >>> what we can improve. >>> >>> Thanks for the numbers. Wondering if you have percentiles for these >>> requests ? Or this happens when you send a single request ? >>> >>> >>>> >>>> So yes, it's the evaluation taking time (and user token on a lesser >>>> extent). >>>> On this call, I need to get permissions for all resources on one scope: >>>> permissions=#sensors:view >>>> Because I need to filter out the resources the user cannot see. >>>> There are around 70 resources and 3 policies (one user policy and 2 >>>> javascript). >>>> Keycloak is in a docker container. >>>> >>> >>> I'm working with more aggresive numbers, and results are better than >>> yours. However, all depends on how you are setting up your settings. Need >>> to check your setup and see if I can create a dataset based on it. >>> >>> Could you send me an example of those javascript policies ? Are they >>> doing much ? Do you have more than one user per user policy ? >>> >>> >>>> >>>> >>>> >>>>> >>>>> Also, could you elaborate more what this step is doing: "- API server >>>>> -> Keycloak: get resources (to complement DB server with >>>>> resource owner & visibility)" ? >>>>> >>>> >>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>> because I need to return the owner of the resource in my server response. 
>>>> >>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> With a resource SPI strategy (if developed), it should be: >>>>>> >>>>>> - API server -> DB server: get requested resources >>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>> - Keycloak -> DB server: get resources >>>>>> >>>>>> There is a little less requests. Additional gain is that resources >>>>>> are not >>>>>> split between 2 databases. >>>>>> >>>>>> I wonder if resources could be pushed during the permission request? >>>>>> Like a >>>>>> "pushed claim". >>>>>> This would be even more straightforward: >>>>>> >>>>>> - API server -> DB server: get requested resources >>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>> - API server -> Keycloak: get permission and push resources >>>>> >>>>> >>>>>> Can this work? >>>>>> >>>>> >>>>> I think this is an area we might want to improve in order to allow >>>>> evaluating permissions solely based on claims pushed to the server. That >>>>> means you won't need to manage resources in the server but rely on policies >>>>> to process the "pushed claims". >>>>> >>>> >>>> Yes that would be great. Let me open a Jira to track this. >>>> >>>> >>>>> >>>>> +1 >>>>> >>>>> >>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >> > From corentin.dupont at gmail.com Wed Aug 1 11:17:06 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 1 Aug 2018 17:17:06 +0200 Subject: [keycloak-user] Permissions: Slow/complex interactions In-Reply-To: References: Message-ID: Are you making you perf evaluation with Docker or without? On Wed, Aug 1, 2018 at 3:50 PM, Pedro Igor Silva wrote: > Hi, > > I also noticed JS slow. I'm working with some changes [1] which seems to > improve JS and evaluation as a whole. 
if you want I can give you a docker > image based on 4.2.0-SNAPSHOT + changes, wdyt ? Would be nice to see how > you perform with this version ... > > Also noticed better response time when running Keycloak on top of graalvm > (maybe because of graaljs) and jdk9+. > > I'm using a client with 1000 resources, 1000 permissions (one for each > resource) each with 10 role policies associated by default, 500 role > policies and 3 permissions using a mix of 4 JS (including your > publicResource and owner policies), roles and groups. Where these 3 > permissions are evaluated based on scopes and they are considered to > calculate access to every single resource. > > My tests are not making "all entitlements" requests, but several > concurrent requests (trying to keep a constant of 300/400 req/s) asking for > individual resources. > > When I try to obtain all entitlements I usually get response times from > 800ms to 1200ms. Considering the number of resources I have, you should get > a much better response. > > I've also introduced a "response_mode" parameter to the authorization > request. You can now set this parameter as "decision" or "permissions". The > "decision" mode returns only a json with a single claim indicating whether > or not request was granted, where "permissions" just returns the > permissions (no tokens). > > > On Wed, Aug 1, 2018 at 10:25 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> I tried to make some more performance testing. >> With the same settings than before (70 resources, one scope), I obtain: >> >> - User policy (3 users): 15 ms >> - Javascript policy 1: 41ms >> - Javascript policy 2: 45ms >> >> It seems that Javascript policies are very slow. >> Actually I think the user policy does not take more than 3 ms to run over >> all the resources (if we remove the time due to HTTP overhead). >> While the Javascript policies take around 30ms to run over the resources. 
>> Is it a problem due to loading/switching to the Javascript engine for >> each resource? >> >> >> >> On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> >>> >>> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva >>> wrote: >>> >>>> We have now a performance testsuite (thanks to Tomaz) that can generate >>>> also generate datasets to cover different scenarios. I'm the middle of >>>> checking Tomaz work and preparing some datasets to include in our testsuite. >>>> >>> >>> Great! >>> >>> >>>> >>>> I'm going to give a try to your use case and see if I can get the same >>>> numbers. Not sure if this is your case, but I found some performance issues >>>> when defining multiple resources with a type where the owner is the >>>> resource server itself. This causes an overhead during evaluation where the >>>> engine tries to consider permissions granted to any of these typed >>>> resources. Someone reported this some time ago, and IMO, this is an invalid >>>> usage of resource types ... Not sure if this is your case though. >>>> >>> >>> I don't really use the type of resource, actually... How do you make a >>> permission request based on types? >>> >>> >>> >>>> >>>> More answers inline. >>>> >>>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> >>>>> >>>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> Hi guys, >>>>>>> I experience some performance issue on my API server using Keycloak. 
>>>>>>> After someone issue a GET on my API server, here is what happens: >>>>>>> >>>>>>> - API server -> DB server: get requested resources >>>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>>> - API server -> Keycloak: get resources (to complement DB server with >>>>>>> resource owner & visibility) >>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>> At this point the filtered resources are returned. >>>>>>> >>>>>>> But this process is quite slow. I noticed a call to KC can take up >>>>>>> to 100ms. >>>>>>> The complete call on the API server can take up to 600ms on my >>>>>>> laptop, in >>>>>>> localhost setting. >>>>>>> The delays become noticeable on my UI... >>>>>>> >>>>>> >>>>>> Are you able to confirm the step(s) spending more time to process ? >>>>>> If when obtaining client tokens, resources or during evaluation ? >>>>>> >>>>> >>>>> I made a quick benchmark, here is the result: >>>>> >>>>> - API server -> Keycloak: get client token: 400ms >>>>> - API server -> Keycloak: get resources: 1356ms >>>>> - API server -> Keycloak: get user token: 162ms >>>>> - API server -> Keycloak: get permission: 2400ms >>>>> Total: 4366ms >>>>> >>>>> However, this timings are obtained only on the first try after I >>>>> reboot the server. >>>>> The next calls are faster. Maybe it's due to caching? >>>>> >>>> >>>>> - API server -> Keycloak: get client token: 17ms >>>>> - API server -> Keycloak: get resources: 19ms >>>>> - API server -> Keycloak: get user token: 92ms >>>>> - API server -> Keycloak: get permission: 314ms >>>>> Total: 476ms >>>>> >>>> >>>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will see >>>> what we can improve. >>>> >>>> Thanks for the numbers. Wondering if you have percentiles for these >>>> requests ? Or this happens when you send a single request ? >>>> >>> >>> This is a single request... 
I scrapped the timestamps in my traces. >>> >>> >>> >>>> >>>> >>>>> >>>>> So yes, it's the evaluation taking time (and user token on a lesser >>>>> extent). >>>>> On this call, I need to get permissions for all resources on one >>>>> scope: permissions=#sensors:view >>>>> Because I need to filter out the resources the user cannot see. >>>>> There are around 70 resources and 3 policies (one user policy and 2 >>>>> javascript). >>>>> Keycloak is in a docker container. >>>>> >>>> >>>> I'm working with more aggresive numbers, and results are better than >>>> yours. However, all depends on how you are setting up your settings. Need >>>> to check your setup and see if I can create a dataset based on it. >>>> >>>> Could you send me an example of those javascript policies ? Are they >>>> doing much ? Do you have more than one user per user policy ? >>>> >>> >>> I attach my 2 javascript policies. They are very simple, should be O(1). >>> The user policy has 3 users. >>> >>> >>> >>> >>> >>> >>> >>>> >>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> Also, could you elaborate more what this step is doing: "- API >>>>>> server -> Keycloak: get resources (to complement DB server with >>>>>> resource owner & visibility)" ? >>>>>> >>>>> >>>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>>> because I need to return the owner of the resource in my server response. >>>>> >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> With a resource SPI strategy (if developed), it should be: >>>>>>> >>>>>>> - API server -> DB server: get requested resources >>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>> - Keycloak -> DB server: get resources >>>>>>> >>>>>>> There is a little less requests. Additional gain is that resources >>>>>>> are not >>>>>>> split between 2 databases. >>>>>>> >>>>>>> I wonder if resources could be pushed during the permission request? 
>>>>>>> Like a >>>>>>> "pushed claim". >>>>>>> This would be even more straightforward: >>>>>>> >>>>>>> - API server -> DB server: get requested resources >>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>> - API server -> Keycloak: get permission and push resources >>>>>> >>>>>> >>>>>>> Can this work? >>>>>>> >>>>>> >>>>>> I think this is an area we might want to improve in order to allow >>>>>> evaluating permissions solely based on claims pushed to the server. That >>>>>> means you won't need to manage resources in the server but rely on policies >>>>>> to process the "pushed claims". >>>>>> >>>>> >>>>> Yes that would be great. Let me open a Jira to track this. >>>>> >>>>> >>>>>> >>>>>> +1 >>>>>> >>>>>> >>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> > From jambo_mcd at yahoo.co.uk Wed Aug 1 11:24:12 2018 From: jambo_mcd at yahoo.co.uk (Jamie McDowell) Date: Wed, 1 Aug 2018 15:24:12 +0000 (UTC) Subject: [keycloak-user] kcadm - LDAP adding a variable as part of script References: <546448383.725722.1533137052070.ref@mail.yahoo.com> Message-ID: <546448383.725722.1533137052070@mail.yahoo.com> Hi, I am trying to add a variable as part of my kcadm. As an example this is for adding the connectionURL from an environment variable. Version is 3.4.3 my ". ldapenv" has all the environment information and this is ran first of all as part of my script. echo "Set the environment...". 
```
. ldap.env
echo "Creating LDAP provider for users..."
/opt/jboss/keycloak/bin/kcadm.sh create components \
  --server $KEYCLOAK_SERVER \
  --user $KEYCLOAK_USER \
  --password $KEYCLOAK_PASSWORD \
  -r $NEW_REALM \
  -s id=$LDAP_USER_ID \
  -s name=ldap-users \
  -s providerId=ldap \
  -s providerType=org.keycloak.storage.UserStorageProvider \
  -s parentId=$REALM_ID \
  -s 'config.priority=["0"]' \
  -s 'config.fullSyncPeriod=["-1"]' \
  -s 'config.changedSyncPeriod=["-1"]' \
  -s 'config.cachePolicy=["DEFAULT"]' \
  -s 'config.evictionDay=[]' \
  -s 'config.evictionHour=[]' \
  -s 'config.evictionMinute=[]' \
  -s 'config.maxLifespan=[]' \
  -s 'config.batchSizeForSync=["1000"]' \
  -s 'config.editMode=["WRITABLE"]' \
  -s 'config.syncRegistrations=["true"]' \
  -s 'config.vendor=["other"]' \
  -s 'config.usernameLDAPAttribute=["mail"]' \
  -s 'config.rdnLDAPAttribute=["uid"]' \
  -s 'config.uuidLDAPAttribute=["entryUUID"]' \
  -s 'config.userObjectClasses=["inetOrgPerson, organizationalPerson, top, person"]' \
  -s 'config."connectionUrl"=['$LDAPHOST']'
```

When the script has completed and I log into Keycloak to check the settings, under connectionURL this shows $LDAPHOST when I should be expecting something like ldap://example.com (this is what is set in my ldap.env). I know when I hard-code the ldaphost this works fine. I have tried various ways using single quotations and double quotations but just can't seem to get this to populate with the correct output.

Regards,
Jamie

From mposolda at redhat.com Wed Aug 1 11:32:13 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 1 Aug 2018 17:32:13 +0200
Subject: [keycloak-user] Keycloak 4.2.0.Final released!
In-Reply-To: <46E75C78-26C4-4009-903B-4DB75D5244C3@moneymeets.com>
References: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com> <46E75C78-26C4-4009-903B-4DB75D5244C3@moneymeets.com>
Message-ID:

Yes, exactly. It usually takes some time until it appears here.
Another thing is that the Web UI of the Maven Central repository might be a bit stale, and you can download artifacts even if they are not yet available in the Web UI. If you still see issues with Maven Central, I suggest adding the JBoss public repository, which should contain the artifacts for sure. Something like this in your pom.xml:

```
<repository>
  <id>jboss</id>
  <url>https://repository.jboss.org/nexus/content/groups/public/</url>
  <snapshots>
    <enabled>false</enabled>
  </snapshots>
</repository>
```

Marek

On 01/08/18 16:11, Matthias Kesternich wrote:
> Thanks for your work!
>
> I've already found the docker image, but maven central still lists 4.1.0.Final as latest version: http://repo1.maven.org/maven2/org/keycloak/keycloak-core/ . Will it take some time for the artifacts to appear due to sync delays or something?
>
> On 01.08.18, 15:56, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Posolda" wrote:
>
> See details on the blog:
> http://blog.keycloak.org/2018/08/keycloak-420final-released.html
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Aug 1 11:57:38 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 1 Aug 2018 12:57:38 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

I'm not sure about the recommendations to use Drools in containers. But I guess it makes more sense to configure your container with a maven setting that points to a valid repository in your network instead. You could also mount a volume. Take a look here http://docs.jboss.org/drools/release/6.4.0.Final/drools-docs/html/ch04.html#d0e3037, please.

On Wed, Aug 1, 2018 at 11:58 AM, Corentin Dupont wrote:
> I'm trying to evaluate also Drools rules, but I have one question:
> how do you work with Drools in the keycloak docker container?
> Do you need to copy M2_HOME in the container or something like that?
> > On Wed, Aug 1, 2018 at 3:55 PM, Pedro Igor Silva > wrote: > >> Yeah, that is why I'm also evaluating graaljs. But I think we will only >> get better results if using native images (ahead of time compiling vs jit), >> not sure ... But like I said, I've noticed some improvements in JS runtime >> when running KC on top of graalvm. >> >> I was also wondering if Groovy could be a nice language to support as an >> alternative/replacement to JS policies ... >> >> On Wed, Aug 1, 2018 at 10:46 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> It also seems that Nashorn script engine will be deprecated: >>> http://openjdk.java.net/jeps/335 >>> >>> >>> >>> On Wed, Aug 1, 2018 at 3:25 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> I tried to make some more performance testing. >>>> With the same settings than before (70 resources, one scope), I obtain: >>>> >>>> - User policy (3 users): 15 ms >>>> - Javascript policy 1: 41ms >>>> - Javascript policy 2: 45ms >>>> >>>> It seems that Javascript policies are very slow. >>>> Actually I think the user policy does not take more than 3 ms to run >>>> over all the resources (if we remove the time due to HTTP overhead). >>>> While the Javascript policies take around 30ms to run over the >>>> resources. >>>> Is it a problem due to loading/switching to the Javascript engine for >>>> each resource? >>>> >>>> >>>> >>>> On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> >>>>> >>>>> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> We have now a performance testsuite (thanks to Tomaz) that can >>>>>> generate also generate datasets to cover different scenarios. I'm the >>>>>> middle of checking Tomaz work and preparing some datasets to include in our >>>>>> testsuite. >>>>>> >>>>> >>>>> Great! >>>>> >>>>> >>>>>> >>>>>> I'm going to give a try to your use case and see if I can get the >>>>>> same numbers. 
Not sure if this is your case, but I found some performance >>>>>> issues when defining multiple resources with a type where the owner is the >>>>>> resource server itself. This causes an overhead during evaluation where the >>>>>> engine tries to consider permissions granted to any of these typed >>>>>> resources. Someone reported this some time ago, and IMO, this is an invalid >>>>>> usage of resource types ... Not sure if this is your case though. >>>>>> >>>>> >>>>> I don't really use the type of resource, actually... How do you make a >>>>> permission request based on types? >>>>> >>>>> >>>>> >>>>>> >>>>>> More answers inline. >>>>>> >>>>>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva < >>>>>>> psilva at redhat.com> wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi guys, >>>>>>>>> I experience some performance issue on my API server using >>>>>>>>> Keycloak. >>>>>>>>> After someone issue a GET on my API server, here is what happens: >>>>>>>>> >>>>>>>>> - API server -> DB server: get requested resources >>>>>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>>>>> - API server -> Keycloak: get resources (to complement DB server >>>>>>>>> with >>>>>>>>> resource owner & visibility) >>>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>>> At this point the filtered resources are returned. >>>>>>>>> >>>>>>>>> But this process is quite slow. I noticed a call to KC can take up >>>>>>>>> to 100ms. >>>>>>>>> The complete call on the API server can take up to 600ms on my >>>>>>>>> laptop, in >>>>>>>>> localhost setting. >>>>>>>>> The delays become noticeable on my UI... 
>>>>>>>>> >>>>>>>> >>>>>>>> Are you able to confirm the step(s) spending more time to process ? >>>>>>>> If when obtaining client tokens, resources or during evaluation ? >>>>>>>> >>>>>>> >>>>>>> I made a quick benchmark, here is the result: >>>>>>> >>>>>>> - API server -> Keycloak: get client token: 400ms >>>>>>> - API server -> Keycloak: get resources: 1356ms >>>>>>> - API server -> Keycloak: get user token: 162ms >>>>>>> - API server -> Keycloak: get permission: 2400ms >>>>>>> Total: 4366ms >>>>>>> >>>>>>> However, this timings are obtained only on the first try after I >>>>>>> reboot the server. >>>>>>> The next calls are faster. Maybe it's due to caching? >>>>>>> >>>>>> >>>>>>> - API server -> Keycloak: get client token: 17ms >>>>>>> - API server -> Keycloak: get resources: 19ms >>>>>>> - API server -> Keycloak: get user token: 92ms >>>>>>> - API server -> Keycloak: get permission: 314ms >>>>>>> Total: 476ms >>>>>>> >>>>>> >>>>>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will >>>>>> see what we can improve. >>>>>> >>>>>> Thanks for the numbers. Wondering if you have percentiles for these >>>>>> requests ? Or this happens when you send a single request ? >>>>>> >>>>> >>>>> This is a single request... I scrapped the timestamps in my traces. >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> So yes, it's the evaluation taking time (and user token on a lesser >>>>>>> extent). >>>>>>> On this call, I need to get permissions for all resources on one >>>>>>> scope: permissions=#sensors:view >>>>>>> Because I need to filter out the resources the user cannot see. >>>>>>> There are around 70 resources and 3 policies (one user policy and 2 >>>>>>> javascript). >>>>>>> Keycloak is in a docker container. >>>>>>> >>>>>> >>>>>> I'm working with more aggresive numbers, and results are better than >>>>>> yours. However, all depends on how you are setting up your settings. Need >>>>>> to check your setup and see if I can create a dataset based on it. 
>>>>>> >>>>>> Could you send me an example of those javascript policies ? Are they >>>>>> doing much ? Do you have more than one user per user policy ? >>>>>> >>>>> >>>>> I attach my 2 javascript policies. They are very simple, should be >>>>> O(1). >>>>> The user policy has 3 users. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> Also, could you elaborate more what this step is doing: "- API >>>>>>>> server -> Keycloak: get resources (to complement DB server with >>>>>>>> resource owner & visibility)" ? >>>>>>>> >>>>>>> >>>>>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>>>>> because I need to return the owner of the resource in my server response. >>>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> With a resource SPI strategy (if developed), it should be: >>>>>>>>> >>>>>>>>> - API server -> DB server: get requested resources >>>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>>> - Keycloak -> DB server: get resources >>>>>>>>> >>>>>>>>> There is a little less requests. Additional gain is that resources >>>>>>>>> are not >>>>>>>>> split between 2 databases. >>>>>>>>> >>>>>>>>> I wonder if resources could be pushed during the permission >>>>>>>>> request? Like a >>>>>>>>> "pushed claim". >>>>>>>>> This would be even more straightforward: >>>>>>>>> >>>>>>>>> - API server -> DB server: get requested resources >>>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>>> - API server -> Keycloak: get permission and push resources >>>>>>>> >>>>>>>> >>>>>>>>> Can this work? >>>>>>>>> >>>>>>>> >>>>>>>> I think this is an area we might want to improve in order to allow >>>>>>>> evaluating permissions solely based on claims pushed to the server. 
That
>>>>>>>> means you won't need to manage resources in the server but rely on policies
>>>>>>>> to process the "pushed claims".
>>>>>>>
>>>>>>> Yes that would be great. Let me open a Jira to track this.
>>>>>>>
>>>>>>>> +1
>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Aug 1 11:57:58 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 1 Aug 2018 12:57:58 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

Docker

On Wed, Aug 1, 2018 at 12:17 PM, Corentin Dupont wrote:
>
> Are you making your perf evaluation with Docker or without?
>
> On Wed, Aug 1, 2018 at 3:50 PM, Pedro Igor Silva wrote:
>
>> Hi,
>>
>> I also noticed JS slow. I'm working with some changes [1] which seem to
>> improve JS and evaluation as a whole. If you want I can give you a docker
>> image based on 4.2.0-SNAPSHOT + changes, wdyt ? Would be nice to see how
>> you perform with this version ...
>>
>> Also noticed better response time when running Keycloak on top of graalvm
>> (maybe because of graaljs) and jdk9+.
>>
>> I'm using a client with 1000 resources, 1000 permissions (one for each
>> resource) each with 10 role policies associated by default, 500 role
>> policies and 3 permissions using a mix of 4 JS (including your
>> publicResource and owner policies), roles and groups. Where these 3
>> permissions are evaluated based on scopes and they are considered to
>> calculate access to every single resource.
>>
>> My tests are not making "all entitlements" requests, but several
>> concurrent requests (trying to keep a constant of 300/400 req/s) asking for
>> individual resources.
>> >> When I try to obtain all entitlements I usually get response times from >> 800ms to 1200ms. Considering the number of resources I have, you should get >> a much better response. >> >> I've also introduced a "response_mode" parameter to the authorization >> request. You can now set this parameter as "decision" or "permissions". The >> "decision" mode returns only a json with a single claim indicating whether >> or not request was granted, where "permissions" just returns the >> permissions (no tokens). >> >> >> On Wed, Aug 1, 2018 at 10:25 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> I tried to make some more performance testing. >>> With the same settings than before (70 resources, one scope), I obtain: >>> >>> - User policy (3 users): 15 ms >>> - Javascript policy 1: 41ms >>> - Javascript policy 2: 45ms >>> >>> It seems that Javascript policies are very slow. >>> Actually I think the user policy does not take more than 3 ms to run >>> over all the resources (if we remove the time due to HTTP overhead). >>> While the Javascript policies take around 30ms to run over the resources. >>> Is it a problem due to loading/switching to the Javascript engine for >>> each resource? >>> >>> >>> >>> On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> >>>> >>>> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> We have now a performance testsuite (thanks to Tomaz) that can >>>>> generate also generate datasets to cover different scenarios. I'm the >>>>> middle of checking Tomaz work and preparing some datasets to include in our >>>>> testsuite. >>>>> >>>> >>>> Great! >>>> >>>> >>>>> >>>>> I'm going to give a try to your use case and see if I can get the same >>>>> numbers. Not sure if this is your case, but I found some performance issues >>>>> when defining multiple resources with a type where the owner is the >>>>> resource server itself. 
This causes an overhead during evaluation where the >>>>> engine tries to consider permissions granted to any of these typed >>>>> resources. Someone reported this some time ago, and IMO, this is an invalid >>>>> usage of resource types ... Not sure if this is your case though. >>>>> >>>> >>>> I don't really use the type of resource, actually... How do you make a >>>> permission request based on types? >>>> >>>> >>>> >>>>> >>>>> More answers inline. >>>>> >>>>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva >>>>> > wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>> >>>>>>>> Hi guys, >>>>>>>> I experience some performance issue on my API server using Keycloak. >>>>>>>> After someone issue a GET on my API server, here is what happens: >>>>>>>> >>>>>>>> - API server -> DB server: get requested resources >>>>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>>>> - API server -> Keycloak: get resources (to complement DB server >>>>>>>> with >>>>>>>> resource owner & visibility) >>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>> At this point the filtered resources are returned. >>>>>>>> >>>>>>>> But this process is quite slow. I noticed a call to KC can take up >>>>>>>> to 100ms. >>>>>>>> The complete call on the API server can take up to 600ms on my >>>>>>>> laptop, in >>>>>>>> localhost setting. >>>>>>>> The delays become noticeable on my UI... >>>>>>>> >>>>>>> >>>>>>> Are you able to confirm the step(s) spending more time to process ? >>>>>>> If when obtaining client tokens, resources or during evaluation ? 
>>>>>>> >>>>>> >>>>>> I made a quick benchmark, here is the result: >>>>>> >>>>>> - API server -> Keycloak: get client token: 400ms >>>>>> - API server -> Keycloak: get resources: 1356ms >>>>>> - API server -> Keycloak: get user token: 162ms >>>>>> - API server -> Keycloak: get permission: 2400ms >>>>>> Total: 4366ms >>>>>> >>>>>> However, this timings are obtained only on the first try after I >>>>>> reboot the server. >>>>>> The next calls are faster. Maybe it's due to caching? >>>>>> >>>>> >>>>>> - API server -> Keycloak: get client token: 17ms >>>>>> - API server -> Keycloak: get resources: 19ms >>>>>> - API server -> Keycloak: get user token: 92ms >>>>>> - API server -> Keycloak: get permission: 314ms >>>>>> Total: 476ms >>>>>> >>>>> >>>>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will >>>>> see what we can improve. >>>>> >>>>> Thanks for the numbers. Wondering if you have percentiles for these >>>>> requests ? Or this happens when you send a single request ? >>>>> >>>> >>>> This is a single request... I scrapped the timestamps in my traces. >>>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> So yes, it's the evaluation taking time (and user token on a lesser >>>>>> extent). >>>>>> On this call, I need to get permissions for all resources on one >>>>>> scope: permissions=#sensors:view >>>>>> Because I need to filter out the resources the user cannot see. >>>>>> There are around 70 resources and 3 policies (one user policy and 2 >>>>>> javascript). >>>>>> Keycloak is in a docker container. >>>>>> >>>>> >>>>> I'm working with more aggresive numbers, and results are better than >>>>> yours. However, all depends on how you are setting up your settings. Need >>>>> to check your setup and see if I can create a dataset based on it. >>>>> >>>>> Could you send me an example of those javascript policies ? Are they >>>>> doing much ? Do you have more than one user per user policy ? >>>>> >>>> >>>> I attach my 2 javascript policies. 
They are very simple, should be O(1). >>>> The user policy has 3 users. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> Also, could you elaborate more what this step is doing: "- API >>>>>>> server -> Keycloak: get resources (to complement DB server with >>>>>>> resource owner & visibility)" ? >>>>>>> >>>>>> >>>>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>>>> because I need to return the owner of the resource in my server response. >>>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> With a resource SPI strategy (if developed), it should be: >>>>>>>> >>>>>>>> - API server -> DB server: get requested resources >>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>> - Keycloak -> DB server: get resources >>>>>>>> >>>>>>>> There is a little less requests. Additional gain is that resources >>>>>>>> are not >>>>>>>> split between 2 databases. >>>>>>>> >>>>>>>> I wonder if resources could be pushed during the permission >>>>>>>> request? Like a >>>>>>>> "pushed claim". >>>>>>>> This would be even more straightforward: >>>>>>>> >>>>>>>> - API server -> DB server: get requested resources >>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>> - API server -> Keycloak: get permission and push resources >>>>>>> >>>>>>> >>>>>>>> Can this work? >>>>>>>> >>>>>>> >>>>>>> I think this is an area we might want to improve in order to allow >>>>>>> evaluating permissions solely based on claims pushed to the server. That >>>>>>> means you won't need to manage resources in the server but rely on policies >>>>>>> to process the "pushed claims". >>>>>>> >>>>>> >>>>>> Yes that would be great. Let me open a Jira to track this. 
>>>>>> >>>>>> >>>>>>> >>>>>>> +1 >>>>>>> >>>>>>> >>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> keycloak-user mailing list >>>>>>>> keycloak-user at lists.jboss.org >>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From jambo_mcd at yahoo.co.uk Wed Aug 1 12:10:14 2018 From: jambo_mcd at yahoo.co.uk (Jamie McDowell) Date: Wed, 1 Aug 2018 16:10:14 +0000 (UTC) Subject: [keycloak-user] kcadm - LDAP adding a variable as part of script In-Reply-To: <546448383.725722.1533137052070@mail.yahoo.com> References: <546448383.725722.1533137052070.ref@mail.yahoo.com> <546448383.725722.1533137052070@mail.yahoo.com> Message-ID: <1631861728.823173.1533139814274@mail.yahoo.com> I have now fixed this -s "config.connectionUrl=[\"${LDAPHOST}\"]" Regards, Jamie On Wednesday, 1 August 2018, 15:24:12 GMT, Jamie McDowell wrote: Hi, I am trying to add a variable as part of my kcadm. As an example this is for adding the connectionURL from an environment variable. Version is 3.4.3 my ". ldapenv" has all the environment information and this is ran first of all as part of my script. echo "Set the environment...". 
```
. ldap.env
echo "Creating LDAP provider for users..."
/opt/jboss/keycloak/bin/kcadm.sh create components \
  --server $KEYCLOAK_SERVER \
  --user $KEYCLOAK_USER \
  --password $KEYCLOAK_PASSWORD \
  -r $NEW_REALM \
  -s id=$LDAP_USER_ID \
  -s name=ldap-users \
  -s providerId=ldap \
  -s providerType=org.keycloak.storage.UserStorageProvider \
  -s parentId=$REALM_ID \
  -s 'config.priority=["0"]' \
  -s 'config.fullSyncPeriod=["-1"]' \
  -s 'config.changedSyncPeriod=["-1"]' \
  -s 'config.cachePolicy=["DEFAULT"]' \
  -s 'config.evictionDay=[]' \
  -s 'config.evictionHour=[]' \
  -s 'config.evictionMinute=[]' \
  -s 'config.maxLifespan=[]' \
  -s 'config.batchSizeForSync=["1000"]' \
  -s 'config.editMode=["WRITABLE"]' \
  -s 'config.syncRegistrations=["true"]' \
  -s 'config.vendor=["other"]' \
  -s 'config.usernameLDAPAttribute=["mail"]' \
  -s 'config.rdnLDAPAttribute=["uid"]' \
  -s 'config.uuidLDAPAttribute=["entryUUID"]' \
  -s 'config.userObjectClasses=["inetOrgPerson, organizationalPerson, top, person"]' \
  -s 'config."connectionUrl"=['$LDAPHOST']'
```

When the script has completed and I log into Keycloak to check the settings, under connectionURL this shows $LDAPHOST when I should be expecting something like ldap://example.com (this is what is set in my ldap.env). I know when I hard-code the ldaphost this works fine. I have tried various ways using single quotations and double quotations but just can't seem to get this to populate with the correct output.

Regards,
Jamie

From pritiguleria10 at gmail.com Wed Aug 1 14:11:19 2018
From: pritiguleria10 at gmail.com (priti guleria)
Date: Wed, 1 Aug 2018 23:41:19 +0530
Subject: [keycloak-user] AUTH_SESSION_ID
Message-ID:

Hi All,

Can anyone help me with how to get AUTH_SESSION_ID from Keycloak ?

Thanks in advance.

Priti

From stuarta at squashedfrog.net Wed Aug 1 18:23:29 2018
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Wed, 1 Aug 2018 23:23:29 +0100
Subject: [keycloak-user] Keycloak 4.2.0.Final released!
In-Reply-To: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com>
References: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com>
Message-ID: <9150ac13-d135-c7d8-4e8d-3e7b64fb3162@squashedfrog.net>

On 01/08/18 14:47, Marek Posolda wrote:
> See details on the blog:
> http://blog.keycloak.org/2018/08/keycloak-420final-released.html
>

Anyone else seeing this error message when trying to start the docker version of this? It was upgraded earlier today from 3.4.3 to 4.1.0 and just now to 4.2.0.

Regards
Stuart

----- Error Message ---------
22:15:43,530 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    ... 6 more
Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property [class org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority] of primitive type setter of org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority
    at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:44)
    at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713)
    at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:207)
    at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4692)
    at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:183)
    at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:125)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:238)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:209)
    at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:133)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:122)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
    at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
    at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
    at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
    at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
    at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
    at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
    at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
    at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
    at org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:161)
    at org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:146)
    at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
    at org.hibernate.collection.internal.AbstractPersistentCollection.readSize(AbstractPersistentCollection.java:145)
    at org.hibernate.collection.internal.PersistentBag.isEmpty(PersistentBag.java:266)
    at org.keycloak.models.jpa.RealmAdapter.getRequiredActionProviders(RealmAdapter.java:1726)
    at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:256)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
    at org.keycloak.migration.migrators.MigrateTo4_2_0.migrate(MigrateTo4_2_0.java:48)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 28 more
Caused by: java.lang.IllegalArgumentException: Can not set int field org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority to null value
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
    at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
    at sun.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:80)
    at java.lang.reflect.Field.set(Field.java:764)
    at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:38)
    ... 68 more
-----------------------------

From dt at acutus.pro Wed Aug 1 19:50:04 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 02 Aug 2018 02:50:04 +0300
Subject: [keycloak-user] AUTH_SESSION_ID
In-Reply-To:
References:
Message-ID: <1533167404.2094.1.camel@acutus.pro>

Hi Priti,

What's your setup?
What kind of application is it, what Keycloak adapter do you use?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-08-01 at 23:41 +0530, priti guleria wrote:
> Hi All,
>
> Can anyone help me with how to get AUTH_SESSION_ID from Keycloak?
>
> Thanks in advance.
>
>
> Priti
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Aug 1 19:55:04 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 02 Aug 2018 02:55:04 +0300
Subject: [keycloak-user] SAML IDP seamless SSO
In-Reply-To:
References:
Message-ID: <1533167704.2094.3.camel@acutus.pro>

Hi Martin,

What version of Keycloak is it? Tested with both 3.4.0 and 4.1.0, and I was able to set the whole "Verify Existing Account By Re-authentication" to DISABLED.

Either way, you should be able to make a copy of the flow, remove "Verify Existing Account By Re-authentication" completely, and override the First Broker Login flow in your IdP settings in Keycloak.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-08-01 at 14:50 +0100, Devlin, Martin wrote:
> Hi,
>
> I am setting up a SAML IDP. The user will already exist in Keycloak, I want that user linked to the IDP.
>
> What I want is for the user to be linked invisibly, without having to do anything.
>
> I have disabled the following in the First Broker Login flow:
>
> ```
> first broker login/idp-review-profile set to DISABLED
> first broker login/idp-confirm-link set to DISABLED
> first broker login/idp-email-verification set to DISABLED
> ```
>
> This gets rid of the dialogs to confirm profile and email verification.
>
> But there's another setting that I can't disable: "Username Password Form For Identity Provider Reauthentication"
>
> So as it is the user has to authenticate against the IDP (which is what I want) but then also against Keycloak (which I don't want).
>
> Thanks,
>
> Martin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Aug 1 20:06:24 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 02 Aug 2018 03:06:24 +0300
Subject: [keycloak-user] Deployment of custom IdentityProviders with HTML pages for admin console
In-Reply-To:
References:
Message-ID: <1533168384.2094.5.camel@acutus.pro>

Hi Thomas,

(skipped)

> My current deployment script contains the following:
> ...
>   echo install new acme-identityprovider
>   cp target/*.jar $KEYCLOAK_HOME/standalone/deployments
>
>   echo install new theme page
>   cp -r src/main/resources/themes/* $KEYCLOAK_HOME/themes
> ...
>
> This copies the associated HTML files to
>   themes/base/admin/resources/partials/realm-identity-provider-acme.html
>   themes/base/admin/resources/partials/realm-identity-provider-acme-ext.html

So you are actually patching the Keycloak base theme? You're a cheater! :-D This is not how GUI modifications are done in Keycloak normally.

If you're on KC 4.0.0+, seems like Theme Resources is what you're looking for:
https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource

Otherwise, the recommended way is to create a custom theme, inherit it from the Keycloak stock theme and extend it with your content. You can put your theme into the same JAR to have it hot deployed (see KEYCLOAK-4547), but also only if you're on KC 4.0.0+.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Cheers,
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Aug 1 20:10:40 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 02 Aug 2018 03:10:40 +0300
Subject: [keycloak-user] Keycloak customised credential model
In-Reply-To:
References:
Message-ID: <1533168640.2094.7.camel@acutus.pro>

Hi,

Agree with Pedro, I'd also recommend creating a custom JPA entity for your credentials and using it in your authenticator.

Or maybe there is another way: to file an RFE in JIRA, so maybe the developers are OK with increasing the field length to, say, 32K?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-08-01 at 09:51 -0300, Pedro Igor Silva wrote:
> Maybe this can help?
>
> https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
>
> On Wed, Aug 1, 2018 at 9:25 AM, Mangna POUTOULI wrote:
>
> > We desire to create a customised credential SPI for device fingerprinting. We developed an authenticator SPI but we got an issue about credential size. By default the standard credential model limits the secret attribute to 4 KB. Our fingerprint requires around 30 KB. What is the best way to solve this issue? Based on our research, I think there are 3 different approaches:
> >
> >   1. split the fingerprint in 4K blocks. Simple to develop but it will increase credential table entries by 8! Also, the 4K default size might change in a future release.
> >   2. extend userstorage and credentialModel classes. I'm not sure of this solution as the users are local to Keycloak.
> >   3. extend UsercredentialStore and create a new credential table.
> >
> > From my perspective, this should be the best solution but not sure it will be possible. I'll be happy to get community advice. Thanks,
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From postmaster at lists.jboss.org Wed Aug 1 20:26:59 2018
From: postmaster at lists.jboss.org (Mail Delivery Subsystem)
Date: Thu, 2 Aug 2018 08:26:59 +0800
Subject: [keycloak-user] Mail System Error - Returned Mail
Message-ID: <201808020028.w720SuiP010284@lists01.dmz-a.mwc.hst.phx2.redhat.com>

References: <1533069524.4909.4.camel@acutus.pro>
Message-ID: <1533170197.2094.9.camel@acutus.pro>

Hi Daniel,

On Wed, 2018-08-01 at 11:32 +0200, Daniel Teixeira wrote:
> Wonderful, thank you! I should have read the docs better.
> Yes you remember correctly Dmitry, I am familiar with creating a custom module now :)

You're welcome :)

> Thanks for the trick with Firebug Marek.
> It will be useful in the future :) Actually I tried that trick, on the "account" interface, but the "account" interface does not use a rest api, correct?

I hope Marek forgives me if I answer on his behalf :) Well, Account actually uses a REST endpoint, but it is not a part of the Admin REST API. The endpoint lives in org.keycloak.services.resources.account.AccountRestService (keycloak-services module), so you can examine it.

> For example I don't want the user to update its password / firstName / lastName (because those fields come from LDAP) and I wanted to double-check if commenting / disabling those fields on custom ftl templates is enough or do I need to disable / comment something on the backend as well? On realm settings -> login. There is only the option "edit username", but no option for "edit firstName / edit lastName / edit password"....

From the AccountRestService code we can deduce that there is no way ATM to selectively disable updating firstName / lastName / password. But do I get it right that you simply want a read-only version of the Account GUI? Then I think there is a solution for your case, let me know.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
>
>
> On Tue, Jul 31, 2018 at 10:38 PM, Dmitry Telegin wrote:
> > Hi Daniel,
> >
> > That's what you can do with federated identities currently:
> >
> > GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list federated identities configured for the user
> > POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - create a new federated identity
> > DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - remove federated identity
> >
> > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363
> >
> > Updating federated entities with PUT is not supported yet. Feel free to file an RFE in JIRA for that.
> >
> > Meanwhile, you can implement this missing piece as a custom REST resource and deploy it to your Keycloak. If I remember correctly, you should be already familiar with the process :)
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote:
> > > I would like to update (and ideally create) the federatedIdentities attribute of a user using the Admin Rest API, but it seems like this does not work / or it is not supported?
> > >
> > > I am able to update normal user attributes but not the federatedIdentities.
> > >
> > > Is this a bug or is it supposed to be like this?
> > >
> > > Is there a different way to do this? (Of course I could do an insert into, in the database, but I would prefer to use the api...). I need to run this for more than 200 users...
> > >
> > > My code:
> > > https://github.com/ddtxra/python-console-keycloak-example/blob/master/admin-rest-api-update-user.py
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
>
> --
> Daniel Teixeira

From dt at acutus.pro Wed Aug 1 20:39:30 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 02 Aug 2018 03:39:30 +0300
Subject: [keycloak-user] EventListenerProvider that removes an existing offline session/token
In-Reply-To:
References:
Message-ID: <1533170370.2094.11.camel@acutus.pro>

Hi Michael, sorry for the late response,

Is that still topical for you? Does your code actually print out anything ("Removing already existing offline user")? i.e. are there actually offline sessions?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-07-07 at 09:44 +0200, Michael Hunziker wrote:
> Hi everyone!
>
> I need some advice in implementing an EventListenerProvider that makes sure that there is only one offline session/token per user (as soon as the user logs in on another device the provider should make sure that the other session/token is deleted).
>
> I would expect that calling "userSessionProvider.removeOfflineUserSession(realmModel, userSession);" should be enough in the code below... But it does not delete anything in "OFFLINE_CLIENT_SESSION" and "OFFLINE_USER_SESSION".
> Am I missing something? Is this even doable?
>
> Cheers Michael
>
>
> ```java
> import java.util.List;
>
> import org.keycloak.events.Event;
> import org.keycloak.events.EventType;
> import org.keycloak.models.RealmModel;
> import org.keycloak.models.UserModel;
> import org.keycloak.models.UserSessionModel;
> import org.keycloak.models.UserSessionProvider;
>
> // Event-handling methods of an EventListenerProvider implementation. The fields
> // session (KeycloakSession), realmProvider (RealmProvider), log and the constant
> // MY_REALM are initialised elsewhere in the enclosing class.
>
> @Override
> public void onEvent(Event event) {
>     final String realmId = event.getRealmId();
>     final String userId = event.getUserId();
>     final EventType eventType = event.getType();
>
>     // Only act on LOGIN events for the configured realm that carry a user id
>     if (isRelevantEvent(realmId, eventType) && userId != null) {
>         RealmModel realmModel = realmProvider.getRealm(realmId);
>         UserModel userModel = session.users().getUserById(userId, realmModel);
>         final UserSessionProvider userSessionProvider = session.sessions();
>         final List<UserSessionModel> userSessions =
>                 userSessionProvider.getOfflineUserSessions(realmModel, userModel);
>         // Remove every offline session except the one belonging to the current login
>         userSessions.stream()
>                 .filter(userSession -> !userSession.getId().equals(event.getSessionId()))
>                 .forEach(userSession -> {
>                     log.warn("Removing already existing offline user session {}", userSession.getId());
>                     userSessionProvider.removeOfflineUserSession(realmModel, userSession);
>                 });
>     }
> }
>
> private boolean isRelevantEvent(final String realmId, final EventType eventType) {
>     return eventType != null && eventType == EventType.LOGIN &&
>             realmId != null && realmId.equals(MY_REALM);
> }
> ```
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Aug 1 20:45:50 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 02 Aug 2018 03:45:50 +0300
Subject: [keycloak-user] kcadm - adding a protocol-mapper
In-Reply-To: <1981069224.6401500.1533050141234@mail.yahoo.com>
References: <393991387.3571827.1532708749385.ref@mail.yahoo.com> <393991387.3571827.1532708749385@mail.yahoo.com> <98566890.3575432.1532708944298@mail.yahoo.com> <1533005327.5207.14.camel@acutus.pro> <5126F9C8-5AA5-4C27-BD8E-C3871BD5A462@moneymeets.com>
<1981069224.6401500.1533050141234@mail.yahoo.com>
Message-ID: <1533170750.2094.13.camel@acutus.pro>

Hi,

My bad, I've used incorrect JSON; thanks Matthias for pointing out that JSON indeed does work.

On Tue, 2018-07-31 at 15:15 +0000, Jamie McDowell wrote:
> Cheers Guys,
>
> We have got this working by importing a json file with the settings.
>
> I can look at creating a bug in regards to adding this via kcadm if this is definitely a bug?

Well, JSON is successfully consumed by kcadm, but its exact CLI equivalent is not, definitely seems like a bug to me. So feel free to file it in JIRA.

Good luck!
Dmitry

>
>
> Regards,
>
> Jamie
>
>
> On Tuesday, 31 July 2018, 08:11:52 BST, Matthias Kesternich wrote:
>
>
> > FWIW I have no problem creating mappers for 4.0.0 and 4.1.0. I use this:
> >
> > kcadm.sh create clients/$CLIENT_ID/protocol-mappers/models -f - << 'EOF'
> > {
> >   "protocol": "openid-connect",
> >   "name": "scope",
> >   "protocolMapper": "oidc-script-based-protocol-mapper",
> >   "config": {
> >     "script": "somescript",
> >     "id.token.claim": false,
> >     "access.token.claim": true,
> >     "userinfo.token.claim": false,
> >     "multivalued": true,
> >     "claim.name": "myclaim",
> >     "jsonType.label": ""
> >   }
> > }
> > EOF
> >
> > To me it seems the OP's JSON is invalid as indicated by "handleUnexpectedToken".
> >
> > Best,
> > -Matthias
> >
> >
> >
> >     On 31.07.18, 04:50, "keycloak-user-bounces at lists.jboss.org on behalf of Dmitry Telegin" wrote:
> >
> >     Hi Jamie,
> >
> >     Seems like you've hit a bug. I can confirm this for KC 4.1.0. As a workaround I've tried to use JSON, but got an even stranger error:
> >
> >     Resource not found for url: http://localhost:8080/auth/admin/realms/master/clients//protocol-mappers/models
> >
> >     But that's exactly the URL the Admin Console makes HTTP POST to. I'd suggest that you file a bug in JIRA.
> >
> >     Cheers,
> >     Dmitry Telegin
> >     CTO, Acutus s.r.o.
> >     Keycloak Consulting and Training
> >
> >     Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> >     +42 (022) 888-30-71
> >     E-mail: info at acutus.pro
> >
> >     On Fri, 2018-07-27 at 16:29 +0000, Jamie McDowell wrote:
> >     > Hi,
> >     >
> >     > I am trying to add a client protocol-mapper however when I try and run this I get an HTTP error - 500 Internal Server Error
> >     > opt/jboss/keycloak/bin/kcadm.sh create \
> >     > clients//protocol-mappers/models \
> >     > -r demorealm \
> >     > -s protocol=openid-connect \
> >     > -s protocolMapper=oidc-usermodel-realm-mapper \
> >     > -s consentRequired=false \
> >     > -s config.claim.name=group_membership \
> >     > -s config.jsonType.label=String \
> >     > -s config.id.token.claim=true \
> >     > -s config.access.token.claim=true \
> >     > -s config.userinfo.token.claim=true \
> >     > -s config.multivalued=true \
> >     > -s name=Realm \
> >     > I can confirm that kcadm works as I have been able to create groups, LDAP mappers, realms etc...
> >     > In the server.log I can see the below error when I run the above
> >     > > ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-109) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not
> >     > >  at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@55dee6f8; line: 1, column: 119] (through reference chain: org.keycloak.representations.idm.ProtocolMapperRepresentation["co
> >     > >         at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
> >     > >         at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234)
> >     > >         at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122)
> >     > >         at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075)
> >     > >         at com.fasterxml.jackson.databind.deser.std.StringDeserializer.deserialize(StringDeserializer.java:60)
> >     > Appreciate if anyone can advise on this (keycloak version is 3.4.3)
> >     > Thanks Jamie
> >     > _______________________________________________
> >     > keycloak-user mailing list
> >     > keycloak-user at lists.jboss.org
> >     > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >     _______________________________________________
> >     keycloak-user mailing list
> >     keycloak-user at lists.jboss.org
> >     https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

From dt at acutus.pro Wed Aug 1 20:50:48 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 02 Aug 2018 03:50:48 +0300
Subject: [keycloak-user] Dynamically branded login?
In-Reply-To: <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com>
References: <1533011148.5207.30.camel@acutus.pro> <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com>
Message-ID: <1533171048.2094.15.camel@acutus.pro>

Craig, Will,

Sorry for having fooled you :-\ Turns out that the ${url} object is actually not what it seems.

I'd suggest the following trick. Could someone please try dumping all the available FTL variables using the below approach?
https://community.liferay.com/blogs/-/blogs/the-magic-template-variable-dumper-script-for-liferay-7

This is for Liferay, but I hope it works with Keycloak FTLs without any major modifications. So hopefully we can fish something useful out of there.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-07-31 at 14:13 -0700, Will Lopez wrote:
> Hi Dmitry,
>
> I have a use case for this same need: conditionally rendering a block of HTML in the login.ftl based on the value of a query string param.
>
> I have a question with more details here: https://stackoverflow.com/questions/51619158/keycloak-make-query-string-param-available-in-marker-freemarker-template?noredirect=1#comment90204334_51619158
>
> I attempted to use ${url} as you suggested, however it does not have a public method that provides the request url :(
>
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java
>
> Am I missing something? Or is there any other way to access the login request url in login.ftl?
>
> Thanks, Will
>
>
>
>
> On Jul 30, 2018, at 9:25 PM, Dmitry Telegin wrote:
> >
> > Hi Craig, sorry for the late response,
> >
> > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote:
> > > We build and host a multitenant application that is currently using homegrown authentication and authorization (using Picketlink). We are considering a move to Keycloak. My preference would be to use the login flows that are built in to Keycloak rather than building our own, however that is dependent on whether we can properly brand those login flows on a per-customer basis in some dynamic way.
> >
> > In Keycloak parlance, the term "login flow" has a very particular meaning. Basically, it's what you see in the Authentication section in the Admin Console. It defines how authentication *works* rather than what it *looks like* (i.e. logic rather than appearance).
> >
> > Do you really mean "login flows"? From the second part of your message I can deduce you're mainly interested in customizing the GUI.
> >
> > > In looking at the theme SPI support, it appears to be mostly targeted to supporting multiple "static" themes. Is it possible to make a theme that is dynamic based on, for example, a query parameter?
> >
> > By default, Keycloak uses FreeMarker templates for login screens. In the templates, the URL object is exposed as ${url}, so you can analyze it and add conditional statements. If you're ok with that, probably you won't need to implement any SPIs.
> >
> > Otherwise, you can either implement custom theme selection logic based on request parameters (Theme Selector SPI), or completely redefine the theming mechanism (Theme SPI).
> >
> > > Are there any examples anywhere on how that might be possible?
> >
> > Well, builtin Keycloak themes are the best example IMO :) you can find the default login theme under themes/src/main/resources/theme/base/login in the source tree.
> >
> > > Would Keycloak carry through query parameters if they were provided when launching the login flow?
> >
> > It's best to create a custom theme and see :)
> >
> > Good luck!
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > > Thanks,
> > > Craig
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From frederick at frederickding.com Wed Aug 1 21:39:32 2018
From: frederick at frederickding.com (Frederick Ding)
Date: Wed, 1 Aug 2018 21:39:32 -0400
Subject: [keycloak-user] RequiredActionProviderEntity priority migration issue
Message-ID: <6135aea2-e65a-5235-21fa-6cf2e97b6593@frederickding.com>

Another user flagged a similar issue earlier today: http://lists.jboss.org/pipermail/keycloak-user/2018-August/014977.html . The problem appears to have been introduced in https://github.com/keycloak/keycloak/commit/7c0ca9aad2f552c63022010a1fc4bdbd96abab73 . The relevant issue in the server log when trying to start up 4.2.0 after migrating from 3.4.3 is this:

---
> 21:05:51,751 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 58) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
>         at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>         at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
>         at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
>         at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>         at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>         at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>         at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>         at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
>         at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
>         at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
>         at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
>         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
>         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
>         ... 6 more
> Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property [class org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority] of primitive type setter of org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority
>         at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:44)
>         at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713)
>         at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:207)
>         at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4692)
>         at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:183)
>         at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:125)
>         at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:238)
>         at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:209)
>         at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:133)
>         at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:122)
>         at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
>         at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
>         at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
>         at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
>         at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
>         at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
>         at org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:161)
>         at org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:146)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.readSize(AbstractPersistentCollection.java:145)
>         at org.hibernate.collection.internal.PersistentBag.isEmpty(PersistentBag.java:266)
>         at org.keycloak.models.jpa.RealmAdapter.getRequiredActionProviders(RealmAdapter.java:1726)
>         at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:256)
>         at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
>         at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
>         at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
>         at org.keycloak.migration.migrators.MigrateTo3_4_1.migrate(MigrateTo3_4_1.java:40)
>         at org.keycloak.migration.MigrationModelManager.migrate(Mig
rationModelManager.java:96)
>         at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
>         at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
>         at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
>         at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>         at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>         ... 28 more
> Caused by: java.lang.IllegalArgumentException: Can not set int field org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority to null value
>         at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
>         at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
>         at sun.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:80)
>         at java.lang.reflect.Field.set(Field.java:764)
>         at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:38)
>         ...
68 more --- Based on the SQL migration that was generated, it looks like the database migration merely added a column without setting a value in that column: --- > -- Changeset > META-INF/jpa-changelog-4.2.0.xml::4.2.0-KEYCLOAK-6313::wadahiro at gmail.com > ?ALTER TABLE public.REQUIRED_ACTION_PROVIDER ADD PRIORITY INT; > > ?INSERT INTO public.databasechangelog (ID, AUTHOR, FILENAME, > DATEEXECUTED, ORDEREXECUTED, MD5SUM, DESCRIPTION, COMMENTS, EXECTYPE, > CONTEXTS, LABELS, LIQUIBASE,??????????????? DEPLOYMENT_ID) VALUES > ('4.2.0-KEYCLOAK-6313', 'wadahiro at gmail.com', > 'META-INF/jpa-changelog-4.2.0.xml', NOW(), 67, > '7:14d407c35bc4fe1976867756bcea0c36', 'addColumn > tableName=REQUIRED_ACTION_PROVIDER', '', 'EXECUTED', NULL, NULL, > '3.5.4', '3171859373'); --- When starting up, the migrator (https://github.com/keycloak/keycloak/blob/7c0ca9aad2f552c63022010a1fc4bdbd96abab73/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo4_2_0.java) that sets the default priority to 10 hasn't yet run. Meanwhile, the new database column contains a null field for each row, which causes the initialization to fail on server startup. Has anyone else experienced this? Frederick From frederick at frederickding.com Wed Aug 1 21:45:47 2018 From: frederick at frederickding.com (Frederick Ding) Date: Wed, 1 Aug 2018 21:45:47 -0400 Subject: [keycloak-user] RequiredActionProviderEntity priority migration issue In-Reply-To: <6135aea2-e65a-5235-21fa-6cf2e97b6593@frederickding.com> References: <6135aea2-e65a-5235-21fa-6cf2e97b6593@frederickding.com> Message-ID: For what it's worth, the solution that I just used was to set the priority manually on the database, with something like `UPDATE required_action_provider SET priority = 10;` . That appears to have worked around this migration bug. 
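As an added illustration of the root cause (this is not Keycloak's own changelog file, nor the fix that went into KEYCLOAK-7984; the changeset ids and author are placeholders): the Liquibase changeset shape that yields the bare `ALTER TABLE ... ADD PRIORITY INT` above, next to one that declares a default and a NOT NULL constraint, so rows that already exist are never read back as NULL into the entity's primitive `int` field.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not Keycloak's jpa-changelog-4.2.0.xml.
     Changeset ids and author are placeholders. -->
<databaseChangeLog
    xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
                        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">

    <!-- Shape that produces "ALTER TABLE REQUIRED_ACTION_PROVIDER ADD PRIORITY INT":
         the column is added nullable with no default, so every pre-existing row
         reads back as NULL until a Java-level migrator backfills it. Hibernate
         loads RequiredActionProviderEntity before that migrator runs and cannot
         assign NULL to a primitive int, which is the startup failure in the trace. -->
    <changeSet id="example-priority-nullable" author="example-placeholder">
        <addColumn tableName="REQUIRED_ACTION_PROVIDER">
            <column name="PRIORITY" type="INT"/>
        </addColumn>
    </changeSet>

    <!-- Safer shape: the default and the NOT NULL constraint live in the schema
         change itself. Liquibase renders this as ADD COLUMN ... DEFAULT 10 NOT NULL
         (or an add / UPDATE / NOT NULL sequence on databases that need it), so the
         rows present at migration time hold 10 before any entity is loaded. The
         value 10 mirrors the default the MigrateTo4_2_0 migrator assigns. -->
    <changeSet id="example-priority-with-default" author="example-placeholder">
        <addColumn tableName="REQUIRED_ACTION_PROVIDER">
            <column name="PRIORITY" type="INT" defaultValueNumeric="10">
                <constraints nullable="false"/>
            </column>
        </addColumn>
    </changeSet>

</databaseChangeLog>
```

The general lesson is the same for any JPA entity that maps a column to a primitive: a schema change that introduces that column must leave no NULLs behind, because the ORM will refuse to hydrate the entity before any application-level migrator gets a chance to run.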
From dt at acutus.pro Wed Aug 1 23:52:53 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 02 Aug 2018 06:52:53 +0300 Subject: [keycloak-user] Hot deploy in domain mode In-Reply-To: References: Message-ID: <1533181973.9465.1.camel@acutus.pro>

Hi Yegui,

As Keycloak is based on Wildfly, they share the same deployment semantics. https://docs.jboss.org/author/display/WFLY/Application+deployment In a few words: there's no "deployments" equivalent in domain mode. You should deploy applications either via jboss-cli, or via Wildfly admin GUI.

See also this thread on deploying JDBC drivers in domain mode: https://developer.jboss.org/thread/276077

Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro

On Tue, 2018-07-17 at 08:03 -0400, Yegui Cai wrote:
> Hi.
> I know in standalone mode, hot deploy can be done by putting the jar file under standalone/deployments. How can I do hot deploy in domain mode?
> Thanks!
> Yegui

From dt at acutus.pro Thu Aug 2 00:21:35 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 02 Aug 2018 07:21:35 +0300 Subject: [keycloak-user] enable/disable permissions via the Java API In-Reply-To: <0888f649238f48779a4a80bb9f4dc914@bosch-si.com> References: <0888f649238f48779a4a80bb9f4dc914@bosch-si.com> Message-ID: <1533183695.9465.3.camel@acutus.pro>

Hi Leon,

Please take a look: https://issues.jboss.org/browse/KEYCLOAK-6658

Cheers, Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro

On Mon, 2018-07-23 at 06:32 +0000, Graser Leon (INST-CSS/BSV-OS) wrote:
> Hi all,
>
> for a project we currently try to automate our Keycloak setup programmatically using the Java API. So far I figured out most of the requirements except for one feature. How can I enable/disable the permissions of an object such as a group or a role? In the web UI they have a tab called "Permissions" with a boolean switch to enable/disable them and if I have a look at the HTTP calls I find a PUT call to my group similar to /auth/admin/realms//groups//management/permission with a payload of { enabled: true }. As of now I extended the org.keycloak.admin.client.resource.GroupResource interface to make it happen using RESTeasy. Is there an already existing way in the Java API to accomplish that?
>
> Thanks in advance for any ideas.
>
> Regards,
> Leon

From h2-wada at nri.co.jp Thu Aug 2 00:28:59 2018 From: h2-wada at nri.co.jp (Hiroyuki Wada) Date: Thu, 2 Aug 2018 13:28:59 +0900 Subject: [keycloak-user] RequiredActionProviderEntity priority migration issue In-Reply-To: References: <6135aea2-e65a-5235-21fa-6cf2e97b6593@frederickding.com> Message-ID: <5B62888B.2010603@nri.co.jp>

Hi Frederick,

I'm sorry for the inconvenience caused by what I introduced. I created the JIRA ticket and I'll create the pull request soon. https://issues.jboss.org/browse/KEYCLOAK-7984

Best regards,
--
Hiroyuki Wada h2-wada at nri.co.jp

On 2018/08/02 10:45, Frederick Ding wrote:
> For what it's worth, the solution that I just used was to set the priority manually on the database, with something like `UPDATE required_action_provider SET priority = 10;`. That appears to have worked around this migration bug.
From dt at acutus.pro Thu Aug 2 00:39:22 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 02 Aug 2018 07:39:22 +0300 Subject: [keycloak-user] Custom Email Validation In-Reply-To: References: Message-ID: <1533184762.9465.5.camel@acutus.pro>

Hi,

Currently, Keycloak doesn't allow for pluggable validation. This will be however implemented as a part of the upcoming Profile SPI, so stay tuned: https://issues.jboss.org/browse/KEYCLOAK-2966

Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro

On Mon, 2018-07-23 at 21:44 +0200, zitrone at gmx-topmail.de wrote:
> Hi,
>
> is there a way to do a custom email validation before changing/creating an email via the admin rest api?
>
> I already tried to use an eventlistener to catch the adminevents create and update on a user type, but i think they are fired after changing the account data. I also did not find a way to cancel the event from inside the listener.
>
> Regards

From dt at acutus.pro Thu Aug 2 00:52:06 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 02 Aug 2018 07:52:06 +0300 Subject: [keycloak-user] How to login without username and password In-Reply-To: <805d30e.dd83.164cc766c52.Coremail.bejond@163.com> References: <805d30e.dd83.164cc766c52.Coremail.bejond@163.com> Message-ID: <1533185526.9465.7.camel@acutus.pro>

Hi,

The power of Keycloak is in its total flexibility and extensibility. You can completely redo your login flow without changing a single line in Keycloak's codebase.
First, you should begin with username form (or mobile number entry, in your case). You can do it similarly to the "Choose user" execution: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java It is designed for the "reset credentials" flow, but should serve as a good starting point for you. SMS entry and validation can be implemented in a similar way.

Good luck!

Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro

On Tue, 2018-07-24 at 21:24 +0800, bejond wrote:
> Hi developers,
> I want to use mobile number and SMS text code to login to keycloak. But keycloak requires username and password to login. I copy Authentication of Browser, and remove "Username Password Form", and I add my own "Mobile OTP" SPI. When I open login page, it shows "Invalid username or password", the log says
>
> " 21:00:03,638 WARN  [org.keycloak.events] (default task-106) type=LOGIN_ERROR, realmId=test1, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8080/auth/admin/master/console/
> 21:00:45,711 WARN  [org.keycloak.services] (default task-107) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: authenticator: mobile-otp-authenticator"
>
> Is there a way to remove "Username and Password Form" and login with my own SPI? Or can I override default "Username and Password Form" with my own logic? I mean "override" is: I write a new SPI without changing keycloak source code.
> If I can't achieve this, I think I need to use other OAuth open source application and bind to keycloak as an Identity Provider and change the source of OAuth application to achieve my goal. It will be better if I can achieve my goal without another IdP.
> Thanks in advance.

From pritiguleria10 at gmail.com Thu Aug 2 01:23:34 2018 From: pritiguleria10 at gmail.com (priti guleria) Date: Thu, 2 Aug 2018 10:53:34 +0530 Subject: [keycloak-user] AUTH_SESSION_ID In-Reply-To: <1533167404.2094.1.camel@acutus.pro> References: <1533167404.2094.1.camel@acutus.pro> Message-ID:

Thanks for your help Dmitry. Here is the setup:
- Java EE application running on wildfly 10
- keycloak 3.4.3
- keycloak-wildfly adapter

On Thu, Aug 2, 2018 at 5:20 AM Dmitry Telegin
wrote:
> Hi Priti,
>
> What's your setup? What kind of application is it, what Keycloak adapter do you use?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2018-08-01 at 23:41 +0530, priti guleria wrote:
> > Hi All,
> >
> > Can anyone help me with how to get AUTH_SESSION_ID from Keycloak ?
> >
> > Thanks in advance.
> >
> >
> > Priti

From henning.waack at codecentric.de Thu Aug 2 02:46:12 2018
From: henning.waack at codecentric.de (Henning Waack) Date: Thu, 2 Aug 2018 08:46:12 +0200 Subject: [keycloak-user] Keycloak 4.2.0.Final released! In-Reply-To: <9150ac13-d135-c7d8-4e8d-3e7b64fb3162@squashedfrog.net> References: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com> <9150ac13-d135-c7d8-4e8d-3e7b64fb3162@squashedfrog.net> Message-ID:

Hi.

Yes, I have the exact same error. Tried to install yesterday on Ubuntu, 4.2.0 does not come up, with the stack trace below.

Any pointers on this?

Thanks

Henning

17:49:52,468 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 57) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
        at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
        at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
        at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
        at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
        at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
        at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
        at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
        at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
        at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
        at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
        at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
        at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
        ... 6 more
Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property [class org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority] of primitive type setter of org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority
        at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:44)
        at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713)
        at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:207)
        at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4692)
        at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:183)
        at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:125)

2018-08-02 0:23 GMT+02:00 Stuart Auchterlonie :
> On 01/08/18 14:47, Marek Posolda wrote:
> > See details on the blog:
> > http://blog.keycloak.org/2018/08/keycloak-420final-released.html
> >
>
> Anyone else seeing this error message when trying to start the docker version of this? It was upgraded earlier today from 3.4.3 to 4.1.0 and just now to 4.2.0
>
> Regards
> Stuart
>
> ----- Error Message ---------
> 22:15:43,530 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 48) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
>         at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
>         at org.jboss.threads.JBossThread.run(JBossThread.java:320)
> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>         at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
>         at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
>         at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
>         at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
>         at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
>         at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
>         at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
>         at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
>         at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
>         at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
>         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
>         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
>         ... 6 more
> Caused by: org.hibernate.PropertyAccessException: Null value was assigned to a property [class org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority] of primitive type setter of org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority
>         at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:44)
>         at org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713)
>         at org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:207)
>         at org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4692)
>         at org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:183)
>         at org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:125)
>         at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.performTwoPhaseLoad(AbstractRowReader.java:238)
>         at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.finishUp(AbstractRowReader.java:209)
>         at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:133)
>         at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:122)
>         at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
>         at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
>         at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
>         at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
>         at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
>         at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
>         at org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:161)
>         at org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork(AbstractPersistentCollection.java:146)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
>         at org.hibernate.collection.internal.AbstractPersistentCollection.readSize(AbstractPersistentCollection.java:145)
>         at org.hibernate.collection.internal.PersistentBag.isEmpty(PersistentBag.java:266)
>         at org.keycloak.models.jpa.RealmAdapter.getRequiredActionProviders(RealmAdapter.java:1726)
>         at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:256)
>         at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
>         at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
>         at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
>         at org.keycloak.migration.migrators.MigrateTo4_2_0.migrate(MigrateTo4_2_0.java:48)
>         at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:96)
>         at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
>         at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
>         at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
>         at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
>         at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>         at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
>         ... 28 more
> Caused by: java.lang.IllegalArgumentException: Can not set int field org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority to null value
>         at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
>         at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
>         at sun.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:80)
>         at java.lang.reflect.Field.set(Field.java:764)
>         at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:38)
>         ... 68 more
>
> -----------------------------

--
-----------
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
Registered office: Solingen | HRB 25917 | Wuppertal District Court
Management Board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz
This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files without delay. The unauthorised copying, use or opening of any attached files, as well as the unauthorised forwarding of this e-mail, is not permitted.

From hmlnarik at redhat.com Thu Aug 2 02:53:03 2018
From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Thu, 2 Aug 2018 08:53:03 +0200 Subject: [keycloak-user] Keycloak 4.2.0.Final released! In-Reply-To: References: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com> <9150ac13-d135-c7d8-4e8d-3e7b64fb3162@squashedfrog.net> Message-ID:

This has been reported as https://issues.jboss.org/browse/KEYCLOAK-7984 and will be fixed soon, stay tuned.

--Hynek

On Thu, Aug 2, 2018 at 8:51 AM Henning Waack wrote:
> Hi.
>
> Yes, I have the exact same error. Tried to install yesterday on Ubuntu, 4.2.0 does not come up with the stack trace below.
>
> Any pointers on this?
>
> Thanks
>
> Henning
>
> 17:49:52,468 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 57) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>
> 2018-08-02 0:23 GMT+02:00 Stuart Auchterlonie :
> > On 01/08/18 14:47, Marek Posolda wrote:
> > > See details on the blog:
> > > http://blog.keycloak.org/2018/08/keycloak-420final-released.html
> > >
> >
> > Anyone else seeing this error message when trying to start the docker version of this?
It was upgraded earlier today from 3.4.3 to 4.1.0 > > and just now to 4.2.0 > > > > Regards > > Stuart > > > > ----- Error Message --------- > > 22:15:43,530 ERROR [org.jboss.msc.service.fail] (ServerService Thread > > Pool -- 48) MSC000001: Failed to start service > > jboss.undertow.deployment.default-server.default-host./auth: > > org.jboss.msc.service.StartException in service > > jboss.undertow.deployment.default-server.default-host./auth: > > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > > org.keycloak.services.resources.KeycloakApplication( > > javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. > > run(UndertowDeploymentService.java:84) > > at java.util.concurrent.Executors$RunnableAdapter. > > call(Executors.java:511) > > at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > at > > java.util.concurrent.ThreadPoolExecutor.runWorker( > > ThreadPoolExecutor.java:1149) > > at > > java.util.concurrent.ThreadPoolExecutor$Worker.run( > > ThreadPoolExecutor.java:624) > > at java.lang.Thread.run(Thread.java:748) > > at org.jboss.threads.JBossThread.run(JBossThread.java:320) > > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to > > construct public > > org.keycloak.services.resources.KeycloakApplication( > > javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > at > > org.jboss.resteasy.core.ConstructorInjectorImpl.construct( > > ConstructorInjectorImpl.java:162) > > at > > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance( > > ResteasyProviderFactory.java:2298) > > at > > org.jboss.resteasy.spi.ResteasyDeployment.createApplication( > > ResteasyDeployment.java:340) > > at > > org.jboss.resteasy.spi.ResteasyDeployment.start( > > ResteasyDeployment.java:253) > > at > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init( > > ServletContainerDispatcher.java:120) > > 
at > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init( > > HttpServletDispatcher.java:36) > > at > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > > LifecyleInterceptorInvocation.java:117) > > at > > org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init( > > RunAsLifecycleInterceptor.java:78) > > at > > io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( > > LifecyleInterceptorInvocation.java:103) > > at > > io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start( > > ManagedServlet.java:250) > > at > > io.undertow.servlet.core.ManagedServlet.createServlet( > > ManagedServlet.java:133) > > at > > io.undertow.servlet.core.DeploymentManagerImpl$2.call( > > DeploymentManagerImpl.java:565) > > at > > io.undertow.servlet.core.DeploymentManagerImpl$2.call( > > DeploymentManagerImpl.java:536) > > at > > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call( > > ServletRequestContextThreadSetupAction.java:42) > > at > > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call( > > ContextClassLoaderSetupAction.java:43) > > at > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupActi > > on.lambda$create$0(SecurityContextThreadSetupAction.java:105) > > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ > > UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. > > java:1508) > > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ > > UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. > > java:1508) > > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ > > UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. > > java:1508) > > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ > > UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. 
> > java:1508) > > at > > io.undertow.servlet.core.DeploymentManagerImpl.start( > > DeploymentManagerImpl.java:578) > > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService. > > startContext(UndertowDeploymentService.java:100) > > at > > org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. > > run(UndertowDeploymentService.java:81) > > ... 6 more > > Caused by: org.hibernate.PropertyAccessException: Null value was > > assigned to a property [class > > org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority] > > of primitive type setter of > > org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority > > at > > org.hibernate.property.access.spi.SetterFieldImpl.set( > > SetterFieldImpl.java:44) > > at > > org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues( > > AbstractEntityTuplizer.java:713) > > at > > org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues( > > PojoEntityTuplizer.java:207) > > at > > org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues( > > AbstractEntityPersister.java:4692) > > at > > org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity( > > TwoPhaseLoad.java:183) > > at > > org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity( > > TwoPhaseLoad.java:125) > > at > > org.hibernate.loader.plan.exec.process.internal.AbstractRowReader. > > performTwoPhaseLoad(AbstractRowReader.java:238) > > at > > org.hibernate.loader.plan.exec.process.internal. > > AbstractRowReader.finishUp(AbstractRowReader.java:209) > > at > > org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl. > > extractResults(ResultSetProcessorImpl.java:133) > > at > > org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader. > > executeLoad(AbstractLoadPlanBasedLoader.java:122) > > at > > org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader. 
> > executeLoad(AbstractLoadPlanBasedLoader.java:86) > > at > > org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectio > > nInitializer.initialize(AbstractLoadPlanBasedCollectio > > nInitializer.java:88) > > at > > > org.hibernate.persister.collection.AbstractCollectionPersister.initialize( > > AbstractCollectionPersister.java:688) > > at > > org.hibernate.event.internal.DefaultInitializeCollectionEventListener. > > onInitializeCollection(DefaultInitializeCollectionEventListener.java:75) > > at > > org.hibernate.internal.SessionImpl.initializeCollection( > > SessionImpl.java:2004) > > at > > org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork( > > AbstractPersistentCollection.java:567) > > at > > org.hibernate.collection.internal.AbstractPersistentCollection. > > withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249) > > at > > > org.hibernate.collection.internal.AbstractPersistentCollection.initialize( > > AbstractPersistentCollection.java:563) > > at > > org.hibernate.collection.internal.AbstractPersistentCollection.read( > > AbstractPersistentCollection.java:132) > > at > > org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork( > > AbstractPersistentCollection.java:161) > > at > > org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork( > > AbstractPersistentCollection.java:146) > > at > > org.hibernate.collection.internal.AbstractPersistentCollection. > > withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249) > > at > > org.hibernate.collection.internal.AbstractPersistentCollection.readSize( > > AbstractPersistentCollection.java:145) > > at > > org.hibernate.collection.internal.PersistentBag. 
> > isEmpty(PersistentBag.java:266) > > at > > org.keycloak.models.jpa.RealmAdapter.getRequiredActionProviders( > > RealmAdapter.java:1726) > > at > > org.keycloak.models.cache.infinispan.entities.CachedRealm.( > > CachedRealm.java:256) > > at > > org.keycloak.models.cache.infinispan.RealmCacheSession. > > getRealm(RealmCacheSession.java:399) > > at > > org.keycloak.models.jpa.JpaRealmProvider.getRealms( > > JpaRealmProvider.java:102) > > at > > org.keycloak.models.cache.infinispan.RealmCacheSession. > > getRealms(RealmCacheSession.java:459) > > at > > org.keycloak.migration.migrators.MigrateTo4_2_0. > > migrate(MigrateTo4_2_0.java:48) > > at > > org.keycloak.migration.MigrationModelManager.migrate( > > MigrationModelManager.java:96) > > at > > org.keycloak.services.resources.KeycloakApplication.migrateModel( > > KeycloakApplication.java:245) > > at > > org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap( > > KeycloakApplication.java:186) > > at > > org.keycloak.services.resources.KeycloakApplication$ > > 1.run(KeycloakApplication.java:145) > > at > > org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction( > > KeycloakModelUtils.java:227) > > at > > org.keycloak.services.resources.KeycloakApplication. > > (KeycloakApplication.java:136) > > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native > > Method) > > at > > sun.reflect.NativeConstructorAccessorImpl.newInstance( > > NativeConstructorAccessorImpl.java:62) > > at > > sun.reflect.DelegatingConstructorAccessorImpl.newInstance( > > DelegatingConstructorAccessorImpl.java:45) > > at > java.lang.reflect.Constructor.newInstance(Constructor.java:423) > > at > > org.jboss.resteasy.core.ConstructorInjectorImpl.construct( > > ConstructorInjectorImpl.java:150) > > ... 
28 more > > Caused by: java.lang.IllegalArgumentException: Can not set int field > > org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority > > to null value > > at > > sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentExcepti > > on(UnsafeFieldAccessorImpl.java:167) > > at > > sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentExcepti > > on(UnsafeFieldAccessorImpl.java:171) > > at > > sun.reflect.UnsafeIntegerFieldAccessorImpl.set( > > UnsafeIntegerFieldAccessorImpl.java:80) > > at java.lang.reflect.Field.set(Field.java:764) > > at > > org.hibernate.property.access.spi.SetterFieldImpl.set( > > SetterFieldImpl.java:38) > > ... 68 more > > > > ----------------------------- > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > ----------- > Henning Waack | IT Consultant > codecentric AG | Hochstraße 11 | 42697 Solingen | Germany > tel: +49 (0)151 108 515 29 > www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From testoauth55 at gmail.com Thu Aug 2 03:34:29 2018
From: testoauth55 at gmail.com (Test Oauth) Date: Thu, 2 Aug 2018 13:04:29 +0530 Subject: [keycloak-user] authorizationServicesEnabled flag not working from CLI Message-ID: I am using the following command (on Keycloak 4.1.0):

kcreg create -s clientId=test15 -s protocol=openid-connect -s "redirectUris=[\"*\"]" -s publicClient=false -s serviceAccountsEnabled=true -s authorizationServicesEnabled=true

The above command successfully creates a new client and sets all the flags mentioned in the command except for the authorization option. When I check in the Keycloak web console the 'Authorization Enabled' option is still turned off. Next, I tried to update this flag:

kcreg update test15 -s authorizationServicesEnabled=true

No error is thrown, but the 'Authorization Enabled' option is still turned off. Is it even possible to set this option through the CLI? (It gets enabled if done through the Keycloak web console.) Also, am I using the correct option? In the docs (https://www.keycloak.org/docs-api/4.1/rest-api/index) two flags are mentioned: authorizationServicesEnabled and authorizationSettings. On using the second flag I get: Failed to set attribute 'authorizationSettings' on document type 'default', which means that this option is not valid for this particular command.

From eivind at jotta.no Thu Aug 2 03:46:58 2018 From: eivind at jotta.no (Eivind Larsen) Date: Thu, 2 Aug 2018 02:46:58 -0500 Subject: [keycloak-user] Upgrading 3.4.3 to 4.1 Message-ID: Hi Keycloak users! After upgrading from 3.4.3 to 4.x, client templates are converted to client scopes. The conversion of the templates themselves looks correct. Many clients had a default template set. After the upgrade the corresponding default template is not included in the default scopes of the client. Is this intended? Do we have to manually update each client with the default scope? Is there a way to add the default scopes using the API? Best regards, Eivind Larsen From roidelapluie at inuits.eu Thu Aug 2 03:51:49 2018
From: roidelapluie at inuits.eu (Julien Pivotto) Date: Thu, 2 Aug 2018 09:51:49 +0200 Subject: [keycloak-user] How to add executions to a flow? Message-ID: <20180802075149.GA27081@oxygen>

-- PART 0 --

When I run:

./bin/kcadm.sh create authentication/flows -r foo -f test.json

with:

{ "id" : "testtest2", "alias" : "first broker login without review 2", "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId" : "basic-flow", "topLevel" : true, "builtIn" : false, "authenticationExecutions" : [ { "authenticator" : "idp-create-user-if-unique", "requirement" : "ALTERNATIVE", "priority" : 20, "userSetupAllowed" : false, "autheticatorFlow" : false } ] }

Then the authenticationExecutions is discarded and the flow has no execution.

-- PART 1 --

When I run:

./bin/kcadm.sh create authentication/flows/first%20broker%20login%20without%20review/executions -r foo -f test.json

with:

[ { "id" : "c0f4ae10-7e26-4566-a113-b1235920f69a", "requirement" : "ALTERNATIVE", "displayName" : "Create User If Unique", "requirementChoices" : [ "ALTERNATIVE", "REQUIRED", "DISABLED" ], "configurable" : true, "providerId" : "idp-create-user-if-unique", "level" : 0, "index" : 0 }, { "id" : "31882673-e8fc-4b24-8e11-4dd400acb9c7", "requirement" : "ALTERNATIVE", "displayName" : "Link IDP Login", "requirementChoices" : [ "ALTERNATIVE", "DISABLED" ], "configurable" : false, "providerId" : "link-idp-login-authenticator", "level" : 0, "index" : 1 } ]

I get a 500:

09:36:47,808 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation out of START_ARRAY token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@41d5dda8; line: 1, column: 1] at
com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270) at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234) at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122) at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075) at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromArray(BeanDeserializerBase.java:1371) at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:174) at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:150) at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1583) at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:964) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:134) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66) at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:61) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56) at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:36) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:59) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151) at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:92)

-- THEREFORE --

How can I create a flow with executions with the cli?
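An added example (not from Julien's message and not Keycloak's own tooling) that does with the Java admin client what the two kcadm calls above attempt. The 500 in PART 1 states the cause: the executions endpoint deserializes one AuthenticationExecutionInfoRepresentation, not an array, and that representation is for updating an execution that already exists. A new execution is created through the executions/execution sub-path with only a provider id, and its requirement is then set with a separate update, one execution per call. Assumed: the server URL https://sso.example.org/auth, realm foo, an admin user in master whose password is passed as the first argument, and the keycloak-admin-client artifact matching the server version on the classpath.

```java
import java.util.Collections;
import java.util.List;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.AuthenticationManagementResource;
import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;
import org.keycloak.representations.idm.AuthenticationFlowRepresentation;

/**
 * Builds a top-level authentication flow in the order the admin REST API
 * supports: create the empty flow, add each execution by provider id, then
 * set the requirement on the execution the server created.
 * Added example; server URL, realm and credentials below are assumptions.
 */
public class FlowBuilder {

    private final AuthenticationManagementResource flows;

    FlowBuilder(AuthenticationManagementResource flows) {
        this.flows = flows;
    }

    /** Step 1: create the flow itself. An inline authenticationExecutions array is ignored (PART 0), so none is sent. */
    void createFlow(String alias, String description) {
        AuthenticationFlowRepresentation flow = new AuthenticationFlowRepresentation();
        flow.setAlias(alias);
        flow.setDescription(description);
        flow.setProviderId("basic-flow");
        flow.setTopLevel(true);
        flow.setBuiltIn(false);
        Response response = flows.createFlow(flow);
        try {
            if (response.getStatus() != 201) {
                throw new IllegalStateException("createFlow returned HTTP " + response.getStatus());
            }
        } finally {
            response.close();
        }
    }

    /** Step 2: POST .../flows/{alias}/executions/execution with {"provider": id}; the server assigns the execution id. */
    void addExecution(String flowAlias, String providerId) {
        flows.addExecution(flowAlias, Collections.singletonMap("provider", providerId));
    }

    /** Step 3: PUT .../flows/{alias}/executions accepts ONE execution representation, so executions are updated one at a time. */
    void setRequirement(String flowAlias, String providerId, String requirement) {
        List<AuthenticationExecutionInfoRepresentation> executions = flows.getExecutions(flowAlias);
        for (AuthenticationExecutionInfoRepresentation execution : executions) {
            if (!providerId.equals(execution.getProviderId())) {
                continue;
            }
            // The server reports which requirements this authenticator supports; fail loudly instead of silently.
            if (!execution.getRequirementChoices().contains(requirement)) {
                throw new IllegalArgumentException(providerId + " allows only " + execution.getRequirementChoices());
            }
            execution.setRequirement(requirement);
            flows.updateExecutions(flowAlias, execution);
            return;
        }
        throw new IllegalStateException("no execution with provider " + providerId + " in flow " + flowAlias);
    }

    public static void main(String[] args) {
        // Assumed deployment details; the admin password comes from the command line, never from source.
        Keycloak keycloak = Keycloak.getInstance("https://sso.example.org/auth", "master", "admin", args[0], "admin-cli");
        FlowBuilder builder = new FlowBuilder(keycloak.realm("foo").flows());
        // Spaces in the alias are fine here: the client encodes the path segment (kcadm needs %20).
        String alias = "first broker login without review 2";
        builder.createFlow(alias, "Actions taken after first broker login with identity provider account, "
                + "which is not yet linked to any Keycloak account");
        builder.addExecution(alias, "idp-create-user-if-unique");
        builder.setRequirement(alias, "idp-create-user-if-unique", "ALTERNATIVE");
        keycloak.close();
    }
}
```

The same three steps with kcadm, once the flow exists as in PART 0: `kcadm.sh create authentication/flows/first%20broker%20login%20without%20review%202/executions/execution -r foo -s provider=idp-create-user-if-unique`, then `kcadm.sh get authentication/flows/first%20broker%20login%20without%20review%202/executions -r foo` to read the id the server generated, then `kcadm.sh update authentication/flows/first%20broker%20login%20without%20review%202/executions -r foo -s id=<that id> -s requirement=ALTERNATIVE`, with one execution object per update call rather than an array.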
-- (o- Julien Pivotto //\ Open-Source Consultant V_/_ Inuits - https://www.inuits.eu -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 228 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180802/41f29c1e/attachment-0001.bin From roidelapluie at inuits.eu Thu Aug 2 04:02:59 2018 From: roidelapluie at inuits.eu (Julien Pivotto) Date: Thu, 2 Aug 2018 10:02:59 +0200 Subject: [keycloak-user] Seamless login In-Reply-To: Message-ID: <20180802080259.GA5203@oxygen> See https://github.com/ohioit/keycloak-link-idp-with-user to achieve this (needs some updates for KC4 -- see attachment) -- (o- Julien Pivotto //\ Open-Source Consultant V_/_ Inuits - https://www.inuits.eu -------------- next part -------------- commit d1906ee1d074dc9341531e54bd97b229e855b175 Author: Julien Pivotto Date: Wed Aug 1 21:02:22 2018 +0200 Switch to new keycloak Signed-off-by: Julien Pivotto diff --git a/pom.xml b/pom.xml index 8b5c477..f29b723 100644 --- a/pom.xml +++ b/pom.xml @@ -17,14 +17,14 @@ - 1.9.0.Final + 4.1.0.Final ${project.build.directory} @@ -41,6 +41,12 @@ provided ${keycloak.version} + + org.keycloak + keycloak-server-spi-private + provided + ${keycloak.version} + org.jboss.logging jboss-logging diff --git a/src/main/java/edu/ohio/ais/keycloak/authentication/LinkIdpLoginAuthenticator.java b/src/main/java/edu/ohio/ais/keycloak/authentication/LinkIdpLoginAuthenticator.java index f9726c5..5c24f78 100644 --- a/src/main/java/edu/ohio/ais/keycloak/authentication/LinkIdpLoginAuthenticator.java +++ b/src/main/java/edu/ohio/ais/keycloak/authentication/LinkIdpLoginAuthenticator.java 
@@ -35,11 +35,11 @@ import org.keycloak.services.ServicesLogger; * @author Ilya Kogan */ public class LinkIdpLoginAuthenticator implements Authenticator { - protected static ServicesLogger logger = ServicesLogger.ROOT_LOGGER; + protected static ServicesLogger logger = ServicesLogger.LOGGER; public void authenticate(AuthenticationFlowContext context) { logger.debug("Auto-linking IdP login to federated identity."); - UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getClientSession()); + UserModel existingUser = AbstractIdpAuthenticator.getExistingUser(context.getSession(), context.getRealm(), context.getAuthenticationSession()); if(existingUser != null) { context.setUser(existingUser); -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 228 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180802/8bba6266/attachment.bin From cedric.couralet at gmail.com Thu Aug 2 04:21:05 2018 
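Review bot: the jump from 1.9.0.Final to 4.1.0.Final in the first pom.xml hunk is a breaking change for anyone building this authenticator against an older server, because the source hunk replaces `context.getClientSession()` with `context.getAuthenticationSession()`, which the older API does not have; state the minimum supported server version in the README (or keep a tag for the pre-4.x line) so that users who hit a compile error on the old call know why.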
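Review bot: the `keycloak-server-spi-private` dependency added in the second pom.xml hunk is an artifact Keycloak names private and changes between releases, so every server upgrade means a rebuild; the `provided` scope and `${keycloak.version}` property are right, but the README should say so. The one use of it that is visible in this patch, `protected static ServicesLogger logger = ServicesLogger.LOGGER;`, is only there for a debug message; `org.jboss.logging.Logger.getLogger(LinkIdpLoginAuthenticator.class)` from the `jboss-logging` dependency that the hunk's trailing context already declares would do the same without touching Keycloak's internal logger bundle.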
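Review bot: in the `authenticate` hunk, the user returned by `AbstractIdpAuthenticator.getExistingUser(...)` is set on the context with no visible check on how the existing user was matched or whether the identity provider is one whose assertions should be trusted for that match ("Auto-linking IdP login to federated identity."); in a first-broker-login flow that skips the review step, anyone who can register an account at a linked IdP under a local user's identifying attribute takes over that local account. Gate the link on a per-IdP setting (or on the brokered identity being verified by the IdP) and say in the class Javadoc which IdPs this authenticator is safe to use with. Minor: `authenticate` implements an interface method but lacks `@Override`.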
From: cedric.couralet at gmail.com (Cédric Couralet) Date: Thu, 2 Aug 2018 10:21:05 +0200 Subject: [keycloak-user] Upgrading 3.4.3 to 4.1 In-Reply-To: References: Message-ID: Hello, From the migration doc, I think it was intended (https://www.keycloak.org/docs/latest/upgrading/index.html#client-templates-changed-to-client-scopes). I used a bit of code with the Keycloak admin client to set a client scope on all clients (except the default ones) for a given realm:

import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.ClientScopeRepresentation;

Keycloak keycloak = Keycloak.getInstance("https://", "master", "admin", "************************************", "admin-cli");
String realmName = "myrealm"; // realm to fix up; not defined in the snippet as posted
// built-in clients that the migration already handles; leave them alone
List<String> defaultClients = Arrays.asList("account", "broker", "admin-cli", "realm-management", "security-admin-console");
List<String> defaultScope = Arrays.asList("profile", "email");
// the API needs scope ids, so resolve the names to representations first
List<ClientScopeRepresentation> defaultScopes = keycloak.realm(realmName).clientScopes().findAll().stream()
        .filter(c -> defaultScope.contains(c.getName())).collect(Collectors.toList());
keycloak.realm(realmName).clients().findAll(true).forEach(client -> {
    // only custom clients that came out of the upgrade with no default scopes at all
    if (!defaultClients.contains(client.getClientId()) && client.getDefaultClientScopes().isEmpty()) {
        client.setDefaultClientScopes(defaultScope); // local representation only; the calls below make the change
        defaultScopes.forEach(scope ->
                keycloak.realm(realmName).clients().get(client.getId()).addDefaultClientScope(scope.getId()));
    }
});

On Thu, 2 Aug 2018 at 09:48, Eivind Larsen wrote: > > Hi Keycloak users! > > After upgrading from 3.4.3 to 4.x, client templates are converted to client > scopes. The conversion of the templates themselves look correct. > > Many clients had a default template set. After upgrade the corresponding > default template is not included in the default scopes of the client. > > Is this intended? Do we have to manually update each client with the > default scope? > Is there a way to add the default scopes using the API?
> > Best regards, > Eivind Larsen > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From janci.babel at gmail.com Thu Aug 2 04:48:36 2018 
From: janci.babel at gmail.com (Jan Babel) Date: Thu, 2 Aug 2018 10:48:36 +0200 Subject: [keycloak-user] Keycloak running on different domain than application Message-ID: Hi guys Sorry for the long question. Maybe it's silly, but I have this problem. I have a JBoss *application* deployed on *domain 1* and *Keycloak* on *domain 2*. Both domains are publicly accessible. During the redirection from the application to Keycloak, the redirect URL is built from the internal name of domain 1. Of course the flow works for me, because I have set up a proxy on my computer so it can resolve the internal name; the redirection happens and I am successfully logged in to the application. But that would not work for customers, as they have no proxy set up. The application (a simple WAR) is secured via the JBoss Keycloak adapter. The question is how to tell the Keycloak adapter to *resolve the external name of domain 1* (e.g. www.portal.com) and not the internal name (lp01.tda) during redirection. What I tried: * change /etc/hosts to bind the IP address to the external name (works only on my local machine) * start JBoss with the application using the -b parameter (works locally but not on Red Hat Linux) * put an Apache balancer between the application and Keycloak and add a URL rewriting rule (the redirect URL is rewritten, lp01.tda replaced by www.portal.com, but the redirect back from Keycloak to the application fails with "incorrect redirect_uri"; probably the Keycloak adapter checks the state variable against what comes back from Keycloak and notices the URL was changed) I guess it's a common scenario that Keycloak (we are using RH-SSO 7.2) resides in a different domain than the applications it secures, but I can't figure out how to do that. Many thanks in advance. From ionel.gardais at tech-advantage.com Thu Aug 2 05:06:38 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel) Date: Thu, 2 Aug 2018 11:06:38 +0200 (CEST) Subject: [keycloak-user] Upgrade to 4.2.0 fails Message-ID: <493598388.106620.1533200798005.JavaMail.zimbra@tech-advantage.com> Hi, When migrating from 4.1.0 to 4.2.0 I found a bug in https://source.jboss.org/browse/~br=master/Keycloak/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AuthzResourceUseMoreURIs.java?r=1308a3231db3a8f9305146b8f958f99a7582a093#to26 Line 26 refers to table RESOURCE_URI whereas jpa-changelog-authz-4.2.0.Final.xml creates a table named RESOURCE_URIS, thus the upgrade fails. Regards, Ionel Ionel GARDAIS CIO - IT Team manager -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 -------------- next part -------------- A non-text attachment was scrubbed... Name: GARDAIS, Ionel.vcf Type: text/directory Size: 399 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180802/8cf240d8/attachment.bin From mhajas at redhat.com Thu Aug 2 05:18:26 2018
From: mhajas at redhat.com (Michal Hajas) Date: Thu, 2 Aug 2018 11:18:26 +0200 Subject: [keycloak-user] Upgrade to 4.2.0 fails In-Reply-To: <493598388.106620.1533200798005.JavaMail.zimbra@tech-advantage.com> References: <493598388.106620.1533200798005.JavaMail.zimbra@tech-advantage.com> Message-ID: Hi, you are right, this is a bug. There is already a fix for this in upstream. Issue: https://issues.jboss.org/browse/KEYCLOAK-7985 PR: https://github.com/keycloak/keycloak/pull/5433 if you have anything to add there, feel free to comment. Best regards, Michal On Thu, Aug 2, 2018 at 11:16 AM GARDAIS Ionel < ionel.gardais at tech-advantage.com> wrote: > Hi, > > When migrating from 4.1.0 to 4.2.0 I found a bug in > [ > https://source.jboss.org/browse/~br=master/Keycloak/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AuthzResourceUseMoreURIs.java?r=1308a3231db3a8f9305146b8f958f99a7582a093#to26 > | > https://source.jboss.org/browse/~br=master/Keycloak/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AuthzResourceUseMoreURIs.java?r=1308a3231db3a8f9305146b8f958f99a7582a093#to26 > ] > > Line 26 refers to table RESOURCE_URI > whereas jpa-changelog-authz-4.2.0.Final.xml creates a table named > RESOURCE_URIS > > thus the upgrade fails. > > Regards, > Ionel > > > > Ionel GARDAIS > CIO - IT Team manager > > > -- > 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON > Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 > 301_______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From corentin.dupont at gmail.com Thu Aug 2 05:35:36 2018 
From: corentin.dupont at gmail.com (Corentin Dupont) Date: Thu, 2 Aug 2018 11:35:36 +0200 Subject: [keycloak-user] Permissions: Slow/complex interactions In-Reply-To: References: Message-ID: I tried to use github HEAD, but on startup it gives: Table 'keycloak.RESOURCE_URI' doesn't exist On Wed, Aug 1, 2018 at 3:56 PM, Pedro Igor Silva wrote: > Btw, here is the PR https://github.com/keycloak/keycloak/pull/5416 > > On Wed, Aug 1, 2018 at 10:55 AM, Pedro Igor Silva > wrote: > >> Yeah, that is why I'm also evaluating graaljs. But I think we will only >> get better results if using native images (ahead-of-time compiling vs JIT), >> not sure ... But like I said, I've noticed some improvements in JS runtime >> when running KC on top of graalvm. >> >> I was also wondering if Groovy could be a nice language to support as an >> alternative/replacement to JS policies ... >> >> On Wed, Aug 1, 2018 at 10:46 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> It also seems that the Nashorn script engine will be deprecated: >>> http://openjdk.java.net/jeps/335 >>> >>> >>> >>> On Wed, Aug 1, 2018 at 3:25 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> I tried to do some more performance testing. >>>> With the same settings as before (70 resources, one scope), I obtain: >>>> >>>> - User policy (3 users): 15 ms >>>> - JavaScript policy 1: 41 ms >>>> - JavaScript policy 2: 45 ms >>>> >>>> It seems that JavaScript policies are very slow. >>>> Actually I think the user policy does not take more than 3 ms to run >>>> over all the resources (if we remove the time due to HTTP overhead), >>>> while the JavaScript policies take around 30 ms to run over the >>>> resources. >>>> Is it a problem due to loading/switching to the JavaScript engine for >>>> each resource?
>>>> >>>> >>>> >>>> On Wed, Jul 25, 2018 at 12:58 PM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> >>>>> >>>>> On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> We have now a performance testsuite (thanks to Tomaz) that can >>>>>> also generate datasets to cover different scenarios. I'm in the >>>>>> middle of checking Tomaz's work and preparing some datasets to include in our >>>>>> testsuite. >>>>>> >>>>> >>>>> Great! >>>>> >>>>> >>>>>> >>>>>> I'm going to give a try to your use case and see if I can get the >>>>>> same numbers. Not sure if this is your case, but I found some performance >>>>>> issues when defining multiple resources with a type where the owner is the >>>>>> resource server itself. This causes an overhead during evaluation where the >>>>>> engine tries to consider permissions granted to any of these typed >>>>>> resources. Someone reported this some time ago, and IMO, this is an invalid >>>>>> usage of resource types ... Not sure if this is your case though. >>>>>> >>>>> >>>>> I don't really use the type of resource, actually... How do you make a >>>>> permission request based on types? >>>>> >>>>> >>>>> >>>>>> >>>>>> More answers inline. >>>>>> >>>>>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva < >>>>>>> psilva at redhat.com> wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont < >>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>> >>>>>>>>> Hi guys, >>>>>>>>> I experience some performance issues on my API server using >>>>>>>>> Keycloak. 
>>>>>>>>> After someone issues a GET on my API server, here is what happens: >>>>>>>>> >>>>>>>>> - API server -> DB server: get requested resources >>>>>>>>> - API server -> Keycloak: get client token (to get resources) >>>>>>>>> - API server -> Keycloak: get resources (to complement DB server >>>>>>>>> with >>>>>>>>> resource owner & visibility) >>>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>>> At this point the filtered resources are returned. >>>>>>>>> >>>>>>>>> But this process is quite slow. I noticed a call to KC can take up >>>>>>>>> to 100ms. >>>>>>>>> The complete call on the API server can take up to 600ms on my >>>>>>>>> laptop, in >>>>>>>>> localhost setting. >>>>>>>>> The delays become noticeable on my UI... >>>>>>>>> >>>>>>>> >>>>>>>> Are you able to confirm the step(s) spending more time to process ? >>>>>>>> If when obtaining client tokens, resources or during evaluation ? >>>>>>>> >>>>>>> >>>>>>> I made a quick benchmark, here is the result: >>>>>>> >>>>>>> - API server -> Keycloak: get client token: 400ms >>>>>>> - API server -> Keycloak: get resources: 1356ms >>>>>>> - API server -> Keycloak: get user token: 162ms >>>>>>> - API server -> Keycloak: get permission: 2400ms >>>>>>> Total: 4366ms >>>>>>> >>>>>>> However, these timings are obtained only on the first try after I >>>>>>> reboot the server. >>>>>>> The next calls are faster. Maybe it's due to caching? >>>>>>> >>>>>> >>>>>>> - API server -> Keycloak: get client token: 17ms >>>>>>> - API server -> Keycloak: get resources: 19ms >>>>>>> - API server -> Keycloak: get user token: 92ms >>>>>>> - API server -> Keycloak: get permission: 314ms >>>>>>> Total: 476ms >>>>>>> >>>>>> >>>>>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will >>>>>> see what we can improve. >>>>>> >>>>>> Thanks for the numbers. Wondering if you have percentiles for these >>>>>> requests ? 
Or this happens when you send a single request ? >>>>>> >>>>> >>>>> This is a single request... I scrapped the timestamps in my traces. >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> So yes, it's the evaluation taking time (and user token to a lesser >>>>>>> extent). >>>>>>> On this call, I need to get permissions for all resources on one >>>>>>> scope: permissions=#sensors:view >>>>>>> Because I need to filter out the resources the user cannot see. >>>>>>> There are around 70 resources and 3 policies (one user policy and 2 >>>>>>> javascript). >>>>>>> Keycloak is in a docker container. >>>>>>> >>>>>> >>>>>> I'm working with more aggressive numbers, and results are better than >>>>>> yours. However, all depends on how you are setting up your settings. Need >>>>>> to check your setup and see if I can create a dataset based on it. >>>>>> >>>>>> Could you send me an example of those javascript policies ? Are they >>>>>> doing much ? Do you have more than one user per user policy ? >>>>>> >>>>> >>>>> I attach my 2 javascript policies. They are very simple, should be >>>>> O(1). >>>>> The user policy has 3 users. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> Also, could you elaborate more what this step is doing: "- API >>>>>>>> server -> Keycloak: get resources (to complement DB server with >>>>>>>> resource owner & visibility)" ? >>>>>>>> >>>>>>> >>>>>>> I read the resources from Keycloak (authz/protection/resource_set/) >>>>>>> because I need to return the owner of the resource in my server response. 
>>>>>>> >>>>>> >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> With a resource SPI strategy (if developed), it should be: >>>>>>>>> >>>>>>>>> - API server -> DB server: get requested resources >>>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>>> - API server -> Keycloak: get permission (to filter resources) >>>>>>>>> - Keycloak -> DB server: get resources >>>>>>>>> >>>>>>>>> There is a little less requests. Additional gain is that resources >>>>>>>>> are not >>>>>>>>> split between 2 databases. >>>>>>>>> >>>>>>>>> I wonder if resources could be pushed during the permission >>>>>>>>> request? Like a >>>>>>>>> "pushed claim". >>>>>>>>> This would be even more straightforward: >>>>>>>>> >>>>>>>>> - API server -> DB server: get requested resources >>>>>>>>> - API server -> Keycloak: get user token (to get permission) >>>>>>>>> - API server -> Keycloak: get permission and push resources >>>>>>>> >>>>>>>> >>>>>>>>> Can this work? >>>>>>>>> >>>>>>>> >>>>>>>> I think this is an area we might want to improve in order to allow >>>>>>>> evaluating permissions solely based on claims pushed to the server. That >>>>>>>> means you won't need to manage resources in the server but rely on policies >>>>>>>> to process the "pushed claims". >>>>>>>> >>>>>>> >>>>>>> Yes that would be great. Let me open a Jira to track this. >>>>>>> >>>>>>> >>>>>>>> >>>>>>>> +1 >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> keycloak-user mailing list >>>>>>>>> keycloak-user at lists.jboss.org >>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From jan.garaj at gmail.com Thu Aug 2 06:12:21 2018 
From: jan.garaj at gmail.com (Jan Garaj) Date: Thu, 2 Aug 2018 11:12:21 +0100 Subject: [keycloak-user] Secure CORS configuration Message-ID: Hello, I would like to use https://github.com/damienbod/angular-auth-oidc-client/, but this library has a CORS problem with the userinfo endpoint query from Firefox (Chrome has a similar CORS error): *Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https:///auth/realms//protocol/openid-connect/userinfo. (Reason: CORS header "Access-Control-Allow-Origin" missing).* All resources which I found are recommending to configure the Keycloak CORS header Access-Control-Allow-Origin: *, which is not a secure option: https://stackoverflow.com/questions/45051923/keycloak-angular-no-access-control-allow-origin-header-is-present http://lists.jboss.org/pipermail/keycloak-user/2017-September/011890.html + it looks like this insecure option is not available anymore, because https://issues.jboss.org/browse/KEYCLOAK-5946 has been implemented. So my question is: how to configure Keycloak (server, OIDC client) for secure cross-origin requests? Fortunately, Google IdP works fine for my use case, so I'm able to check preflight headers. Google IdP: $ curl "https://www.googleapis.com/oauth2/v3/userinfo" \ -v -X OPTIONS -H "Host: www.googleapis.com" \ -H "Access-Control-Request-Method: GET" \ -H "Access-Control-Request-Headers: authorization" \ -H "Origin: https://domain.com"... 
< HTTP/1.1 200 OK < Cache-Control: no-cache, no-store, max-age=0, must-revalidate < Pragma: no-cache < Expires: Mon, 01 Jan 1990 00:00:00 GMT < Date: Thu, 02 Aug 2018 06:29:07 GMT < Access-Control-Allow-Credentials: true < Access-Control-Allow-Headers: authorization < Access-Control-Allow-Methods: DELETE,GET,HEAD,PATCH,POST,PUT < Access-Control-Allow-Origin: https://domain.com < Access-Control-Max-Age: 3600 < Vary: Origin < Vary: X-Origin < Content-Type: application/octet-stream < X-Content-Type-Options: nosniff < X-Frame-Options: SAMEORIGIN < X-XSS-Protection: 1; mode=block < Content-Length: 0 < Server: GSE < Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35" My Keycloak 4.2: $ curl "https:///auth/realms//protocol/openid-connect/userinfo" \ -v -X OPTIONS -H "Host: " \ -H "Access-Control-Request-Method: GET" \ -H "Access-Control-Request-Headers: authorization" \ -H "Origin: https://domain.com"... < HTTP/1.1 200 OK < Connection: keep-alive < Access-Control-Allow-Origin: https://domain.com < Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization < Access-Control-Allow-Credentials: true < Content-Length: 0 < Access-Control-Allow-Methods: GET, HEAD, OPTIONS < Access-Control-Max-Age: 3600 < Date: Thu, 02 Aug 2018 06:30:44 GMT Keycloak is not able to add additional headers into the preflight response, so I'm not able to verify that those additional Google headers (Vary, Content-Type, ....) will be able to solve my Keycloak CORS issue. Definitely, it works in my Firefox if the "CORS Everywhere" plugin is activated, so it seems to be an issue with Keycloak preflight response headers. My test setup: Docker image jboss/keycloak:4.2.0.Final (tested also with 3.x) angular-auth-oidc-client 6.x, angular 6.x Many thanks in advance. *Jan Garaj* From philip.lysenko at conceptpeople.de Thu Aug 2 06:34:20 2018 
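The two preflight dumps in the message above invite a mechanical comparison. What follows is example code added to this archive; it is not from Keycloak, not from angular-auth-oidc-client, and not the poster's. It parses a raw preflight response, evaluates it against the Origin, Access-Control-Request-Method and Access-Control-Request-Headers a browser would send, and flags what a browser rejects or a reviewer would not accept: a missing or mismatched Access-Control-Allow-Origin, a wildcard origin (and the wildcard-plus-credentials combination browsers refuse outright), a method or header not allowed, and an echoed origin without `Vary: Origin`. A second helper probes several origins to tell a real allow-list from an echo-anything policy. The sample responses are constructed from the headers quoted in the post (plus one deliberately weak wildcard response), not live captures, and the `probe` callable stands in for an HTTP client.

```python
"""Evaluate CORS preflight responses the way a browser and a reviewer would.

Added example, not project code. Sample responses are constructed from the
headers quoted on this mailing-list page, not captured live.
"""
from typing import Callable, Dict, Iterable, List

# Constructed from the Google IdP response quoted above (subset of headers).
GOOGLE_PREFLIGHT = """HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: authorization
Access-Control-Allow-Methods: DELETE,GET,HEAD,PATCH,POST,PUT
Access-Control-Allow-Origin: https://domain.com
Access-Control-Max-Age: 3600
Vary: Origin
Vary: X-Origin
Content-Length: 0
"""

# Constructed from the Keycloak 4.2 response quoted above.
KEYCLOAK_PREFLIGHT = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://domain.com
Access-Control-Allow-Headers: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, OPTIONS
Access-Control-Max-Age: 3600
Content-Length: 0
"""

# Constructed: what the "just set Access-Control-Allow-Origin: *" advice yields.
WILDCARD_PREFLIGHT = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, HEAD, OPTIONS
Access-Control-Allow-Headers: Authorization
Content-Length: 0
"""


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Turn 'HTTP/1.1 200 OK' + 'Name: value' lines into a lowercase header map.
    Repeated headers (Google sends two Vary lines) are kept as separate values."""
    lines = raw.strip().splitlines()
    headers: Dict[str, List[str]] = {":status": [lines[0].split()[1]]}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")  # first colon only; URLs contain ':'
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _tokens(headers: Dict[str, List[str]], name: str) -> set:
    """Comma-separated header values as a lowercase token set (case-insensitive per CORS)."""
    return {t.strip().lower() for v in headers.get(name, []) for t in v.split(",") if t.strip()}


def check_preflight(origin: str, method: str, req_headers: Iterable[str], raw: str) -> List[str]:
    """Return findings for one preflight; an empty list means the browser will
    send the real request and the policy is not obviously unsafe."""
    h = parse_response(raw)
    findings: List[str] = []
    if h[":status"][0] not in ("200", "204"):
        findings.append("preflight status is not 2xx: browser blocks the request")
    acao = h.get("access-control-allow-origin", [None])[0]
    creds = h.get("access-control-allow-credentials", ["false"])[0].lower() == "true"
    if acao is None:
        findings.append("Access-Control-Allow-Origin missing: browser blocks the request")
    elif acao == "*":
        if creds:
            findings.append("wildcard origin with credentials: browsers reject this combination")
        findings.append("wildcard origin: any site may call this endpoint")
    elif acao != origin:
        findings.append(f"origin mismatch: server allowed {acao!r}, browser sent {origin!r}")
    elif "origin" not in _tokens(h, "vary"):
        # An echoed origin is per-request; without Vary: Origin a shared cache
        # may hand one origin's response to another origin.
        findings.append("echoed origin but no 'Vary: Origin': cacheable responses can leak across origins")
    if method.lower() not in _tokens(h, "access-control-allow-methods"):
        findings.append(f"method {method} not in Access-Control-Allow-Methods")
    missing = {x.lower() for x in req_headers} - _tokens(h, "access-control-allow-headers")
    if missing:
        findings.append(f"requested headers not allowed: {sorted(missing)}")
    return findings


def reflects_any_origin(probe: Callable[[str], str], origins: Iterable[str]) -> bool:
    """True if every probed origin is echoed back in Access-Control-Allow-Origin,
    the signature of an echo-anything policy hiding behind a dynamic header.
    `probe` maps an Origin value to the raw response text (assumed HTTP client)."""
    origins = list(origins)
    echoed = sum(
        1 for o in origins
        if parse_response(probe(o)).get("access-control-allow-origin", [None])[0] == o
    )
    return echoed == len(origins)


if __name__ == "__main__":
    for name, raw in (("google", GOOGLE_PREFLIGHT), ("keycloak", KEYCLOAK_PREFLIGHT), ("wildcard", WILDCARD_PREFLIGHT)):
        print(name, check_preflight("https://domain.com", "GET", ["authorization"], raw) or "OK")
```

Two practical notes. The browser error quoted in the post is about the real GET to the userinfo endpoint, not the OPTIONS preflight, so the same check has to be run on the GET response (with the bearer token attached): a preflight that passes says nothing about whether Access-Control-Allow-Origin is present on the response that follows. And because the Keycloak response echoes the requesting origin, `reflects_any_origin` with two or three unrelated origins is the quickest way to confirm that the client's configured origin list is what is in effect rather than an echo-anything rule.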
From: philip.lysenko at conceptpeople.de (Philip Lysenko) Date: Thu, 2 Aug 2018 12:34:20 +0200 Subject: [keycloak-user] Keycloak Login in Main SPA Page Message-ID: <449339E5-340D-4247-B993-428F16B72F2E@conceptpeople.de> Hello. We are evaluating Keycloak/OIDC as an authentication solution. Apart from SSO and Multi-Factor-Authentication, one use-case we have is a carousel of login-forms in our SPA: | User A | <=> | User B | <=> | User C | | Passwd | <=> | Passwd | <=> | Passwd | We want our users to quickly switch their sessions at a terminal (running our SPA-client). The main challenge here is to integrate the login form in the parent instance instead of redirecting to a new website. Our findings are that this is possible with the "Password" flow. But since the recommended flow for SPAs is the "Implicit" one (for obvious security reasons), we would prefer that over Password, if the described carousel is possible with it. For the Implicit flow there is the possibility to do a silent refresh. It utilizes an invisible iframe for the redirect which provides a new token. Is it possible to do the same trick for the initial log-in? I don't see how the refresh is different from the login. The way I get it is that for the refresh you inject the old token in the iframe and it delivers the parent app a new one. For the initial login, why would it not work to provide the iframe with credentials instead and trigger the redirect the same way as the refresh? Is there any other workaround to implement Implicit? If we have to go with the password flow, what are the implications for our security, considering we utilise HTTPS and XSS-/CSRF-measures? The main problem would be old or infected browsers, no? This website here says to use the Password flow only for "highly trusted clients": https://auth0.com/docs/api-auth/which-oauth-flow-to-use And we will be the only ones writing client code, so is Password A-OK for us? 
Thank you and Regards, Phil - - - - - - - - - - - - - ConceptPeople consulting gmbh Philip Lysenko Lead-Developer ConceptPeople consulting gmbh Yokohamastraße 2 20457 Hamburg Tel: 040 - 605 33 83 53 Fax: 040 - 605 33 83 99 www.conceptpeople.de Geschäftsführer: Bjarne Jansen, Andreas Rother Steuer-Nr: 46/712/02908 UID-NR: DE219814648 Registergericht: Hamburg, HRB 82938 From psilva at redhat.com Thu Aug 2 07:47:09 2018 
From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 2 Aug 2018 08:47:09 -0300 Subject: [keycloak-user] authorizationServicesEnabled flag not working from CLI In-Reply-To: References: Message-ID: Hi. Created https://issues.jboss.org/browse/KEYCLOAK-7987. Thanks. On Thu, Aug 2, 2018 at 4:34 AM, Test Oauth wrote: > I am using following command (on Keycloak 4.1.0): > > kcreg create -s clientId=test15 -s protocol=openid-connect -s > "redirectUris=[\"*\"]" -s publicClient=false -s serviceAccountsEnabled=true > -s authorizationServicesEnabled=true > > The above command successfully creates a new client and sets all the flags > mentioned in the command except for the authorization option. When I check > on keycloak web the ' Authorization Enabled ' option is still turned off. > > Next, I tried to update this flag: > kcreg update test15 -s authorizationServicesEnabled=true > > No error is thrown but still the ' Authorization Enabled ' option is > turned off. > > Is it even possible to set this option through CLI ? (It gets enabled if > done through keycloak web) > > Also , am I using the correct option? In the docs : > https://www.keycloak.org/docs-api/4.1/rest-api/index > > 2 flags are mentioned : authorizationServicesEnabled and > authorizationSettings. > On using the second flag I get: > > Failed to set attribute 'authorizationSettings' on document type 'default' > > which means that this option is not valid for this particular command. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From max.allan+keycloak at surevine.com Thu Aug 2 09:42:44 2018 
From: max.allan+keycloak at surevine.com (Max Allan) Date: Thu, 2 Aug 2018 14:42:44 +0100 Subject: [keycloak-user] Force POST setting in SAML?? Message-ID: Hi, I have a SAML SP that needs both POST and Redirect methods in the sp_metadata file. (if redirect is missing then it fails to even start up the app) A bit of fiddling and I noticed the "Force POST Binding" in the client config. If I turn it OFF then both POST and Redirect lines appear in the installation file. Nice. However, when the user tries to login, something (Keycloak I'm pretty sure) gets things wildly wrong and the browser ends up at the SP's redirect URI with the "SAMLRequest=...." in the URL. The SP doesn't know how to process that (that's for Keycloak). So it fails to login. If I leave "Force POST" ON, then the sp_metadata needs a manual edit to include the Redirect method. But at least the user can login. Can anyone explain what's going on? Why do I need to set it off to generate the xml for the SP and then back on to actually work?? Thanks, Max From rafaelweingartner at gmail.com Thu Aug 2 11:38:29 2018 From: rafaelweingartner at gmail.com (Rafael Weingärtner) Date: Thu, 2 Aug 2018 12:38:29 -0300 Subject: [keycloak-user] Keycloak’s deployment design best practices. Message-ID: Hello Keycloak community, Do you happen to know if there is some sort of white paper published online where I can find the best practices to deploy Keycloak? -- Rafael Weingärtner From vandana0242 at gmail.com Thu Aug 2 16:43:43 2018 
From: vandana0242 at gmail.com (vandana thota) Date: Thu, 2 Aug 2018 15:43:43 -0500 Subject: [keycloak-user] Logout page attribute in keycloak-saml.xml Message-ID: Hello Has anyone looked into the Keycloak bug for the logout page attribute to be entered in the keycloak-saml.xml file which we pull from Keycloak? Please refer to this JIRA story for details: https://issues.jboss.org/browse/KEYCLOAK-7979 Thanks, From ddtxra at gmail.com Thu Aug 2 18:03:23 2018 From: ddtxra at gmail.com (Daniel Teixeira) Date: Fri, 3 Aug 2018 00:03:23 +0200 Subject: [keycloak-user] Keycloak Admin REST API not updating user.federatedIdentities attribute In-Reply-To: <1533170197.2094.9.camel@acutus.pro> References: <1533069524.4909.4.camel@acutus.pro> <1533170197.2094.9.camel@acutus.pro> Message-ID: Hello Dmitry, Yes you are completely right: For the moment, our requirement is that the user can see but not update the user fields in the account interface. I have also tried to remove the role 'manage-account' for the user but keep the role 'view-profile'. But if I do this, the user gets a page that says "We are sorry, no access" if he tries to go to: {keycloakurl}/auth/realms/{realm-name}/account/ Do you have another suggestion? Thanks very much for your help! Daniel On Thu, Aug 2, 2018 at 2:36 AM, Dmitry Telegin
wrote: > Hi Daniel, > > On Wed, 2018-08-01 at 11:32 +0200, Daniel Teixeira wrote: > > Wonderful, thank you! I should have read the docs better. > > Yes you remember correctly Dmitry, I am familiar with creating a custom > module now :) > > You're welcome :) > > > Thanks for the trick with Firebug Marek. It will be useful in the future > :) Actually I tried that trick, on the "account" interface, but the > "account" interface does not use a REST API, correct? > > I hope Marek forgives me if I answer on his behalf :) well, Account > actually uses a REST endpoint, but it is not a part of the Admin REST API. > The endpoint lives in org.keycloak.services.resources.account.AccountRestService > (keycloak-services module), so you can examine it. > > > For example I don't want the user to update its password / firstName / > lastName (because those fields come from LDAP) and I wanted to double-check > if commenting / disabling those fields on custom ftl templates is enough > or do I need to disable / comment something on the backend as well? On > realm settings -> login. There is only the option "edit username", but no > option for "edit firstName / edit lastName / edit password".... > > From the AccountRestService code we can deduce that there is no way ATM to > selectively disable updating firstName / lastName / password. > > But do I get it right that you simply want a read-only version of the > Account GUI? Then I think there is a solution for your case, let me know. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > > > > > > > On Tue, Jul 31, 2018 at 10:38 PM, Dmitry Telegin
> wrote: > > > Hi Daniel, > > > > > > That's what you can do with federated identities currently: > > > > > > GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list > federated identities configured for the user > > > POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} > - create a new federated identity > > > DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} > - remove federated identity > > > > > > https://github.com/keycloak/keycloak/blob/master/services/ > src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363 > > > > > > Updating federated entities with PUT is not supported yet. Feel free to > > > file an RFE in JIRA for that. > > > > > > Meanwhile, you can implement this missing piece as a custom REST > > > resource and deploy it to your Keycloak. If I remember correctly, you > > > should be already familiar with the process :) > > > > > > Good luck! > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote: > > > > I would like to update (and ideally create) the federatedIdentities > > > > attribute of a user using the Admin Rest API, but it seems like this > does > > > > not work / or it is not supported? > > > > > > > > I am able to update normal user attributes but not the > federatedIdentities. > > > > > > > > Is this a bug or is it supposed to be like this? > > > > > > > > Is there a different way to do this? (Of course I could do an insert > into, > > > > in the database, but I would prefer to use the api...). I need to > run this > > > > for more than 200 users... 
> > > > > > > > My code: > > > > https://github.com/ddtxra/python-console-keycloak- > example/blob/master/admin-rest-api-update-user.py > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > -- > > Daniel Teixeira > -- Daniel Teixeira From mposolda at redhat.com Fri Aug 3 02:31:26 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Aug 2018 08:31:26 +0200 Subject: [keycloak-user] Keycloak 4.2.1.Final released Message-ID: <69598e78-9b55-c207-f6d5-1c143fdc46c3@redhat.com> This release just fixes some DB migration related bugs. See details on the blog: http://blog.keycloak.org/2018/08/keycloak-421final-released.html From mposolda at redhat.com Fri Aug 3 02:33:08 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Aug 2018 08:33:08 +0200 Subject: [keycloak-user] Upgrade to 4.2.0 fails In-Reply-To: References: <493598388.106620.1533200798005.JavaMail.zimbra@tech-advantage.com> Message-ID: <6ac41973-c7e1-892d-9b92-5a05ff63ca73@redhat.com> There is new 4.2.1.Final release, which fixes this. See: http://blog.keycloak.org/2018/08/keycloak-421final-released.html Marek On 02/08/18 11:18, Michal Hajas wrote: > Hi, > > you are right, this is a bug. There is already a fix for this in upstream. > > Issue: https://issues.jboss.org/browse/KEYCLOAK-7985 > PR: https://github.com/keycloak/keycloak/pull/5433 > > if you have anything to add there, feel free to comment. 
> > Best regards, > Michal > > On Thu, Aug 2, 2018 at 11:16 AM GARDAIS Ionel < > ionel.gardais at tech-advantage.com> wrote: > >> Hi, >> >> When migrating from 4.1.0 to 4.2.0 I found a bug in >> [ >> https://source.jboss.org/browse/~br=master/Keycloak/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AuthzResourceUseMoreURIs.java?r=1308a3231db3a8f9305146b8f958f99a7582a093#to26 >> | >> https://source.jboss.org/browse/~br=master/Keycloak/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/AuthzResourceUseMoreURIs.java?r=1308a3231db3a8f9305146b8f958f99a7582a093#to26 >> ] >> >> Line 26 refers to table RESOURCE_URI >> whereas jpa-changelog-authz-4.2.0.Final.xml creates a table named >> RESOURCE_URIS >> >> thus the upgrade fails. >> >> Regards, >> Ionel >> >> >> >> Ionel GARDAIS >> CIO - IT Team manager >> >> >> -- >> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON >> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 >> 301_______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Fri Aug 3 02:33:45 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 3 Aug 2018 08:33:45 +0200 Subject: [keycloak-user] Keycloak 4.2.0.Final released! In-Reply-To: References: <318a2684-824f-1b91-fb69-6a48d2907544@redhat.com> <9150ac13-d135-c7d8-4e8d-3e7b64fb3162@squashedfrog.net> Message-ID: <09a939c0-c2f2-ed32-262d-4142d358d852@redhat.com> There is new 4.2.1.Final release, which fixes this. 
See: http://blog.keycloak.org/2018/08/keycloak-421final-released.html Marek On 02/08/18 08:53, Hynek Mlnarik wrote: > This has been reported as https://issues.jboss.org/browse/KEYCLOAK-7984 and > will be fixed soon, stay tuned. > > --Hynek > > On Thu, Aug 2, 2018 at 8:51 AM Henning Waack > wrote: > >> Hi. >> >> Yes, I have the exact same error. Tried to install yesterday on Ubuntu, >> 4.2.0 does not come up with the stack trace below. >> >> Any pointers on this? >> >> Thanks >> >> Henning >> >> 17:49:52,468 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool >> -- 57) MSC000001: Failed to start service >> jboss.undertow.deployment.default-server.default-host./auth: >> org.jboss.msc.service.StartException in service >> jboss.undertow.deployment.default-server.default-host./auth: >> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >> >> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84) >> at >> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) >> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >> at >> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >> at >> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >> at java.lang.Thread.run(Thread.java:748) >> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct >> public >> >> org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >> at >> >> org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162) >> at >> >> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) >> at >> >> 
org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) >> at >> >> org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) >> at >> >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) >> at >> >> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) >> at >> >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) >> at >> >> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) >> at >> >> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) >> at >> >> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250) >> at >> >> io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) >> at >> >> io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) >> at >> >> io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) >> at >> >> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) >> at >> >> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >> at >> >> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> at >> >> 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >> at >> >> io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) >> at >> >> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) >> ... 6 more >> Caused by: org.hibernate.PropertyAccessException: Null value was assigned >> to a property [class >> org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority] of >> primitive type setter of >> org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority >> at >> >> org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:44) >> at >> >> org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues(AbstractEntityTuplizer.java:713) >> at >> >> org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues(PojoEntityTuplizer.java:207) >> at >> >> org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues(AbstractEntityPersister.java:4692) >> at >> >> org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity(TwoPhaseLoad.java:183) >> at >> >> org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity(TwoPhaseLoad.java:125) >> >> 2018-08-02 0:23 GMT+02:00 Stuart Auchterlonie : >> >>> On 01/08/18 14:47, Marek Posolda wrote: >>>> See details on the blog: >>>> http://blog.keycloak.org/2018/08/keycloak-420final-released.html >>>> >>> Anyone else seeing this error message when trying to start the docker >>> version of this? 
It was upgraded earlier today from 3.4.3 to 4.1.0 >>> and just now to 4.2.0 >>> >>> Regards >>> Stuart >>> >>> ----- Error Message --------- >>> 22:15:43,530 ERROR [org.jboss.msc.service.fail] (ServerService Thread >>> Pool -- 48) MSC000001: Failed to start service >>> jboss.undertow.deployment.default-server.default-host./auth: >>> org.jboss.msc.service.StartException in service >>> jboss.undertow.deployment.default-server.default-host./auth: >>> java.lang.RuntimeException: RESTEASY003325: Failed to construct public >>> org.keycloak.services.resources.KeycloakApplication( >>> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. >>> run(UndertowDeploymentService.java:84) >>> at java.util.concurrent.Executors$RunnableAdapter. >>> call(Executors.java:511) >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker( >>> ThreadPoolExecutor.java:1149) >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run( >>> ThreadPoolExecutor.java:624) >>> at java.lang.Thread.run(Thread.java:748) >>> at org.jboss.threads.JBossThread.run(JBossThread.java:320) >>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to >>> construct public >>> org.keycloak.services.resources.KeycloakApplication( >>> javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) >>> at >>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct( >>> ConstructorInjectorImpl.java:162) >>> at >>> org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance( >>> ResteasyProviderFactory.java:2298) >>> at >>> org.jboss.resteasy.spi.ResteasyDeployment.createApplication( >>> ResteasyDeployment.java:340) >>> at >>> org.jboss.resteasy.spi.ResteasyDeployment.start( >>> ResteasyDeployment.java:253) >>> at >>> >> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init( >>> ServletContainerDispatcher.java:120) >>> 
at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init( >>> HttpServletDispatcher.java:36) >>> at >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( >>> LifecyleInterceptorInvocation.java:117) >>> at >>> org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init( >>> RunAsLifecycleInterceptor.java:78) >>> at >>> io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed( >>> LifecyleInterceptorInvocation.java:103) >>> at >>> io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start( >>> ManagedServlet.java:250) >>> at >>> io.undertow.servlet.core.ManagedServlet.createServlet( >>> ManagedServlet.java:133) >>> at >>> io.undertow.servlet.core.DeploymentManagerImpl$2.call( >>> DeploymentManagerImpl.java:565) >>> at >>> io.undertow.servlet.core.DeploymentManagerImpl$2.call( >>> DeploymentManagerImpl.java:536) >>> at >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call( >>> ServletRequestContextThreadSetupAction.java:42) >>> at >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call( >>> ContextClassLoaderSetupAction.java:43) >>> at >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupActi >>> on.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ >>> UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. >>> java:1508) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ >>> UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. >>> java:1508) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ >>> UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. >>> java:1508) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$ >>> UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService. 
>>> java:1508) >>> at >>> io.undertow.servlet.core.DeploymentManagerImpl.start( >>> DeploymentManagerImpl.java:578) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService. >>> startContext(UndertowDeploymentService.java:100) >>> at >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1. >>> run(UndertowDeploymentService.java:81) >>> ... 6 more >>> Caused by: org.hibernate.PropertyAccessException: Null value was >>> assigned to a property [class >>> org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority] >>> of primitive type setter of >>> org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority >>> at >>> org.hibernate.property.access.spi.SetterFieldImpl.set( >>> SetterFieldImpl.java:44) >>> at >>> org.hibernate.tuple.entity.AbstractEntityTuplizer.setPropertyValues( >>> AbstractEntityTuplizer.java:713) >>> at >>> org.hibernate.tuple.entity.PojoEntityTuplizer.setPropertyValues( >>> PojoEntityTuplizer.java:207) >>> at >>> org.hibernate.persister.entity.AbstractEntityPersister.setPropertyValues( >>> AbstractEntityPersister.java:4692) >>> at >>> org.hibernate.engine.internal.TwoPhaseLoad.doInitializeEntity( >>> TwoPhaseLoad.java:183) >>> at >>> org.hibernate.engine.internal.TwoPhaseLoad.initializeEntity( >>> TwoPhaseLoad.java:125) >>> at >>> org.hibernate.loader.plan.exec.process.internal.AbstractRowReader. >>> performTwoPhaseLoad(AbstractRowReader.java:238) >>> at >>> org.hibernate.loader.plan.exec.process.internal. >>> AbstractRowReader.finishUp(AbstractRowReader.java:209) >>> at >>> org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl. >>> extractResults(ResultSetProcessorImpl.java:133) >>> at >>> org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader. >>> executeLoad(AbstractLoadPlanBasedLoader.java:122) >>> at >>> org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader. 
>>> executeLoad(AbstractLoadPlanBasedLoader.java:86) >>> at >>> org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectio >>> nInitializer.initialize(AbstractLoadPlanBasedCollectio >>> nInitializer.java:88) >>> at >>> >> org.hibernate.persister.collection.AbstractCollectionPersister.initialize( >>> AbstractCollectionPersister.java:688) >>> at >>> org.hibernate.event.internal.DefaultInitializeCollectionEventListener. >>> onInitializeCollection(DefaultInitializeCollectionEventListener.java:75) >>> at >>> org.hibernate.internal.SessionImpl.initializeCollection( >>> SessionImpl.java:2004) >>> at >>> org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork( >>> AbstractPersistentCollection.java:567) >>> at >>> org.hibernate.collection.internal.AbstractPersistentCollection. >>> withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249) >>> at >>> >> org.hibernate.collection.internal.AbstractPersistentCollection.initialize( >>> AbstractPersistentCollection.java:563) >>> at >>> org.hibernate.collection.internal.AbstractPersistentCollection.read( >>> AbstractPersistentCollection.java:132) >>> at >>> org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork( >>> AbstractPersistentCollection.java:161) >>> at >>> org.hibernate.collection.internal.AbstractPersistentCollection$1.doWork( >>> AbstractPersistentCollection.java:146) >>> at >>> org.hibernate.collection.internal.AbstractPersistentCollection. >>> withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249) >>> at >>> org.hibernate.collection.internal.AbstractPersistentCollection.readSize( >>> AbstractPersistentCollection.java:145) >>> at >>> org.hibernate.collection.internal.PersistentBag. 
>>> isEmpty(PersistentBag.java:266) >>> at >>> org.keycloak.models.jpa.RealmAdapter.getRequiredActionProviders( >>> RealmAdapter.java:1726) >>> at >>> org.keycloak.models.cache.infinispan.entities.CachedRealm.( >>> CachedRealm.java:256) >>> at >>> org.keycloak.models.cache.infinispan.RealmCacheSession. >>> getRealm(RealmCacheSession.java:399) >>> at >>> org.keycloak.models.jpa.JpaRealmProvider.getRealms( >>> JpaRealmProvider.java:102) >>> at >>> org.keycloak.models.cache.infinispan.RealmCacheSession. >>> getRealms(RealmCacheSession.java:459) >>> at >>> org.keycloak.migration.migrators.MigrateTo4_2_0. >>> migrate(MigrateTo4_2_0.java:48) >>> at >>> org.keycloak.migration.MigrationModelManager.migrate( >>> MigrationModelManager.java:96) >>> at >>> org.keycloak.services.resources.KeycloakApplication.migrateModel( >>> KeycloakApplication.java:245) >>> at >>> org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap( >>> KeycloakApplication.java:186) >>> at >>> org.keycloak.services.resources.KeycloakApplication$ >>> 1.run(KeycloakApplication.java:145) >>> at >>> org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction( >>> KeycloakModelUtils.java:227) >>> at >>> org.keycloak.services.resources.KeycloakApplication. >>> (KeycloakApplication.java:136) >>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>> Method) >>> at >>> sun.reflect.NativeConstructorAccessorImpl.newInstance( >>> NativeConstructorAccessorImpl.java:62) >>> at >>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance( >>> DelegatingConstructorAccessorImpl.java:45) >>> at >> java.lang.reflect.Constructor.newInstance(Constructor.java:423) >>> at >>> org.jboss.resteasy.core.ConstructorInjectorImpl.construct( >>> ConstructorInjectorImpl.java:150) >>> ... 
28 more
>>> Caused by: java.lang.IllegalArgumentException: Can not set int field
>>> org.keycloak.models.jpa.entities.RequiredActionProviderEntity.priority
>>> to null value
>>> at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
>>> at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
>>> at sun.reflect.UnsafeIntegerFieldAccessorImpl.set(UnsafeIntegerFieldAccessorImpl.java:80)
>>> at java.lang.reflect.Field.set(Field.java:764)
>>> at org.hibernate.property.access.spi.SetterFieldImpl.set(SetterFieldImpl.java:38)
>>> ... 68 more
>>>
>>> -----------------------------
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> -----------
>> Henning Waack | IT Consultant
>> codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
>> tel: +49 (0)151 108 515 29
>> www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
>> Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
>> Management board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
>> Supervisory board: Patric Fedlmeier (Chairman) .
>> Klaus Jäger . Jürgen Schütz
>>
>> This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files at once. Unauthorised copying, use or opening of any attached files, as well as unauthorised forwarding of this e-mail, is not permitted.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Fri Aug 3 08:04:11 2018
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 3 Aug 2018 14:04:11 +0200
Subject: [keycloak-user] Deployment of custom IdentityProviders with HTML pages for admin console
In-Reply-To: <1533168384.2094.5.camel@acutus.pro>
References: <1533168384.2094.5.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Yes, I'm currently "patching" the Keycloak theme, but only by /adding/ HTML files for my IdP which are dynamically resolved by the Keycloak admin-console. Sure, I could create a custom theme derived from the Keycloak base theme which contains just my additional IdP HTML files, but then I'd need to configure the theme for every realm where I need my IdP.

I agree with you that patching the Keycloak theme by changing files is not a good idea, but adding files required for an extension like a custom IdP or an authenticator should IMHO be a supported use case. Extensions should IMHO allow declaring embedded resources (templates/css/js/images) which should be resolved by Keycloak, similar to how themes work.
Cheers, Thomas On Thu, Aug 2, 2018 at 2:06 AM Dmitry Telegin
wrote: > Hi Thomas, > > (skipped) > > > My current deployment script contains the following: > > ... > > echo install new acme-identityprovider > > cp target/*.jar $KEYCLOAK_HOME/standalone/deployments > > > > echo install new theme page > > cp -r src/main/resources/themes/* $KEYCLOAK_HOME/themes > > ... > > > > This copies the associated HTML files to > > themes/base/admin/resources/partials/realm-identity-provider-acme.html > > > themes/base/admin/resources/partials/realm-identity-provider-acme-ext.html > > So you are actually patching Keycloak base theme? You're a cheater! :-D > This is not how GUI modifications are done in Keycloak normally. > > If you're on KC 4.0.0+, seems like Theme Resources is what you're looking > for: > > https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource > > Otherwise, the recommended way is to create a custom theme, inherit it > from Keycloak stock theme and extend it with your content. You can put your > theme into the same JAR to have it hot deployed (see KEYCLOAK-4547), but > also only if you're on KC 4.0.0+. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. 
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> > Cheers,
> > Thomas
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Aug 3 08:35:54 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 03 Aug 2018 15:35:54 +0300
Subject: [keycloak-user] Deployment of custom IdentityProviders with HTML pages for admin console
In-Reply-To:
References: <1533168384.2094.5.camel@acutus.pro>
Message-ID: <1533299754.5388.1.camel@acutus.pro>

Hi Thomas,

On Fri, 2018-08-03 at 14:04 +0200, Thomas Darimont wrote:
> Hi Dmitry,
>
> Yes, I'm currently "patching" the Keycloak theme, but only by /adding/ HTML files for my IdP which are dynamically
> resolved by the Keycloak admin-console.
> Sure, I could create a custom theme derived from the Keycloak base theme which contains just my additional IdP
> HTML files, but then I'd need to configure the theme for every realm where I need my IdP.
>
> I agree with you that patching the Keycloak theme by changing files is not a good idea, but adding files required
> for an extension like a custom IdP or an authenticator should IMHO be a supported use case.

But isn't it what Theme Resources are exactly?
https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource

Dmitry

> Extensions should IMHO allow declaring embedded resources (templates/css/js/images) which should be resolved by Keycloak,
> similar to how themes work.
>
> Cheers,
> Thomas
>
> On Thu, Aug 2, 2018 at 2:06 AM Dmitry Telegin
> wrote:
> > Hi Thomas,
> >
> > (skipped)
> >
> > > My current deployment script contains the following:
> > > ...
> > >   echo install new acme-identityprovider
> > >   cp target/*.jar $KEYCLOAK_HOME/standalone/deployments
> > >
> > >   echo install new theme page
> > >   cp -r src/main/resources/themes/* $KEYCLOAK_HOME/themes
> > > ...
> > >
> > > This copies the associated HTML files to
> > >   themes/base/admin/resources/partials/realm-identity-provider-acme.html
> > >   themes/base/admin/resources/partials/realm-identity-provider-acme-ext.html
> >
> > So you are actually patching Keycloak base theme? You're a cheater! :-D This is not how GUI modifications are done in Keycloak normally.
> >
> > If you're on KC 4.0.0+, seems like Theme Resources is what you're looking for:
> > https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource
> >
> > Otherwise, the recommended way is to create a custom theme, inherit it from Keycloak stock theme and extend it with your content. You can put your theme into the same JAR to have it hot deployed (see KEYCLOAK-4547), but also only if you're on KC 4.0.0+.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > >
> > > Cheers,
> > > Thomas
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

From thomas.darimont at googlemail.com Fri Aug 3 08:53:47 2018
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 3 Aug 2018 14:53:47 +0200
Subject: [keycloak-user] Deployment of custom IdentityProviders with HTML pages for admin console
In-Reply-To: <1533299754.5388.1.camel@acutus.pro>
References: <1533168384.2094.5.camel@acutus.pro> <1533299754.5388.1.camel@acutus.pro>
Message-ID:

Thanks for your quick response!

Yes and no :)

Embedding theme-resources in a .jar via `/theme-resources` allows me to provide resources that I can refer to from my extensions. However, in my case, the Keycloak admin-console looks for the IdP specific HTML files under $KEYCLOAK_HOME/themes/base/admin/resources/partials/*-ext.html which don't seem to provide a way to add those files via embedded `/theme-resources` such that they can be found by the admin-console.

So currently I need to either copy files myself or create a custom theme. But in every case, I need to do at least 2 things:
1. deploy IdP.jar
2. deploy theme + configure theme, or copy files to the Keycloak base theme.

What I actually want is to just deploy my IdP.jar with all the resources (two HTML files) embedded.

Cheers,
Thomas

On Fri, Aug 3, 2018 at 2:36 PM Dmitry Telegin
wrote: > Hi Thomas, > > On Fri, 2018-08-03 at 14:04 +0200, Thomas Darimont wrote: > > Hi Dmitry, > > > > Yes, I'm currently "patching" the Keycloak theme, but only by /adding/ > HTML files for my IdP which are dynamically > > resolved by the Keycloak admin-console. > > Sure, I could create a custom theme derived from the Keycloak base theme > which contains just my additional IdP > > HTML files, but then I'd need to configure the theme for every realm > where I need my IdP. > > > > I agree with you that patching the Keycloak theme by changing files is > not a good idea, but adding files required > > for an extension like a custom IdP or an authenticator should IMHO be a > supported use case. > > But isn't it what Theme Resources are exactly? > > https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource > > Dmitry > > > Extensions should IMHO allow declaring embedded resources > (templates/css/js/images) which should be resolved by Keycloak, > > similar to how themes work. > > > > Cheers, > > Thomas > > > > > On Thu, Aug 2, 2018 at 2:06 AM Dmitry Telegin
wrote: > > > Hi Thomas, > > > > > > (skipped) > > > > > > > My current deployment script contains the following: > > > > ... > > > > echo install new acme-identityprovider > > > > cp target/*.jar $KEYCLOAK_HOME/standalone/deployments > > > > > > > > echo install new theme page > > > > cp -r src/main/resources/themes/* $KEYCLOAK_HOME/themes > > > > ... > > > > > > > > This copies the associated HTML files to > > > > > themes/base/admin/resources/partials/realm-identity-provider-acme.html > > > > > themes/base/admin/resources/partials/realm-identity-provider-acme-ext.html > > > > > > So you are actually patching Keycloak base theme? You're a cheater! > :-D This is not how GUI modifications are done in Keycloak normally. > > > > > > If you're on KC 4.0.0+, seems like Theme Resources is what you're > looking for: > > > > https://www.keycloak.org/docs/latest/server_development/index.html#_theme_resource > > > > > > Otherwise, the recommended way is to create a custom theme, inherit it > from Keycloak stock theme and extend it with your content. You can put your > theme into the same JAR to have it hot deployed (see KEYCLOAK-4547), but > also only if you're on KC 4.0.0+. > > > > > > Cheers, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > > > > > > Cheers, > > > > Thomas > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From dt at acutus.pro Fri Aug 3 13:17:28 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 03 Aug 2018 20:17:28 +0300 Subject: [keycloak-user] Force POST setting in SAML?? In-Reply-To: References: Message-ID: <1533316648.17598.1.camel@acutus.pro> Hi Max, Could you please attach that SP metadata file for both configurations? 
(scrubbing sensitive data, if any)

Also if you are on a purely testing (non-critical) environment, could you please capture the whole conversation into a HAR file and share it? (F12 > Network > right click, "Save as HAR with contents" or like that; don't forget to turn on Preserve logs)
This might be super helpful to understand what's going on. Also make sure it doesn't expose anything sensitive.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-02 at 14:42 +0100, Max Allan wrote:
> Hi,
> I have a SAML SP that needs both POST and Redirect methods in the
> sp_metadata file. (if redirect is missing then it fails to even startup the
> app)
>
> A bit of fiddling and I noticed the "Force POST Binding" in the client
> config. If I turn it OFF then both POST and Redirect lines appear in the
> installation file. Nice.
>
> However, when the user tries to login, something (Keycloak I'm pretty sure)
> gets things wildly wrong and the browser ends up at the SP's redirect URI
> with the "SAMLRequest=...." in the URL.
>
> The SP doesn't know how to process that (that's for Keycloak). So it fails
> to login.
>
> If I leave "Force POST" ON, then the sp_metadata needs a manual edit to
> include the Redirect method. But at least the user can login.
>
> Can anyone explain what's going on? Why do I need to set it off to generate
> the xml for the SP and then back on to actually work??
>
> Thanks,
> Max
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From tdockendorf at osc.edu Fri Aug 3 14:08:23 2018
From: tdockendorf at osc.edu (Dockendorf, Trey)
Date: Fri, 3 Aug 2018 18:08:23 +0000
Subject: [keycloak-user] Unable to change consentRequired value for protocol mappers using Keycloak 4.2.1
Message-ID: <3B3A95A9-3E01-4641-9AA8-78593A41797D@osc.edu>

I am testing Puppet changes needed to support Keycloak 4.2.1 after supporting 3.4.x and discovered I'm unable to change the consentRequired field for protocol mappers. Is this expected behavior or a bug? The behavior is the same if I update the resource using a full JSON file too which is what I have Puppet doing. Based on my read of 4.0.0 upgrade docs it looks like "Consent Required" was removed so is the JSON value now read-only?

Thanks,
- Trey

[root at centos-7-x64 /]# /opt/keycloak/bin/kcadm-wrapper.sh update client-scopes/saml/protocol-mappers/models/f56be3eb-5986-5366-b209-dd6a9269e7b9 -r test -s consentRequired=true -o
Logging into http://localhost:8080/auth as user admin of realm master
{
  "id" : "f56be3eb-5986-5366-b209-dd6a9269e7b9",
  "name" : "email",
  "protocol" : "saml",
  "protocolMapper" : "saml-user-property-mapper",
  "consentRequired" : false,
  "config" : {
    "user.attribute" : "email",
    "friendly.name" : "email",
    "attribute.name" : "email"
  }
}
[root at centos-7-x64 /]# cat /tmp/test.json
{
  "id": "f56be3eb-5986-5366-b209-dd6a9269e7b9",
  "name": "email",
  "protocol": "saml",
  "protocolMapper": "saml-user-property-mapper",
  "consentRequired": true,
  "config": {
    "user.attribute": "email",
    "friendly.name": "email",
    "attribute.name": "email"
  }
}
[root at centos-7-x64 /]# /opt/keycloak/bin/kcadm-wrapper.sh update client-scopes/saml/protocol-mappers/models/f56be3eb-5986-5366-b209-dd6a9269e7b9 -r test -f /tmp/test.json
Logging into http://localhost:8080/auth as user admin of realm master
[root at centos-7-x64 /]# /opt/keycloak/bin/kcadm-wrapper.sh get client-scopes/saml/protocol-mappers/models/f56be3eb-5986-5366-b209-dd6a9269e7b9 -r test
Logging into http://localhost:8080/auth as user admin of realm master
{
  "id" : "f56be3eb-5986-5366-b209-dd6a9269e7b9",
  "name" : "email",
  "protocol" : "saml",
  "protocolMapper" : "saml-user-property-mapper",
  "consentRequired" : false,
  "config" : {
    "user.attribute" : "email",
    "friendly.name" : "email",
    "attribute.name" : "email"
  }
}

--
Trey Dockendorf
HPC Systems Engineer
Ohio Supercomputer Center

From jdennis at redhat.com Fri Aug 3 14:26:58 2018
From: jdennis at redhat.com (John Dennis)
Date: Fri, 3 Aug 2018 14:26:58 -0400
Subject: [keycloak-user] Force POST setting in SAML??
In-Reply-To: <1533316648.17598.1.camel@acutus.pro>
References: <1533316648.17598.1.camel@acutus.pro>
Message-ID: <6c08fff4-d0e4-49dd-787a-771f0ff7e62d@redhat.com>

On 08/03/2018 01:17 PM, Dmitry Telegin wrote:
> Hi Max,
>
> Could you please attach that SP metadata file for both configurations? (scrubbing sensitive data, if any)
>
> Also if you are on a purely testing (non-critical) environment, could you please capture the whole conversation into a HAR file and share it? (F12 > Network > right click, "Save as HAR with contents" or like that; don't forget to turn on Preserve logs)
> This might be super helpful to understand what's going on. Also make sure it doesn't expose anything sensitive.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-08-02 at 14:42 +0100, Max Allan wrote:
>> Hi,
>> I have a SAML SP that needs both POST and Redirect methods in the
>> sp_metadata file. (if redirect is missing then it fails to even startup the
>> app)
>>
>> A bit of fiddling and I noticed the "Force POST Binding" in the client
>> config.
>> If I turn it OFF then both POST and Redirect lines appear in the
>> installation file. Nice.
>>
>> However, when the user tries to login, something (Keycloak I'm pretty sure)
>> gets things wildly wrong and the browser ends up at the SP's redirect URI
>> with the "SAMLRequest=...." in the URL.
>>
>> The SP doesn't know how to process that (that's for Keycloak). So it fails
>> to login.
>>
>> If I leave "Force POST" ON, then the sp_metadata needs a manual edit to
>> include the Redirect method. But at least the user can login.
>>
>> Can anyone explain what's going on? Why do I need to set it off to generate
>> the xml for the SP and then back on to actually work??

I wonder if there is some confusion. The statement "needs the method in the SP metadata" implies the AssertionConsumerService endpoint, which has a binding associated with it. But the redirect binding is never used for receiving assertions because of its limited size (everything is encoded in the URL). Typically with WebSSO the redirect is composed with the post binding. The SP sends the request to the IdP (e.g. keycloak) using the redirect binding and the IdP responds using post.

> I have a SAML SP that needs both POST and Redirect methods in the
> sp_metadata file.

This just sounds wrong.

--
John Dennis

From joy at autonomic.ai Fri Aug 3 14:30:24 2018
From: joy at autonomic.ai (Joy Kent)
Date: Fri, 3 Aug 2018 11:30:24 -0700
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
Message-ID:

We have a keycloak 3.4.3.Final cluster with two PostgreSQL databases, one for keycloak, and the other for user federation storage. Both keycloak and user federation PostgreSQL databases are running with AWS RDS instances. Recently, we noticed that keycloak continuously threw exceptions when the user federation PostgreSQL database did a MultiAZ region failover, and became not usable. The exception snippet will be attached below.
I have searched around, but didn't find the answer. This is our keycloak Database configuration: jdbc:postgresql://${env.POSTGRES_PORT_5432_TCP_ADDR}:${env.POSTGRES_PORT_5432_TCP_PORT:5432}/${env.POSTGRES_DATABASE:keycloak} postgresql IdleConnections ${env.POSTGRES_USER:keycloak} ${env.POSTGRES_PASSWORD:password} SELECT 1 true 60000 The user federation Database configuration looks like this: ${env.IAM_DB_HOST} ${env.IAM_DB_TCP_PORT:5432} ${env.IAM_DB_DATABASE:iam} postgresql ${env.IAM_XA_POOL_MIN_SIZE:5} ${env.IAM_XA_POOL_MAX_SIZE:100} false ${env.IAM_POSTGRES_USER:user} ${env.IAM_POSTGRES_PASSWORD:password} SELECT 1 true 60000 The driver is: org.postgresql.xa.PGXADataSource I found a page https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/datasource_management, which seems to indicate that exception-sorter is important: To configure database connection validation, you specify the validation > timing method (when the validation occurs), the validation mechanism (how > the validation is performed), and the exception sorter (how exceptions are > handled). Is the exception-sorter the missing configuration? I have tried this change, which seems to "fix" the problem. But by looking at the code, I can't tell how this can solve the problem. Does anyone know where might be wrong? Thanks a lot for your help! 
=====================
The exception snippet is as follows:

04:44:55,502 INFO [org.keycloak.events] (default task-21) type=CLIENT_LOGIN, realmId=xxxxxxxxxxx, clientId=xxxxxxxxxx, userId=xxxxxxxxxxxx, ipAddress=100.96.4.0, token_id=xxxxxxxxxxxx, grant_type=client_credentials, refresh_token_type=Refresh, refresh_token_id=xxxxxxxxxx, client_auth_method=client-secret, username=xxxxxxxxxxx
04:44:55,503 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) SQL Error: 0, SQLState: 08003
04:44:55,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
04:44:55,503 WARN [com.arjuna.ats.arjuna] (default task-21) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff646043f0:2ee9e692:5b425ae8:2c012df, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization at 76b2b731 >: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235)
at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163)
at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352)
at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491)
at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316)
at
org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
	at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
	at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:209)
	at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:220)
	at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:265)
	at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
	at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368)
	at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
	at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
	at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
	at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
	at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
	at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
	at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
	at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
	at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
	at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
	at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
	at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
	at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
	at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
	at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
	.....
Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
	at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
	at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
	at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
	at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
	at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
	at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2980)
	at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3499)
	at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589)
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463)
	at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
	at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
	at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295)
	at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468)
	at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159)
	... 72 more
Caused by: org.postgresql.util.PSQLException: This connection has been closed.
	at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766)
	at org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582)
	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:757)
	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:743)
	at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
	... 85 more

From pnalyvayko at agi.com Fri Aug 3 15:56:57 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Fri, 3 Aug 2018 19:56:57 +0000
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
In-Reply-To: 
References: 
Message-ID: 

tl;dr :)

You may want to check if JVM is running out of memory, we've seen it happen before and the effects were similar.
My 0.02 cents
Regards,
Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Joy Kent [joy at autonomic.ai]
Sent: Friday, August 3, 2018 2:30 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.

We have a keycloak 3.4.3.Final cluster with two PostgreSQL databases, one for keycloak, and the other for user federation storage. Both keycloak and user federation PostgreSQL databases are running with AWS RDS instances.

Recently, we noticed that keycloak continuously threw exceptions when the user federation PostgreSQL database did a MultiAZ region failover, and became not usable. The exception snippet will be attached below. I have searched around, but didn't find the answer.

This is our keycloak Database configuration:

    pool-name="KeycloakDS" enabled="true" use-java-context="true" use-ccm="true">
    jdbc:postgresql://${env.POSTGRES_PORT_5432_TCP_ADDR}:${env.POSTGRES_PORT_5432_TCP_PORT:5432}/${env.POSTGRES_DATABASE:keycloak}
    postgresql
    IdleConnections
    ${env.POSTGRES_USER:keycloak}
    ${env.POSTGRES_PASSWORD:password}
    SELECT 1
    true
    60000

The user federation Database configuration looks like this:

    pool-name="IamDS" enabled="true" use-java-context="true" use-ccm="false">
    ${env.IAM_DB_HOST}
    ${env.IAM_DB_TCP_PORT:5432}
    ${env.IAM_DB_DATABASE:iam}
    postgresql
    ${env.IAM_XA_POOL_MIN_SIZE:5}
    ${env.IAM_XA_POOL_MAX_SIZE:100}
    false
    ${env.IAM_POSTGRES_USER:user}
    ${env.IAM_POSTGRES_PASSWORD:password}
    SELECT 1
    true
    60000

The driver is:

    module="org.postgresql.jdbc">
    org.postgresql.xa.PGXADataSource

I found a page https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/datasource_management, which seems to indicate that exception-sorter is important:

> To configure database connection validation, you specify the validation timing method (when the validation occurs), the validation mechanism (how the validation is performed), and the exception sorter (how exceptions are handled).

Is the exception-sorter the missing configuration? I have tried this change, which seems to "fix" the problem. But by looking at the code, I can't tell how this can solve the problem.

Does anyone know what might be wrong? Thanks a lot for your help!
=====================

The exception snippet is as follows:

04:44:55,502 INFO  [org.keycloak.events] (default task-21) type=CLIENT_LOGIN, realmId=xxxxxxxxxxx, clientId=xxxxxxxxxx, userId=xxxxxxxxxxxx, ipAddress=100.96.4.0, token_id=xxxxxxxxxxxx, grant_type=client_credentials, refresh_token_type=Refresh, refresh_token_id=xxxxxxxxxx, client_auth_method=client-secret, username=xxxxxxxxxxx
04:44:55,503 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) SQL Error: 0, SQLState: 08003
04:44:55,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
04:44:55,503 WARN  [com.arjuna.ats.arjuna] (default task-21) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff646043f0:2ee9e692:5b425ae8:2c012df, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@76b2b731 >: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
	at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235)
	at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163)
	at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352)
	at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316)
	at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
	at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
	at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:209)
	at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:220)
	at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:265)
	at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
	at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368)
	at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
	at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
	at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
	at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
	at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
	at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
	at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
	at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
	at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
	at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
	at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
	at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
	at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
	at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
	at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
	.....
Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
	at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
	at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
	at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
	at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
	at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
	at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2980)
	at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3499)
	at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589)
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463)
	at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
	at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
	at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295)
	at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468)
	at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159)
	... 72 more
Caused by: org.postgresql.util.PSQLException: This connection has been closed.
	at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766)
	at org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582)
	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:757)
	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:743)
	at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
	... 85 more
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From joy at autonomic.ai Fri Aug 3 16:58:00 2018
From: joy at autonomic.ai (Joy Kent)
Date: Fri, 3 Aug 2018 13:58:00 -0700
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
In-Reply-To: 
References: 
Message-ID: 

Hi Peter,

Thanks for your suggestions. I haven't checked the memory usage around that time. I will check that and report back.

Thanks,
Joy

On Fri, Aug 3, 2018 at 12:56 PM, Nalyvayko, Peter wrote:
> tl;dr :)
>
> You may want to check if JVM is running out of memory, we've seen it happen before and the effects were similar.
> My 0.02 cents
> Regards,
> Peter
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Joy Kent [joy at autonomic.ai]
> Sent: Friday, August 3, 2018 2:30 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
>
> We have a keycloak 3.4.3.Final cluster with two PostgreSQL databases, one for keycloak, and the other for user federation storage. Both keycloak and user federation PostgreSQL databases are running with AWS RDS instances.
>
> Recently, we noticed that keycloak continuously threw exceptions when the user federation PostgreSQL database did a MultiAZ region failover, and became not usable. The exception snippet will be attached below. I have searched around, but didn't find the answer.
> 	at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766)
> 	at org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582)
> 	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:757)
> 	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:743)
> 	at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
> 	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
> 	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
> 	... 85 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From joy at autonomic.ai Fri Aug 3 17:41:43 2018
From: joy at autonomic.ai (Joy Kent)
Date: Fri, 3 Aug 2018 14:41:43 -0700
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
In-Reply-To: 
References: 
Message-ID: 

Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?

On Fri, Aug 3, 2018 at 1:58 PM, Joy Kent wrote:
> Hi Peter,
>
> Thanks for your suggestions. I haven't checked the memory usage around that time. I will check that and report back.
>
> Thanks,
> Joy
>
> On Fri, Aug 3, 2018 at 12:56 PM, Nalyvayko, Peter wrote:
>
>> tl;dr :)
>>
>> You may want to check if JVM is running out of memory, we've seen it happen before and the effects were similar.
>> at >> org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766) >> at >> org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582) >> at >> org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doP >> repareStatement(BaseWrapperManagedConnection.java:757) >> at >> org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.pre >> pareStatement(BaseWrapperManagedConnection.java:743) >> at >> org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStateme >> nt(WrappedConnection.java:454) >> at >> org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.d >> oPrepare(StatementPreparerImpl.java:87) >> at >> org.hibernate.engine.jdbc.internal.StatementPreparerImpl$Sta >> tementPreparationTemplate.prepareStatement(StatementPreparer >> Impl.java:172) >> ... 85 more >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From pnalyvayko at agi.com Fri Aug 3 22:13:30 2018 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Sat, 4 Aug 2018 02:13:30 +0000 Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed. In-Reply-To: References: , Message-ID: > Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere? Lately I've been looking into performance and JVM memory consumption in effort to identify a culprit of system slowdown due to memory starvation. Preliminary results seem to indicate that simple grants such as owner password and client credential grants, can be safely marked off the list of possible causes. 
More complex use cases, such as identity brokering, are another story, as they involve external systems downstream that could cause the entire system to misbehave, but I do not have empirical evidence yet.

________________________________________
From: Joy Kent [joy at autonomic.ai]
Sent: Friday, August 3, 2018 5:41 PM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.

Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?

On Fri, Aug 3, 2018 at 1:58 PM, Joy Kent > wrote:
Hi Peter,

Thanks for your suggestions. I haven't checked the memory usage around that time. I will check that and report back.

Thanks,
Joy

On Fri, Aug 3, 2018 at 12:56 PM, Nalyvayko, Peter > wrote:
tl;dr :)

You may want to check if the JVM is running out of memory; we've seen it happen before and the effects were similar.
My 0.02 cents
Regards,
Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Joy Kent [joy at autonomic.ai]
Sent: Friday, August 3, 2018 2:30 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.

We have a keycloak 3.4.3.Final cluster with two PostgreSQL databases, one for keycloak, and the other for user federation storage. Both keycloak and user federation PostgreSQL databases are running on AWS RDS instances.

Recently, we noticed that keycloak continuously threw exceptions when the user federation PostgreSQL database did a Multi-AZ region failover, and became unusable. The exception snippet is attached below. I have searched around, but didn't find the answer.
This is our keycloak Database configuration:

jdbc:postgresql://${env.POSTGRES_PORT_5432_TCP_ADDR}:${env.POSTGRES_PORT_5432_TCP_PORT:5432}/${env.POSTGRES_DATABASE:keycloak}
postgresql
IdleConnections
${env.POSTGRES_USER:keycloak}
${env.POSTGRES_PASSWORD:password}
SELECT 1
true
60000

The user federation Database configuration looks like this:

${env.IAM_DB_HOST}
${env.IAM_DB_TCP_PORT:5432}
${env.IAM_DB_DATABASE:iam}
postgresql
${env.IAM_XA_POOL_MIN_SIZE:5}
${env.IAM_XA_POOL_MAX_SIZE:100}
false
${env.IAM_POSTGRES_USER:user}
${env.IAM_POSTGRES_PASSWORD:password}
SELECT 1
true
60000

The driver is: org.postgresql.xa.PGXADataSource

I found a page https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/datasource_management, which seems to indicate that exception-sorter is important:

> To configure database connection validation, you specify the validation timing method (when the validation occurs), the validation mechanism (how the validation is performed), and the exception sorter (how exceptions are handled).

Is the exception-sorter the missing configuration? I have tried this change, which seems to "fix" the problem. But by looking at the code, I can't tell how this can solve the problem.

Does anyone know what might be wrong? Thanks a lot for your help!
=====================

The exception snippet is as follows:

04:44:55,502 INFO [org.keycloak.events] (default task-21) type=CLIENT_LOGIN, realmId=xxxxxxxxxxx, clientId=xxxxxxxxxx, userId=xxxxxxxxxxxx, ipAddress=100.96.4.0, token_id=xxxxxxxxxxxx, grant_type=client_credentials, refresh_token_type=Refresh, refresh_token_id=xxxxxxxxxx, client_auth_method=client-secret, username=xxxxxxxxxxx
04:44:55,503 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) SQL Error: 0, SQLState: 08003
04:44:55,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
04:44:55,503 WARN [com.arjuna.ats.arjuna] (default task-21) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff646043f0:2ee9e692:5b425ae8:2c012df, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@76b2b731 >: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235)
at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163)
at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352)
at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491)
at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316)
at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:209)
at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:220)
at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:265)
at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368)
at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
.....
Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2980)
at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3499)
at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463)
at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295)
at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468)
at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159)
... 72 more
Caused by: org.postgresql.util.PSQLException: This connection has been closed.
at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766)
at org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582)
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:757)
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:743)
at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
... 85 more
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From joy at autonomic.ai Sat Aug 4 09:08:34 2018
From: joy at autonomic.ai (Joy Kent)
Date: Sat, 4 Aug 2018 06:08:34 -0700
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
In-Reply-To:
References:
Message-ID:

Thanks Peter. I would like to hear more if you have more findings. I will do more testing locally as well, and report back if I find anything.

On Fri, Aug 3, 2018 at 7:13 PM, Nalyvayko, Peter wrote:

> > Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?
>
> Lately I've been looking into performance and JVM memory consumption in an effort to identify a culprit of system slowdown due to memory starvation. Preliminary results seem to indicate that simple grants such as owner password and client credential grants can be safely marked off the list of possible causes. More complex use cases, such as identity brokering, are another story, as they involve external systems downstream that could cause the entire system to misbehave, but I do not have empirical evidence yet
>
> ________________________________________
> From: Joy Kent [joy at autonomic.ai]
> Sent: Friday, August 3, 2018 5:41 PM
> To: Nalyvayko, Peter
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
>
> Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?
>
> On Fri, Aug 3, 2018 at 1:58 PM, Joy Kent autonomic.ai>> wrote:
> Hi Peter,
>
> Thanks for your suggestions. I haven't checked the memory usage around that time.
> I will check that and report back.
>
> Thanks,
> Joy
>
> On Fri, Aug 3, 2018 at 12:56 PM, Nalyvayko, Peter > wrote:
> tl;dr :)
>
> You may want to check if the JVM is running out of memory; we've seen it happen before and the effects were similar.
> My 0.02 cents
> Regards,
> Peter
>
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Joy Kent [joy at autonomic.ai]
> Sent: Friday, August 3, 2018 2:30 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
>
> We have a keycloak 3.4.3.Final cluster with two PostgreSQL databases, one for keycloak, and the other for user federation storage. Both keycloak and user federation PostgreSQL databases are running on AWS RDS instances.
>
> Recently, we noticed that keycloak continuously threw exceptions when the user federation PostgreSQL database did a Multi-AZ region failover, and became unusable. The exception snippet is attached below. I have searched around, but didn't find the answer.
>
> This is our keycloak Database configuration:
>
> pool-name="KeycloakDS" enabled="true" use-java-context="true" use-ccm="true">
> jdbc:postgresql://${env.POSTGRES_PORT_5432_TCP_ADDR}:${env.POSTGRES_PORT_5432_TCP_PORT:5432}/${env.POSTGRES_DATABASE:keycloak}
> postgresql
> IdleConnections
> ${env.POSTGRES_USER:keycloak}
> ${env.POSTGRES_PASSWORD:password}
> SELECT 1
> true background-validation>
> 60000
>
> The user federation Database configuration looks like this:
>
> pool-name="IamDS" enabled="true" use-java-context="true" use-ccm="false">
> ${env.IAM_DB_HOST}
> ${env.IAM_DB_TCP_PORT:5432}
> ${env.IAM_DB_DATABASE:iam}
> postgresql
> ${env.IAM_XA_POOL_MIN_SIZE:5}
> ${env.IAM_XA_POOL_MAX_SIZE:100}
> false
> ${env.IAM_POSTGRES_USER:user}
> ${env.IAM_POSTGRES_PASSWORD:password}
> SELECT 1
> true background-validation>
> 60000
>
> The driver is:
>
> org.postgresql.xa.PGXADataSource xa-datasource-class>
>
> I found a page https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/datasource_management, which seems to indicate that exception-sorter is important:
>
> > To configure database connection validation, you specify the validation timing method (when the validation occurs), the validation mechanism (how the validation is performed), and the exception sorter (how exceptions are handled).
>
> Is the exception-sorter the missing configuration? I have tried this change, which seems to "fix" the problem. But by looking at the code, I can't tell how this can solve the problem.
>
> Does anyone know what might be wrong? Thanks a lot for your help!
>
> =====================
>
> The exception snippet is as follows:
>
> 04:44:55,502 INFO [org.keycloak.events] (default task-21) type=CLIENT_LOGIN, realmId=xxxxxxxxxxx, clientId=xxxxxxxxxx, userId=xxxxxxxxxxxx, ipAddress=100.96.4.0, token_id=xxxxxxxxxxxx, grant_type=client_credentials, refresh_token_type=Refresh, refresh_token_id=xxxxxxxxxx, client_auth_method=client-secret, username=xxxxxxxxxxx
> 04:44:55,503 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) SQL Error: 0, SQLState: 08003
> 04:44:55,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
> 04:44:55,503 WARN [com.arjuna.ats.arjuna] (default task-21) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff646043f0:2ee9e692:5b425ae8:2c012df, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@76b2b731 >: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
> at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235)
> at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163)
> at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352)
> at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491)
> at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316)
> at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
> at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
> at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:209)
> at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:220)
> at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:265)
> at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368)
> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
> at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
> at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
> at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
> at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
> at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
> at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
> at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
> at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
> at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
> at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
> at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
> at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
> at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
> at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
> at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
> .....
> Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
> at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
> at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
> at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
> at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
> at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
> at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2980)
> at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3499)
> at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589)
> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463)
> at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
> at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
> at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295)
> at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468)
> at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159)
> ... 72 more
> Caused by: org.postgresql.util.PSQLException: This connection has been closed.
> at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766)
> at org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582)
> at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:757)
> at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:743)
> at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
> ... 85 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
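Joy's question ("is the exception-sorter the missing configuration?") written out as a complete datasource definition. This is an added example, not the configuration from the thread and not anything shipped with Keycloak: it rebuilds the IamDS XA pool from the values quoted above (host, port, database, pool sizes and env var names are kept; the JNDI name is a placeholder) and adds the validation elements that WildFly 11, the container Keycloak 3.4.x runs on, offers for PostgreSQL. The two extension classes are the PostgreSQL checker and sorter from IronJacamar's JDBC adapter; confirm the names against the `org.jboss.ironjacamar.jdbcadapters` module of the installed server before relying on them.

```xml
<!-- standalone-ha.xml, inside <subsystem xmlns="urn:jboss:domain:datasources:5.0"><datasources>.
     Added example, not the thread's configuration: the user-federation XA pool with
     connection validation and an exception sorter. JNDI name is a placeholder. -->
<xa-datasource jndi-name="java:jboss/datasources/IamDS" pool-name="IamDS"
               enabled="true" use-java-context="true" use-ccm="false">
    <xa-datasource-property name="ServerName">${env.IAM_DB_HOST}</xa-datasource-property>
    <xa-datasource-property name="PortNumber">${env.IAM_DB_TCP_PORT:5432}</xa-datasource-property>
    <xa-datasource-property name="DatabaseName">${env.IAM_DB_DATABASE:iam}</xa-datasource-property>
    <driver>postgresql</driver>
    <xa-pool>
        <min-pool-size>${env.IAM_XA_POOL_MIN_SIZE:5}</min-pool-size>
        <max-pool-size>${env.IAM_XA_POOL_MAX_SIZE:100}</max-pool-size>
        <!-- What happens to the *other* pooled connections once one is reported broken.
             FailingConnectionOnly (the default) discards just that one; IdleConnections
             (the KeycloakDS setting in the thread) also drops the idle ones. After an RDS
             Multi-AZ failover every connection in the pool still points at the old primary,
             so flush all of them on the first fatal error. -->
        <flush-strategy>EntirePool</flush-strategy>
    </xa-pool>
    <security>
        <user-name>${env.IAM_POSTGRES_USER}</user-name>
        <!-- No ":password" fallback: an unset secret should fail to resolve at boot,
             not silently connect with a well-known default. -->
        <password>${env.IAM_POSTGRES_PASSWORD}</password>
    </security>
    <validation>
        <!-- Driver-specific liveness check instead of a raw SELECT 1 (check-valid-connection-sql
             would work as well). -->
        <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker"/>
        <!-- Same schedule as in the thread: a pool thread validates idle connections every
             60 s. On its own this leaves a window of up to 60 s in which a connection that
             died after the last pass is still handed to Keycloak; validate-on-match is the
             per-checkout alternative if that window is unacceptable. -->
        <background-validation>true</background-validation>
        <background-validation-millis>60000</background-validation-millis>
        <!-- The missing piece. When a statement fails, the pool asks the sorter whether the
             SQLException is fatal for the connection (rather than a bad query). The PostgreSQL
             sorter answers yes for SQLState class 08 (connection exceptions), which is where
             the 08003 from the log falls, so that connection is destroyed instead of being
             returned to the pool and handed out again on the next request. -->
        <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter"/>
    </validation>
</xa-datasource>
```

The same `<exception-sorter>` and `<flush-strategy>` belong on the KeycloakDS pool too; nothing about the failover is specific to the federation database. The practical effect of the sorter is what Joy observed: without it, the first validation pass after the failover is the earliest point at which the pool notices the dead connections, and until then every request that draws one of them (the client_credentials login in the log) fails at transaction commit. With it, each dead connection is thrown away on its first use, and with EntirePool the rest go with it, so the outage is one failed request per node rather than up to a minute of them.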
References: <1533069524.4909.4.camel@acutus.pro> <1533170197.2094.9.camel@acutus.pro>
Message-ID: <1533545823.2394.1.camel@acutus.pro>

Hi Daniel,

Some clarifications on the roles:

> * view-profile - retrieve the user profile (produces json)
> * manage-account - management of the account (produces html, and consumes forms)

http://lists.jboss.org/pipermail/keycloak-dev/2013-November/000678.html

So you can revoke manage-account, but leave view-profile, thus the user will be able to retrieve profile data as JSON. As the next step, you will need to deploy some UI to render that JSON. This could be a simple page, or you can borrow the whole "account" interface and turn it into a r/o version.

Good luck!
Dmitry

On Fri, 2018-08-03 at 00:03 +0200, Daniel Teixeira wrote:
> Hello Dmitry,
> Yes you are completely right:
> For the moment, our requirement is that the user can see but not update the user fields in the account interface.
> I have also tried to remove the role 'manage-account' for the user but keep the role 'view-profile'. But if I do this, the user gets a page that says "We are sorry, no access" if he tries to go to: {keycloakurl}/auth/realms/{realm-name}/account/
> Do you have another suggestion?
> Thanks very much for your help!
> Daniel
>
>
>
> On Thu, Aug 2, 2018 at 2:36 AM, Dmitry Telegin
> wrote:
> > Hi Daniel,
> >
> > On Wed, 2018-08-01 at 11:32 +0200, Daniel Teixeira wrote:
> > > Wonderful, thank you! I should have read the docs better.
> > > Yes you remember correctly Dmitry, I am familiar with creating a custom module now :)
> >
> > You're welcome :)
> >
> > > Thanks for the trick with Firebug Marek. It will be useful in the future :) Actually I tried that trick on the "account" interface, but the "account" interface does not use a REST API, correct?
> >
> > I hope Marek forgives me if I answer on his behalf :) Well, Account actually uses a REST endpoint, but it is not a part of the Admin REST API.
> > The endpoint lives in org.keycloak.services.resources.account.AccountRestService (keycloak-services module), so you can examine it.
> >
> > > For example I don't want the user to update its password / firstName / lastName (because those fields come from LDAP) and I wanted to double-check if commenting / disabling those fields on custom ftl templates is enough or do I need to disable / comment something on the backend as well? On realm settings -> login there is only the option "edit username", but no option for "edit firstName / edit lastName / edit password"....
> >
> > From the AccountRestService code we can deduce that there is no way ATM to selectively disable updating firstName / lastName / password.
> >
> > But do I get it right that you simply want a read-only version of the Account GUI? Then I think there is a solution for your case, let me know.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > >
> > >
> > >
> > > On Tue, Jul 31, 2018 at 10:38 PM, Dmitry Telegin
> > > wrote:
> > > > Hi Daniel,
> > > >
> > > > That's what you can do with federated identities currently:
> > > >
> > > > GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list federated identities configured for the user
> > > > POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - create a new federated identity
> > > > DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - remove federated identity
> > > >
> > > > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363
> > > >
> > > > Updating federated entities with PUT is not supported yet. Feel free to file an RFE in JIRA for that.
> > > >
> > > > Meanwhile, you can implement this missing piece as a custom REST resource and deploy it to your Keycloak. If I remember correctly, you should be already familiar with the process :)
> > > >
> > > > Good luck!
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >
> > > > On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote:
> > > > > I would like to update (and ideally create) the federatedIdentities attribute of a user using the Admin Rest API, but it seems like this does not work / or it is not supported?
> > > > >
> > > > > I am able to update normal user attributes but not the federatedIdentities.
> > > > >
> > > > > Is this a bug or is it supposed to be like this?
> > > > >
> > > > > Is there a different way to do this? (Of course I could do an insert into, in the database, but I would prefer to use the api...). I need to run this for more than 200 users...
> > > > >
> > > > > My code:
> > > > > https://github.com/ddtxra/python-console-keycloak-example/blob/master/admin-rest-api-update-user.py
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > >
> > > --
> > > Daniel Teixeira
> >
> --
> Daniel Teixeira

From dt at acutus.pro Mon Aug 6 05:19:47 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 06 Aug 2018 12:19:47 +0300
Subject: [keycloak-user] Keycloak's deployment design best practices.
In-Reply-To:
References:
Message-ID: <1533547187.2394.3.camel@acutus.pro>

Hi Rafael,

On Thu, 2018-08-02 at 12:38 -0300, Rafael Weingärtner wrote:
> Hello Keycloak community,
>
> Do you happen to know if there is some sort of white paper published online
> where I can find the best practices to deploy Keycloak?

Not that I know of, but I don't think that best practices for deploying Keycloak are much different from those for a generic Java EE application. I mean the choice of DBMS, clustering, replication, load balancing and other general considerations depending on the expected load and requirements for high availability.

Of course deploying an IAM server has its own specifics, but that will mostly depend on your particular case, i.e. organizational structure, number of users, number of applications, user data federation, brokering to external IdPs etc.

See also this discussion and my answer below, this might be helpful:
http://lists.jboss.org/pipermail/keycloak-user/2018-June/014283.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> --
> Rafael Weingärtner

From adrien.nowak at sogeti.com Mon Aug 6 05:41:36 2018
From: adrien.nowak at sogeti.com (NOWAK, Adrien)
Date: Mon, 6 Aug 2018 09:41:36 +0000
Subject: [keycloak-user] Keycloak adapter with another OpenID Provider
Message-ID:

Hello,

I'm trying to use OIDC with some applications on JBoss, and I have seen that I can use a Keycloak adapter. But it's not clear for me if this adapter can be used as a Resource Provider, and can be connected to another OpenID Provider than Keycloak; or if the adapter is used to delegate the Resource Provider function to Keycloak.

In fact we already have an OpenID Provider, and we want to know if we can use it with a Keycloak adapter.

Thanks in advance for your help!

Adrien

From dt at acutus.pro Mon Aug 6 05:59:51 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 06 Aug 2018 12:59:51 +0300
Subject: [keycloak-user] Keycloak Login in Main SPA Page
In-Reply-To: <449339E5-340D-4247-B993-428F16B72F2E@conceptpeople.de>
References: <449339E5-340D-4247-B993-428F16B72F2E@conceptpeople.de>
Message-ID: <1533549591.2394.5.camel@acutus.pro>

Hi Philip,

Is it correct that you're presenting the user with native login forms (instead of redirecting to Keycloak), but would like to avoid using direct grant flow at all costs?

I think you could try to emulate implicit flow-based login in an iframe. For that:

1. initiate login process with Keycloak using auth endpoint;
2. Keycloak will respond with a login form, you'll need to parse its "action" attribute;
3. submit the form, retrieve access token from the "code" parameter from the URL.
To watch in detail how the flow works, create a test client (just some dummy app), enable Implicit flow and analyze HTTP conversation in your browser's network console.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-02 at 12:34 +0200, Philip Lysenko wrote:
> Hello. We are evaluating Keycloak/OIDC as an authentication solution. Apart from SSO and Multi-Factor-Authentication, one use-case we have is a carousel of login-forms in our SPA:
>
> User A |  <=>  | User B |  <=>  | User C |
> Passwd |  <=>  | Passwd |  <=>  | Passwd |
>
> We want our users to quickly switch their sessions at a terminal (running our SPA-client). The main challenge here is to integrate the login form in the parent instance instead of redirecting to a new website. Our findings are that this is possible with the "Password"-flow. But since the recommended flow for SPAs is the "Implicit" one (for obvious security reasons), we would prefer that over Password, if the described carousel is possible with it.
>
> For the Implicit flow there is the possibility to do a silent refresh. It utilizes an invisible iframe for the redirect which provides a new token. Is it possible to do the same trick for the initial log-in? I don't see how the refresh is different from the login. The way I get it is that for the refresh you inject the old token in the iframe and it delivers the parent app a new one. For the initial login, why would it not work to provide the iframe with credentials instead and trigger the redirect the same way as the refresh?
>
> Is there any other workaround to implement Implicit? If we have to go with the password flow, what are the implications for our security, considering we utilise HTTPS and XSS-/CSRF-measures? The main problem would be old or infected browsers, no?
> This website here says to use Password flow only for "highly trusted clients": https://auth0.com/docs/api-auth/which-oauth-flow-to-use And we will be the only ones writing client code, so is Password A-OK for us?
>
> Thank you and Regards, Phil
>
> - - - - - - - - - - - - -
> ConceptPeople consulting gmbh
>
> Philip Lysenko
> Lead-Developer
>
> ConceptPeople consulting gmbh
> Yokohamastraße 2
> 20457 Hamburg
>
> Tel: 040 - 605 33 83 53
> Fax: 040 - 605 33 83 99
> www.conceptpeople.de
>
> Managing directors:
> Bjarne Jansen, Andreas Rother
> Tax no: 46/712/02908
> VAT ID: DE219814648
> Register court:
> Hamburg, HRB 82938
>

From dt at acutus.pro Mon Aug 6 06:09:55 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 06 Aug 2018 13:09:55 +0300
Subject: [keycloak-user] Keycloak running on different domain than application
In-Reply-To:
References:
Message-ID: <1533550195.2394.7.camel@acutus.pro>

Hi Jan,

Having Keycloak and secured apps on different domains is a pretty common situation.

1. Are you using OpenID Connect or SAML?
2. Could you please share your adapter config? (scrubbing sensitive info, if any)
3. Is your domain 1 application accessible from the extranet? Could you give an URL? (you can respond with a private mail if you don't want to expose it)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-02 at 10:48 +0200, Jan Babel wrote:
> Hi guys
> Sorry for long question. Maybe it's silly but I have this problem. I
> have JBOSS *application* deployed on *domain 1* and *Keycloak* on
> *domain 2*.
> Both domains are publicly accessible. During the redirection from application
> to Keycloak, the redirect url consists of the internal name of the domain 1.
> Of course the flow works for me, because I have set proxy on my computer so
> it can resolve the internal name and redirection happened and I am
> successfully logged in into the application. But that would not work for
> customers while they have no proxy set up. The application (simple WAR) is
> secured via JBOSS Keycloak Adapter.
> The question is how to tell Keycloak Adapter to *resolve the external name
> of the domain 1* (f.i. www.portal.com) and not internal name (lp01.tda)
> during redirection?
> What I tried:
> * change etc/host to bind IP address to external name (works only on my
> local machine)
> * start JBOSS with application with -b parameter (works locally but not in
> Red Hat Linux)
> * put Apache Balancer between Application and Keycloak and do URL rewriting
> rule (redirect URL is rewritten (lp01.tda replaced by www.portal.com) but
> redirect back from Keycloak to Application failed saying incorrect
> redirect_uri.. probably Keycloak Adapter checks the state variable against
> what comes back from Keycloak and realizes the URL was changed)
> I guess it's a common scenario that Keycloak (we are using RH-SSO 7.2) resides
> in a different domain than the applications it secures, but I can't figure out
> how to do that.
> Many thanks in advance.
>

From dt at acutus.pro Mon Aug 6 06:54:59 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 06 Aug 2018 13:54:59 +0300
Subject: [keycloak-user] How to add executions to a flow?
In-Reply-To: <20180802075149.GA27081@oxygen>
References: <20180802075149.GA27081@oxygen>
Message-ID: <1533552899.2394.9.camel@acutus.pro>

Hi Julien,

Executions are added to the flow in a bit different way. You need to use another endpoint and add executions one by one.
Try the following:

    ./kcadm.sh create authentication/flows/foo/executions/execution -f create.json

with:

    { "provider" : "idp-create-user-if-unique" }

The "provider" attribute is the only mandatory one (NB it's "provider", not "providerId"). This will respond with "Created new execution with id '...'", and you will need to parse the ID.

The execution will be created as disabled by default. To enable it, use "kcadm.sh update":

    ./kcadm.sh update authentication/flows/foo/executions -f update.json

with:

    {
      "id" : "",
      "requirement" : "ALTERNATIVE",
      "displayName" : "Create User If Unique",
      "requirementChoices" : [ "ALTERNATIVE", "REQUIRED", "DISABLED" ],
      "configurable" : true,
      "providerId" : "idp-create-user-if-unique",
      "level" : 0,
      "index" : 0
    }

BTW the best way to discover how to create things with kcadm is to open Keycloak admin console in the browser, open Network console (F12 -> Network), perform the desired actions and analyze payloads that the GUI sends to the REST backend.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-02 at 09:51 +0200, Julien Pivotto wrote:
> -- PART 0 --
>
> When I run:
> ./bin/kcadm.sh create authentication/flows -r foo -f test.json
>
> with:
> {
>   "id" : "testtest2",
>   "alias" : "first broker login without review 2",
>   "description" : "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
>   "providerId" : "basic-flow",
>   "topLevel" : true,
>   "builtIn" : false,
>   "authenticationExecutions" : [ {
>     "authenticator" : "idp-create-user-if-unique",
>     "requirement" : "ALTERNATIVE",
>     "priority" : 20,
>     "userSetupAllowed" : false,
>     "autheticatorFlow" : false
>   } ]
> }
>
> Then the authenticationExecutions is discarded and the flow has no execution.
>
> -- PART 1 --
>
> When I run:
> ./bin/kcadm.sh create authentication/flows/first%20broker%20login%20without%20review/executions -r foo -f test.json
>
> with:
>
> [ {
>   "id" : "c0f4ae10-7e26-4566-a113-b1235920f69a",
>   "requirement" : "ALTERNATIVE",
>   "displayName" : "Create User If Unique",
>   "requirementChoices" : [ "ALTERNATIVE", "REQUIRED", "DISABLED" ],
>   "configurable" : true,
>   "providerId" : "idp-create-user-if-unique",
>   "level" : 0,
>   "index" : 0
> }, {
>   "id" : "31882673-e8fc-4b24-8e11-4dd400acb9c7",
>   "requirement" : "ALTERNATIVE",
>   "displayName" : "Link IDP Login",
>   "requirementChoices" : [ "ALTERNATIVE", "DISABLED" ],
>   "configurable" : false,
>   "providerId" : "link-idp-login-authenticator",
>   "level" : 0,
>   "index" : 1
> } ]
>
> I get a 500
>
> 09:36:47,808 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-2) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation out of START_ARRAY token
>  at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 41d5dda8; line: 1, column: 1]
>         at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
>         at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234)
>         at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122)
>         at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075)
>         at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromArray(BeanDeserializerBase.java:1371)
>         at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:174)
>         at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:150)
>         at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1583)
>         at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:964)
>         at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:134)
>         at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66)
>         at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:61)
>         at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56)
>         at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:36)
>         at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:59)
>         at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
>         at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:92)
>
>
> -- THEREFORE --
>
> How can I create a flow with executions with the cli?
>

From rafaelweingartner at gmail.com Mon Aug 6 07:22:23 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Mon, 6 Aug 2018 08:22:23 -0300
Subject: [keycloak-user] Keycloak's deployment design best practices.
In-Reply-To: <1533547187.2394.3.camel@acutus.pro>
References: <1533547187.2394.3.camel@acutus.pro>
Message-ID:

That is what I had in mind. Thanks for the feedback.

On Mon, Aug 6, 2018 at 6:19 AM, Dmitry Telegin
wrote:

--
Rafael Weingärtner

From dt at acutus.pro Mon Aug 6 07:41:09 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 06 Aug 2018 14:41:09 +0300
Subject: [keycloak-user] AUTH_SESSION_ID
In-Reply-To:
References: <1533167404.2094.1.camel@acutus.pro>
Message-ID: <1533555669.13393.1.camel@acutus.pro>

Hi Priti,

Seems like AUTH_SESSION_ID is something internal to Keycloak and is not passed by default to the target web application. However, there are at least two ways to retrieve it:

1. using Account REST API;
2. by including it into the JWT token using e.g. Script Mapper.

Good luck!
Dmitry

On Thu, 2018-08-02 at 10:53 +0530, priti guleria wrote:
> Thanks for your help Dmitry.
>
> Here is the setup:
> - java ee application running on wildfly 10
> - keycloak 3.4.3
> - keycloak-wildfly adapter
>
>
> On Thu, Aug 2, 2018 at 5:20 AM Dmitry Telegin
> wrote:
> > Hi Priti,
> >
> > What's your setup? What kind of application is it, what Keycloak
> > adapter do you use?
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Wed, 2018-08-01 at 23:41 +0530, priti guleria wrote:
> > > Hi All,
> > >
> > > Can anyone help me with how to get AUTH_SESSION_ID from Keycloak?
> > >
> > > Thanks in advance.
> > >
> > >
> > > Priti
> >

From roidelapluie at inuits.eu Mon Aug 6 08:00:28 2018
From: roidelapluie at inuits.eu (Julien Pivotto)
Date: Mon, 6 Aug 2018 14:00:28 +0200
Subject: [keycloak-user] How to add executions to a flow?
In-Reply-To: <1533552899.2394.9.camel@acutus.pro>
References: <20180802075149.GA27081@oxygen> <1533552899.2394.9.camel@acutus.pro>
Message-ID: <20180806120028.GA25610@oxygen>

On 06 Aug 13:54, Dmitry Telegin wrote:
> Hi Julien,
>

Hi Dmitry, thank you, that is really helpful!

--
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu

From dt at acutus.pro Mon Aug 6 08:52:23 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 06 Aug 2018 15:52:23 +0300
Subject: [keycloak-user] Implicit flow between two (or more) keycloak instances
In-Reply-To:
References:
Message-ID: <1533559943.13393.3.camel@acutus.pro>

Hi Yann,

Is there no connectivity between Keycloaks at all, or is it only one-way? A diagram would be helpful I think. Which adapter do you use?
Could you try enabling *both* Standard and Implicit flows for the client? This will result in an access token returned as a "code" query parameter in response to "response_type=code".

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-07-31 at 08:26 +0000, Yann Jouanin wrote:
> Hello community,
>
> Has anybody a clue on this topic?
>
> Best regards,
>
> Yann
>
> > I am currently trying to use implicit flow between two keycloak instances.
> > My setup is:
> > We have one keycloak used in our cloud and one on customer premise,
> > federating the customer's ldap.
> >
> > Because there is no network connectivity between both the keycloak
> > instances I want to use the implicit flow so the customer accesses our service
> > in cloud, gets redirected to our keycloak instance for login and then has the
> > option to use its on premise instance configured as an OIDC identity provider.
> > The setup works in a lab with standard flow, but with implicit flow, I get an
> > error message "Standard flow is disabled for the client"
> >
> > Is implicit flow usable in this case?
> >
> > Best regards,
> > Yann Jouanin
> >
>

From uo67113 at gmail.com Mon Aug 6 12:15:55 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 6 Aug 2018 18:15:55 +0200
Subject: [keycloak-user] Keycloak Java Servlet Filter Adapter.
In-Reply-To:
References:
Message-ID:

Answering to my own question: The init-param "keycloak.config.file" will do the trick for me!
And for the keystore [1] in the keycloak-saml-adapter just use the "file" attribute instead of the "resource" one.

I could not see the forest but the trees, sorry...

Cheers,

Luis

2018-03-20 15:52 GMT+01:00 Luis Rodríguez Fernández:
> Hello there,
>
> I am using the java servlet filter adapter (http://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter) in
> apache-tomcat 9 and it works like a charm, thanks! The filter class
> is org.keycloak.adapters.saml.servlet.SamlFilter
>
> I would like to fully externalize the keycloak configuration from the
> deployed applications. I know that I can set the keycloak config file via
> the filter config param keycloak.config.file, to some external path like
> /usr/local/my-keycloak-saml.xml, brilliant!
>
> On the other hand the SamlFilter (https://github.com/keycloak/keycloak/blob/master/adapters/saml/servlet-filter/src/main/java/org/keycloak/adapters/saml/servlet/SamlFilter.java)
> looks for the keystores inside of the application context: usually
> something like /WEB-INF/my-keystore.jks. This is due to the implementation of
> the ResourceLoader.getResourceAsStream(String resource) function. It
> looks like something like this:
>
>     ResourceLoader loader = new ResourceLoader() {
>         @Override
>         public InputStream getResourceAsStream(String resource) {
>             // Resolves relative to the web application's context root only
>             return filterConfig.getServletContext().getResourceAsStream(resource);
>         }
>     };
>
> In ServletContext.getResourceAsStream(java.lang.String path) the path
> param must begin with a "/" and it is interpreted as relative to the
> current context root. I would be in favor of having the possibility of
> externalizing this resource, perhaps having something like:
>
>     // First try the original one
>     InputStream is = filterConfig.getServletContext().getResourceAsStream(resource);
>     if (is == null) {
>         // Try with an external one (resource taken as a filesystem path)
>         try {
>             is = new FileInputStream(resource);
>         } catch (FileNotFoundException e) {
>             throw new RuntimeException(e);
>         }
>     }
>
> Any thoughts on this?
>
> Thanks in advance,
>
> Luis
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>

--

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett

From ddtxra at gmail.com Mon Aug 6 16:05:58 2018
From: ddtxra at gmail.com (Daniel Teixeira)
Date: Mon, 6 Aug 2018 22:05:58 +0200
Subject: [keycloak-user] Keycloak Admin REST API not updating user.federatedIdentities attribute
In-Reply-To: <1533545823.2394.1.camel@acutus.pro>
References: <1533069524.4909.4.camel@acutus.pro> <1533170197.2094.9.camel@acutus.pro> <1533545823.2394.1.camel@acutus.pro>
Message-ID:

Thanks again for your help Dmitry!

On Mon, Aug 6, 2018 at 10:57 AM, Dmitry Telegin
wrote:
> Hi Daniel,
>
> Some clarifications on the roles:
>
> > * view-profile - retrieve the user profile (produces json)
> > * manage-account - manage the account (produces html, and consumes forms)
>
> http://lists.jboss.org/pipermail/keycloak-dev/2013-November/000678.html
>
> So you can revoke manage-account, but leave view-profile, thus the user
> will be able to retrieve profile data as JSON.
>
> As the next step, you will need to deploy some UI to render that JSON.
> This could be a simple page, or you can borrow the whole "account"
> interface and turn it into a r/o version.
>
> Good luck!
> Dmitry
>
> On Fri, 2018-08-03 at 00:03 +0200, Daniel Teixeira wrote:
> > Hello Dmitry,
> >
> > Yes you are completely right:
> >
> > For the moment, our requirement is that the user can see but not
> > update the user fields in the account interface.
> >
> > I have also tried to remove the role 'manage-account' for the user but
> > keep the role 'view-profile'. But if I do this, the user gets a page that
> > says "We are sorry, no access" if he tries to go to:
> > {keycloakurl}/auth/realms/{realm-name}/account/
> >
> > Do you have another suggestion?
> >
> > Thanks very much for your help!
> >
> > Daniel
> >
> >
> > On Thu, Aug 2, 2018 at 2:36 AM, Dmitry Telegin
> > wrote:
> >
> > > > --
> > > > Daniel Teixeira
> >
> > --
> > Daniel Teixeira
>
--
Daniel Teixeira

From Kevin.Fox at pnnl.gov Mon Aug 6 17:02:03 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Mon, 6 Aug 2018 21:02:03 +0000
Subject: [keycloak-user] Kubernetes integration
Message-ID: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov>

Question regarding using KeyCloak and Kubernetes. Kubernetes only supports one ClientID. If you are supporting both the cli and the web ui, in Dex or Google you setup two clients, one for the website, and one for the cli. You mark the cli a Public Client, and you establish a trust between the website client and the cli. In either case then, the token passed to Kubernetes is for the same client.

What is the recommended way of doing something like this with KeyCloak? I see a Public Client option, but I don't see a way to establish the trust between clients.

Thanks,
Kevin

From dean.wyns at aptus.be Tue Aug 7 02:52:36 2018
From: dean.wyns at aptus.be (Wyns Dean)
Date: Tue, 7 Aug 2018 06:52:36 +0000
Subject: [keycloak-user] FW: Access control and client setup
In-Reply-To:
References:
Message-ID:

Hi Pedro

Thanks, that has clarified a lot already. There are still some things that we're a bit uncertain about.

1.
Can you restrict scopes to certain roles? Like for example the OAuth client requests scope "item:read item:delete", but the authenticated user only has the role to view items. So I would expect the resulting scope in the access token to be "item:view", but Keycloak always seems to put the requested scope in the access token (+ the default client scopes). I understand that Keycloak uses scope to limit the role mappings that get assigned to the access token. I'm just wondering if we could use the scope as "permissions granted" if we could restrict it (just like Auth0, where they limit the scope according to the user's permissions and the server checks the scope).

2. Is it possible to remove/hide the "resource_access" and/or "realm_access" claims from the access token?

3. Is it possible to add a custom claim "permissions" to the token which is the list of the user's roles (with a script protocol mapper maybe?)

4. What is the recommended way to model simple authorization? Still not really sure which way to go. The API is just a simple CRUD for some models (items, item types, ...), and each model has a permission/role for each action (create, read, update, delete). Would you go with authorization based on OAuth scopes (client scopes) or with the authorization model that Keycloak provides? We don't really need the fine-grained permissions yet, so I'd say we'd go with the client scopes.

Thanks a lot!

Kind regards
Dean

From: Pedro Igor Silva
Sent: Monday 30 July 2018 17:52
To: Wyns Dean
CC: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] FW: Access control and client setup

On Mon, Jul 30, 2018 at 10:43 AM, Wyns Dean wrote:

Hi Pedro

Thanks for your answer. So the idea is to create one client for the API, let's call it "my-api" with authorization enabled and the resources/scopes/permissions like you described previously. And I'll create another (public) client for the SPA, "my-app".
If users authenticate against my-app using the implicit flow, how can I link the scopes associated with the resources of my-api and have them follow the permissions that are defined on my-api? Do I have to add the scopes as optional "Client Scopes" so they are shared? The problem then is that they don't show up under the Authorization tab of my-api, only the Authorization Scopes do. Or should authorization be enabled for my-app as well? Client Scopes and Authorization tabs are different features. The first provides an authorization model based on OAuth2 scopes, where scopes may map to one or more claims inside your token or even restrict the roles you send in the token. They are also related with user consent. The Authorization provides you the necessary means to setup resource-based permissions using different access control mechanisms. It also provides privacy based on user-managed access. I would like the backend to purely check on the scope associated with the access token, by looking at the scope claim. There doesn't seem to ever be a permissions claim in my tests, I only get the "resource_access" claim but that only contains the roles, which I don't need in the backend. Are these scopes a result of user consent ? Or do you need more fine-grained control and externalize authorization from my-api ? Are you using a specific Keycloak adapter ? (wildfly, spring, etc) Sorry if I'm being unclear. Your help is highly appreciated! Dean Van: Pedro Igor Silva > Verzonden: donderdag 26 juli 2018 14:00 Aan: Wyns Dean > CC: keycloak-user at lists.jboss.org Onderwerp: Re: [keycloak-user] FW: Access control and client setup On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean > wrote: Hi I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things. We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow.
The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all. Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions: - create:item - read:item - update:item - delete:item Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes. Ideally, you should define your authorization settings based on your model. So if you have a resource "Item", which is a protected resource in your API you should have an "Item Resource" in Keycloak. The actions/methods create, read, update and delete can be scopes associated with your "Item" resource. Once you have your item resource and scopes, you can define permissions that govern access for the resource itself or for each scope individually. All depends on how you create those permissions (resource vs scope permissions) and policies associated with them. The backend could just decode the token and check for the "permissions" claim. Or you can also query the Keycloak server on every request to obtain a decision. Also, in a SPA + API set-up, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scope from the access token by decoding it. I would say you should have two clients representing both applications. They have different requirements and are really different things. Your SPA is probably a regular public client while your API is a resource server.
Thanks for any feedback Kind regards Dean _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From xiaochuannan at foxmail.com Tue Aug 7 05:31:18 2018 From: xiaochuannan at foxmail.com (Chuannan Xiao) Date: Tue, 7 Aug 2018 17:31:18 +0800 Subject: [keycloak-user] OOM Error "unable to create new native thread" when keycloak auth Message-ID: Hello All, When keycloak runs for a while, usually a few days, it will report an error. As follows: 2018-08-01 09:01:08,851 ERROR [io.undertow.request] (default I/O-47) UT005071: Undertow request failed HttpServerExchange{ GET /auth/realms/tenant/protocol/openid-connect/auth request {Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8], Accept-Language=[zh-CN,zh;q=0.9], Accept-Encoding=[gzip, deflate], User-Agent=[Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36], Connection=[keep-alive], Cookie=[AUTH_SESSION_ID=f41059dc-8814-4436-8a8a-40673695da64.10-110-13-175; KEYCLOAK_SESSION=tenant/e57bacd7-0171-418a-b08b-8177b33ce10a/f41059dc-8814-4436-8a8a-40673695da64; KEYCLOAK_IDENTITY=eyJhbGciOiJIUzI1NiIsImtpZCIgOiAiY2E2OGY2MD; msa=1520826256045_910_1], Referer=[http://10.110.13.180/portal/?realm=tenant], Upgrade-Insecure-Requests=[1], Host=[10.110.13.175:9080]} response {}}: java.lang.OutOfMemoryError: unable to create new native thread at java.lang.Thread.start0(Native Method) at java.lang.Thread.start(Thread.java:714) at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:950) at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1357) at org.xnio.XnioWorker.execute(XnioWorker.java:797) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:343) at
io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:254) at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:136) at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:59) at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89) at org.xnio.nio.WorkerThread.run(WorkerThread.java:571) Would you tell me the solution? Thanks. Chuannan From psilva at redhat.com Tue Aug 7 07:59:55 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 7 Aug 2018 08:59:55 -0300 Subject: [keycloak-user] Kubernetes integration In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov> References: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov> Message-ID: On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M wrote: > Question regarding using KeyCloak and Kubernetes. > > Kubernetes only supports one ClientID. If you are supporting both the cli > and the web ui, in Dex or Google you setup two clients, one for the > website, and one for the cli. you mark the cli a Public Client, and you > establish a trust between the website client and the cli. In either case > then, the token passed to Kubernetes is for the same client. > > What is the recommended way of doing something like this with KeyCloak? I > see a Public Client option, but I don't see a way to establish the trust > between clients. > We have a token exchange [1] endpoint which can be used to exchange tokens from one client to another. The way Kubernetes supports OIDC is really tricky because API server expects an ID Token and not an OAuth2 Access Token (with no support for token introspection in case tokens are opaque and not JWTs).
As you pointed out, API server supports a single client id thus you would need the cli to use the same client configured to API server or use token exchange. [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange > > Thanks, > Kevin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From dt at acutus.pro Tue Aug 7 09:08:28 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 07 Aug 2018 16:08:28 +0300 Subject: [keycloak-user] Is keycloak the tool I'm looking for? selective AD user sync In-Reply-To: <91e80618fc3dc0c8f5965a29a64b8d012680d912.camel@gmail.com> References: <91e80618fc3dc0c8f5965a29a64b8d012680d912.camel@gmail.com> Message-ID: <1533647308.8451.4.camel@acutus.pro> Hi Francesco, sorry for late response, Well, seems you've got quite a soup of different applications, and bringing Keycloak in control of *all* of them may be quite challenging. First, you'll need to understand what Keycloak is and what it is not. Keycloak is an SSO (Single Sign-On) and IAM (Identity and Access Management) solution intended for securing web applications (but not limited to them). This is done with the help of OpenID Connect and SAML protocols. So the first question you'll need to answer is: which applications already support this, or could support with minimal efforts? I think that Redmine and NextCloud fall into this category. OIDC/SAML enabling is usually done by the means of some adapters/plugins/extensions, or whatever this might be called in the target app's terms. So this should become number one on your list. AD integration is completely different stuff. This is called user federation, and its purpose is to combine several external user data sources into a single, unified virtual one. AFAIK, there is no OOTB mechanism to define which external AD the newly created user should go to.
But what we love about Keycloak is its ultimate extensibility, so I wouldn't rule out the possibility of implementing this with the help of an extension. GSuite, in its turn, is completely standalone here. AFAIK it supports only Google's authentication, and doesn't allow delegating it to 3rd party services (or does it?) One of the possible variants is using Okta, but it: 1) actually works as a password manager, 2) installs a browser plugin, 3) requires commercial subscription. Hope this helps, and good luck with Keycloak! Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-07-24 at 14:15 +0200, jlord87 at gmail.com wrote: > Hello guys, > > I'm really new to keycloak and I need your help to understand if this > is what I'm really looking for; > I am the IT administrator in a non-profit environment, managing servers > and services for several non-profit organization. > > What I'm trying to achieve is the centralization of the authentication > and authorization process: every user should just have one password and > one "username". > The difficult part is that the environment I work in is really "fluid": > there are a lot of person working or volunteering in one or more > different organization. Every organization has its own active directory > server (to manage desktop authentication and some CIFS share), its own > gsuite (for emails) and at the same time, there are services shared by > all (or some) of these organization (like a redmine ticketing system, > nextcloud file server and so on). > > What I'm dreaming of is to manage everything from a single software (I > tried gluu but it had some annual fees we cannot afford to pay): I > would like to create an user (something like name.surname) and add to > this user "permissions", something like "user1 should be able to access > gsuite 1, gsuite2, nextcloud and active directory 1".
> I've uploaded a scheme in this pdf: > https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg > > Do you think keycloak is capable of this? I played around a bit, read a > lot of documentation and what I wasn't able to achieve was a selective > active directory user sync... > Maybe my error was trying to do everything in the same realm, what do > you think about it? > > Thank you for any hint > > Francesco > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From hfuss at bandwidth.com Tue Aug 7 09:21:38 2018 From: hfuss at bandwidth.com (Hayden Fuss) Date: Tue, 7 Aug 2018 09:21:38 -0400 Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache Message-ID: Hello, We are attempting to run Keycloak on two OpenShift clusters using remote ISPNs and a single MariaDB instance. We're hacking together the Keycloak on Openshift blogpost, the JDG-as-a-service demo from Summit, RH SSO demo from Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC replication. The hope is to do an initial evaluation of Keycloak's availability. We were able to create a new user on master (site1), disable the user on master2 (site2), and see the user was disabled on master. So ISPN replication seems to be working because the work cache was replicated to invalidate the local caches. However, the sessions cache does not seem to be replicated because when logged in as the same user on the two different Keycloaks (in Incognito mode) there is only one active session shown on both UIs and the timestamp/IP/etc is different for the listed session. We are using the latest, stable Keycloak image, version 4.1.0.Final, and the latest, stable Infinispan image to act as our data grid, version 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for its local caches.
We were trying one Keycloak node and two ISPN nodes in each cluster, but for simplicity we've attached logs where we only ran one Keycloak and one ISPN in each cluster. We were connecting to the two different Keycloaks via two different OpenShift Routes without a load balancer to fake sticky sessions for now. Keycloak connects to ISPN via a "HotRod" Service. ISPN connects to other nodes within the same cluster via KUBE_PING, and discovers the other cluster via TCPPING hitting a particular OpenShift app node from that cluster that exposes the "discovery" Service with a NodePort. The Keycloaks share the single MariaDB through a NodePort Service in one of the clusters as well. The logs didn't seem to contain any of the messages in the troubleshooting guide. We had trouble using JMX to check the ISPNs because they were running in containers, but we've been using the CLI tool and the Infinispan management console to try to troubleshoot, but any key we pulled from the logs that we thought was a session ID was not in the caches and we could not find a way to simply list all keys in the caches. Below is a viewable link to a zip containing logs from the scenario described in the second paragraph, and our config files. https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4 Thanks for your time and help! Best, Hayden From ntle at castortech.com Tue Aug 7 10:34:27 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Tue, 7 Aug 2018 10:34:27 -0400 Subject: [keycloak-user] how to protect servlet deployed as OSGI service in pax-web-jetty? Message-ID: Hello, We are using Felix OSGI container with pax-web-jetty to run our servlets. Can I use keycloak to protect my servlet deployed as OSGI service? If yes is there a documentation on how to config?
Thai Le From psilva at redhat.com Tue Aug 7 10:58:11 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 7 Aug 2018 11:58:11 -0300 Subject: [keycloak-user] FW: Access control and client setup In-Reply-To: References: Message-ID: On Tue, Aug 7, 2018 at 3:52 AM, Wyns Dean wrote: > Hi Pedro > > > > Thanks, that has clarified a lot already. > > > > There are still some things that we're a bit uncertain about. > > > > 1. Can you restrict scopes to certain roles? Like for example the > OAuth client requests scope "item:read item:delete", but the authenticated > user only has the role to view items. So I would expect the resulting scope > in the access token to be "item:view", but Keycloak always seems to put the > requested scope in the access token (+ the default client scopes). I > understand that Keycloak uses scope to limit the role mappings that get > assigned to the access token. I'm just wondering if we could use the scope > as "permissions granted" if we could restrict it (just like Auth0, where > they limit the scope according to the user's permissions and the server > checks the scope). > > AFAIK, with client scopes you are allowed to restrict roles based on scopes not the inverse. But I think we can also support this. Could you create an RFE? > > 1. Is it possible to remove/hide the "resource_access" and/or > "realm_access" claims from the access token? Is it possible to add a > custom claim "permissions" to the token which is the list of the user's > roles (with a script protocol mapper maybe?) > > You could create a script mapper to your client with a code similar to the following: token.setRealmAccess(null); The same goes to "resource_access" (client scopes): token.setResourceAccess(null); One of the problems using a script mapper is performance. Depending on how many calls you have to the token endpoint it may take more time to issue tokens because of the processing of the JS code. There is also the ProtocolMapper SPI. But it is a private SPI.
There is this JIRA [1] tracking this too. [1] https://issues.jboss.org/browse/KEYCLOAK-3455 and https://issues.jboss.org/browse/KEYCLOAK-6884 > > 1. What is the recommended way to model simple authorization? Still > not really sure which way to go. > The API is just a simple CRUD for some models (items, item types, ...), > and each model has a permission/role for each action (create, read, update, > delete). Would you go with authorization based on OAuth scopes (client > scopes) or with the authorization model that Keycloak provides? We don't > really need the fine-grained permissions yet, so I'd say we'd go with the > client scopes. > > I think your use case fits better with the authorization services model. It should be a very simple setup: * Create an "Item" resource * Create "view" and "delete" scopes and associate them to the resource * Create two role policies for each role you want to restrict (supposing each role grants access to a specific scope). Our model allows you to reuse policies across different permissions, you might want to reuse these two to define permissions to other resources. * Create a permission linking each scope with the corresponding role policy You could even have a single JS policy (instead of two role policies) where you programmatically check if the user is granted a role that has access to any of these scopes.
From your application, you could enforce access based on permissions by: * Ask the server for permissions when a request arrives to your application * Force your clients to obtain first a token with permissions so your app just needs to check the token and the permissions that were granted There are some advantages in this model: * You have a better representation of the resources and scopes you are protecting as they are being managed by Keycloak * Although this is not what you need at the moment, you also have more flexibility to use different access control mechanisms as well as adapt to changes in your requirements faster * Access control is based on the resources you are protecting (and their actions) instead of individual roles or single scopes * if your application is obtaining decisions from server for each request, you may grant/deny permissions without having to obtain a new token Hope it helps. > > > Thanks a lot! > > > > Kind regards > > Dean > > > > *Van:* Pedro Igor Silva > *Verzonden:* Monday 30 July 2018 17:52 > > *Aan:* Wyns Dean > *CC:* keycloak-user at lists.jboss.org > *Onderwerp:* Re: [keycloak-user] FW: Access control and client setup > > > > On Mon, Jul 30, 2018 at 10:43 AM, Wyns Dean wrote: > > Hi Pedro > > > > Thanks for your answer. > > > > So the idea is to create one client for the API, let's call it "my-api" > with authorization enabled and the resources/scopes/permissions like you > described previously. And I'll create another (public) client for the SPA, > "my-app". > > > > If users authenticate against my-app using the implicit flow, how can I > link the scopes associated with the resources of my-api and have them > follow the permissions that are defined on my-api? Do I have to add the > scopes as optional "Client Scopes" so they are shared? The problem then is > that they don't show up under the Authorization tab of my-api, only the > Authorization Scopes do. Or should authorization be enabled for my-app as > well?
> > > > Client Scopes and Authorization tabs are different features. The first > provides an authorization model based on OAuth2 scopes, where scopes may > map to one or more claims inside your token or even restrict the roles you > send in the token. They are also related with user consent. > > > > The Authorization provides you the necessary means to setup resource-based > permissions using different access control mechanisms. It also provides > privacy based on user-managed access. > > > > > > I would like the backend to purely check on the scope associated with the > access token, by looking at the scope claim. There doesn't seem to ever be > a permissions claim in my tests, I only get the "resource_access" claim but > that only contains the roles, which I don't need in the backend. > > > > Are these scopes a result of user consent ? Or do you need more > fine-grained control and externalize authorization from my-api ? > > > > Are you using a specific Keycloak adapter ? (wildfly, spring, etc) > > > > > > Sorry if I'm being unclear. > > > > Your help is highly appreciated! > > Dean > > > > *Van:* Pedro Igor Silva > *Verzonden:* donderdag 26 juli 2018 14:00 > *Aan:* Wyns Dean > *CC:* keycloak-user at lists.jboss.org > *Onderwerp:* Re: [keycloak-user] FW: Access control and client setup > > > > > > > > On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean wrote: > > Hi > > I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but > I can't seem to wrap my head around some things. > > We want to separate our APIs from the IAM. The sole purpose of Keycloak is > to provide an identity and access token, primarily using the implicit flow. > The client-side application (usually SPAs) uses the access token in all API > calls and the resource server checks the signature of the access token but > does not access Keycloak at all. > > Each backend has a few operations, and each operation gets its own > "permission".
For example one API can manage "items", so there are four > permissions: > - create:item > - read:item > - update:item > - delete:item > > Is it best practice with Keycloak to model these permissions as scopes? > And then use roles/permissions/policies to limit the scope of the user? The > backend can then just decode the access token and read the granted scopes. > > > > Ideally, you should define your authorization settings based on your > model. So if you have a resource "Item", which is a protected resource in > your API you should have an "Item Resource" in Keycloak. The actions/methods > create, read, update and delete can be scopes associated with your "Item" > resource. > > > > Once you have your item resource and scopes, you can define permissions > that govern access for the resource itself or for each scope individually. > All depends on how you create those permissions (resource vs scope > permissions) and policies associated with them. > > > > The backend could just decode the token and check for the "permissions" > claim. Or you can also query the Keycloak server on every request to obtain > a decision. > > > > > Also, in a SPA + API set-up, do I create two clients in Keycloak, one for > each? This is only useful when the API needs resource protection, right? I > guess in my case I only need one client for the SPA because the API only > needs the scope from the access token by decoding it. > > > > I would say you should have two clients representing both applications. > They have different requirements and are really different things. Your SPA > is probably a regular public client while your API is a resource server.
> > > > > Thanks for any feedback > > Kind regards > Dean > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From tdockendorf at osc.edu Tue Aug 7 11:10:57 2018 From: tdockendorf at osc.edu (Dockendorf, Trey) Date: Tue, 7 Aug 2018 15:10:57 +0000 Subject: [keycloak-user] Version API endpoint removed in 4.2.1? Message-ID: <223948DB-C051-40A6-A823-A52553F69D77@osc.edu> I updated a test node to 4.2.1 from 3.4.2 and notice /auth/version no longer works. I use this endpoint with Nagios to check Keycloak is booted. Is this removal expected and if so is there a viable alternative in 4.2.1? I need something that requires no authentication. 4.2.1: $ curl http://localhost:8080/auth/version $ 3.4.2: $ curl http://localhost:8080/auth/version {"version":"3.4.2.Final","build-time":"2017-12-21 12:57"} -- Trey Dockendorf HPC Systems Engineer Ohio Supercomputer Center From dt at acutus.pro Tue Aug 7 12:01:55 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 07 Aug 2018 19:01:55 +0300 Subject: [keycloak-user] how to protect servlet deployed as OSGI service in pax-web-jetty? In-Reply-To: References: Message-ID: <1533657715.12011.1.camel@acutus.pro> Hello Thai Le, This is tracked under this PR: https://github.com/keycloak/keycloak/pull/5383 I hope to have it completed by this evening, so stay tuned. Hopefully this will be included into Keycloak 4.3.0, but you can start using it right away (you'll need to recompile a couple of modules though). Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-08-07 at 10:34 -0400, Nhut Thai Le wrote: > Hello, > > We are using Felix OSGI container with pax-web-jetty to run our servlets. > Can I use keycloak to protect my servlet deployed as OSGI service? 
If yes > is there a documentation on how to config? > > Thai Le > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Kevin.Fox at pnnl.gov Tue Aug 7 12:05:20 2018 From: Kevin.Fox at pnnl.gov (Fox, Kevin M) Date: Tue, 7 Aug 2018 16:05:20 +0000 Subject: [keycloak-user] Kubernetes integration In-Reply-To: References: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov>, Message-ID: <1A3C52DFCD06494D8528644858247BF01C16CEC4@EX10MBOX03.pnnl.gov> Ah, yeah. that looks like it might work. Is there any support for token-exchange in keycloak-proxy? If not, is it something that could easily be added? Thanks, Kevin ________________________________ From: Pedro Igor Silva [psilva at redhat.com] Sent: Tuesday, August 07, 2018 4:59 AM To: Fox, Kevin M Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Kubernetes integration On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M > wrote: Question regarding using KeyCloak and Kubernetes. Kubernetes only supports one ClientID. If you are supporting both the cli and the web ui, in Dex or Google you setup two clients, one for the website, and one for the cli. you mark the cli a Public Client, and you establish a trust between the website client and the cli. In either case then, the token passed to Kubernetes is for the same client. What is the recommended way of doing something like this with KeyCloak? I see a Public Client option, but I don't see a way to establish the trust between clients. We have a token exchange [1] endpoint which can be used to exchange tokens from one client to another. The way Kubernetes supports OIDC is really tricky because API server expects an ID Token and not an OAuth2 Access Token (with no support for token introspection in case tokens are opaque and not JWTs).
As you pointed out, API server supports a single client id thus you would need the cli to use the same client configured to API server or use token exchange. [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange Thanks, Kevin _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Aug 7 13:46:48 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 7 Aug 2018 14:46:48 -0300 Subject: [keycloak-user] Kubernetes integration In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C16CEC4@EX10MBOX03.pnnl.gov> References: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov> <1A3C52DFCD06494D8528644858247BF01C16CEC4@EX10MBOX03.pnnl.gov> Message-ID: AFAIK, no support. It shouldn't be hard to implement, I think you would probably need some config options to define parameters to the authz request. On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M wrote: > Ah, yeah. that looks like it might work. > > Is there any support for token-exchange in keycloak-proxy? If not, is it > something that could easily be added? > > Thanks, > Kevin > ------------------------------ > *From:* Pedro Igor Silva [psilva at redhat.com] > *Sent:* Tuesday, August 07, 2018 4:59 AM > *To:* Fox, Kevin M > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] Kubernetes integration > > > > On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M wrote: > >> Question regarding using KeyCloak and Kubernetes. >> >> Kubernetes only supports one ClientID. If you are supporting both the cli >> and the web ui, in Dex or Google you setup two clients, one for the >> website, and one for the cli. you mark the cli a Public Client, and you >> establish a trust between the website client and the cli. In either case >> then, the token passed to Kubernetes is for the same client. 
>> >> What is the recommended way of doing something like this with KeyCloak? I >> see a Public Client option, but I don't see a way to establish the trust >> between clients. >> > > We have a token exchange [1] endpoint which can be used to exchange tokens > from one client to another. > > The way Kubernetes supports OIDC is really tricky because API server > expects an ID Token and not an OAuth2 Access Token (with no support for > token introspection in case tokens are opaque and not JWTs). As you pointed > out, API server supports a single client id thus you would need the cli to > use the same client configured to API server or use token exchange. > > [1] https://www.keycloak.org/docs/latest/securing_apps/ > index.html#_token-exchange > > >> >> Thanks, >> Kevin >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From Kevin.Fox at pnnl.gov Tue Aug 7 14:02:44 2018 From: Kevin.Fox at pnnl.gov (Fox, Kevin M) Date: Tue, 7 Aug 2018 18:02:44 +0000 Subject: [keycloak-user] Kubernetes integration In-Reply-To: References: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov> <1A3C52DFCD06494D8528644858247BF01C16CEC4@EX10MBOX03.pnnl.gov>, Message-ID: <1A3C52DFCD06494D8528644858247BF01C16CFC6@EX10MBOX03.pnnl.gov> Ok. Is that something the keycloak team would accept if someone were to write it? or is a feature request the preferred route? Thanks, Kevin ________________________________ From: Pedro Igor Silva [psilva at redhat.com] Sent: Tuesday, August 07, 2018 10:46 AM To: Fox, Kevin M Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Kubernetes integration AFAIK, no support. It shouldn't be hard to implement, I think you would probably need some config options to define parameters to the authz request. On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M > wrote: Ah, yeah. that looks like it might work.
Is there any support for token-exchange in keycloak-proxy? If not, is it something that could easily be added?

Thanks,
Kevin
________________________________
From: Pedro Igor Silva [psilva at redhat.com]
Sent: Tuesday, August 07, 2018 4:59 AM
To: Fox, Kevin M
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration

On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M wrote:

Question regarding using KeyCloak and Kubernetes.

Kubernetes only supports one ClientID. If you are supporting both the cli and the web ui, in Dex or Google you set up two clients, one for the website, and one for the cli. You mark the cli a Public Client, and you establish a trust between the website client and the cli. In either case then, the token passed to Kubernetes is for the same client.

What is the recommended way of doing something like this with KeyCloak? I see a Public Client option, but I don't see a way to establish the trust between clients.

We have a token exchange [1] endpoint which can be used to exchange tokens from one client to another.

The way Kubernetes supports OIDC is really tricky because API server expects an ID Token and not an OAuth2 Access Token (with no support for token introspection in case tokens are opaque and not JWTs). As you pointed out, API server supports a single client id thus you would need the cli to use the same client configured to API server or use token exchange.
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Thanks,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Aug 7 14:09:46 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 7 Aug 2018 15:09:46 -0300
Subject: [keycloak-user] Kubernetes integration
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C16CFC6@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov> <1A3C52DFCD06494D8528644858247BF01C16CEC4@EX10MBOX03.pnnl.gov> <1A3C52DFCD06494D8528644858247BF01C16CFC6@EX10MBOX03.pnnl.gov>
Message-ID:

Please, create an RFE first. We are also working with a generic Golang adapter (probably a replacement to Keycloak Proxy). Let's see what others think once we have the JIRA.

On Tue, Aug 7, 2018 at 3:02 PM, Fox, Kevin M wrote:
> Ok. Is that something the keycloak team would accept if someone were to
> write it? Or is a feature request the preferred route?
>
> Thanks,
> Kevin
> ------------------------------
> *From:* Pedro Igor Silva [psilva at redhat.com]
> *Sent:* Tuesday, August 07, 2018 10:46 AM
> *To:* Fox, Kevin M
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Kubernetes integration
>
> AFAIK, no support. It shouldn't be hard to implement, I think you would
> probably need some config options to define parameters to the authz request.
>
> On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M wrote:
>
>> Ah, yeah. That looks like it might work.
>>
>> Is there any support for token-exchange in keycloak-proxy? If not, is it
>> something that could easily be added?
>>
>> Thanks,
>> Kevin
>> ------------------------------
>> *From:* Pedro Igor Silva [psilva at redhat.com]
>> *Sent:* Tuesday, August 07, 2018 4:59 AM
>> *To:* Fox, Kevin M
>> *Cc:* keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] Kubernetes integration
>>
>> On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M wrote:
>>
>>> Question regarding using KeyCloak and Kubernetes.
>>>
>>> Kubernetes only supports one ClientID. If you are supporting both the
>>> cli and the web ui, in Dex or Google you set up two clients, one for the
>>> website, and one for the cli. You mark the cli a Public Client, and you
>>> establish a trust between the website client and the cli. In either case
>>> then, the token passed to Kubernetes is for the same client.
>>>
>>> What is the recommended way of doing something like this with KeyCloak?
>>> I see a Public Client option, but I don't see a way to establish the trust
>>> between clients.
>>>
>>
>> We have a token exchange [1] endpoint which can be used to exchange
>> tokens from one client to another.
>>
>> The way Kubernetes supports OIDC is really tricky because API server
>> expects an ID Token and not an OAuth2 Access Token (with no support for
>> token introspection in case tokens are opaque and not JWTs). As you pointed
>> out, API server supports a single client id thus you would need the cli to
>> use the same client configured to API server or use token exchange.
>>
>> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
>>
>>>
>>> Thanks,
>>> Kevin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From Kevin.Fox at pnnl.gov Tue Aug 7 14:15:18 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Tue, 7 Aug 2018 18:15:18 +0000
Subject: [keycloak-user] Kubernetes integration
In-Reply-To:
References: <1A3C52DFCD06494D8528644858247BF01C16C9EA@EX10MBOX03.pnnl.gov> <1A3C52DFCD06494D8528644858247BF01C16CEC4@EX10MBOX03.pnnl.gov> <1A3C52DFCD06494D8528644858247BF01C16CFC6@EX10MBOX03.pnnl.gov>
Message-ID: <1A3C52DFCD06494D8528644858247BF01C16CFE2@EX10MBOX03.pnnl.gov>

Ok. Sounds good. Thanks.

Kevin
________________________________
From: Pedro Igor Silva [psilva at redhat.com]
Sent: Tuesday, August 07, 2018 11:09 AM
To: Fox, Kevin M
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration

Please, create an RFE first. We are also working with a generic Golang adapter (probably a replacement to Keycloak Proxy). Let's see what others think once we have the JIRA.

On Tue, Aug 7, 2018 at 3:02 PM, Fox, Kevin M wrote:

Ok. Is that something the keycloak team would accept if someone were to write it? Or is a feature request the preferred route?

Thanks,
Kevin
________________________________
From: Pedro Igor Silva [psilva at redhat.com]
Sent: Tuesday, August 07, 2018 10:46 AM
To: Fox, Kevin M
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration

AFAIK, no support. It shouldn't be hard to implement, I think you would probably need some config options to define parameters to the authz request.

On Tue, Aug 7, 2018 at 1:05 PM, Fox, Kevin M wrote:

Ah, yeah. That looks like it might work.

Is there any support for token-exchange in keycloak-proxy? If not, is it something that could easily be added?
Thanks,
Kevin
________________________________
From: Pedro Igor Silva [psilva at redhat.com]
Sent: Tuesday, August 07, 2018 4:59 AM
To: Fox, Kevin M
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kubernetes integration

On Mon, Aug 6, 2018 at 6:02 PM, Fox, Kevin M wrote:

Question regarding using KeyCloak and Kubernetes.

Kubernetes only supports one ClientID. If you are supporting both the cli and the web ui, in Dex or Google you set up two clients, one for the website, and one for the cli. You mark the cli a Public Client, and you establish a trust between the website client and the cli. In either case then, the token passed to Kubernetes is for the same client.

What is the recommended way of doing something like this with KeyCloak? I see a Public Client option, but I don't see a way to establish the trust between clients.

We have a token exchange [1] endpoint which can be used to exchange tokens from one client to another.

The way Kubernetes supports OIDC is really tricky because API server expects an ID Token and not an OAuth2 Access Token (with no support for token introspection in case tokens are opaque and not JWTs). As you pointed out, API server supports a single client id thus you would need the cli to use the same client configured to API server or use token exchange.
[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Thanks,
Kevin
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ionel.gardais at tech-advantage.com Tue Aug 7 16:11:40 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Tue, 7 Aug 2018 22:11:40 +0200 (CEST)
Subject: [keycloak-user] Still getting DB upgrade issue with 4.2.1
Message-ID: <1938872997.178496.1533672700084.JavaMail.zimbra@tech-advantage.com>

Hi list,

When migrating to 4.2.1 from 4.1.0, I'm still getting a DB upgrade issue:

  22:02:27,350 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 58) Change Set META-INF/jpa-changelog-authz-4.2.0.Final.xml::authz-4.2.0.Final::mhajas at redhat.com failed. Error: Column 'VALUE' cannot be null [Failed SQL: INSERT INTO keycloak.RESOURCE_URIS (RESOURCE_ID, VALUE) VALUES ('e34d82f8-d106-4ec8-b235-4b895001cefb', NULL)]

No more complaints about table name mismatch, but now about a null value.

Any hints?

DB is mysql 5.7

Regards.
--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From czhang at anaconda.com Tue Aug 7 16:46:26 2018
From: czhang at anaconda.com (Chenyuan Zhang)
Date: Tue, 7 Aug 2018 15:46:26 -0500
Subject: [keycloak-user] Federating LDAP server to Keycloak crashed with Out Of Memory error
Message-ID: <1990A56B-6B91-40FE-9740-ED608041F6E3@anaconda.com>

Hi there,

We were trying to add an LDAP user federation provider with around 5000 users. But the process crashed with an out of memory error:

  2018-06-02 06:54:35.900 UTC INFO Sync changed users finished: 393 imported users, 4532 updated users, 8 users failed sync!
  See server log for more details (Timer-2) [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
  Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Brute Force Protector"
  Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-74"
  Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-330"
  Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Periodic Recovery"
  Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-332"
  Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "default task-324"
  2018-06-05 07:08:55.594 UTC ERROR java.lang.OutOfMemoryError: Java heap space (default task-333) [stderr]

Here are the options we used:

  JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Duser.timezone=UTC

From what I read, it seems like Keycloak imports users from LDAP to our production database through a periodic background task. But I'm not sure what happened at the memory level that caused the OutOfMemory error. Does keycloak cache all data in memory during the sync process? Is there any configuration I can set to avoid this error? Is there a user number limit given our JAVA Options?

Any suggestion would be appreciated.

Thanks a lot,
Chenyuan

From imperimus_2k at hotmail.com Tue Aug 7 16:47:16 2018
From: imperimus_2k at hotmail.com (Mark Hunt)
Date: Tue, 7 Aug 2018 20:47:16 +0000
Subject: [keycloak-user] LDAP Authentication - Extended Errors
Message-ID:

Hi,

I have been doing some development with Keycloak and specifically OpenID Connect, Password Grant and an LDAP user federation with Active Directory.
Overall everything is working great, but I am a little surprised that on a token refresh I get told that the user account is disabled but on a login I do not. The exception to this would be if I try to login with a disabled account after a user federation sync has occurred.

Is this a configuration issue or do you need to implement LDAP diagnostic messages for login?

Thanks for developing a fantastic product!!

Regards
Mark

From psilva at redhat.com Tue Aug 7 18:30:26 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 7 Aug 2018 19:30:26 -0300
Subject: [keycloak-user] Still getting DB upgrade issue with 4.2.1
In-Reply-To: <1938872997.178496.1533672700084.JavaMail.zimbra@tech-advantage.com>
References: <1938872997.178496.1533672700084.JavaMail.zimbra@tech-advantage.com>
Message-ID:

Hi,

We have a fix [1] in the queue already. Sorry for that.

[1] https://issues.jboss.org/browse/KEYCLOAK-8003

Regards.
Pedro Igor

On Tue, Aug 7, 2018 at 5:11 PM, GARDAIS Ionel < ionel.gardais at tech-advantage.com> wrote:
> Hi list,
>
> When migrating to 4.2.1 from 4.1.0, I'm still getting a DB upgrade issue:
>
> 22:02:27,350 ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 58)
> Change Set META-INF/jpa-changelog-authz-4.2.0.Final.xml::authz-4.2.0.Final::mhajas at redhat.com failed. Error: Column 'VALUE' cannot be null
> [Failed SQL: INSERT INTO keycloak.RESOURCE_URIS (RESOURCE_ID, VALUE) VALUES ('e34d82f8-d106-4ec8-b235-4b895001cefb', NULL)]
>
> No more complaints about table name mismatch, but now about a null value.
>
> Any hints?
>
> DB is mysql 5.7
>
> Regards.
>
> --
> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From arun.velayudhan at motorolasolutions.com Wed Aug 8 01:02:23 2018
From: arun.velayudhan at motorolasolutions.com (Arun Velayudhan)
Date: Wed, 8 Aug 2018 10:32:23 +0530
Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space
Message-ID:

Hello,

We ran keycloak with some basic load (like auth, gettoken) for a few hours, and after some time Keycloak threw an Out-of-memory error. Has anyone faced a similar kind of problem? Would be keen to know what was done to mitigate.

Version of Keycloak -> 4.0.0.Final.

=====
18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN

18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-199) Uncaught server error: java.lang.OutOfMemoryError: Java heap space

18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-219) Uncaught server error: java.lang.OutOfMemoryError: Java heap space

18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-505) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
===============

Pls find with the startup configuration
===
19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/standalone/log/server.log
-Dlogging.configuration=file:/DG/activeRelease/keycloak/standalone/configuration/logging.properties
==================

Arun

From henning.waack at codecentric.de Wed Aug 8 03:04:20 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Wed, 8 Aug 2018 09:04:20 +0200
Subject: [keycloak-user] Setting up realm automatically - Client Service Account Roles
Message-ID:

Dear all.

Using KC 4.2.1. I want to set up my realm and all (initial) clients automatically (using Ansible). Most things work, but right now I do not know how to set the "Client Service Account Roles". I am looking at kcadm primarily, but any other way to set this would be great, too.

Thanks & greetings
Henning

From slaskawi at redhat.com Wed Aug 8 03:14:19 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 8 Aug 2018 09:14:19 +0200
Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space
In-Reply-To:
References:
Message-ID:

Hey Arun,

Since Keycloak uses Infinispan as a cache, and Infinispan stores everything on-heap, my lucky guess is that Xmx is simply too low (I would also advise removing Metaspace calibration parameters for now).

If you wish to diagnose this further, these are the steps you might perform:
1) Turn GC Logging on: http://www.oracle.com/technetwork/articles/java/gcportal-136937.html
2) Check Infinispan JMX statistics: http://docs.jboss.org/infinispan/8.2/apidocs/jmxComponents.html#CacheContainerStats (you will be mostly interested in the number of entries in individual caches)

Thanks,
Sebastian

On Wed, Aug 8, 2018 at 7:05 AM Arun Velayudhan < arun.velayudhan at motorolasolutions.com> wrote:
> Hello,
> We ran keycloak with some basic load (like auth, gettoken) for a few hours,
> and after some time Keycloak threw an Out-of-memory error. Has anyone
> faced a similar kind of problem? Would be keen to know what was done to
> mitigate.
>
> Version of Keycloak -> 4.0.0.Final.
>
> =====
> 18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper)
> ARJUNA012117: TransactionReaper::check timeout for TX
> 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN
>
> 18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-199) Uncaught server error: java.lang.OutOfMemoryError: Java
> heap space
>
> 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-219) Uncaught server error: java.lang.OutOfMemoryError: Java
> heap space
>
> 18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-505) Uncaught server error: java.lang.OutOfMemoryError: Java
> heap space
> ===============
>
> Pls find with the startup configuration
> ===
>
> 19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM
> Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M
> -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
> -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
> -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/standalone/log/server.log
> -Dlogging.configuration=file:/DG/activeRelease/keycloak/standalone/configuration/logging.properties
>
> ==================
>
> Arun
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From triton.oidc at gmail.com Wed Aug 8 05:47:32 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Wed, 8 Aug 2018 09:47:32 +0000
Subject: [keycloak-user] Set key at realm creation or replace an existing key
Message-ID:

Hi,

I'm trying to do an OpenShift based implementation.

Two servers (Keycloak and a relying party RP).
They cannot communicate, but the RP is supposed to verify Keycloak's token.
For that it needs to have the public key of the realm.
When my pod (Docker instance) restarts, I re-create the same realm, with the same clientID, but of course the realm's key is a newly generated one.

I saw in an old documentation that it was possible to upload a key:
https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html

I didn't find the certificate in the json from
  kcadm.sh get realms
so I don't think it's going to help using a
  kcadm.sh create realm --file [my_json_with_the_certificate_in_it]

What I would like to do is set the key at the realm creation, or modify it just after its creation.

If anyone has a clue, or can just confirm to me that it's not possible.

Thanks a lot
Amaury

From Linda.Sauder at amdocs.com Wed Aug 8 06:07:27 2018
From: Linda.Sauder at amdocs.com (Linda Sauder)
Date: Wed, 8 Aug 2018 10:07:27 +0000
Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
Message-ID:

Hello.

I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly. My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.

In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this (the element tags were lost in the archive; only their values survived, so the standard servlet element names are restored here around the posted values):

  <web-app>
    <display-name>Application Container</display-name>
    <welcome-file-list>
      <welcome-file>ApplicationContainer.html</welcome-file>
    </welcome-file-list>
    <login-config>
      <auth-method>KEYCLOAK-SAML</auth-method>
      <realm-name>keycloak</realm-name>
    </login-config>
    <security-constraint>
      <display-name>Application Container Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>All Resources</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>hallo</role-name>
      </auth-constraint>
    </security-constraint>
  </web-app>

My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP. Which brings me to the part where I thought I could use some login-module configuration from the standalone configuration. I tried to configure this one in a file named jboss-web.xml.

How am I going to achieve being able to locally handle the role mapping?

Thanks in advance.
--
Linda

“Amdocs’
email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.

From hmlnarik at redhat.com Wed Aug 8 06:19:07 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 8 Aug 2018 12:19:07 +0200
Subject: [keycloak-user] [keycloak-dev] Error while updating jboss/keycloak from old :latest to newer :latest
In-Reply-To: <5E48B917000C984B86B77170F441903A119B54E4@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A119B54E4@exch.ringler.ch>
Message-ID:

Fixing the target list.

The changelogs between Betas were allowed to change freely, so this change (which came between Beta1 and Beta2) causes the issue. Always prefer exact Final releases to :latest.

To fix this issue, you would have to either delete the corresponding row in the 'databasechangelog' table and revert all the changes from [1], or update the checksum in the corresponding row in the database changelog table and apply the differences from [1] manually to match the final version of that file.
[1] https://github.com/keycloak/keycloak/blame/master/model/jpa/src/main/resources/META-INF/jpa-changelog-authz-4.0.0.CR1.xml

On Wed, Aug 8, 2018 at 9:37 AM Lukasz Lech wrote:
> Hello,
>
> I've started keycloak locally from docker image jboss/keycloak:latest
>
> Today I've pulled the image, and I've got the following error:
>
> Caused by: liquibase.exception.ValidationFailedException: Validation Failed:
>      1 change sets check sum
>           META-INF/jpa-changelog-authz-4.0.0.CR1.xml::authz-4.0.0.CR1::psilva at redhat.com is now: 7:57960fc0b0f0dd0563ea6f8b2e4a1707
>
>         at liquibase.changelog.DatabaseChangeLog.validate(DatabaseChangeLog.java:206)
>         at liquibase.Liquibase.listUnrunChangeSets(Liquibase.java:1139)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.keycloak.common.util.reflections.Reflections.invokeMethod(Reflections.java:379)
>
> The problem is, I'm not sure what was the :latest state I was using, it
> was some snapshot of 4.0.0-Beta.
> I've tried to start now :latest, :4.0.0.Final, and :4.0.0.Beta3, but
> neither of them can work with the old database.
>
> Does it mean that my current database is unusable and I need to start
> from scratch, or is there some way to update it?
>
> Should I never ever in the future use the :latest image?
>
> Best regards,
> Lukasz Lech
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

From hmlnarik at redhat.com Wed Aug 8 06:21:31 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 8 Aug 2018 12:21:31 +0200
Subject: [keycloak-user] Version API endpoint removed in 4.2.1?
In-Reply-To: <223948DB-C051-40A6-A823-A52553F69D77@osc.edu>
References: <223948DB-C051-40A6-A823-A52553F69D77@osc.edu>
Message-ID:

Version endpoint was removed to mitigate the risk of revealing potentially sensitive information to an attacker. Can you use e.g. /auth/realms/master/.well-known/openid-configuration for the same?

--Hynek

On Tue, Aug 7, 2018 at 5:36 PM Dockendorf, Trey wrote:
> I updated a test node to 4.2.1 from 3.4.2 and notice /auth/version no
> longer works. I use this endpoint with Nagios to check Keycloak is
> booted. Is this removal expected and if so is there a viable alternative
> in 4.2.1? I need something that requires no authentication.
>
> 4.2.1:
> $ curl http://localhost:8080/auth/version
> $
>
> 3.4.2:
> $ curl http://localhost:8080/auth/version
> {"version":"3.4.2.Final","build-time":"2017-12-21 12:57"}
>
> --
> Trey Dockendorf
> HPC Systems Engineer
> Ohio Supercomputer Center
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jlord87 at gmail.com Wed Aug 8 06:58:13 2018
From: jlord87 at gmail.com (jlord87 at gmail.com)
Date: Wed, 08 Aug 2018 12:58:13 +0200
Subject: [keycloak-user] Is keycloak the tool I'm looking for? selective AD user sync
In-Reply-To: <1533647308.8451.4.camel@acutus.pro>
References: <91e80618fc3dc0c8f5965a29a64b8d012680d912.camel@gmail.com> <1533647308.8451.4.camel@acutus.pro>
Message-ID: <657eb7e1fac830434db3594c5d69205ab472057c.camel@gmail.com>

Thank you Dmitry for your reply

> > I think that Redmine and NextCloud fall into this category. OIDC/SAML
> > enabling is usually done by the means of some
> > adapters/plugins/extensions, or whatever this might be called in the
> > target app's terms. So this should become number one on your list.

I do agree, I've already made some tests, it should be quite easy.

> > AD integration is completely different stuff.
> > This is called user federation, and its purpose is to combine several
> > external user datasources into a single, unified virtual one. AFAIK,
> > there is no OOTB mechanism to define which external AD the newly
> > created user should go to.

Too bad, I would have probably needed the opposite, some kind of "user propagation". Would it make any sense to create a realm for each AD and configure as Identity Provider another "master" realm, acting as a centralized user repository, in which I would create a client template for every AD?

> > But what we love about Keycloak is its ultimate extensibility, so I
> > wouldn't rule out the possibility of implementing this with the help
> > of an extension.

Well, I'll be here waiting for this to happen :)

> > GSuite, in its turn, is completely standalone here. AFAIK it supports
> > only Google's authentication, and doesn't allow to delegate it to 3rd
> > party services (or does it?)

Gsuite should be able to act as SAML Identity Provider or as a Service Provider (https://support.google.com/a/answer/60224?hl=en). It would probably be "easy" to connect also this piece of the puzzle.

Thank you again!

On Tue, 2018-08-07 at 16:08 +0300, Dmitry Telegin wrote:
> Hi Francesco, sorry for the late response,
>
> Well, seems you've got quite a soup of different applications, and
> bringing Keycloak in control of *all* of them may be quite challenging.
>
> First, you'll need to understand what Keycloak is and what it is not.
> Keycloak is an SSO (Single Sign-On) and IAM (Identity and Access
> Management) solution intended for securing web applications (but not
> limited to them).
>
> This is done with the help of OpenID Connect and SAML protocols. So the
> first question you'll need to answer is: which applications already
> support this, or could support with minimal efforts?
> I think that Redmine and NextCloud fall into this category. OIDC/SAML
> enabling is usually done by the means of some
> adapters/plugins/extensions, or whatever this might be called in the
> target app's terms. So this should become number one on your list.
>
> AD integration is completely different stuff. This is called user
> federation, and its purpose is to combine several external user
> datasources into a single, unified virtual one. AFAIK, there is no OOTB
> mechanism to define which external AD the newly created user should go
> to. But what we love about Keycloak is its ultimate extensibility, so I
> wouldn't rule out the possibility of implementing this with the help of
> an extension.
>
> GSuite, in its turn, is completely standalone here. AFAIK it supports
> only Google's authentication, and doesn't allow to delegate it to 3rd
> party services (or does it?) One of the possible variants is using Okta,
> but it:
> 1) actually works as a password manager,
> 2) installs a browser plugin,
> 3) requires commercial subscription.
>
> Hope this helps, and good luck with Keycloak!
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2018-07-24 at 14:15 +0200, jlord87 at gmail.com wrote:
> Hello guys,
>
> I'm really new to keycloak and I need your help to understand if this
> is what I'm really looking for; I am the IT administrator in a
> non-profit environment, managing servers and services for several
> non-profit organizations.
>
> What I'm trying to achieve is the centralization of the authentication
> and authorization process: every user should just have one password and
> one "username". The difficult part is that the environment I work in is
> really "fluid": there are a lot of people working or volunteering in one
> or more different organizations.
> Every organization has its own active directory server (to manage
> desktop authentication and some CIFS share), its own gsuite (for emails)
> and at the same time, there are services shared by all (or some) of
> these organizations (like a redmine ticketing system, nextcloud file
> server and so on).
>
> What I'm dreaming of is to manage everything from a single software (I
> tried gluu but it had some annual fees we cannot afford to pay): I would
> like to create a user (something like name.surname) and add to this user
> "permissions", something like "user1 should be able to access gsuite 1,
> gsuite2, nextcloud and active directory 1". I've uploaded a scheme in
> this pdf:
> https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg
>
> Do you think keycloak is capable of this? I played around a bit, read a
> lot of documentation and what I wasn't able to achieve was a selective
> active directory user sync... Maybe my error was trying to do everything
> in the same realm, what do you think about it?
>
> Thank you for any hint
> Francesco
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Paolo.Tedesco at cern.ch Wed Aug 8 07:33:03 2018
From: Paolo.Tedesco at cern.ch (Paolo Tedesco)
Date: Wed, 8 Aug 2018 11:33:03 +0000
Subject: [keycloak-user] GSS delegation credential mapper
Message-ID: <6D320D40264A8545A9C25EC79DE1E32501ECD19D8A@CERNXCHG43.cern.ch>

Hi,

I'm trying to configure the GSS credential mapper for an application.

I've configured SPNEGO authentication on the server, and this is working. Then I've created an application (confidential client) and added a gss delegation credential mapper to the application, but I don't seem to get a claim with the GSS credentials in the token after I authenticate. If I understood correctly, I should see a claim in the access token named "gss_delegation_credential".
Is there anything else I need to configure, like some additional mappers?

Also, is it possible to get this gss_delegation_credential token only when authenticating with SPNEGO, or would it be possible to get it also with other authentication mechanisms (e.g. x509 certificate, username and password)?

Thanks,
Paolo Tedesco

From pnalyvayko at agi.com Wed Aug 8 07:56:22 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Wed, 8 Aug 2018 11:56:22 +0000
Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space
In-Reply-To:
References:
Message-ID:

Hi Arun,

Yes, we have seen this issue before. A temporary remedy has been to increase the JVM's maximum heap size, among other things, like changing the eviction rate and infinispan cache sizes.

--Peter

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Arun Velayudhan
Sent: Wednesday, August 8, 2018 1:02 AM
To: keycloak-user
Subject: [keycloak-user] Uncaught server error: java.lang.OutOfMemoryError: Java heap space

Hello,

We ran keycloak with some basic load (like auth, gettoken) for a few hours, and after some time Keycloak threw an Out-of-memory error. Has anyone faced a similar kind of problem? Would be keen to know what was done to mitigate.

Version of Keycloak -> 4.0.0.Final.
=====
18:32:47,716 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffc0a80c38:-56b32ec9:5b6463c3:54bcab in state RUN
18:30:23,749 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-199) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-219) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
18:32:47,717 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-505) Uncaught server error: java.lang.OutOfMemoryError: Java heap space
===============

Pls find with the startup configuration

===
19:46:33,121 DEBUG [org.jboss.as.config] (MSC service thread 1-7) VM Arguments: -D[Standalone] -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dorg.jboss.boot.log.file=/DG/activeRelease/keycloak/standalone/log/server.log -Dlogging.configuration=file:/DG/activeRelease/keycloak/standalone/configuration/logging.properties
==================

Arun
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Wed Aug 8 08:15:37 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 8 Aug 2018 14:15:37 +0200
Subject: [keycloak-user] Set key at realm creation or replace an existing key
In-Reply-To:
References:
Message-ID:

Since you're using OpenShift, you may put the exported realm in JSON format (with public/private keys and other necessary things) into a ConfigMap. Once the ConfigMap is live, just mount it into your container (as a volume). This way it will be accessible as a file inside your container.
The last bit is to modify Container Args (which translate into CMD of a Dockerfile) to start the Keycloak with the following switches:

./standalone.sh \
  -Dkeycloak.migration.action=import \
  -Dkeycloak.migration.provider=singleFile \
  -Dkeycloak.migration.file= \
  -Dkeycloak.migration.strategy=OVERWRITE_EXISTING

This way you will be sure that each Pod is initialized exactly the same way and you will be managing configuration by modifying the ConfigMap. However, please keep in mind that ConfigMaps are not versioned (yet!). So you won't be able to revert changes quickly if you screw something up in the configuration.

Cheers,
Sebastian

On Wed, Aug 8, 2018 at 11:57 AM triton oidc wrote:
> Hi,
>
> i'm trying to do an openshift based implementation.
>
> Two servers (Keycloak and a relying party RP)
> They cannot communicate, but the RP is supposed to verify Keycloak's token.
> For that he needs to have the public key of the realm.
>
> When my pod (Docker instance) restarts, I re-create the same realm, with the
> same clientID,
> but of course the realm's key is a newly generated one.
>
> I saw in an old documentation that it was possible to upload a key
>
> https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html
>
> I didn't find the certificate in the json from
> kcadm.sh get realms
> so I don't think it's going to help using a
> kcadm.sh create realm --file [my_json_with_the_certificate_in_it]
>
> What I would like to do is set the key at the realm creation, or modify it
> just after its creation.
>
> If anyone has a clue, or can just confirm me that it's not possible
>
> Thanks a lot
>
> Amaury
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro Wed Aug 8 08:42:58 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 08 Aug 2018 15:42:58 +0300
Subject: [keycloak-user] Set key at realm creation or replace an existing key
In-Reply-To:
References:
Message-ID: <1533732178.2269.8.camel@acutus.pro>

Hi,

Sebastian has answered you already, but here's another method that might be helpful for you or someone else...

Realm keys are stored as "component configs" (o.k.models.jpa.entities.ComponentConfigEntity)
If I'm not mistaken, these are exposed via REST (o.k.services.resources.admin.ComponentResource)
So theoretically you should be able to modify them on a live realm. Didn't try this with kcadm, but feel free to try yourself and report :)

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-08-08 at 09:47 +0000, triton oidc wrote:
> Hi,
>
> i'm trying to do an openshift based implementation.
>
> Two servers (Keycloak and a relying party RP)
> They cannot communicate, but the RP is supposed to verify Keycloak's token.
> For that he needs to have the public key of the realm.
>
> When my pod (Docker instance) restarts, I re-create the same realm, with the
> same clientID,
> but of course the realm's key is a newly generated one.
>
> I saw in an old documentation that it was possible to upload a key
> https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html
>
> I didn't find the certificate in the json from
> kcadm.sh get realms
> so I don't think it's going to help using a
> kcadm.sh create realm --file [my_json_with_the_certificate_in_it]
>
> What I would like to do is set the key at the realm creation, or modify it
> just after its creation.
>
> If anyone has a clue, or can just confirm me that it's not possible
>
> Thanks a lot
>
> Amaury
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Wed Aug 8 09:07:39 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 8 Aug 2018 15:07:39 +0200
Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache
In-Reply-To:
References:
Message-ID:

On Tue, Aug 7, 2018 at 3:28 PM Hayden Fuss wrote:
> Hello,
>
> We are attempting to run Keycloak on two OpenShift clusters using remote
> ISPNs and a single MariaDB instance. We're hacking together the Keycloak on
> Openshift blogpost, the JDG-as-a-service demo from Summit, RH SSO demo from
> Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC
> replication. The hope is to do an initial evaluation of Keycloak's
> availability.
>
> We were able to create a new user on master (site1), disable the user on
> master2 (site2), and see the user was disabled on master. So ISPN
> replication seems to be working because the work cache was replicated to
> invalidate the local caches. However, the sessions cache does not seem to
> be replicated because when logged in as the same user on the two different
> Keycloaks (in Incognito mode) there is only one active session shown on
> both UIs and the timestamp/IP/etc is different for the listed session.
>

So at this point the Infinispan cluster within a single DC works correctly [1] (the one that is formed by KUBE_PING). The Cross-DC cluster (also known as the Global Cluster) also works correctly [2]. Users cache replicates fine but sessions don't.

If I understood everything correctly, there might be two issues there. The first one is Infinispan misconfiguration (I briefly looked through the configuration and cannot spot any mistake but there might be some typo or anything like that). That one is easy to verify: just put an entry on one node (e.g. using REST [3]) and see if it's available on the other one (again, using REST for example [4]). If this test works fine, you can check if Keycloak forwards traffic to the Infinispan cluster. The easiest way is to set a breakpoint somewhere in org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveClientSessionToRemoteCache and org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveUserSessionToRemoteCache.

[1] can be verified by calling `oc logs infinispan-app | grep view`
[2] can be verified by calling `oc logs infinispan-app | grep "x-site"`
[3] curl -d test ISPN_IP:8080/rest/sessions/test
[4] curl ISPN_IP2:8080/rest/sessions/test

> We are using the latest, stable Keycloak image, version 4.1.0.Final, and
> the latest, stable Infinispan image to act as our data grid, version
> 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for
> its local caches.
>
> We were trying one Keycloak node and two ISPN nodes in each cluster, but
> for simplicity we've attached logs where we only ran one Keycloak and one
> ISPN in each cluster.
> We were connecting to the two different Keycloaks via two different
> OpenShift Routes without a load balancer to fake sticky sessions for now.
> Keycloak connects to ISPN via a "HotRod" Service.
> ISPN connects to other
> nodes within the same cluster via KUBE_PING, and discovers the other
> cluster via TCPPING hitting a particular OpenShift app node from that
> cluster that exposes the "discovery" Service with a NodePort. The Keycloaks
> share the single MariaDB through a NodePort Service in one of the clusters
> as well.
>
> The logs didn't seem to contain any of the messages in the troubleshooting
> guide. We had trouble using JMX to check the ISPNs because they were
> running in containers, but we've been using the CLI tool and the Infinispan
> management console to try to troubleshoot, but any key we pulled from the
> logs that we thought was a session ID was not in the caches and we could
> not find a way to simply list all keys in the caches.
>
> Below is a viewable link to a zip containing logs from the scenario
> described in the second paragraph, and our config files.
>
> https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4
>
> Thanks for your time and help!
>
> Best,
> Hayden
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro Wed Aug 8 09:23:16 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 08 Aug 2018 16:23:16 +0300
Subject: [keycloak-user] Setting up realm automatically -Client Service Account Roles
In-Reply-To:
References:
Message-ID: <1533734596.2269.10.camel@acutus.pro>

Hi Henning,

On Wed, 2018-08-08 at 09:04 +0200, Henning Waack wrote:
> Dear all.
>
> Using KC 4.2.1.
>
> I want to set up my realm and all (initial) clients automatically (using
> Ansible). Most things work, but right now I do not know how to set the
> "Client Service Account Roles". I am looking at kcadm primarily, but any
> other way to set this would be great, too.

kcadm is one of the ways to do things.
It's a bit complicated with service accounts though, because first you have to retrieve the service account's internal ID:

./kcadm.sh get clients/{client-id}/service-account-user

You will need to parse the id out of the JSON and use it in subsequent calls to kcadm:

./kcadm.sh create users/{service-account-id}/role-mappings/realm -f role.json

[
  {
    "clientRole": false,
    "composite": true,
    "containerId": "master",
    "description": "${role_foo}",
    "id": "",
    "name": "foo"
  }
]

(Note that the role id also needs to be retrieved first.)

This will add a realm role; client roles are added a bit differently. You can go to Admin Console, perform actions and see actual URLs and payloads in F12 -> Network.

Alternatively, you can have a realm exported in a JSON file with everything pre-populated, and import it on the first run (see Sebastian's answer earlier today).

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Thanks & greetings
>
> Henning
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Wed Aug 8 09:35:31 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 08 Aug 2018 16:35:31 +0300
Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
In-Reply-To:
References:
Message-ID: <1533735331.2269.12.camel@acutus.pro>

Hello Linda,

Seems like you need to configure SAML Attribute to Role mapper for your IdP.

Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.

You will need to know how exactly your IdP supplies role information. Normally, there should be an attribute inside the SAML assertion that comes with the SAML response; the fastest way is to inspect the SAML payload via F12 -> Network in your browser.
Use https://www.samltool.com to decode and pretty-print it. Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote: > Hello. > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly. > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed. > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this: > > > > > ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > > ? xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> > ????Application Container > > ???? > ????????ApplicationContainer.html > ???? > > ???????????????? > ????????????????????????????????KEYCLOAK-SAML > ????????????????????????????????keycloak > ???????????????? > > ???? > ????????Application Container Constraint > ???????? > ????????????All Resources > ????????????/* > ????????????POST > ????????????GET > ???????? > > ???????? > ????????????hallo > ???????? > ???? > > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP. > > Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml. > > How am I going to achieve to be able to locally handle the role mapping? > > Thanks in advance. > -- > Linda > ?Amdocs? 
email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Linda.Sauder at amdocs.com Wed Aug 8 09:40:34 2018 From: Linda.Sauder at amdocs.com (Linda Sauder) Date: Wed, 8 Aug 2018 13:40:34 +0000 Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly In-Reply-To: <1533735331.2269.12.camel@acutus.pro> References: <1533735331.2269.12.camel@acutus.pro> Message-ID: Hi Dimitri, Thanks your response. Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server. But I also thought about it. Not an option unfortunately. -- Cheers Linda -----Original Message----- From: Dmitry Telegin
Sent: Wednesday, August 08, 2018 3:36 PM To: Linda Sauder ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly Hello Linda, Seems like you need to configure SAML Attribute to Role mapper for your IdP. Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper. You will need to know how exactly your IdP supplies role information. Normally, there should be an attribute inside SAML assertion that comes with SAML response; the fastest way is to inspect SAML payload via F12 -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it. Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote: > Hello. > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly. > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed. > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this: > > > > > ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > > ? xsi:schemaLocation="http://java.sun.com/xml/ns/javaee > > http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> > ????Application Container > > ???? > ????????ApplicationContainer.html > ???? > > ???????????????? > ???????????????????????????????? > KEYCLOAK-SAML > ????????????????????????????????keycloak > ???????????????? > > ???? > ????????Application Container Constraint > ???????? > ????????????All Resources > ????????????/* > ????????????POST > ????????????GET > ???????? 
> > ???????? > ????????????hallo > ???????? > ???? > > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP. > > Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml. > > How am I going to achieve to be able to locally handle the role mapping? > > Thanks in advance. > -- > Linda > ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. From dt at acutus.pro Wed Aug 8 09:56:07 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Wed, 08 Aug 2018 16:56:07 +0300 Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly In-Reply-To: References: <1533735331.2269.12.camel@acutus.pro> Message-ID: <1533736567.2269.14.camel@acutus.pro> I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had external IdP configured there. 
So is correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app? Dmitry On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote: > Hi Dimitri, > > Thanks your response.? > > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server. > > But I also thought about it. Not an option unfortunately.? > > -- > Cheers > Linda > > -----Original Message----- > > From: Dmitry Telegin
? > Sent: Wednesday, August 08, 2018 3:36 PM > > To: Linda Sauder ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly > > Hello Linda, > > Seems like you need to configure SAML Attribute to Role mapper for your IdP. > > Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper. > > You will need to know how exactly your IdP supplies role information. > Normally, there should be an attribute inside SAML assertion that comes with SAML response; the fastest way is to inspect SAML payload via F12 > > -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it. > > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote: > > Hello. > > > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly. > > > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed. > > > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this: > > > > > > > > > > > > > > > ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > > > > > > ? xsi:schemaLocation="http://java.sun.com/xml/ns/javaee? > > > http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">; > > > > ????Application Container > > > > ???? > > ????????ApplicationContainer.html > > ???? > > > > ???????????????? > > ???????????????????????????????? > > KEYCLOAK-SAML > > ????????????????????????????????keycloak > > ???????????????? > > > > ???? 
> > ????????Application Container Constraint > > ???????? > > ????????????All Resources > > ????????????/* > > ????????????POST > > ????????????GET > > ???????? > > > > ???????? > > ????????????hallo > > ???????? > > ???? > > > > > > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP. > > > > Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml. > > > > How am I going to achieve to be able to locally handle the role mapping? > > > > Thanks in advance. > > -- > > Linda > > ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. From Linda.Sauder at amdocs.com Wed Aug 8 06:07:27 2018 From: Linda.Sauder at amdocs.com (Linda Sauder) Date: Wed, 8 Aug 2018 10:07:27 +0000 Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly Message-ID: Hello. I am facing some issues. 
I want to secure some simple web application with Keycloak/SAML and Wildfly. My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed. In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this: Application Container ApplicationContainer.html KEYCLOAK-SAML keycloak Application Container Constraint All Resources /* POST GET hallo My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP. Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml. How am I going to achieve to be able to locally handle the role mapping? Thanks in advance. -- Linda ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. From Linda.Sauder at amdocs.com Wed Aug 8 10:31:21 2018 From: Linda.Sauder at amdocs.com (Linda Sauder) Date: Wed, 8 Aug 2018 14:31:21 +0000 Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly In-Reply-To: <1533736567.2269.14.camel@acutus.pro> References: <1533735331.2269.12.camel@acutus.pro> <1533736567.2269.14.camel@acutus.pro> Message-ID: Hi Dmitry, Yes. That is correct. --- Linda -----Original Message----- From: Dmitry Telegin
Sent: Wednesday, August 08, 2018 3:56 PM To: Linda Sauder ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had external IdP configured there. So is correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app? Dmitry On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote: > Hi Dimitri, > > Thanks your response.? > > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server. > > But I also thought about it. Not an option unfortunately.? > > -- > Cheers > Linda > > -----Original Message----- > > From: Dmitry Telegin
? > Sent: Wednesday, August 08, 2018 3:36 PM > > To: Linda Sauder ; keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly > > Hello Linda, > > Seems like you need to configure SAML Attribute to Role mapper for your IdP. > > Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper. > > You will need to know how exactly your IdP supplies role information. > Normally, there should be an attribute inside SAML assertion that comes with SAML response; the fastest way is to inspect SAML payload via F12 > > -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it. > > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote: > > Hello. > > > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly. > > > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed. > > > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this: > > > > > > > > > > > > > > > ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > > > > > > ? xsi:schemaLocation="http://java.sun.com/xml/ns/javaee? > > > http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">; > > > > ????Application Container > > > > ???? > > ????????ApplicationContainer.html > > ???? > > > > ???????????????? > > ???????????????????????????????? > > KEYCLOAK-SAML > > ????????????????????????????????keycloak > > ???????????????? > > > > ???? 
> > ????????Application Container Constraint > > ???????? > > ????????????All Resources > > ????????????/* > > ????????????POST > > ????????????GET > > ???????? > > > > ???????? > > ????????????hallo > > ???????? > > ???? > > > > > > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP. > > > > Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configured this one in a file named jboss-web.xml. > > > > How am I going to achieve to be able to locally handle the role mapping? > > > > Thanks in advance. > > -- > > Linda > > ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access?. ?Amdocs? email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. 
Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access”.

From triton.oidc at gmail.com Wed Aug 8 10:41:26 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Wed, 8 Aug 2018 14:41:26 +0000
Subject: [keycloak-user] Set key at realm creation or replace an existing key
In-Reply-To: <1533732178.2269.8.camel@acutus.pro>
References: <1533732178.2269.8.camel@acutus.pro>
Message-ID:

Hi Sebastian,

Thanks a lot for the answer, that's the thing I was looking for, something like this, and I didn't think of looking in this direction.
I should be able to make it work.

@Dmitry if I can make it work, your solution seems pretty cool too

Should I succeed, I'll explain how if it can help someone else

Thanks again

Amaury

On Wed, Aug 8, 2018 at 12:42 PM, Dmitry Telegin
wrote: > Hi, > > Sebastian has answered you already, but here's another method that might > be helpful for you or someone else... > > Realm keys are stored as "component configs" (o.k.models.jpa.entities.ComponentConfigEntity) > If I'm not mistaken, these are exposed via REST (o.k.services.resources.admin.ComponentResource) > So theoretically you should be able to modify them on a live realm. Didn't > try this with kcadm, but feel free to try yourself and report :) > > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Wed, 2018-08-08 at 09:47 +0000, triton oidc wrote: > > Hi, > > > > I'm trying to do an OpenShift-based implementation. > > > > Two servers (Keycloak and a relying party RP). > > They cannot communicate, but the RP is supposed to verify Keycloak's token. > > For that it needs to have the public key of the realm. > > > > When my pod (Docker instance) restarts, I re-create the same realm, with the > > same clientID, > > but of course the realm's key is a newly generated one. > > > > I saw in an old documentation that it was possible to upload a key > > https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html > > > > I didn't find the certificate in the json from > > kcadm.sh get realms > > so I don't think it's going to help using a > > kcadm.sh create realm --file [my_json_with_the_certificate_in_it] > > > > What I would like to do is set the key at the realm creation, or modify it > > just after its creation.
> > > > If anyone has a clue, or can just confirm to me that it's not possible > > > > Thanks a lot > > > > Amaury > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From henning.waack at codecentric.de Wed Aug 8 10:44:24 2018 From: henning.waack at codecentric.de (Henning Waack) Date: Wed, 8 Aug 2018 16:44:24 +0200 Subject: [keycloak-user] Setting up realm automatically -Client Service Account Roles In-Reply-To: <1533734596.2269.10.camel@acutus.pro> References: <1533734596.2269.10.camel@acutus.pro> Message-ID:

Ahh, ok, didn't know that the service-account is also just a plain old user and thus gets exported as a user and not when I export the realm from the UI. Thanks Dimitry!

On Wed, 8 Aug 2018 at 15:23, Dmitry Telegin wrote
: > Hi Henning, > > On Wed, 2018-08-08 at 09:04 +0200, Henning Waack wrote: > > Dear all. > > > > Using KC 4.2.1. > > > > I want to setup my realm and all (initial) clients automatically (using > > Ansible). Most things work, but right now I do not know how to set the > > "Client Service Account Roles". I am looking at kcadm primarily, but any > > other way to set this would be great, too. > > kcadm is one of the ways to do things. It's a bit complicated with service > accounts though, because first you have to retrieve service account's > internal ID: > > ./kcadm.sh get clients/{client-id}/service-account-user > > You will need to parse id out of JSON and use in subsequent calls to kcadm: > > ./kcadm.sh create users/{service-account-id}/role-mappings/realm -f > role.json > > [ > { > "clientRole": false, > "composite": true, > "containerId": "master", > "description": "${role_foo}", > "id": "", > "name": "foo" > } > ] > > (Note that role id also needs to be retrieved first.) This will add a > realm role; client roles are added a bit differently, you can go to Admin > Console, perform actions and see actual URLs and payloads in F12 -> Network. > > Alternatively, you can have a realm exported in JSON file with everything > pre-populated, and import it on the first run (see Sebastian's answer > earlier today). > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. 
> Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > > > > Thanks & greetings > > > > Henning > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user >

-- ----------- Henning Waack | IT Consultant codecentric AG | Hochstraße 11 | 42697 Solingen | Germany tel: +49 (0)151 108 515 29 www.codecentric.de | blog.codecentric.de | www.meettheexperts.de Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal Board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns Supervisory board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.

From dt at acutus.pro Wed Aug 8 12:22:33 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Wed, 08 Aug 2018 19:22:33 +0300 Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly In-Reply-To: References: <1533735331.2269.12.camel@acutus.pro> <1533736567.2269.14.camel@acutus.pro> Message-ID: <1533745353.10533.1.camel@acutus.pro>

So, is this correct that: - your customer has the "foo" role configured in their Keycloak; - authors of the app expect that the user has the "bar" role; - neither your customer wants to create "bar" in Keycloak, nor do the programmers want to change their code to use "foo", and you're caught in the crossfire?
Off the top of my head, there can be two solutions: 1) modify SAML adapter code and implement role mapping there - shouldn't be too tricky, but from now on you'll have to use modified adapter and update it with every Keycloak release (or maybe commit it to upstream, but I'm not sure it will be accepted); 2) deploy intermediary Keycloak, configure brokering between it and customer's one and use the role mapper trick. This could be made transparent for end-users, however will add a couple of redirects to the flow. And of course this will mean that you'll have to maintain yet another piece of software. Good luck! Dmitry On Wed, 2018-08-08 at 14:31 +0000, Linda Sauder wrote: > Hi Dmitry, > > Yes. That is correct. > > --- > Linda > > -----Original Message----- > > From: Dmitry Telegin
> Sent: Wednesday, August 08, 2018 3:56 PM
> To: Linda Sauder ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
>
> I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had external IdP configured there.
>
> So is it correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app?
>
> Dmitry
>
> On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote:
> > Hi Dimitri,
> >
> > Thanks for your response.
> >
> > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server.
> >
> > But I also thought about it. Not an option unfortunately.
> >
> > --
> > Cheers
> > Linda
> >
> > -----Original Message-----
> > From: Dmitry Telegin
> > Sent: Wednesday, August 08, 2018 3:36 PM
> > To: Linda Sauder ; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> >
> > Hello Linda,
> >
> > Seems like you need to configure SAML Attribute to Role mapper for your IdP.
> >
> > Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.
> >
> > You will need to know how exactly your IdP supplies role information.
> > Normally, there should be an attribute inside SAML assertion that comes with SAML response; the fastest way is to inspect SAML payload via F12 -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it.
> >
> > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> > > Hello.
> > >
> > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly.
> > >
> > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
> > >
> > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this:
> > >
> > > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> > >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > >   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> > >   version="2.5">
> > >   <display-name>Application Container</display-name>
> > >   <welcome-file-list>
> > >     <welcome-file>ApplicationContainer.html</welcome-file>
> > >   </welcome-file-list>
> > >   <login-config>
> > >     <auth-method>KEYCLOAK-SAML</auth-method>
> > >     <realm-name>keycloak</realm-name>
> > >   </login-config>
> > >   <security-constraint>
> > >     <display-name>Application Container Constraint</display-name>
> > >     <web-resource-collection>
> > >       <web-resource-name>All Resources</web-resource-name>
> > >       <url-pattern>/*</url-pattern>
> > >       <http-method>POST</http-method>
> > >       <http-method>GET</http-method>
> > >     </web-resource-collection>
> > >     <auth-constraint>
> > >       <role-name>hallo</role-name>
> > >     </auth-constraint>
> > >   </security-constraint>
> > > </web-app>
> > >
> > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
> > >
> > > Which brings me to the part where I thought I could use some login-module configuration from the standalone-configuration. I tried to configure this one in a file named jboss-web.xml.
> > >
> > > How am I going to achieve to be able to locally handle the role mapping?
> > >
> > > Thanks in advance.
> > > --
> > > Linda
> > > "Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access."
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From tdockendorf at osc.edu Wed Aug 8 15:49:00 2018 From: tdockendorf at osc.edu (Dockendorf, Trey) Date: Wed, 8 Aug 2018 19:49:00 +0000 Subject: [keycloak-user] Version API endpoint removed in 4.2.1? In-Reply-To: References: <223948DB-C051-40A6-A823-A52553F69D77@osc.edu> Message-ID:

Yep, I already updated our Nagios checks to use that URL. Thanks, - Trey -- Trey Dockendorf HPC Systems Engineer Ohio Supercomputer Center

From: Hynek Mlnarik Date: Wednesday, August 8, 2018 at 6:21 AM To: "Dockendorf, Trey" Cc: keycloak-user Subject: Re: [keycloak-user] Version API endpoint removed in 4.2.1? Version endpoint was removed to mitigate risk of revealing potentially sensitive information to an attacker. Can you use e.g. /auth/realms/master/.well-known/openid-configuration for the same? --Hynek

On Tue, Aug 7, 2018 at 5:36 PM Dockendorf, Trey > wrote: I updated a test node to 4.2.1 from 3.4.2 and notice /auth/version no longer works. I use this endpoint with Nagios to check Keycloak is booted. Is this removal expected and if so is there a viable alternative in 4.2.1? I need something that requires no authentication.
4.2.1: $ curl http://localhost:8080/auth/version $ 3.4.2: $ curl http://localhost:8080/auth/version {"version":"3.4.2.Final","build-time":"2017-12-21 12:57"} -- Trey Dockendorf HPC Systems Engineer Ohio Supercomputer Center _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From courtney.robinson at hypi.io Wed Aug 8 16:20:24 2018 From: courtney.robinson at hypi.io (Courtney Robinson) Date: Wed, 8 Aug 2018 21:20:24 +0100 Subject: [keycloak-user] Using Keycloak for per field authorisation Message-ID: Hello, I'm trying to work out what approach may be advisable for achieving per field authorisation with Keycloak. Until now we've used it for authentication only and are now expanding our integration to take advantage of its authorisation capabilities as well with a view to replace our existing solution entirely. This being due to a need in the near future for SAML and some other enterprise integration this has become a necessity. The situation is like this: Prior to adapting Keycloak we used our own solution based on Apache Shiro. We have a GraphQL API that services multiple organisations each with multiple apps. Each organisation has its own users and thus maps directly into separate realms in Keycloak. Each user in an organisation can have different permissions. Within an organisation you can have one or more groups (usually an office/site) and they some times have different access rights. I could elaborate more but I think this should give a good picture of the setup. So far so good, I can see how to map some of these things directly to Keycloak high level constructs. It falls apart for me with the API. We're using Spring Boot but I struggle to see how I'd achieve this setup using one of the adapters. 
Take this scenario: App 1 defines two types A{f1:Int, f2: String} and B{f3:Int, f4: String} Org 1, User 1 can read,write A.f1 and B.f3, they can only read B.f4 and cannot see or perform any other operation on A.f2 *normally* but in one case they have had a specific instance of A shared with them and given complete read/write/share/manage permission for that one instance and thus A.f2 is available to them in this one instance. All other users get some default permission set to manage their own resources, read/write/share (within the site) shared resources, read only on resources shared with the organisation. The same app can be used by multiple organisations, each with their own access rules. One thing worth noting is that when a user doesn't have permission to a field, the entire request does not fail necessarily, we return null if the field is optional and only if it's required does the whole request fail (optional/required in the GraphQL sense where required fields must be non-null). I've been playing around with the clients auth and admin clients but frankly I'm a little lost trying to figure out how to get this setup working. It's worth noting that none of the apps so far are secure clients, they're angular/react based web apps. Our service needs to verify the user making the request and do authorisation checks on the data being queried/mutated Can anyone provide some guidance as to how I go about achieving this with Keycloak, which components I might use to achieve what and just a high level description of how I might hang the pieces together. I think one thing that is very unclear to me right now is what work the adapters do exactly, it's unclear how they perform checks, unclear what exactly it uses tokens for locally vs what and when it queries Keycloak again for. I'm still going through the sources but it's still unclear for me. Thanks in advance. 
From ryans at jlab.org Wed Aug 8 16:34:43 2018 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 8 Aug 2018 16:34:43 -0400 (EDT) Subject: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost Message-ID: <795410598.16664915.1533760483853.JavaMail.zimbra@jlab.org>

Hi Keycloak Users, I'm attempting to set up a Wildfly application as a client to Keycloak and an issue I'm seeing is that if I navigate my web browser to a protected resource I am redirected to Keycloak as expected, but the return URL (redirect_uri parameter) is to localhost, not back to my actual hostname, say "myserver.example.com". This breaks the process with the Keycloak error "Invalid parameter: redirect_uri". How do I configure the Wildfly client adapter to generate a redirect_uri to my actual hostname instead of to localhost? When I browse my Wildfly application on unprotected pages I'm using the actual hostname already. In Wildfly standalone.xml I've set inet-address for public to 0.0.0.0 to replace 127.0.0.1. I've also updated the host element default-host alias to match myserver.example.com to replace "localhost". Neither of those changes made a difference. Thanks, Ryan

From dt at acutus.pro Wed Aug 8 17:53:06 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 09 Aug 2018 00:53:06 +0300 Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly In-Reply-To: <1533745353.10533.1.camel@acutus.pro> References: <1533735331.2269.12.camel@acutus.pro> <1533736567.2269.14.camel@acutus.pro> <1533745353.10533.1.camel@acutus.pro> Message-ID: <1533765186.2054.2.camel@acutus.pro>

Oh, I think I've misled you. No, I mean all of the above should work, but there's a much simpler variant - you can write a servlet filter to manipulate the security context, including roles.
See this thread (from 2010, but still topical): https://coderanch.com/t/466744/java/Set-user-principal-filter In this example the author manipulates user principal, you'll need to do the same with roles. Good luck! Dmitry

On Wed, 2018-08-08 at 19:22 +0300, Dmitry Telegin wrote:
> So, is this correct that:
> - your customer has the "foo" role configured in their Keycloak;
> - authors of the app expect that the user have the "bar" role;
> - neither your customer wants to create "bar" in Keycloak, nor programmers want to change their code to use "foo", and you're caught in the crossfire?
>
> Off the top of my head, there can be two solutions:
> 1) modify SAML adapter code and implement role mapping there - shouldn't be too tricky, but from now on you'll have to use modified adapter and update it with every Keycloak release (or maybe commit it to upstream, but I'm not sure it will be accepted);
> 2) deploy intermediary Keycloak, configure brokering between it and customer's one and use the role mapper trick. This could be made transparent for end-users, however will add a couple of redirects to the flow. And of course this will mean that you'll have to maintain yet another piece of software.
>
> Good luck!
> Dmitry

From dt at acutus.pro Wed Aug 8 19:23:54 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 09 Aug 2018 02:23:54 +0300 Subject: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost In-Reply-To: <795410598.16664915.1533760483853.JavaMail.zimbra@jlab.org> References: <795410598.16664915.1533760483853.JavaMail.zimbra@jlab.org> Message-ID: <1533770634.2054.4.camel@acutus.pro>

Hi Ryan, Is your Wildfly (not Keycloak) behind a reverse proxy? Cheers, Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro

On Wed, 2018-08-08 at 16:34 -0400, Ryan Slominski wrote:
> Hi Keycloak Users,
> I'm attempting to set up a Wildfly application as a client to Keycloak and an issue I'm seeing is that if I navigate my web browser to a protected resource I am redirected to Keycloak as expected, but the return URL (redirect_uri parameter) is to localhost, not back to my actual hostname, say "myserver.example.com". This breaks the process with the Keycloak error "Invalid parameter: redirect_uri". How do I configure the Wildfly client adapter to generate a redirect_uri to my actual hostname instead of to localhost? When I browse my Wildfly application on unprotected pages I'm using the actual hostname already. In Wildfly standalone.xml I've set inet-address for public to 0.0.0.0 to replace 127.0.0.1. I've also updated the host element default-host alias to match myserver.example.com to replace "localhost". Neither of those changes made a difference.
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Thu Aug 9 00:21:07 2018 From: testoauth55 at gmail.com (keycloak demo) Date: Thu, 9 Aug 2018 09:51:07 +0530 Subject: [keycloak-user] Browser not maintaining session for keycloak users In-Reply-To: References: <1532997860.5207.8.camel@acutus.pro> Message-ID:

Another update: Though the login form appears every time, if I log in with a different user the second time, i.e. launch client app -> login with user1 -> relaunch client app (browser shows login form instead of already logged in message) -> now login with user2, I get the following message: "We're sorry...You are already authenticated as different user 'user1' in this session. Please logout first."
If it's able to know another user is logged in, then why the login form is appearing? On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote: > An update on my findings: When I checked developer console: I am getting > KC_RESTART cookie in cookies section. > > On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote: > >> Yes sir, >> I followed the doc https://www.keycloak.org/docs/ >> latest/securing_apps/index.html#_installed_adapter. And am seeing the >> same behavior on chrome and firefox. >> >> Also regarding the manual mode, I see the same behavior i.e I have to >> re-login for each re-run of the client app. >> >> But if I do this: >> >> System.out.println("Login through manual mode"); >> keycloak.loginManual(); >> System.out.println("Login through browser"); >> keycloak.loginDesktop(); >> >> i.e. if I call both modes in the same code or even same mode twice in the >> same code, then I don't have to re-login for second call (in the above >> example for loginDesktop). However when I re-run the application, I need to >> re-login. This might be a stupid guess but could these sessions be "java >> object specific"? >> >> >> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin
wrote: >> >>> Hi, >>> >>> Did you do everything in accordance with the docs? >>> https://www.keycloak.org/docs/latest/securing_apps/index.htm >>> l#_installed_adapter >>> >>> Do you experience this in "manual" mode too? >>> >>> Cheers, >>> Dmitry Telegin >>> CTO, Acutus s.r.o. >>> Keycloak Consulting and Training >>> >>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >>> +42 (022) 888-30-71 >>> E-mail: info at acutus.pro >>> >>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote: >>> > I am using openid-connect for authenticating users. After successful >>> > authentication, browser windows says: >>> > "Login Successful >>> > >>> > You may close this browser window and go back to your console >>> application." >>> > >>> > However, even without closing the window if I relaunch my application >>> > (using keycloak.loginDesktop();) even within 10 seconds, still the >>> login >>> > page appears instead of : you are already logged in. >>> > >>> > Browser: Firefox. >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From rackymuthu at yandex.com Thu Aug 9 02:11:53 2018 From: rackymuthu at yandex.com (Rackymuthu) Date: Thu, 09 Aug 2018 11:41:53 +0530 Subject: [keycloak-user] Keycloak domain cluster login page redirect to again login page, but works with single node(master or slave) Message-ID: <3485501533795113@sas1-640e2cc17194.qloud-c.yandex.net> From Linda.Sauder at amdocs.com Thu Aug 9 03:08:58 2018 From: Linda.Sauder at amdocs.com (Linda Sauder) Date: Thu, 9 Aug 2018 07:08:58 +0000 Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly In-Reply-To: <1533765186.2054.2.camel@acutus.pro> References: <1533735331.2269.12.camel@acutus.pro> <1533736567.2269.14.camel@acutus.pro> <1533745353.10533.1.camel@acutus.pro> <1533765186.2054.2.camel@acutus.pro> 
Message-ID:

That sounds promising. I will give it a try. Thank you.

-----Original Message-----
From: Dmitry Telegin
Sent: Wednesday, August 08, 2018 11:53 PM
To: Linda Sauder ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Oh, I think I've misled you. No, I mean all of the above should work, but there's a much simpler variant - you can write a servlet filter to manipulate the security context, including roles. See this thread (from 2010, but still topical):

https://coderanch.com/t/466744/java/Set-user-principal-filter

In this example the author manipulates the user principal; you'll need to do the same with roles.

Good luck!
Dmitry

On Wed, 2018-08-08 at 19:22 +0300, Dmitry Telegin wrote:
> So, is this correct that:
> - your customer has the "foo" role configured in their Keycloak;
> - authors of the app expect that the user has the "bar" role;
> - neither your customer wants to create "bar" in Keycloak, nor programmers want to change their code to use "foo", and you're caught in the crossfire?
>
> Off the top of my head, there can be two solutions:
> 1) modify SAML adapter code and implement role mapping there - shouldn't be too tricky, but from now on you'll have to use the modified adapter and update it with every Keycloak release (or maybe commit it to upstream, but I'm not sure it will be accepted);
> 2) deploy an intermediary Keycloak, configure brokering between it and the customer's one and use the role mapper trick. This could be made transparent for end-users, however it will add a couple of redirects to the flow. And of course this will mean that you'll have to maintain yet another piece of software.
>
> Good luck!
> Dmitry
>
> On Wed, 2018-08-08 at 14:31 +0000, Linda Sauder wrote:
> > Hi Dmitry,
> >
> > Yes. That is correct.
> >
> > ---
> > Linda
> >
> > -----Original Message-----
> > From: Dmitry Telegin
> > Sent: Wednesday, August 08, 2018 3:56 PM
> > To: Linda Sauder ; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> >
> > I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had an external IdP configured there.
> >
> > So is it correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app?
> >
> > Dmitry
> >
> > On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote:
> > > Hi Dimitri,
> > >
> > > Thanks for your response.
> > >
> > > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server.
> > >
> > > But I also thought about it. Not an option unfortunately.
> > >
> > > --
> > > Cheers
> > > Linda
> > >
> > > -----Original Message-----
> > > From: Dmitry Telegin
> > > Sent: Wednesday, August 08, 2018 3:36 PM
> > > To: Linda Sauder ; keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> > >
> > > Hello Linda,
> > >
> > > Seems like you need to configure the SAML Attribute to Role mapper for your IdP.
> > >
> > > Go to IdP config -> Mappers tab and create a SAML Attribute to Role mapper.
> > >
> > > You will need to know how exactly your IdP supplies role information. Normally, there should be an attribute inside the SAML assertion that comes with the SAML response; the fastest way is to inspect the SAML payload via F12 -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it.
> > >
> > > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper.
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> > > > Hello.
> > > >
> > > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly.
> > > >
> > > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
> > > >
> > > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this:
> > > >
> > > > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> > > >          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> > > >          version="2.5">
> > > >     <display-name>Application Container</display-name>
> > > >     <welcome-file-list>
> > > >         <welcome-file>ApplicationContainer.html</welcome-file>
> > > >     </welcome-file-list>
> > > >
> > > >     <login-config>
> > > >         <auth-method>KEYCLOAK-SAML</auth-method>
> > > >         <realm-name>keycloak</realm-name>
> > > >     </login-config>
> > > >
> > > >     <security-constraint>
> > > >         <display-name>Application Container Constraint</display-name>
> > > >         <web-resource-collection>
> > > >             <web-resource-name>All Resources</web-resource-name>
> > > >             <url-pattern>/*</url-pattern>
> > > >             <http-method>POST</http-method>
> > > >             <http-method>GET</http-method>
> > > >         </web-resource-collection>
> > > >         <auth-constraint>
> > > >             <role-name>hallo</role-name>
> > > >         </auth-constraint>
> > > >     </security-constraint>
> > > > </web-app>
> > > >
> > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
> > > >
> > > > Which brings me to the part where I thought I could use some login-module configuration from the standalone configuration. I tried to configure this one in a file named jboss-web.xml.
> > > >
> > > > How am I going to achieve being able to locally handle the role mapping?
> > > >
> > > > Thanks in advance.
> > > > --
> > > > Linda
> > > > "Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access".

From mposolda at redhat.com Thu Aug 9 03:27:37 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Aug 2018 09:27:37 +0200
Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache
In-Reply-To:
References:
Message-ID: <346b6795-ed86-287b-7ed5-cc7668044b35@redhat.com>

Hi,

I didn't check everything, but one thing I noted is that in your keycloak-standalone-ha.xml you don't have "alternative" providers configured. For Keycloak to work with the Infinispan 9.2.X server or newer, it was needed to configure providers like this:
https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681 .
There is also a need to add the userStorage to your realm, which can be done through the admin console or by importing the realm. See:
https://github.com/rhdemo/rh-sso/blob/master/realm-summit.json#L1051

Marek

On 08/08/18 15:07, Sebastian Laskawiec wrote:
> On Tue, Aug 7, 2018 at 3:28 PM Hayden Fuss wrote:
>
>> Hello,
>>
>> We are attempting to run Keycloak on two OpenShift clusters using remote ISPNs and a single MariaDB instance. We're hacking together the Keycloak on Openshift blogpost, the JDG-as-a-service demo from Summit, RH SSO demo from Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC replication. The hope is to do an initial evaluation of Keycloak's availability.
>>
>> We were able to create a new user on master (site1), disable the user on master2 (site2), and see the user was disabled on master. So ISPN replication seems to be working because the work cache was replicated to invalidate the local caches. However, the sessions cache does not seem to be replicated because when logged in as the same user on the two different Keycloaks (in Incognito mode) there is only one active session shown on both UIs and the timestamp/IP/etc is different for the listed session.
>>
> So at this point the Infinispan cluster within a single DC works correctly [1] (the one that is formed by KUBE_PING). The Cross-DC cluster (also known as the Global Cluster) also works correctly [2]. The users cache replicates fine but sessions don't.
>
> If I understood everything correctly, there might be two issues there.
>
> The first one is Infinispan misconfiguration (I briefly looked through the configuration and can not spot any mistake but there might be some typo or anything like that). That one is easy to verify: just put an entry on one node (e.g. using REST [3]) and see if it's available on the other one (again, using REST for example [4]).
>
> If this test works fine, you can check if Keycloak forwards traffic to the Infinispan cluster. The easiest way is to set a breakpoint somewhere in org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveClientSessionToRemoteCache and org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveUserSessionToRemoteCache.
>
> [1] can be verified by calling `oc logs infinispan-app | grep view`
> [2] can be verified by calling `oc logs infinispan-app | grep "x-site"`
> [3] curl -d test ISPN_IP:8080/rest/sessions/test
> [4] curl ISPN_IP2:8080/rest/sessions/test
>
>
>> We are using the latest, stable Keycloak image, version 4.1.0.Final, and the latest, stable Infinispan image to act as our data grid, version 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for its local caches.
>>
>> We were trying one Keycloak node and two ISPN nodes in each cluster, but for simplicity we've attached logs where we only ran one Keycloak and one ISPN in each cluster.
>> We were connecting to the two different Keycloaks via two different OpenShift Routes without a load balancer to fake sticky sessions for now. Keycloak connects to ISPN via a "HotRod" Service. ISPN connects to other nodes within the same cluster via KUBE_PING, and discovers the other cluster via TCPPING hitting a particular OpenShift app node from that cluster that exposes the "discovery" Service with a NodePort. The Keycloaks share the single MariaDB through a NodePort Service in one of the clusters as well.
>>
>> The logs didn't seem to contain any of the messages in the troubleshooting guide. We had trouble using JMX to check the ISPNs because they were running in containers, but we've been using the CLI tool and the Infinispan management console to try to troubleshoot; any key we pulled from the logs that we thought was a session ID was not in the caches and we could not find a way to simply list all keys in the caches.
>>
>> Below is a viewable link to a zip containing logs from the scenario described in the second paragraph, and our config files.
>>
>> https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4
>>
>> Thanks for your time and help!
>>
>> Best,
>> Hayden

From mposolda at redhat.com Thu Aug 9 03:37:49 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Aug 2018 09:37:49 +0200
Subject: [keycloak-user] GSS delegation credential mapper
In-Reply-To: <6D320D40264A8545A9C25EC79DE1E32501ECD19D8A@CERNXCHG43.cern.ch>
References: <6D320D40264A8545A9C25EC79DE1E32501ECD19D8A@CERNXCHG43.cern.ch>
Message-ID:

On 08/08/18 13:33, Paolo Tedesco wrote:
> Hi,
>
> I'm trying to configure the GSS credential mapper for an application.
> I've configured SPNEGO authentication on the server, and this is working.
> Then I've created an application (confidential client) and added a gss delegation credential mapper to the application, but I don't seem to get a claim with the GSS credentials in the token after I authenticate. If I understood correctly, I should see a claim in the access token named "gss_delegation_credential".
>
> Is there anything else I need to configure, like some additional mappers?

I think nothing else is needed on the Keycloak side.
For Kerberos, there is a need to configure the tickets as "forwardable" in the Kerberos client configuration (usually in /etc/krb5.conf). There might also be a need to configure the browser (for example in FF it is "network.negotiate-auth.delegation-uris").

A good way to detect whether the delegation is missing at the SPNEGO flow side or at the Keycloak side is to enable DEBUG logging at least for the category org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator. After successful login, you should see some message (see sources here):

    String message = new StringBuilder("SPNEGO Security context accepted with token: " + responseToken)
            .append(", established: ").append(gssContext.isEstablished())
            .append(", credDelegState: ").append(gssContext.getCredDelegState())
            .append(", mutualAuthState: ").append(gssContext.getMutualAuthState())
            .append(", lifetime: ").append(gssContext.getLifetime())
            .append(", confState: ").append(gssContext.getConfState())
            .append(", integState: ").append(gssContext.getIntegState())
            .append(", srcName: ").append(gssContext.getSrcName())
            .append(", targName: ").append(gssContext.getTargName())
            .toString();
    log.debug(message);

If you see the credDelegState is null, you know that you need to figure it out at the Kerberos/SPNEGO flow level. Otherwise at the Keycloak level.

For inspiration, you can take a look at the "kerberos" example from the Keycloak-examples distribution, which is showing delegation.

Marek

> Also, is it possible to get this gss_delegation_credential token only authenticating with SPNEGO, or would it be possible to get it also with other authentication mechanisms (e.g. x509 certificate, username and password)?
>
> Thanks,
> Paolo Tedesco

From mposolda at redhat.com Thu Aug 9 03:43:37 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Aug 2018 09:43:37 +0200
Subject: [keycloak-user] Is keycloak the tool I'm looking for? selective AD user sync
In-Reply-To: <657eb7e1fac830434db3594c5d69205ab472057c.camel@gmail.com>
References: <91e80618fc3dc0c8f5965a29a64b8d012680d912.camel@gmail.com> <1533647308.8451.4.camel@acutus.pro> <657eb7e1fac830434db3594c5d69205ab472057c.camel@gmail.com>
Message-ID:

On 08/08/18 12:58, jlord87 at gmail.com wrote:
> Too bad, I would have probably needed the opposite, some kind of "user propagation". Would it make any sense to create a realm for each AD and configure as Identity provider another "master" realm - acting as centralized user repository - in which I would create a client template for every AD?
>>> But what we love about Keycloak is its ultimate extensibility, so I wouldn't rule out the possibility of implementing this with the help of an extension.

Not sure I understand the whole context. Just a note that if you have a Keycloak realm configured with multiple different MSAD servers as LDAP providers, you can then configure one of the MSAD servers with the flag "Sync registrations" ON. Then if you create a new user in Keycloak, it will be propagated to this MSAD, which you configured with the "Sync registrations" flag ON.
Marek

From mposolda at redhat.com Thu Aug 9 03:51:26 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Aug 2018 09:51:26 +0200
Subject: [keycloak-user] Federating LDAP server to Keycloak crashed with Out Of Memory error
In-Reply-To: <1990A56B-6B91-40FE-9740-ED608041F6E3@anaconda.com>
References: <1990A56B-6B91-40FE-9740-ED608041F6E3@anaconda.com>
Message-ID: <04d9f175-a7d9-460c-f922-9661b7b2bf40@redhat.com>

On 07/08/18 22:46, Chenyuan Zhang wrote:
> Hi there,
>
> We were trying to add an LDAP user federation provider with around 5000 users. But the process crashed with an out of memory error:
>
> 2018-06-02 06:54:35.900 UTC INFO Sync changed users finished: 393 imported users, 4532 updated users, 8 users failed sync! See server log for more details (Timer-2) [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Brute Force Protector"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-74"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-330"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Periodic Recovery"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-332"
>
> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "default task-324"
> 2018-06-05 07:08:55.594 UTC ERROR java.lang.OutOfMemoryError: Java heap space (default task-333) [stderr]
>
> Here're the options we used:
>
> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Duser.timezone=UTC
>
> From what I read, it seems like Keycloak imports users from LDAP to our production database through a periodic background task.
>
> But I'm not sure what happened at the memory level that caused the OutOfMemory error. Does keycloak cache all data in memory during the sync process? Is there any configuration I can set to avoid this error? Is there a user number limit given our JAVA Options?

We didn't yet try to test LDAP sync with 5000 users. But it looks like the count is not so big, so it's quite strange that there is an OOM for this setup. A few tips:

- If you use periodic syncs, you can maybe try to disable periodic sync temporarily and check if it helps? Or increase the interval of the sync? (For example 1 per day instead of 1 per hour etc)
- Increase memory options and see if it helps
- Disable the user cache and see if it helps (or configure user cache eviction with a lower count of users allowed). See the docs for how to do it.

Marek

>
> Any suggestion would be appreciated.
>
> Thanks a lot,
> Chenyuan

From mposolda at redhat.com Thu Aug 9 03:57:33 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Aug 2018 09:57:33 +0200
Subject: [keycloak-user] LDAP Authentication - Extended Errors
In-Reply-To:
References:
Message-ID:

On 07/08/18 22:47, Mark Hunt wrote:
> Hi,
>
> I have been doing some development with Keycloak and specifically OpenID Connect, Password Grant and an LDAP user federation with Active Directory. Overall everything is working great but I am a little surprised that on a token refresh I get told that the user account is disabled but on a login I do not. The exception to this would be if I try to login with a disabled account after a user federation sync has occurred.
>
> Is this a configuration issue or do you need to implement LDAP diagnostic messages for login?

Not sure I understand. If you go to the admin console, are you seeing the user as enabled or disabled here? Is the user enabled or disabled in MSAD?
One thing to note is that if you disabled the user directly in MSAD after it was already synced to Keycloak, the user may be cached in Keycloak. So there may be some time needed until the latest information about the enabled/disabled state is propagated from MSAD to the Keycloak side. You can try to clear the cache to check if that's the case. For the long term, you can tweak the caching policy configuration of the LDAP provider.

Marek

>
> Thanks for developing a fantastic product!!
>
> Regards
>
> Mark

From mposolda at redhat.com Thu Aug 9 04:06:37 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Aug 2018 10:06:37 +0200
Subject: [keycloak-user] Extend user account console
In-Reply-To:
References:
Message-ID:

You can either override the themes (see docs and examples for more details). If needed, you can try to add custom REST endpoints and/or override the default AccountProvider implementation based on Freemarker.

For the future, we plan to add an account console based on REST, which will allow better extensibility.

Marek

On 01/08/18 11:03, Daicy Duarte wrote:
> Hi!
>
> What is the best way to extend the account console?
> We need to add a new page where the user can manage other credentials, for example U2F.
>
> Is it possible? What do you recommend?
>
> Thanks in advance
>
>
> Daicy

From akullpp at googlemail.com Thu Aug 9 04:36:41 2018
From: akullpp at googlemail.com (Andreas Kull)
Date: Thu, 9 Aug 2018 10:36:41 +0200
Subject: [keycloak-user] Block login attempt from specific role
Message-ID:

I have one realm which contains two clients A1, A2 and two roles R1, R2.
R1 can access A1 and A2
R2 should only be able to access A2

Is there a way to disallow the login of R2 in A1 directly on the Keycloak login page?

From mposolda at redhat.com Thu Aug 9 04:46:01 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 9 Aug 2018 10:46:01 +0200
Subject: [keycloak-user] Block login attempt from specific role
In-Reply-To:
References:
Message-ID: <1b3b1cd4-7b12-ba20-9a75-92eca9bd9830@redhat.com>

It's not allowed OOTB. Maybe it is possible with the Script authenticator, but not 100% sure.

But TBH I wouldn't use an approach like that to reject it even at the login side, as role mappings are typically not about authentication, but about authorization. So the more correct approach is to let the authentication finish and then, once the user is redirected back to the application, let the error be displayed there (some page with the "Forbidden" message and 403 error). The user will then be authenticated, so in case he accesses R1, he will be authenticated automatically due to SSO and won't need to reauthenticate.

Marek
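Dmitry's servlet-filter suggestion in the Linda Sauder thread above (translate the customer's "foo" into the "bar" that the application code checks) and Marek's advice here (let authentication finish and answer with 403 inside the application) can both be done from one filter. The following is an example added to this page, not code from Keycloak, Acutus, Amdocs or any poster; the role names, the "/*" filter mapping and the assumption that the Keycloak adapter (SAML or OIDC) has already authenticated the request before the filter runs are mine:

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not part of the Keycloak adapters). The container's
 * login-config runs before any filter, so by the time doFilter() is called the
 * Keycloak adapter has authenticated the user and getUserPrincipal() /
 * isUserInRole() already reflect the roles the IdP asserted.
 *
 * 1. Translates IdP role names into the names the application code checks.
 * 2. Answers an authenticated user who lacks the role this client requires
 *    with a plain 403 instead of sending them back to the login page.
 */
@WebFilter(urlPatterns = "/*")
public class RoleMappingFilter implements Filter {

    /** IdP role name -> local role name. The pairs are hypothetical. */
    private static final Map<String, String> IDP_TO_LOCAL = new HashMap<>();
    static {
        IDP_TO_LOCAL.put("foo", "bar");        // customer's "foo" satisfies the app's "bar"
        IDP_TO_LOCAL.put("R1", "a1-access");   // only R1 may use this client (A1)
    }

    /** Local role every request to this deployment needs; hypothetical name. */
    private static final String REQUIRED_LOCAL_ROLE = "a1-access";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletRequest mapped = new MappedRolesRequest(http, IDP_TO_LOCAL);

        // Fail closed: an authenticated user without the required role gets 403.
        // Unauthenticated requests are left to the container's security constraints.
        if (http.getUserPrincipal() != null && !mapped.isUserInRole(REQUIRED_LOCAL_ROLE)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(mapped, res);
    }

    /** Request wrapper whose isUserInRole() also accepts the mapped IdP names. */
    static final class MappedRolesRequest extends HttpServletRequestWrapper {
        /** local role -> IdP roles that grant it (inverse of the configured map). */
        private final Map<String, Set<String>> localToIdp = new HashMap<>();

        MappedRolesRequest(HttpServletRequest request, Map<String, String> idpToLocal) {
            super(request);
            for (Map.Entry<String, String> e : idpToLocal.entrySet()) {
                localToIdp.computeIfAbsent(e.getValue(), k -> new HashSet<>()).add(e.getKey());
            }
        }

        @Override
        public boolean isUserInRole(String role) {
            if (super.isUserInRole(role)) {
                return true;                    // role present under its own name
            }
            for (String idpRole : localToIdp.getOrDefault(role, Collections.emptySet())) {
                if (super.isUserInRole(idpRole)) {
                    return true;                // granted through a mapped IdP role
                }
            }
            return false;
        }
    }
}
```

The container evaluates the auth-constraint in web.xml before any filter sees the request, so that constraint should only require an authenticated user (or a role the IdP really sends, such as "foo"); the application's own request.isUserInRole("bar") calls then go through the wrapper and get the mapped answer. The filter only renames: it never adds a role the IdP did not assert, so a user without "foo" still fails the "bar" check, and a user who holds "R2" but not "R1" receives 403 from this client rather than a second login prompt.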
From testoauth55 at gmail.com Thu Aug 9 04:56:32 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Thu, 9 Aug 2018 14:26:32 +0530
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
Message-ID:

With all the configuration (shared below), when I test using the evaluate option under the authorization tab, the result is permit:

But when I make a request to this resource through postman, I get 403.

Which part of the configuration is wrong which is leading to the 403 error?

CONFIGURATION:

Detailed configuration with images shown here:
https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api

1. Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a realm role: role_special_user and created a user: user_special with this role and role user.

2. Next, my resource server / client is with full scope enabled:

3. Under the authorization tab, I created a resource with the role based policy.
4. Now, keycloak.json is:

    {
      "realm": "demo12",
      "auth-server-url": "http://localhost:8180/auth",
      "ssl-required": "none",
      "resource": "server12",
      "credentials": {
        "secret": "XXXXXXX"
      },
      "confidential-port": 0,
      "policy-enforcer": {}
    }

5. And the Keycloak Jetty adapter configuration is:

    import java.io.InputStream;
    import com.fasterxml.jackson.annotation.JsonInclude;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import org.eclipse.jetty.security.ConstraintMapping;
    import org.eclipse.jetty.security.ConstraintSecurityHandler;
    import org.eclipse.jetty.util.security.Constraint;
    import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
    import org.keycloak.representations.adapters.config.AdapterConfig;
    import org.keycloak.util.SystemPropertiesJsonParserFactory;

    // Load keycloak.json from the classpath and parse it into the adapter configuration
    final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
    InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
    ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
    mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
    AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);

    if (keyCloakConfig != null) {
        // Hand the parsed configuration to the Jetty authenticator
        KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
        kcAuthenticator.setAdapterConfig(keyCloakConfig);

        // Require an authenticated user ("**" = any authenticated user) for every path
        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        ConstraintMapping constraintMapping = new ConstraintMapping();
        constraintMapping.setPathSpec("/*");
        Constraint constraint = new Constraint();
        constraint.setAuthenticate(true);
        constraint.setRoles(new String[]{"**"});
        constraintMapping.setConstraint(constraint);
        securityHandler.addConstraintMapping(constraintMapping);
        securityHandler.setAuthenticator(kcAuthenticator);
        context.setSecurityHandler(securityHandler);   // context: the application's ServletContextHandler
    }

6. Also, the decoded jwt token sample is:

    {
      "jti": "XXXXXXX",
      "exp": 1533798704,
      "nbf": 0,
      "iat": 1533798404,
      "iss": "http://localhost:8180/auth/realms/demo12",
      "aud": "server12",
      "sub": "XXXXXXX",
      "typ": "Bearer",
      "azp": "server12",
      "auth_time": 1533798404,
      "session_state": "XXXXXX",
      "acr": "1",
      "allowed-origins": [],
      "realm_access": {
        "roles": [
          "role_special_user",
          "offline_access",
          "uma_authorization",
          "user"
        ]
      },
      "resource_access": {
        "server12": {
          "roles": [
            "uma_protection"
          ]
        },
        "account": {
          "roles": [
            "manage-account",
            "manage-account-links",
            "view-profile"
          ]
        }
      },
      "scope": "openid email profile",
      "email_verified": false,
      "preferred_username": "user_special"
    }

From imperimus_2k at hotmail.com Thu Aug 9 07:53:21 2018
From: imperimus_2k at hotmail.com (Mark Hunt)
Date: Thu, 9 Aug 2018 11:53:21 +0000
Subject: [keycloak-user] LDAP Authentication - Extended Errors
In-Reply-To:
References:
Message-ID:

Hi,

So the situation is when the user is Enabled in the cache but disabled in MSAD. When you attempt a login with a Password Grant it returns Invalid Credentials. I would expect this to return Account Disabled. Extended LDAP diagnostic messages should provide this information, certainly against MSAD anyway.

This is also different behaviour to when you use the refresh token grant. If the user is Enabled in the cache but disabled in AD the token request returns Account Disabled. This is the expected behaviour.

The cache would naturally update and you get the right message at login (password grant), but only once the sync has occurred. We want to try and avoid resyncing too often, but still get the correct error messages.

Regards

Mark

Sent from Mail for Windows 10

From ryans at jlab.org Thu Aug 9 08:06:08 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Thu, 9 Aug 2018 08:06:08 -0400 (EDT)
Subject: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost
In-Reply-To: <1739637641.16756164.1533816345181.JavaMail.zimbra@jlab.org>
References: <795410598.16664915.1533760483853.JavaMail.zimbra@jlab.org> <1533770634.2054.4.camel@acutus.pro>
Message-ID: <447811211.16756241.1533816368472.JavaMail.zimbra@jlab.org>

Hi Dmitry,

Yes, that seems to be it. I am using an Apache reverse proxy to get my Wildfly application on port 8080 accessible over port 443. My proxy rule was using localhost instead of myserver.example.com and after replacing localhost with the actual hostname it now seems to be working.

I say seems to be working because I now get past the localhost redirect issue, but it doesn't seem like the servlet container acknowledges I'm logged in. I am redirected back to the application with a parameter session_state=. However, the EL expression on the return page: "${pageContext.request.userPrincipal eq null}" is showing true - suggesting that the Wildfly servlet container doesn't know I'm logged in. Does the Wildfly client adapter not integrate with container managed security?

Thanks,

Ryan

----- Original Message -----
From: "Dmitry Telegin"
To: "Ryan Slominski" , "keycloak-user"
Sent: Wednesday, August 8, 2018 7:23:54 PM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost

Hi Ryan,

Is your Wildfly (not Keycloak) behind a reverse proxy?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-08-08 at 16:34 -0400, Ryan Slominski wrote:
> Hi Keycloak Users,
> I'm attempting to set up a Wildfly application as a client to Keycloak and an issue I'm seeing is that if I navigate my web browser to a protected resource I am redirected to Keycloak as expected, but the return URL (redirect_uri parameter) is to localhost, not back to my actual hostname, say "myserver.example.com". This breaks the process with the Keycloak error "Invalid parameter: redirect_uri". How do I configure the Wildfly client adapter to generate a redirect_uri to my actual hostname instead of to localhost? When I browse my Wildfly application on unprotected pages I'm using the actual hostname already. In Wildfly standalone.xml I've set inet-address for public to 0.0.0.0 to replace 127.0.0.1. I've also updated the host element default-host alias to match myserver.example.com to replace "localhost". Neither of those changes made a difference.
> > Thanks, > > Ryan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=dy3zK_QykozR2oKV0NPiTYV0jPbZPr3oec2q3J-4sv8&s=5Oidky1NOrNuaeKqfLmmti9wN1UU1-XUGq3S605jLmU&e= From psilva at redhat.com Thu Aug 9 08:31:02 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 9 Aug 2018 09:31:02 -0300 Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit In-Reply-To: References: Message-ID: Hi, Your configuration looks correct. But I noticed that in the postman request you are sending requests to ` http://localhost:7200/{app}/keycloak/secure/role`. However in your resource definition the URI is configured to `/secure/role`. Both URIs should match otherwise the adapter won't be able to map the URI in your application to a resource in Keycloak (and related permissions). Regards. Pedro Igor On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo wrote: > With all the configuration(shared below), when I test using the evaluate > option under authorization tab, result is permit: > > *But when I make a request to this resource through postman, I get 403.* > > *Which part of configuration is wrong which is leading to 403 error?* > > CONFIGURATION: > > > *Detailed configuration with images shown here:* > > *https://stackoverflow.com/questions/51761779/keycloak- > 403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api > 403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api>* > > *1.* Following the > https://www.keycloak.org/docs/4.2/authorization_services/ , I created a > realm role : *role_special_user* and created a user : *user_special* with > this role and role *user*. 
>
> 2. Next, my resource server / client is with full scope enabled:
> 3. Under authorization tab, I created a resource with the role based policy.
>
> 4. Now, keycloak json is:
>
> {
>   "realm": "demo12",
>   "auth-server-url": "http://localhost:8180/auth",
>   "ssl-required": "none",
>   "resource": "server12",
>   "credentials": {
>     "secret": "XXXXXXX"
>   },
>   "confidential-port": 0,
>   "policy-enforcer": {}
> }
>
> 5. And Keycloak Jetty adapter configuration is:
>
> import java.io.InputStream;
> import com.fasterxml.jackson.annotation.JsonInclude;
> import com.fasterxml.jackson.databind.ObjectMapper;
> import org.eclipse.jetty.security.ConstraintMapping;
> import org.eclipse.jetty.security.ConstraintSecurityHandler;
> import org.eclipse.jetty.util.security.Constraint;
> import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
> import org.keycloak.representations.adapters.config.AdapterConfig;
> import org.keycloak.util.SystemPropertiesJsonParserFactory;
>
> // Load keycloak.json from the classpath and parse it into the adapter config.
> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>
> // Hand the parsed config to the Jetty authenticator. (The original line was garbled in
> // the mail; the constructor plus setAdapterConfig(...) is the assumed reconstruction.)
> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>
> // Require an authenticated user ("**" = any role) for every path in the context.
> ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
> ConstraintMapping constraintMapping = new ConstraintMapping();
> constraintMapping.setPathSpec("/*");
> Constraint constraint = new Constraint();
> constraint.setAuthenticate(true);
> constraint.setRoles(new String[]{"**"});
> constraintMapping.setConstraint(constraint);
> securityHandler.addConstraintMapping(constraintMapping);
> securityHandler.setAuthenticator(kcAuthenticator);
> context.setSecurityHandler(securityHandler);
>
> 6. Also, the decoded jwt token sample is:
>
> {
>   "jti": "XXXXXXX",
>   "exp": 1533798704,
>   "nbf": 0,
>   "iat": 1533798404,
>   "iss": "http://localhost:8180/auth/realms/demo12",
>   "aud": "server12",
>   "sub": "XXXXXXX",
>   "typ": "Bearer",
>   "azp": "server12",
>   "auth_time": 1533798404,
>   "session_state": "XXXXXX",
>   "acr": "1",
>   "allowed-origins": [],
>   "realm_access": {
>     "roles": [
>       "role_special_user",
>       "offline_access",
>       "uma_authorization",
>       "user"
>     ]
>   },
>   "resource_access": {
>     "server12": {
>       "roles": [
>         "uma_protection"
>       ]
>     },
>     "account": {
>       "roles": [
>         "manage-account",
>         "manage-account-links",
>         "view-profile"
>       ]
>     }
>   },
>   "scope": "openid email profile",
>   "email_verified": false,
>   "preferred_username": "user_special"
> }
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From thesofiane at gmail.com Thu Aug 9 08:48:01 2018
From: thesofiane at gmail.com (So Be)
Date: Thu, 9 Aug 2018 14:48:01 +0200
Subject: [keycloak-user] Restrict access to client based on Group policy
Message-ID:

Hi,

is there an option to avoid access to a client after a successful login at the external idp?

I don't want to provide access to everyone.
I created a group and want that only those who are in this group can continue using the service.

Any support on this?

Thank you.

Sofiane.

From psilva at redhat.com Thu Aug 9 09:11:13 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 9 Aug 2018 10:11:13 -0300
Subject: [keycloak-user] Using Keycloak for per field authorisation
In-Reply-To:
References:
Message-ID:

On Wed, Aug 8, 2018 at 5:20 PM, Courtney Robinson wrote:
> Hello,
> I'm trying to work out what approach may be advisable for achieving per field authorisation with Keycloak.
>
> Until now we've used it for authentication only and are now expanding our integration to take advantage of its authorisation capabilities as well with a view to replace our existing solution entirely. This being due to a need in the near future for SAML and some other enterprise integration this has become a necessity.
>
> The situation is like this:
> Prior to adapting Keycloak we used our own solution based on Apache Shiro. We have a GraphQL API that services multiple organisations each with multiple apps.
>
> Each organisation has its own users and thus maps directly into separate realms in Keycloak.
> Each user in an organisation can have different permissions. Within an organisation you can have one or more groups (usually an office/site) and they sometimes have different access rights. I could elaborate more but I think this should give a good picture of the setup.
>
> So far so good, I can see how to map some of these things directly to Keycloak high level constructs. It falls apart for me with the API. We're using Spring Boot but I struggle to see how I'd achieve this setup using one of the adapters.
>

Did you have a chance to look at our app-authz-spring* quickstarts?

>
> Take this scenario:
> App 1 defines two types A{f1:Int, f2: String} and B{f3:Int, f4: String}
> Org 1, User 1 can read,write A.f1 and B.f3, they can only read B.f4 and cannot see or perform any other operation on A.f2 *normally* but in one case they have had a specific instance of A shared with them and given complete read/write/share/manage permission for that one instance and thus A.f2 is available to them in this one instance.
>

I'm a little confused about what type A and B are. You also mentioned you may have an "instance of A". Does that mean that types A and B represent generic resources which policies should be enforced on instances of A and B? Are these instances user-managed resources?

>
> All other users get some default permission set to manage their own resources, read/write/share (within the site) shared resources, read only on resources shared with the organisation.
> The same app can be used by multiple organisations, each with their own access rules.
> One thing worth noting is that when a user doesn't have permission to a field, the entire request does not fail necessarily, we return null if the field is optional and only if it's required does the whole request fail (optional/required in the GraphQL sense where required fields must be non-null).
>
> I've been playing around with the clients auth and admin clients but frankly I'm a little lost trying to figure out how to get this setup working.
>
> It's worth noting that none of the apps so far are secure clients, they're angular/react based web apps. Our service needs to verify the user making the request and do authorisation checks on the data being queried/mutated.
>
> Can anyone provide some guidance as to how I go about achieving this with Keycloak, which components I might use to achieve what and just a high level description of how I might hang the pieces together. I think one thing that is very unclear to me right now is what work the adapters do exactly, it's unclear how they perform checks, unclear what exactly it uses tokens for locally vs what and when it queries Keycloak again for. I'm still going through the sources but it's still unclear for me.
>

Regarding how the adapter (policy enforcer in particular) works: it verifies permissions locally in case the client is sending a bearer token with permissions, otherwise the adapter will query the server for permissions associated with the resource the client is trying to access (mapping is based on URIs).

>
> Thanks in advance.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Thu Aug 9 09:17:17 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 9 Aug 2018 10:17:17 -0300
Subject: [keycloak-user] Restrict access to client based on Group policy
In-Reply-To:
References:
Message-ID:

Hi,

Is your client a JEE application?

Regards.
Pedro Igor

On Thu, Aug 9, 2018 at 9:48 AM, So Be wrote:
> Hi,
>
> is there an option to avoid access to a client after a successful login at the external idp?
>
> I don't want to provide access to everyone.
> I created a group and want that only those who are in this group can continue using the service.
>
> Any support on this?
>
> Thank you.
>
> Sofiane.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From ryans at jlab.org Thu Aug 9 09:22:56 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Thu, 9 Aug 2018 09:22:56 -0400 (EDT)
Subject: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost
In-Reply-To: <2066610852.16773431.1533820924515.JavaMail.zimbra@jlab.org>
References: <795410598.16664915.1533760483853.JavaMail.zimbra@jlab.org> <1533770634.2054.4.camel@acutus.pro> <447811211.16756241.1533816368472.JavaMail.zimbra@jlab.org>
Message-ID: <48091179.16773633.1533820976404.JavaMail.zimbra@jlab.org>

Hi Dmitry,

I think what I am seeing now can be explained by this bug:

https://issues.jboss.org/browse/KEYCLOAK-2784

Historically my application would allow non-authenticated users to browse most pages, but if you login you see more content. Before converting to Keycloak I was using the Java Servlet container managed security programmatic login. Now I have an anchor (link) to Keycloak. It seems I might need to set up some tricks as it appears the Wildfly client adapter doesn't support this use-case of tracking authenticated users on programmatically-protected (non-container protected) pages.
Also, for completeness, I forgot to add in the last email that to get around the localhost proxy issue I actually had to add an Apache rule 'RequestHeader set X-Forwarded-Proto "https"' and also update Wildfly with the following commands on the CLI:

/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket,value=proxy-https)

I also had to configure a trust store in Wildfly (cacerts file) with my Keycloak server PKI certificate.

If I navigate to one of the few fully container protected pages the username (principal) does become recognized - although it is an unfriendly format: "f::"

Ryan

----- Original Message -----
From: "Ryan Slominski"
To: "Dmitry Telegin"
Cc: "keycloak-user"
Sent: Thursday, August 9, 2018 8:06:08 AM
Subject: Re: [keycloak-user] Wildfly Container Managed Security Constraint Redirect localhost

Hi Dmitry,

Yes, that seems to be it. I am using Apache reverse proxy to get my Wildfly application on port 8080 accessible over port 443. My proxy rule was using localhost instead of myserver.example.com and after replacing localhost with actual hostname now it seems to be working. I say seems to be working because I now get past the localhost redirect issue, but it doesn't seem like the servlet container acknowledges I'm logged in. I am redirected back to the application with a parameter session_state=. However, the EL expression on the return page: "${pageContext.request.userPrincipal eq null}" is showing true - suggesting that the Wildfly servlet container doesn't know I'm logged in. Does the Wildfly client adapter not integrate with container managed security?

Thanks,

Ryan

----- Original Message -----
From: "Dmitry Telegin"
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=5Qs7sCLKGN-bprt33UWpGSH3Rzuw0seVkMLl-7nbDk0&s=Jeyy03seiml3RrkcXpjYeENfdZW4IwRXoSRIG-SAO7U&e=

From ntle at castortech.com Thu Aug 9 11:37:14 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 9 Aug 2018 11:37:14 -0400
Subject: [keycloak-user] Admin client in OSGI env
Message-ID:

Hello,

I'm using the admin-client in my app running in an OSGI container to query permissions on keycloak server. However since admin-client uses resteasy which switches class loader to the current thread class loader before building proxy, some of the classes that resteasy needs may not be available at runtime. Is there any way I can work around this class loader issue caused by resteasy?

Thai

From max.bruchmann at hotmail.com Thu Aug 9 15:39:56 2018
From: max.bruchmann at hotmail.com (Max Bruchmann)
Date: Thu, 9 Aug 2018 19:39:56 +0000
Subject: [keycloak-user] attributes are not persisted
Message-ID:

Hi,

I have a custom EventListenerProvider that consumes Register and Login events. On register it creates some external resource:

... // on register
String externalID = createSomethingWithUserEmail(userModel.getEmail());
userModel.setSingleAttribute("foo", externalID);
...

On login I need to do some additional calls with the already created id.
... // on login
String externalID = userModel.getFirstAttribute("foo");
doSomeUpdate(externalID, userModel.getFirstName(), userModel.getLastName());
...

Unfortunately the retrieved id via getFirstAttribute seems to be null. Is there anything I need to do when modifying attributes so they are persisted?

Kind Regards,
Max

From omari at fabfitfun.com Thu Aug 9 17:25:08 2018
From: omari at fabfitfun.com (Omari Christian)
Date: Thu, 9 Aug 2018 14:25:08 -0700
Subject: [keycloak-user] Import User Passwords with User Storage SPI
Message-ID:

Hello everyone,

We're currently migrating to Keycloak. We're using the user storage SPI (https://www.keycloak.org/docs/latest/server_development/index.html#import-implementation-strategy) with the import strategy. Eventually, we will unlink all our users and no longer need the user storage SPI.

The problem is: 1) We really want our users to keep their same passwords and 2) we don't store passwords in plaintext. We store them as salted hashes, using a different algorithm than Keycloak. We verify the password by performing that 1-way hash on a user's supplied password, then comparing the result against the hash in the database. Reverse-hashing our users' passwords into plaintext and importing users through the REST API or JSON file is not a solution for us.

It seems there is no interface to store passwords in Keycloak's local storage after you have verified the user's password, although you can store other attributes locally. I thought there was a way to migrate users with passwords, partly because I read articles that promised you could (https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c) before we chose Keycloak. I now realize that article (and accompanying code) are out of date.

My next plan is to try some hacky code, or calling the REST API from the user storage SPI. I don't have a lot of hope those will work. I imagine this is a common issue. Is there any solution or workaround?
Thanks,
Omari

From joy at autonomic.ai Thu Aug 9 19:01:21 2018
From: joy at autonomic.ai (Joy Kent)
Date: Thu, 9 Aug 2018 16:01:21 -0700
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
In-Reply-To:
References:
Message-ID:

Hi Peter,

While debugging more on this issue, we noticed that there are other exceptions like this in the logs:

[keycloak-test-6df85dc969-nr6pt] 20:13:20,661 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 in state RUN
[keycloak-test-6df85dc969-nr6pt] 20:13:20,662 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 1) ARJUNA012095: Abort of action id 0:ffff646009a0:375a4efd:5b6b81d4:123b0 invoked while multiple threads active within it.
[keycloak-test-6df85dc969-nr6pt] 20:13:20,663 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 1) ARJUNA012381: Action id 0:ffff646009a0:375a4efd:5b6b81d4:123b0 completed with multiple threads - thread default task-34 was in progress with java.net.SocketInputStream.socketRead0(Native Method)
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1016/1612860281.call(Unknown Source) [keycloak-test-6df85dc969-nr6pt] org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) [keycloak-test-6df85dc969-nr6pt] org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1016/1612860281.call(Unknown Source) [keycloak-test-6df85dc969-nr6pt] org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) [keycloak-test-6df85dc969-nr6pt] org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1016/1612860281.call(Unknown Source) [keycloak-test-6df85dc969-nr6pt] org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) [keycloak-test-6df85dc969-nr6pt] org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$1016/1612860281.call(Unknown Source) [keycloak-test-6df85dc969-nr6pt] io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) [keycloak-test-6df85dc969-nr6pt] io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) [keycloak-test-6df85dc969-nr6pt] io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) [keycloak-test-6df85dc969-nr6pt] io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) [keycloak-test-6df85dc969-nr6pt] io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) [keycloak-test-6df85dc969-nr6pt] java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [keycloak-test-6df85dc969-nr6pt] 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [keycloak-test-6df85dc969-nr6pt] java.lang.Thread.run(Thread.java:748) [keycloak-test-6df85dc969-nr6pt] [keycloak-test-6df85dc969-nr6pt] 20:13:20,664 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 1) ARJUNA012108: CheckedAction::check - atomic action 0:ffff646009a0:375a4efd:5b6b81d4:123b0 aborting with 1 threads active! [keycloak-test-6df85dc969-nr6pt] 20:13:21,162 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 in state CANCEL [keycloak-test-6df85dc969-nr6pt] 20:13:21,163 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012378: ReaperElement appears to be wedged: sun.misc.Unsafe.park(Native Method) [keycloak-test-6df85dc969-nr6pt] java.util.concurrent.locks.LockSupport.park(LockSupport.java:175) [keycloak-test-6df85dc969-nr6pt] java.util.concurrent.locks.AbstractQueuedSynchronizer.parkAndCheckInterrupt(AbstractQueuedSynchronizer.java:836) [keycloak-test-6df85dc969-nr6pt] java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireQueued(AbstractQueuedSynchronizer.java:870) [keycloak-test-6df85dc969-nr6pt] java.util.concurrent.locks.AbstractQueuedSynchronizer.acquire(AbstractQueuedSynchronizer.java:1199) [keycloak-test-6df85dc969-nr6pt] java.util.concurrent.locks.ReentrantLock$FairSync.lock(ReentrantLock.java:224) [keycloak-test-6df85dc969-nr6pt] java.util.concurrent.locks.ReentrantLock.lock(ReentrantLock.java:285) [keycloak-test-6df85dc969-nr6pt] org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.lock(BaseWrapperManagedConnection.java:374) [keycloak-test-6df85dc969-nr6pt] org.jboss.jca.adapters.jdbc.xa.XAManagedConnection.end(XAManagedConnection.java:290) [keycloak-test-6df85dc969-nr6pt] org.jboss.jca.core.tx.jbossts.XAResourceWrapperImpl.end(XAResourceWrapperImpl.java:118) [keycloak-test-6df85dc969-nr6pt] 
com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.doEnd(TransactionImple.java:1089) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.endAssociation(TransactionImple.java:1060) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.endAssociation(XAResourceRecord.java:1287) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelAbort(XAResourceRecord.java:313) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.arjuna.coordinator.BasicAction.doAbort(BasicAction.java:3023) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.arjuna.coordinator.BasicAction.doAbort(BasicAction.java:3002) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.arjuna.coordinator.BasicAction.Abort(BasicAction.java:1674) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.cancel(TwoPhaseCoordinator.java:124) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.arjuna.AtomicAction.cancel(AtomicAction.java:215) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.arjuna.coordinator.TransactionReaper.doCancellations(TransactionReaper.java:381) [keycloak-test-6df85dc969-nr6pt] com.arjuna.ats.internal.arjuna.coordinator.ReaperWorkerThread.run(ReaperWorkerThread.java:78) [keycloak-test-6df85dc969-nr6pt] [keycloak-test-6df85dc969-nr6pt] 20:13:21,663 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 in state CANCEL_INTERRUPTED [keycloak-test-6df85dc969-nr6pt] 20:13:21,663 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012120: TransactionReaper::check worker Thread[Transaction Reaper Worker 1,5,main] not responding to interrupt when cancelling TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 -- worker marked as zombie and TX scheduled for mark-as-rollback Have you seen this before? What might be causing this exception? 
Thanks,
Joy

On Sat, Aug 4, 2018 at 6:08 AM, Joy Kent wrote:
> Thanks Peter. I would like to hear more if you have more findings. I will do more testing locally as well, and report back if I find anything.
>
> On Fri, Aug 3, 2018 at 7:13 PM, Nalyvayko, Peter wrote:
>
>> > Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?
>>
>> Lately I've been looking into performance and JVM memory consumption in an effort to identify a culprit of system slowdown due to memory starvation. Preliminary results seem to indicate that simple grants, such as owner password and client credential grants, can be safely marked off the list of possible causes. More complex use cases, such as identity brokering, are another story, as they involve external systems downstream that could cause the entire system to misbehave, but I do not have any empirical evidence yet.
>>
>> ________________________________________
>> From: Joy Kent [joy at autonomic.ai]
>> Sent: Friday, August 3, 2018 5:41 PM
>> To: Nalyvayko, Peter
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
>>
>> Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?
>>
>> On Fri, Aug 3, 2018 at 1:58 PM, Joy Kent wrote:
>> Hi Peter,
>>
>> Thanks for your suggestions. I haven't checked the memory usage around that time. I will check that and report back.
>>
>> Thanks,
>> Joy
>>
>> On Fri, Aug 3, 2018 at 12:56 PM, Nalyvayko, Peter wrote:
>> tl;dr :)
>>
>> You may want to check if the JVM is running out of memory, we've seen it happen before and the effects were similar.
>> My 0.02 cents
>> Regards,
>> Peter
>>
>> ________________________________________
>> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Joy Kent [joy at autonomic.ai]
>> Sent: Friday, August 3, 2018 2:30 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
>>
>> We have a keycloak 3.4.3.Final cluster with two PostgreSQL databases, one for keycloak, and the other for user federation storage. Both keycloak and user federation PostgreSQL databases are running with AWS RDS instances.
>>
>> Recently, we noticed that keycloak continuously threw exceptions when the user federation PostgreSQL database did a MultiAZ region failover, and became not usable. The exception snippet will be attached below. I have searched around, but didn't find the answer.
>>
>> This is our keycloak Database configuration:
>>
>> <datasource pool-name="KeycloakDS" enabled="true" use-java-context="true" use-ccm="true">
>>     <connection-url>jdbc:postgresql://${env.POSTGRES_PORT_5432_TCP_ADDR}:${env.POSTGRES_PORT_5432_TCP_PORT:5432}/${env.POSTGRES_DATABASE:keycloak}</connection-url>
>>     <driver>postgresql</driver>
>>     <pool>
>>         <flush-strategy>IdleConnections</flush-strategy>
>>     </pool>
>>     <security>
>>         <user-name>${env.POSTGRES_USER:keycloak}</user-name>
>>         <password>${env.POSTGRES_PASSWORD:password}</password>
>>     </security>
>>     <validation>
>>         <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
>>         <background-validation>true</background-validation>
>>         <background-validation-millis>60000</background-validation-millis>
>>     </validation>
>> </datasource>
>>
>> The user federation Database configuration looks like this:
>>
>> <xa-datasource pool-name="IamDS" enabled="true" use-java-context="true" use-ccm="false">
>>     <xa-datasource-property name="ServerName">${env.IAM_DB_HOST}</xa-datasource-property>
>>     <xa-datasource-property name="PortNumber">${env.IAM_DB_TCP_PORT:5432}</xa-datasource-property>
>>     <xa-datasource-property name="DatabaseName">${env.IAM_DB_DATABASE:iam}</xa-datasource-property>
>>     <driver>postgresql</driver>
>>     <xa-pool>
>>         <min-pool-size>${env.IAM_XA_POOL_MIN_SIZE:5}</min-pool-size>
>>         <max-pool-size>${env.IAM_XA_POOL_MAX_SIZE:100}</max-pool-size>
>>         <prefill>false</prefill>
>>     </xa-pool>
>>     <security>
>>         <user-name>${env.IAM_POSTGRES_USER:user}</user-name>
>>         <password>${env.IAM_POSTGRES_PASSWORD:password}</password>
>>     </security>
>>     <validation>
>>         <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
>>         <background-validation>true</background-validation>
>>         <background-validation-millis>60000</background-validation-millis>
>>     </validation>
>> </xa-datasource>
>>
>> The driver is:
>>
>> <driver name="postgresql" module="org.postgresql.jdbc">
>>     <xa-datasource-class>org.postgresql.xa.PGXADataSource</xa-datasource-class>
>> </driver>
>>
>> I found a page https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/datasource_management, which seems to indicate that exception-sorter is important:
>>
>> > To configure database connection validation, you specify the validation timing method (when the validation occurs), the validation mechanism (how the validation is performed), and the exception sorter (how exceptions are handled).
>>
>> Is the exception-sorter the missing configuration? I have tried this change, which seems to "fix" the problem. But by looking at the code, I can't tell how this can solve the problem.
>>
>> Does anyone know what might be wrong? Thanks a lot for your help!
>>
>> =====================
>>
>> The exception snippet is as follows:
>>
>> 04:44:55,502 INFO [org.keycloak.events] (default task-21) type=CLIENT_LOGIN, realmId=xxxxxxxxxxx, clientId=xxxxxxxxxx, userId=xxxxxxxxxxxx, ipAddress=100.96.4.0, token_id=xxxxxxxxxxxx, grant_type=client_credentials, refresh_token_type=Refresh, refresh_token_id=xxxxxxxxxx, client_auth_method=client-secret, username=xxxxxxxxxxx
>> 04:44:55,503 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) SQL Error: 0, SQLState: 08003
>> 04:44:55,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
>> 04:44:55,503 WARN [com.arjuna.ats.arjuna] (default task-21) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff646043f0:2ee9e692:5b425ae8:2c012df, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization at 76b2b731 >: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
>> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
>> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
>> at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
>> at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235)
>> at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163)
>> at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352)
>> at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491)
>> at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316)
>> at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
>> at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
>> at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:209)
>> at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:220)
>> at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:265)
>> at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
>> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368)
>> at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
>> at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
>> at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
>> at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
>> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
>> at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
>> at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
>> at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
>> at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
>> at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
>> at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
>> at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
>> at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
>> at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
>> at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
>> at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
>> at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
>> at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
>> at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
>> at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
>> at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
>> .....
>> Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
>> at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
>> at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
>> at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
>> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
>> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
>> at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
>> at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
>> at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2980)
>> at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3499)
>> at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
>> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589)
>> at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463)
>> at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
>> at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
>> at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295)
>> at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468)
>> at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159)
>> ... 72 more
>> Caused by: org.postgresql.util.PSQLException: This connection has been closed.
>> at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766)
>> at org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582)
>> at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:757)
>> at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:743)
>> at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
>> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
>> at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
>> ... 85 more
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>

From Kevin.Fox at pnnl.gov Thu Aug 9 20:18:49 2018 From: Kevin.Fox at pnnl.gov (Fox, Kevin M) Date: Fri, 10 Aug 2018 00:18:49 +0000 Subject: [keycloak-user] kerberos issue Message-ID: <1A3C52DFCD06494D8528644858247BF01C16E28F@EX10MBOX03.pnnl.gov>

I'm trying to set up LDAP & Kerberos for username/password auth. I have a slightly unusual setup so maybe I've hit a strange edge case bug.

I have a read only LDAP replica with users in it, that sources from Active Directory. I set up User Federation of type ldap. I set it up with Vendor: Active Directory so the schema was right. Authentication Type is set to none. I then turned on "Use Kerberos For Password Authentication" and have Allow Kerberos authentication set to false. I ensured a proper krb5.conf and can kinit. I checked the logs and do see the proper kerberosRealm printed out of org.keycloak.storage.ldap.LDAPIdentityStoreRegistry.

User authentication is failing though. Through some stracing, I can see it trying to send the password to LDAP.
The LDAP replica has no password info though, so this will always fail. Is this expected behavior in this config? It was surprising to me.

Thanks,
Kevin

From omari at fabfitfun.com Thu Aug 9 22:04:17 2018 From: omari at fabfitfun.com (Omari Christian) Date: Thu, 9 Aug 2018 19:04:17 -0700 Subject: [keycloak-user] Import User Passwords with User Storage SPI In-Reply-To: References: Message-ID:

I've figured it out. After validating, the credential (password) can be updated with:

session.userCredentialManager().updateCredential(realm, user, credential);

On Thu, Aug 9, 2018 at 2:25 PM Omari Christian wrote:
> Hello everyone,
>
> We're currently migrating to Keycloak. We're using the user storage SPI (https://www.keycloak.org/docs/latest/server_development/index.html#import-implementation-strategy) with the import strategy. Eventually, we will unlink all our users and no longer need the user storage SPI.
>
> The problem is: 1) We really want our users to keep their same passwords and 2) we don't store passwords in plaintext. We store them as salted hashes, using a different algorithm than Keycloak. We verify the password by performing that 1-way hash on a user's supplied password, then comparing the result against the hash in the database. Reverse-hashing our users' passwords into plaintext and importing users through the REST API or JSON file is not a solution for us.
>
> It seems there is no interface to store passwords in Keycloak's local storage after you have verified the user's password, although you can store other attributes locally. I thought there was a way to migrate users with passwords, partly because I read articles that promised you could (https://tech.smartling.com/migrate-to-keycloak-with-zero-downtime-8dcab9e7cb2c) before we chose Keycloak. I now realize that article (and accompanying code) are out of date.
>
> My next plan is to try some hacky code, or calling the REST API from the user storage SPI.
> I don't have a lot of hope those will work. I imagine this is a common issue. Is there any solution or workaround?
>
> Thanks,
> Omari

From testoauth55 at gmail.com Thu Aug 9 23:31:35 2018 From: testoauth55 at gmail.com (keycloak demo) Date: Fri, 10 Aug 2018 09:01:35 +0530 Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit In-Reply-To: References: Message-ID:

Pedro, thanks for replying. I tried putting the absolute URI, but it does not work either. The documentation anyway states that the URI in the resource can be relative to the client root URL, which I have configured to be http://localhost:7200/{app}/keycloak, therefore putting the relative URI '/secure/role' in the resource should be equivalent to putting the absolute URI 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think there is something else I can try?

On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva wrote:
> Hi,
>
> Your configuration looks correct. But I noticed that in the postman request you are sending requests to `http://localhost:7200/{app}/keycloak/secure/role`. However in your resource definition the URI is configured to `/secure/role`. Both URIs should match otherwise the adapter won't be able to map the URI in your application to a resource in Keycloak (and related permissions).
>
> Regards.
> Pedro Igor
>
> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo wrote:
>
>> With all the configuration (shared below), when I test using the evaluate option under the authorization tab, the result is permit:
>>
>> *But when I make a request to this resource through postman, I get 403.*
>>
>> *Which part of the configuration is wrong which is leading to the 403 error?*
>>
>> CONFIGURATION:
>>
>> *Detailed configuration with images shown here:*
>>
>> *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
>>
>> *1.* Following the https://www.keycloak.org/docs/4.2/authorization_services/ , I created a realm role : *role_special_user* and created a user : *user_special* with this role and role *user*.
>>
>> *2.* Next, my resource server / client is with *full scope enabled*:
>>
>> *3.* Under the authorization tab, I created a resource with the role based policy is.
>>
>> *4.* Now, keycloak json is:
>>
>> {
>>   "realm": "demo12",
>>   "auth-server-url": "http://localhost:8180/auth",
>>   "ssl-required": "none",
>>   "resource": "server12",
>>   "credentials": {
>>     "secret": "XXXXXXX"
>>   },
>>   "confidential-port": 0,
>>   "policy-enforcer": {}
>> }
>>
>> *5.* And Keycloak Jetty adapter configuration is:
>>
>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>> AdapterConfig keyCloakConfig;
>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>> // build the Jetty authenticator from the parsed adapter config
>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>> if (kcAuthenticator != null) {
>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>     constraintMapping.setPathSpec("/*");
>>     Constraint constraint = new Constraint();
>>     constraint.setAuthenticate(true);
>>     constraint.setRoles(new String[]{"**"});
>>     constraintMapping.setConstraint(constraint);
>>     securityHandler.addConstraintMapping(constraintMapping);
>>     securityHandler.setAuthenticator(kcAuthenticator);
>>     context.setSecurityHandler(securityHandler);
>> }
>>
>> *6.* Also, the decoded jwt token sample is:
>>
>> {
>>   "jti": "XXXXXXX",
>>   "exp": 1533798704,
>>   "nbf": 0,
>>   "iat": 1533798404,
>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>   "aud": "server12",
>>   "sub": "XXXXXXX",
>>   "typ": "Bearer",
>>   "azp": "server12",
>>   "auth_time": 1533798404,
>>   "session_state": "XXXXXX",
>>   "acr": "1",
>>   "allowed-origins": [],
>>   "realm_access": {
>>     "roles": [
>>       "role_special_user",
>>       "offline_access",
>>       "uma_authorization",
>>       "user"
>>     ]
>>   },
>>   "resource_access": {
>>     "server12": {
>>       "roles": [
>>         "uma_protection"
>>       ]
>>     },
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "manage-account-links",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "scope": "openid email profile",
>>   "email_verified": false,
>>   "preferred_username": "user_special"
>> }
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From czhang at anaconda.com Fri Aug 10 00:23:36 2018 From: czhang at anaconda.com (Chenyuan Zhang) Date: Thu, 9 Aug 2018 23:23:36 -0500 Subject: [keycloak-user] Federating LDAP server to Keycloak crashed with Out Of Memory error In-Reply-To: <04d9f175-a7d9-460c-f922-9661b7b2bf40@redhat.com> References: <1990A56B-6B91-40FE-9740-ED608041F6E3@anaconda.com> <04d9f175-a7d9-460c-f922-9661b7b2bf40@redhat.com> Message-ID:

Thank you Marek!

Best,
Chenyuan

> On 9 Aug 2018, at 2:51 am, Marek Posolda wrote:
>
>> On 07/08/18 22:46, Chenyuan Zhang wrote:
>> Hi there,
>>
>> We were trying to add an LDAP user federation provider with around 5000 users. But the process crashed with an out of memory error:
>>
>> 2018-06-02 06:54:35.900 UTC INFO Sync changed users finished: 393 imported users, 4532 updated users, 8 users failed sync!
See server log for more details (Timer-2) [org.keycloak.storage.ldap.LDAPStorageProviderFactory]
>> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Brute Force Protector"
>>
>> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-74"
>>
>> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-330"
>>
>> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Periodic Recovery"
>>
>> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "Thread-332"
>>
>> Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "default task-324"
>> 2018-06-05 07:08:55.594 UTC ERROR java.lang.OutOfMemoryError: Java heap space (default task-333) [stderr]
>>
>> Here're the options we used:
>>
>> JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Duser.timezone=UTC
>>
>> From what I read, it seems like Keycloak imports users from LDAP to our production database through a periodic background task.
>>
>> But I'm not sure what happened at the memory level that caused the OutOfMemory error. Does Keycloak cache all data in memory during the sync process? Is there any configuration I can set to avoid this error? Is there a user number limit given our JAVA options?
> We didn't yet try to test LDAP sync with 5000 users. But it looks like the count is not so big, so it's quite strange that there is an OOM for this setup. A few tips:
>
> - If you use periodic syncs, you can maybe try to disable periodic sync temporarily and check if it helps? Or increase the interval of sync? (For example 1 per day instead of 1 per hour etc)
>
> - Increase memory options and see if it helps
>
> - Disable user cache and see if it helps (or configure user cache eviction with a lower count of users allowed). See the docs for how to do it.
>
> Marek
>>
>> Any suggestion would be appreciated.
>>
>> Thanks a lot,
>> Chenyuan
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From kkcmadhu at yahoo.com Fri Aug 10 01:53:26 2018 From: kkcmadhu at yahoo.com (Madhu) Date: Fri, 10 Aug 2018 05:53:26 +0000 (UTC) Subject: [keycloak-user] identity broker SAML logout with redirect References: <1071540179.5007571.1533880406533.ref@mail.yahoo.com> Message-ID: <1071540179.5007571.1533880406533@mail.yahoo.com>

Hi,

I am looking at configuring Keycloak as an identity broker using SAML. The external IdM I am integrating supports a logout URL and also takes a query param for redirecting the user after logout. How can I pass the redirect URL of Keycloak's logout to this external IdM in the broker configuration? I tried parameterizing the logout URL link in my Keycloak config by specifying ${redirectURL} and this did not work out of the box. Is there any way I can pass the redirect URL of Keycloak to the external IdM as a query param? e.g. https://externalIDM/logout?logoutURL=${redirectURL}

My external IdM does not seem to support back channel logouts. If I do not configure logout, the external IdM does not log out the user; if I do not specify the post-logout URL to the external IdM, the user is redirected to the external IdM's default login page. My intention is to redirect the user to the Keycloak login page with the app/client context.
Regards,Madhu From mposolda at redhat.com Fri Aug 10 02:51:59 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 10 Aug 2018 08:51:59 +0200 Subject: [keycloak-user] LDAP Authentication - Extended Errors In-Reply-To: References: Message-ID: <10709772-28aa-d33a-f50b-d6d63c738164@redhat.com> On 09/08/18 13:53, Mark Hunt wrote: > > Hi, > > So the situation is when the user is Enabled in the cache but disabled > in MSAD. When you attempt a login with a password Grant it returns > Invalid Credentials. I would expect this to return Account Disabled. > Extended LDAP diagnostic messages should provide this information, > certainly against MSAD anyway. > > This is also different behaviour to when you use the refresh token > grant. If the user is Enabled in the cache but disabled in AD the > token request returns Account Disabled. This is the expected behaviour. > > The cache would naturally update and you get the right message at > login (password grant), ?but only once the sync has occurred. We want > to try and avoid resyncing too often, but still get the correct error > messages. > I see. However if you update LDAP directly, there is currently no way to tell Keycloak to update the cache and invalidate records. So it's always some compromise between performance (caching enabled with longer eviction intervals) or more accurate state in Keycloak (caching disabled or set with shorter intervals). You can try to tweak Cache policy setting of LDAP provider and temporarily set it to "NEVER" to see if disable caching will turn to expected behaviour. Long term, you may need to do some compromise in the cache settings. Maybe the possibility is that always when you do bulk update of LDAP users in your LDAP, you will manually trigger SYNC in Keycloak to update the state or manually clear the user cache in Keycloak admin console. This requires that you do all the LDAP changes "at once" instead of doing the changes continuously during whole day. 
Marek > > Regards > > Mark > > Sent from Mail for > Windows 10 > > ------------------------------------------------------------------------ > *From:* Marek Posolda > *Sent:* Thursday, August 9, 2018 8:57:33 AM > *To:* Mark Hunt; keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] LDAP Authentication - Extended Errors > On 07/08/18 22:47, Mark Hunt wrote: > > Hi, > > > > I have been doing some development with Keycloak and specifically > OpenID Connect, Password Grant and an LDAP user federation with Active > Directory. Overall everything is working great but I am a little > surprised that on a token refresh I get told that the user account is > disabled but on a login I do not. The exception to this would be if I > try to login with a disabled account after a user federation sync has > occurred. > > > > Is this a configuration issue or do you need to implement LDAP > diagnostic messages for login? > Not sure I understand. If you go to the admin console, are you seeing > the user is enabled or disabled here? Is user enabled or disabled in MSAD? > > One thing to note is, that if you disabled the user directly in MSAD > after it was already synced to Keycloak, the user may be cached in the > Keycloak. So there may be some time needed until the latest information > about enabled/disabled state is propagated from MSAD to the Keycloak > side. You can try to clear the cache to check if it's the case. For long > term, you can tweak caching policy configuration of LDAP provider. > > Marek > > > > Thanks for developing a fantastic product!! 
> > > > Regards
> > > > Mark

From mposolda at redhat.com Fri Aug 10 02:57:23 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Aug 2018 08:57:23 +0200
Subject: [keycloak-user] kerberos issue
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C16E28F@EX10MBOX03.pnnl.gov>
References: <1A3C52DFCD06494D8528644858247BF01C16E28F@EX10MBOX03.pnnl.gov>
Message-ID: <877b9421-4f84-9a8c-be92-57ae8e55f76d@redhat.com>

On 10/08/18 02:18, Fox, Kevin M wrote:
> I'm trying to set up LDAP & Kerberos for username/password auth.
>
> I have a slightly unusual setup so maybe I've hit a strange edge case bug.
> I have a read-only LDAP replica with users in it, that sources from Active Directory.
>
> I set up User Federation of type ldap. I set it up with Vendor: Active Directory so the schema was right. Authentication Type is set to none.
>
> I then turned on "Use Kerberos For Password Authentication" and have Allow Kerberos authentication set to false.
I've just checked that this currently won't work. If you want to use Kerberos for password validation, you need to set both "Use Kerberos For Password Authentication" and "Allow Kerberos authentication" to true. If you want to use Kerberos just for username/password validation and not for SPNEGO login, you can manually disable the "Kerberos" authenticator in the "Authentication" tab. Also, if you don't set "Server Principal" and KeyTab, SPNEGO will be effectively disabled (even though using Kerberos for username/password validation should still work).

Marek
> I ensured a proper krb5.conf and can kinit.
>
> I checked the logs and do see the proper kerberosRelm printed out of org.keycloak.storage.ldap.LDAPIdentityStoreRegistry
>
> User authentication is failing though. Through some stracing, I can see it trying to send the password to LDAP. The LDAP replica has no password info though, so this will always fail.
>
> Is this expected behavior in this config? It was surprising to me.
>
> Thanks,
> Kevin

From mposolda at redhat.com Fri Aug 10 03:03:50 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Aug 2018 09:03:50 +0200
Subject: [keycloak-user] attributes are not persisted
In-Reply-To:
References:
Message-ID:

I am not 100% sure, but it's possible that updating users in the events doesn't currently work. The reason is that the transaction might already be committed. The possible long-term solution is to use pre/post events for this (which we don't yet support). For the short term, it may be possible to manually trigger your own temporary transaction (you can take a look at the KeycloakModelUtils.runJobInTransaction method). Note that in the new transaction, you need to ensure you do not use Hibernate entities from the "outer" transaction (e.g. all the things like RealmModel, UserModel need to be looked up again through the Model API in the new transaction).

Marek

On 09/08/18 21:39, Max Bruchmann wrote:
> Hi,
>
> I have a custom EventListenerProvider that consumes Register and Login events.
>
> On register it creates some external resource
>
> ... // on register
> String externalID = createSomethingWithUserEmail(userModel.getEmail());
> userModel.setSingleAttribute("foo", externalID);
> ...
>
> On login I need to do some additional calls with the already created id.
>
> ... // on login
> String externalID = userModel.getFirstAttribute("foo");
> doSomeUpdate(externalID, userModel.getFirstName(), userModel.getLastName());
> ...
>
> Unfortunately the retrieved id via getFirstAttribute seems to be null.
>
> Is there anything I need to do when modifying attributes so they are persisted?
>
> Kind Regards,
>
> Max

From kkcmadhu at yahoo.com Fri Aug 10 03:23:50 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Fri, 10 Aug 2018 07:23:50 +0000 (UTC)
Subject: [keycloak-user] OAuth 2 Identity broker
References: <369517795.5089325.1533885830886.ref@mail.yahoo.com>
Message-ID: <369517795.5089325.1533885830886@mail.yahoo.com>

Identity broker integrates with many social SSO providers out of the box; this is really great. I was able to use the LinkedIn integration without much effort. This is awesome. I also have a corner case, where I want to integrate with another IdM provider which supports OAuth 2. Since OIDC connectors are on top of the OAuth2 spec, I tried using the OIDC 1.0 connector to integrate with the OAuth 2 based IdM provider, but it failed. Any idea how I can connect to an OAuth2 identity provider?

Madhu

From Linda.Sauder at amdocs.com Fri Aug 10 03:34:48 2018
From: Linda.Sauder at amdocs.com (Linda Sauder)
Date: Fri, 10 Aug 2018 07:34:48 +0000
Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
In-Reply-To:
References: <1533735331.2269.12.camel@acutus.pro> <1533736567.2269.14.camel@acutus.pro> <1533745353.10533.1.camel@acutus.pro> <1533765186.2054.2.camel@acutus.pro>
Message-ID:

Hi.

Another question concerning this topic. I tried the approach that was mentioned in your link. Unfortunately, I am facing issues with the auth-method. As far as I know I need to set it to "KEYCLOAK-SAML" to be able to use the Keycloak plugins for Wildfly. But in combination with the filter I am never hitting my filter code. It always gets directed to the org.keycloak.adapters.saml.undertow.ServletSamlSessionStore which handles the roles itself.

Any suggestions on how to handle this?
-- Linda -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Linda Sauder Sent: Thursday, August 09, 2018 9:09 AM To: Dmitry Telegin
; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly That sounds promising. I will give it a try. Thank you. -----Original Message----- From: Dmitry Telegin
Sent: Wednesday, August 08, 2018 11:53 PM To: Linda Sauder ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly Oh, I think I've mislead you. No, I mean all of the above should work, but there's much simpler variant - you can write a servlet filter to manipulate security context, including roles. See this thread (from 2010, but still topical): https://coderanch.com/t/466744/java/Set-user-principal-filter In this example the author manipulates user principal, you'll need to do the same with roles. Good luck! Dmitry On Wed, 2018-08-08 at 19:22 +0300, Dmitry Telegin wrote: > So, is this correct that: > - your customer has the "foo" role configured in their Keycloak; > - authors of the app expect that the user have the "bar" role; > - neither your customer wants to create "bar" in Keycloak, nor programmers want to change their code to use "foo", and you're caught in the crossfire? > > Off the top of my head, there can be two solutions: > 1) modify SAML adapter code and implement role mapping there - > shouldn't be too tricky, but from now on you'll have to use modified > adapter and update it with every Keycloak release (or maybe commit it > to upstream, but I'm not sure it will be accepted); > 2) deploy intermediary Keycloak, configure brokering between it and > customer's one and use the role mapper trick. This could be made > transparent for end-users, however will add a couple of redirects to the flow. > And of course this will mean that you'll have to maintain yet another > piece of software. > > Good luck! > Dmitry > > On Wed, 2018-08-08 at 14:31 +0000, Linda Sauder wrote: > > Hi Dmitry, > > > > Yes. That is correct. > > > > --- > > Linda > > > > -----Original Message----- > > > From: Dmitry Telegin
> > > > Sent: Wednesday, August 08, 2018 3:56 PM > > > To: Linda Sauder ; > > > keycloak-user at lists.jboss.org > > > > Subject: Re: [keycloak-user] How to handle roles from IDP manually > > when securing a web application with Keycloak/SAML/Wildfly > > > > I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had external IdP configured there. > > > > So is correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app? > > > > Dmitry > > > > On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote: > > > Hi Dimitri, > > > > > > Thanks your response. > > > > > > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server. > > > > > > But I also thought about it. Not an option unfortunately. > > > > > > -- > > > Cheers > > > Linda > > > > > > -----Original Message----- > > > > > > > From: Dmitry Telegin
> > > Sent: Wednesday, August 08, 2018 3:36 PM
> > > To: Linda Sauder ; keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> > >
> > > Hello Linda,
> > >
> > > Seems like you need to configure SAML Attribute to Role mapper for your IdP.
> > >
> > > Go to IdP config -> Mappers tab and create SAML Attribute to Role mapper.
> > >
> > > You will need to know how exactly your IdP supplies role information. Normally, there should be an attribute inside SAML assertion that comes with SAML response; the fastest way is to inspect SAML payload via F12 -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it.
> > >
> > > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper.
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> > > > Hello.
> > > >
> > > > I am facing some issues. I want to secure a simple web application with Keycloak/SAML and Wildfly.
> > > >
> > > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
> > > >
> > > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this:
> > > >
> > > > <?xml version="1.0" encoding="UTF-8"?>
> > > > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> > > >          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
> > > >          version="2.5">
> > > >     <display-name>Application Container</display-name>
> > > >     <welcome-file-list>
> > > >         <welcome-file>ApplicationContainer.html</welcome-file>
> > > >     </welcome-file-list>
> > > >
> > > >     <login-config>
> > > >         <auth-method>KEYCLOAK-SAML</auth-method>
> > > >         <realm-name>keycloak</realm-name>
> > > >     </login-config>
> > > >
> > > >     <security-constraint>
> > > >         <display-name>Application Container Constraint</display-name>
> > > >         <web-resource-collection>
> > > >             <web-resource-name>All Resources</web-resource-name>
> > > >             <url-pattern>/*</url-pattern>
> > > >             <http-method>POST</http-method>
> > > >             <http-method>GET</http-method>
> > > >         </web-resource-collection>
> > > >         <auth-constraint>
> > > >             <role-name>hallo</role-name>
> > > >         </auth-constraint>
> > > >     </security-constraint>
> > > > </web-app>
> > > >
> > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
> > > >
> > > > Which brings me to the part where I thought I could use some login-module configuration from the standalone configuration. I tried to configure this one in a file named jboss-web.xml.
> > > >
> > > > How can I handle the role mapping locally?
> > > >
> > > > Thanks in advance.
> > > > --
> > > > Linda
> > > > "Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access."
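An added example of the servlet-filter approach Dmitry suggests above (illustration code written for this thread, not from Dmitry, from Keycloak or from the application under discussion): the filter wraps the request so that application code asking isUserInRole("bar") is answered from the IdP-supplied role "foo", while web.xml <auth-constraint> checks, which Undertow evaluates in ServletSecurityRoleHandler before the filter chain, are unaffected. The role names "foo" and "bar" come from the thread; the RoleMappingFilter class, its mapping table and its registration through a <filter>/<filter-mapping> pair in web.xml are assumptions.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Translates roles delivered by the customer's IdP into the role names the
 * application code expects. Hypothetical class written for this thread; the
 * only role names taken from the thread are "foo" (IdP) and "bar" (application).
 */
public class RoleMappingFilter implements Filter {

    /** IdP role -> local application roles it grants (assumed mapping). */
    private static final Map<String, Set<String>> ROLE_MAP = new HashMap<>();

    static {
        ROLE_MAP.put("foo", Collections.singleton("bar"));
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // The mapping is static here; a real deployment would load it from
        // configuration rather than hard-coding it.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) request;
            // Wrap only requests the container has already authenticated via the
            // KEYCLOAK-SAML auth-method; anonymous requests pass through unchanged.
            if (http.getUserPrincipal() != null) {
                chain.doFilter(new MappedRolesRequest(http), response);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Answers isUserInRole() for local role names by consulting the IdP roles
     * the container established. Roles absent from the map fall back to the
     * container's own answer, so nothing is granted that was not mapped.
     */
    static final class MappedRolesRequest extends HttpServletRequestWrapper {

        MappedRolesRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public boolean isUserInRole(String localRole) {
            // Direct membership still counts, e.g. if the IdP already sends "bar".
            if (super.isUserInRole(localRole)) {
                return true;
            }
            // Grant the local role if the user holds any IdP role mapped to it.
            for (Map.Entry<String, Set<String>> entry : ROLE_MAP.entrySet()) {
                if (entry.getValue().contains(localRole) && super.isUserInRole(entry.getKey())) {
                    return true;
                }
            }
            return false;
        }
    }
}
```

Map the filter to /* in web.xml; a resource protected by <auth-constraint> still needs a role the IdP actually sends, because that check happens before the filter runs.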
From l.lech at ringler.ch Fri Aug 10 05:03:06 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Fri, 10 Aug 2018 09:03:06 +0000
Subject: [keycloak-user] Keycloak 4.2.1 - Counter based OTP
Message-ID: <5E48B917000C984B86B77170F441903A119B666B@exch.ringler.ch>

Hello,

I'm using Keycloak 4.2.1.Final (docker image). I've defined OTP policy: Counter based, SHA1, Look Ahead 100, initial counter 1. I've tested number of digits both 6 and 8. I've tried to use FreeOTP, and for 6 digits Google Auth. I've deleted authentication, scanned the QR once again, tested a few next codes, not only the first. Each time I get the message that the one-time code is invalid.

Does counter-based policy work at all in Keycloak 4.2.1? I don't see what I'm doing wrong...

Best regards,
Lukasz Lech

From francoismaturel at dijit.fr Fri Aug 10 05:10:35 2018
From: francoismaturel at dijit.fr (francois maturel)
Date: Fri, 10 Aug 2018 11:10:35 +0200
Subject: [keycloak-user] Need some guidance on authenticating from third party website
In-Reply-To: <63684805-c1f9-98cc-ea9c-499d00262872@dijit.fr>
References: <63684805-c1f9-98cc-ea9c-499d00262872@dijit.fr>
Message-ID:

Hello Keycloak Users!

We have a solution based on Keycloak 3.4.3.Final where our customer used to log in through the standard Keycloak login form. This customer now wants to pre-authenticate their users to our solution when they log into their own portal. The customer provides us all their users' usernames / passwords for our solution (that we import through a batch) and they can use those to authenticate their users in our solution. Note that our customer has different usernames / passwords for their portal.

We proposed to adapt the login form Content-Security-Policy to allow the login form to load in their portal (with login_hint), but this still requires a user action.

Is there any way to log into Keycloak automatically from a third party website and get the KEYCLOAK_SESSION / IDENTITY cookies (we would like to avoid Direct Grant / Implicit Flow...)? Could you please provide some guidance on how to achieve this?

Thanks!

--
François Maturel

Regards,
François Maturel

From alistair.doswald at elca.ch Fri Aug 10 05:44:54 2018
From: alistair.doswald at elca.ch (Doswald Alistair)
Date: Fri, 10 Aug 2018 09:44:54 +0000
Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
Message-ID: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch>

Hello,

I just wanted to let this mailing list know that for the Cloudtrust project (https://github.com/cloudtrust), we have developed a certain number of modules for Keycloak. These are currently compatible with version 3.4.3.Final of Keycloak, but we will make them compatible with Keycloak 4.X (where X will be the latest sub-version of Keycloak when we start working on this) as soon as we can. These modules are:

* keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an implementation of the WS-Federation protocol for Keycloak. This allows selecting the WS-Federation protocol for Keycloak clients and for identity brokers.

* keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization): this module allows the use of the client authorization system to prevent a user who is authenticated in a Keycloak realm from accessing a given client. It works no matter which protocol is used, and without the client having to support any extra protocol. Note: this solution is a bit hacky, but necessary for one of our use-cases.

* keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers): a module for adding any mappers that we might need that are not yet part of Keycloak. Currently it only contains a JavaScript mapper for SAML, analogous to the OIDC script mapper. I've noticed that there's an open issue for this feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could submit this code not as a module but as a solution to the issue.

* keycloak-export (https://github.com/cloudtrust/keycloak-export): a module adding an endpoint to fully export a realm while Keycloak is still running (no need for restarts!).

Cheers,
Alistair

PS: I'm mailing this to both the dev and user mailing lists as I believe it may interest members of both.

From liedtke at punkt.de Fri Aug 10 05:53:20 2018
From: liedtke at punkt.de (Lars Liedtke)
Date: Fri, 10 Aug 2018 11:53:20 +0200
Subject: [keycloak-user] API-Problems creating a user
Message-ID: <3a33883b-bc27-8c82-25a6-1ad1720dde02@punkt.de>

Hey everyone,

I am trying to create users via the REST API and I am stuck. When I try to post a user representation to Keycloak (after successfully logging in over the API) via script (Python using the requests framework) I get a 500 back, and in the logfile of my Keycloak instance I find:

10:50:40,268 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not construct instance of org.keycloak.representations.idm.UserRepresentation: no String-argument constructor/factory method to deserialize from String value ('{"username": "TNG", "enabled": true, "attributes": {"ito_BinderLevelID1": ["1ACD47D7B9AFA0A9C12582E00048F997"], "ito_BinderLevelID2": ["0D6E18BCBDD3B14BC12582E1002AE459"]}, "credentials": [{"hashedSaltedValue": "02514a38a0f3e7c7f8eed0c7d4ce7bf25e48c845", "salt": "05ef149e8ccce076e30d6388aeedc03583dd75b4c4d88f380b094ba5c06df21b", "algorithm": "pbkdf2"}], "groups": ["/Bonding.Keycloak:CompanyEditor"]}')
 at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1d3521de; line: 1, column: 1]
        at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
        at com.fasterxml.jackson.databind.DeserializationContext.instantiationException(DeserializationContext.java:1456)
at com.fasterxml.jackson.databind.DeserializationContext.handleMissingInstantiator(DeserializationContext.java:1012) ??????? at com.fasterxml.jackson.databind.deser.ValueInstantiator._createFromStringFallbacks(ValueInstantiator.java:370) ??????? at com.fasterxml.jackson.databind.deser.std.StdValueInstantiator.createFromString(StdValueInstantiator.java:315) ??????? at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromString(BeanDeserializerBase.java:1283) ??????? at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:159) ??????? at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:150) ??????? at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1583) ??????? at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:964) ??????? at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:134) ??????? at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66) ??????? at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:61) ??????? at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56) ??????? at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:36) ??????? at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:59) ??????? at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151) ??????? at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:92) ??????? at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:115) ??????? 
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) ??????? at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) ??????? at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) ??????? at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) ??????? at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) ??????? at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) ??????? at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) ??????? at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) ??????? at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) ??????? at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) ??????? at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) ??????? at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) ??????? at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) ??????? at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) ??????? at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) ??????? at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) ??????? at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) ??????? at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) ??????? at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ??????? 
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

When I try to create a user via Postman (after logging in) with the user being:

{
  "username": "testuser1",
  "enabled": true,
  "attributes": {
    "ito_BinderLevelID1": ["32523129C2061E50C12581E60033075A"],
    "ito_BinderLevelID2": ["3AD0E53463EBC8F1C12581E600342FA2"]
  },
  "groups": ["/Bonding.Keycloak:CompanyEditor"],
  "credentials": [
    {
      "hashedSaltedValue": "aa8c848ee6ac308a24e1e1bce1559902009f988a",
      "salt": "ab079c7702d171a2e558f940a7edda5e4e206005b2440eaab68cf6ad6938fe76",
      "algorithm": "pbkdf2"
    }
  ]
}

I get a 201, but when I try to look up the user via the Web GUI, the User Page tells me "*Error!* An unexpected server error has occurred" and I find in the logfile:

11:45:40,852 WARN  [org.keycloak.events] (default task-4) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
11:45:50,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: java.lang.NullPointerException
at org.keycloak.models.jpa.JpaUserProvider.lambda$getStoredCredentialsByType$0(JpaUserProvider.java:976)
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
at java.util.Iterator.forEachRemaining(Iterator.java:116)
at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
at org.keycloak.models.jpa.JpaUserProvider.getStoredCredentialsByType(JpaUserProvider.java:976)
at org.keycloak.credential.UserCredentialStoreManager.getStoredCredentialsByType(UserCredentialStoreManager.java:87)
at org.keycloak.credential.OTPCredentialProvider.configuredForTOTP(OTPCredentialProvider.java:198)
at org.keycloak.credential.OTPCredentialProvider.isConfiguredFor(OTPCredentialProvider.java:179)
at org.keycloak.credential.UserCredentialStoreManager.isConfiguredLocally(UserCredentialStoreManager.java:283)
at org.keycloak.credential.UserCredentialStoreManager.isConfiguredFor(UserCredentialStoreManager.java:276)
at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:148)
at org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:225)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

I figure there is something wrong with my JSON, but I can't figure out what exactly it is. I tried googling this problem, but I could not find an answer. Could you help me please?

Best regards

Lars Liedtke

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de
https://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

From psilva at redhat.com Fri Aug 10 07:47:20 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 10 Aug 2018 08:47:20 -0300
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To:
References:
Message-ID:

Yeah, it should be relative. I was wondering if the correct URI would be '/keycloak/secure/role' instead. In any case, I would ask you to try the same deployment using Tomcat or WildFly to see how it goes. We have a few quickstarts running on these two. Maybe you could also try to enable DEBUG log level to see how the policy enforcer is matching URIs to your resources. If none of them work, I can give it a try and run Jetty.
Regards.
Pedro Igor

On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo wrote:
> Pedro, thanks for replying. I tried putting the absolute URI, but it does not work either. The documentation anyway states that the URI in resource can be relative to the client root URL, which I have configured to be http://localhost:7200/{app}/keycloak , therefore putting the relative URI '/secure/role' in the resource should be equivalent to putting the absolute URI: http://localhost:7200/{app}/keycloak/secure/role'. Do you think there is something else I can try?
>
> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva wrote:
>
>> Hi,
>>
>> Your configuration looks correct. But I noticed that in the postman request you are sending requests to `http://localhost:7200/{app}/keycloak/secure/role`. However in your resource definition the URI is configured to `/secure/role`. Both URIs should match, otherwise the adapter won't be able to map the URI in your application to a resource in Keycloak (and related permissions).
>>
>> Regards.
>> Pedro Igor
>>
>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo wrote:
>>
>>> With all the configuration (shared below), when I test using the evaluate option under authorization tab, the result is permit:
>>>
>>> *But when I make a request to this resource through postman, I get 403.*
>>>
>>> *Which part of configuration is wrong which is leading to 403 error?*
>>>
>>> CONFIGURATION:
>>>
>>> *Detailed configuration with images shown here:*
>>> *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
>>>
>>> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a realm role: *role_special_user* and created a user: *user_special* with this role and role *user*.
>>>
>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>
>>> *3.* Under authorization tab, I created a resource with the role based policy:
>>>
>>> *4.* Now, keycloak json is:
>>>
>>> {
>>>   "realm": "demo12",
>>>   "auth-server-url": "http://localhost:8180/auth",
>>>   "ssl-required": "none",
>>>   "resource": "server12",
>>>   "credentials": {
>>>     "secret": "XXXXXXX"
>>>   },
>>>   "confidential-port": 0,
>>>   "policy-enforcer": {}
>>> }
>>>
>>> *5.* And Keycloak Jetty adapter configuration is:
>>>
>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>> // load keycloak.json from the classpath and parse it into the adapter config
>>> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>> AdapterConfig keyCloakConfig;
>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>> // build the Jetty authenticator from the parsed adapter config
>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>> if (kcAuthenticator != null) {
>>>     // require authentication for every path; "**" means any authenticated role
>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>     constraintMapping.setPathSpec("/*");
>>>     Constraint constraint = new Constraint();
>>>     constraint.setAuthenticate(true);
>>>     constraint.setRoles(new String[]{"**"});
>>>     constraintMapping.setConstraint(constraint);
>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>     context.setSecurityHandler(securityHandler);
>>> }
>>>
>>> *6.* Also, the decoded jwt token sample is:
>>>
>>> {
>>>   "jti": "XXXXXXX",
>>>   "exp": 1533798704,
>>>   "nbf": 0,
>>>   "iat": 1533798404,
>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>   "aud": "server12",
>>>   "sub": "XXXXXXX",
>>>   "typ": "Bearer",
>>>   "azp": "server12",
>>>   "auth_time": 1533798404,
>>>   "session_state": "XXXXXX",
>>>   "acr": "1",
>>>   "allowed-origins": [],
>>>   "realm_access": {
>>>     "roles": [
>>>       "role_special_user",
>>>       "offline_access",
>>>       "uma_authorization",
>>>       "user"
>>>     ]
>>>   },
>>>   "resource_access": {
>>>     "server12": {
>>>       "roles": [
>>>         "uma_protection"
>>>       ]
>>>     },
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "manage-account-links",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "scope": "openid email profile",
>>>   "email_verified": false,
>>>   "preferred_username": "user_special"
>>> }
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From mposolda at redhat.com Fri Aug 10 08:43:52 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 10 Aug 2018 14:43:52 +0200
Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
In-Reply-To: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch>
References: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch>
Message-ID: <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com>

Thanks for the heads up!

IMO it will be cool if you send a PR for the JavaScript mapper directly to Keycloak; however, we may need automated tests and also docs (a separate PR needs to be sent for the docs).

For the keycloak-authorization and keycloak-export (and maybe for keycloak-client-mappers too, if you don't have time for the PR to upstream), it may be good to send a PR to update the extensions page, maybe? It's here: https://www.keycloak.org/extensions.html and the sources are here: https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions . Assuming that those things are generally useful for the other users from the community (I am not 100% sure about the keycloak-authorization; rather leaving it to you to decide if it's generally useful or not). The keycloak-wsfed is already on the extensions page.

Thanks!
Marek

On 10/08/18 11:44, Doswald Alistair wrote:
> Hello,
>
> I just wanted to let this mailing list know that for the Cloudtrust project (https://github.com/cloudtrust), we have developed a certain number of modules for Keycloak. These are currently compatible with version 3.4.3.Final of Keycloak, but we will make them compatible with Keycloak 4.X (where X will be the latest sub-version of Keycloak when we start working on this) as soon as we can. These modules are:
>
> * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an implementation of the WS-Federation protocol for Keycloak. This allows selecting the WS-Federation protocol for Keycloak clients and for identity brokers.
>
> * keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization): this module allows the use of the client authorization system to prevent a user who is authenticated in a Keycloak realm from accessing a given client. It works no matter which protocol is used, and without the client having to support any extra protocol. Note: this solution is a bit hacky, but necessary for one of our use-cases.
>
> * keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers): a module for adding any mappers that we might need that are not yet part of Keycloak. It currently only contains a JavaScript mapper for SAML, analogous to the OIDC script mapper. I've noticed that there's an open issue for this feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could submit this code not as a module but as a solution to the issue.
>
> * keycloak-export (https://github.com/cloudtrust/keycloak-export): a module adding an endpoint to fully export a realm while Keycloak is still running (no need for restarts!).
>
> Cheers,
>
> Alistair
>
> PS: I'm mailing this to both the dev and user mailing lists as I believe it may interest members of both.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Fri Aug 10 12:51:50 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 10 Aug 2018 13:51:50 -0300
Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project
In-Reply-To: <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com>
References: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch> <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com>
Message-ID:

Cool stuff! Thanks for sharing.

I've looked at keycloak-authorization very quickly and the changes look really simple; I'm glad to start a discussion about supporting this OOTB. Maybe this can be part of the review of admin fine-grained permissions we are planning.

Regards.
Pedro Igor

On Fri, Aug 10, 2018 at 9:43 AM, Marek Posolda wrote:
> Thanks for the heads up!
>
> IMO it will be cool if you send a PR for the JavaScript mapper directly to Keycloak; however, we may need automated tests and also docs (a separate PR needs to be sent for the docs).
>
> For the keycloak-authorization and keycloak-export (and maybe for keycloak-client-mappers too, if you don't have time for the PR to upstream), it may be good to send a PR to update the extensions page, maybe? It's here: https://www.keycloak.org/extensions.html and the sources are here: https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions . Assuming that those things are generally useful for the other users from the community (I am not 100% sure about the keycloak-authorization; rather leaving it to you to decide if it's generally useful or not). The keycloak-wsfed is already on the extensions page.
>
> Thanks!
> Marek
>
>
> On 10/08/18 11:44, Doswald Alistair wrote:
> > Hello,
> >
> > I just wanted to let this mailing list know that for the Cloudtrust project (https://github.com/cloudtrust), we have developed a certain number of modules for Keycloak. These are currently compatible with version 3.4.3.Final of Keycloak, but we will make them compatible with Keycloak 4.X (where X will be the latest sub-version of Keycloak when we start working on this) as soon as we can. These modules are:
> >
> > * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an implementation of the WS-Federation protocol for Keycloak. This allows selecting the WS-Federation protocol for Keycloak clients and for identity brokers.
> >
> > * keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization): this module allows the use of the client authorization system to prevent a user who is authenticated in a Keycloak realm from accessing a given client. It works no matter which protocol is used, and without the client having to support any extra protocol. Note: this solution is a bit hacky, but necessary for one of our use-cases.
> >
> > * keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers): a module for adding any mappers that we might need that are not yet part of Keycloak. It currently only contains a JavaScript mapper for SAML, analogous to the OIDC script mapper. I've noticed that there's an open issue for this feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could submit this code not as a module but as a solution to the issue.
> >
> > * keycloak-export (https://github.com/cloudtrust/keycloak-export): a module adding an endpoint to fully export a realm while Keycloak is still running (no need for restarts!).
> >
> > Cheers,
> >
> > Alistair
> >
> > PS: I'm mailing this to both the dev and user mailing lists as I believe it may interest members of both.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From max.bruchmann at hotmail.com Fri Aug 10 13:32:29 2018
From: max.bruchmann at hotmail.com (Max Bruchmann)
Date: Fri, 10 Aug 2018 17:32:29 +0000
Subject: [keycloak-user] attributes are not persisted
In-Reply-To:
References:
Message-ID:

Hmm, unfortunately if I use

KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (session) -> {
    UserModel user = getUserModel(session, userId, realmId);
    ...

The user is null :/

Max

On 10.08.18 at 09:03, Marek Posolda wrote:
> I am not 100% sure, but it's possible that updating users in the events doesn't currently work. The reason is that the transaction might already be committed. The possible long-term solution is to use pre/post events for this (which we don't yet support).
>
> For the short term, it may be possible to manually trigger your own temporary transaction (you can take a look at the KeycloakModelUtils.runJobInTransaction method). Note that in the new transaction, you need to ensure not to use Hibernate entities from the "outer" transaction (e.g. all the things like RealmModel, UserModel need to be looked up again through the Model API in the new transaction).
>
> Marek
>
> On 09/08/18 21:39, Max Bruchmann wrote:
>> Hi,
>>
>> I have a custom EventListenerProvider that consumes Register and Login events. On register it creates some external resource:
>>
>> ... // on register
>> String externalID = createSomethingWithUserEmail(userModel.getEmail());
>> userModel.setSingleAttribute("foo", externalID);
>> ...
>> On login I need to do some additional calls with the already created id.
>>
>> ... // on login
>> String externalID = userModel.getFirstAttribute("foo");
>> doSomeUpdate(externalID, userModel.getFirstName(), userModel.getLastName());
>> ...
>>
>> Unfortunately the id retrieved via getFirstAttribute seems to be null. Is there anything I need to do when modifying attributes so they are persisted?
>>
>> Kind Regards,
>> Max
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hfuss at bandwidth.com Fri Aug 10 15:58:50 2018
From: hfuss at bandwidth.com (Hayden Fuss)
Date: Fri, 10 Aug 2018 15:58:50 -0400
Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache
In-Reply-To: <346b6795-ed86-287b-7ed5-cc7668044b35@redhat.com>
References: <346b6795-ed86-287b-7ed5-cc7668044b35@redhat.com>
Message-ID:

Hello Sebastian and Marek,

Thank you very much for the suggestions. We had confirmed replication across the ISPN clusters was working with the CLI, so we tried attaching the remote debugger but didn't find anything useful to tell us why Keycloak couldn't remotely store the sessions in the ISPN cluster.

Based on what Marek described, we decided to downgrade our ISPN cluster to 8.2.8 rather than use 9.3.1 and incorporate the demo code. It was our understanding that the demo code would provide an SPI that enabled the ISPN cluster for persistent user storage (but not realms, clients, keys), which is not desirable for us as of now.

Downgrading to 8.2.8 (had to create our own image https://github.com/brix4dayz/infinispan/tree/8.2.x) fixed our sessions replication issue; the only thing is KUBE_PING/DNS_PING isn't available with the JGroups version that comes with 8.2.8.
Based on what I'm seeing from this PR https://github.com/jboss-dockerfiles/keycloak/pull/96/files it's possible to add a newer version of JGroups to Keycloak, so I'll attempt to do that for ISPN so we can have local clustering for ISPN and Keycloak in OpenShift. If there's a better way to go about the JGroups version issue, let us know.

Thanks again!

Best,
Hayden

On Thu, Aug 9, 2018 at 3:27 AM Marek Posolda wrote:
> Hi,
>
> I didn't check everything, but one thing I noted is that in your keycloak-standalone-ha.xml, you don't have "alternative" providers configured.
>
> For Keycloak to work with the infinispan 9.2.X server or newer, it was needed to configure providers like this:
> https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681
>
> There is also a need to add the userStorage to your realm, which can be done through the admin console or by importing the realm. See:
> https://github.com/rhdemo/rh-sso/blob/master/realm-summit.json#L1051
>
> Marek
>
>
> On 08/08/18 15:07, Sebastian Laskawiec wrote:
> > On Tue, Aug 7, 2018 at 3:28 PM Hayden Fuss wrote:
> >
> >> Hello,
> >>
> >> We are attempting to run Keycloak on two OpenShift clusters using remote ISPNs and a single MariaDB instance. We're hacking together the Keycloak on Openshift blogpost, the JDG-as-a-service demo from Summit, the RH SSO demo from Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC replication. The hope is to do an initial evaluation of Keycloak's availability.
> >>
> >> We were able to create a new user on master (site1), disable the user on master2 (site2), and see the user was disabled on master. So ISPN replication seems to be working because the work cache was replicated to invalidate the local caches.
> >> However, the sessions cache does not seem to be replicated, because when logged in as the same user on the two different Keycloaks (in Incognito mode) there is only one active session shown on both UIs and the timestamp/IP/etc. is different for the listed session.
> >>
> > So at this point the Infinispan cluster within a single DC works correctly [1] (the one that is formed by KUBE_PING). The Cross-DC cluster (also known as the Global Cluster) also works correctly [2]. The users cache replicates fine but sessions don't.
> >
> > If I understood everything correctly, there might be two issues there.
> >
> > The first one is Infinispan misconfiguration (I briefly looked through the configuration and cannot spot any mistake, but there might be some typo or anything like that). That one is easy to verify: just put an entry on one node (e.g. using REST [3]) and see if it's available on the other one (again, using REST for example [4]).
> >
> > If this test works fine, you can check if Keycloak forwards traffic to the Infinispan cluster. The easiest way is to set a breakpoint somewhere in org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveClientSessionToRemoteCache and org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveUserSessionToRemoteCache.
> >
> > [1] can be verified by calling `oc logs infinispan-app | grep view`
> > [2] can be verified by calling `oc logs infinispan-app | grep "x-site"`
> > [3] curl -d test ISPN_IP:8080/rest/sessions/test
> > [4] curl ISPN_IP2:8080/rest/sessions/test
> >
> >
> >> We are using the latest, stable Keycloak image, version 4.1.0.Final, and the latest, stable Infinispan image to act as our data grid, version 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for its local caches.
> >>
> >> We were trying one Keycloak node and two ISPN nodes in each cluster, but for simplicity we've attached logs where we only ran one Keycloak and one ISPN in each cluster.
> >> We were connecting to the two different Keycloaks via two different OpenShift Routes without a load balancer to fake sticky sessions for now. Keycloak connects to ISPN via a "HotRod" Service. ISPN connects to other nodes within the same cluster via KUBE_PING, and discovers the other cluster via TCPPING hitting a particular OpenShift app node from that cluster that exposes the "discovery" Service with a NodePort. The Keycloaks share the single MariaDB through a NodePort Service in one of the clusters as well.
> >>
> >> The logs didn't seem to contain any of the messages in the troubleshooting guide. We had trouble using JMX to check the ISPNs because they were running in containers, but we've been using the CLI tool and the Infinispan management console to try to troubleshoot; however, any key we pulled from the logs that we thought was a session ID was not in the caches, and we could not find a way to simply list all keys in the caches.
> >>
> >> Below is a viewable link to a zip containing logs from the scenario described in the second paragraph, and our config files.
> >>
> >> https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4
> >>
> >> Thanks for your time and help!
> >> > >> Best, > >> Hayden > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From pnalyvayko at agi.com Sat Aug 11 08:18:38 2018 From: pnalyvayko at agi.com (Nalyvayko, Peter) Date: Sat, 11 Aug 2018 12:18:38 +0000 Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed. In-Reply-To: References: , Message-ID: Hi Joy, Yes, we have seen similar errors, although we are yet to determine whether these errors are the cause or just a symptom ________________________________________ From: Joy Kent [joy at autonomic.ai] Sent: Thursday, August 9, 2018 7:01 PM To: Nalyvayko, Peter Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed. Hi Peter, While debugging more on this issue, we noticed that there are other exceptions like this in the logs: [keycloak-test-6df85dc969-nr6pt] 20:13:20,661 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 in state RUN [keycloak-test-6df85dc969-nr6pt] 20:13:20,662 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 1) ARJUNA012095: Abort of action id 0:ffff646009a0:375a4efd:5b6b81d4:123b0 invoked while multiple threads active within it. 
[keycloak-test-6df85dc969-nr6pt] 20:13:20,663 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 1) ARJUNA012381: Action id 0:ffff646009a0:375a4efd:5b6b81d4:123b0 completed with multiple threads - thread default task-34 was in progress with java.net.SocketInputStream.socketRead0(Native Method)
[keycloak-test-6df85dc969-nr6pt] 20:13:20,664 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 1) ARJUNA012108: CheckedAction::check - atomic action 0:ffff646009a0:375a4efd:5b6b81d4:123b0 aborting with 1 threads active!
[keycloak-test-6df85dc969-nr6pt] 20:13:21,162 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 in state CANCEL
[keycloak-test-6df85dc969-nr6pt] 20:13:21,163 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012378: ReaperElement appears to be wedged: sun.misc.Unsafe.park(Native Method)
[keycloak-test-6df85dc969-nr6pt] 20:13:21,663 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 in state CANCEL_INTERRUPTED
[keycloak-test-6df85dc969-nr6pt] 20:13:21,663 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012120: TransactionReaper::check worker Thread[Transaction Reaper Worker 1,5,main] not responding to interrupt when cancelling TX 0:ffff646009a0:375a4efd:5b6b81d4:123b0 -- worker marked as zombie and TX scheduled for mark-as-rollback

Have you seen this before? What might be causing this exception?

Thanks,
Joy

On Sat, Aug 4, 2018 at 6:08 AM, Joy Kent wrote:
Thanks Peter. I would like to hear more if you have more findings. I will do more testing locally as well, and report back if I find anything.

On Fri, Aug 3, 2018 at 7:13 PM, Nalyvayko, Peter wrote:
> Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?
Lately I've been looking into performance and JVM memory consumption in an effort to identify the culprit of system slowdown due to memory starvation. Preliminary results seem to indicate that simple grants, such as owner password and client credential grants, can be safely marked off the list of possible causes. More complex use cases, such as identity brokering, are another story, as they involve external systems downstream that could cause the entire system to misbehave, but I do not have any empirical evidence yet.

________________________________________
From: Joy Kent [joy at autonomic.ai]
Sent: Friday, August 3, 2018 5:41 PM
To: Nalyvayko, Peter
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.

Interesting. Looking over the history, I did see a huge memory jump around the time when the exception occurred. Is there a memory leak somewhere?

On Fri, Aug 3, 2018 at 1:58 PM, Joy Kent wrote:
Hi Peter,

Thanks for your suggestions. I haven't checked the memory usage around that time. I will check that and report back.

Thanks,
Joy

On Fri, Aug 3, 2018 at 12:56 PM, Nalyvayko, Peter wrote:
tl;dr :)

You may want to check if the JVM is running out of memory, we've seen it happen before and the effects were similar.

My 0.02 cents

Regards,
Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Joy Kent [joy at autonomic.ai]
Sent: Friday, August 3, 2018 2:30 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.

We have a Keycloak 3.4.3.Final cluster with two PostgreSQL databases, one for Keycloak, and the other for user federation storage. Both the Keycloak and user federation PostgreSQL databases are running on AWS RDS instances.

Recently, we noticed that Keycloak continuously threw exceptions when the user federation PostgreSQL database did a MultiAZ region failover, and became unusable. The exception snippet is attached below. I have searched around, but didn't find the answer.

This is our Keycloak database configuration:

    jdbc:postgresql://${env.POSTGRES_PORT_5432_TCP_ADDR}:${env.POSTGRES_PORT_5432_TCP_PORT:5432}/${env.POSTGRES_DATABASE:keycloak}
    postgresql
    IdleConnections
    ${env.POSTGRES_USER:keycloak}
    ${env.POSTGRES_PASSWORD:password}
    SELECT 1
    true
    60000

The user federation database configuration looks like this:

    ${env.IAM_DB_HOST}
    ${env.IAM_DB_TCP_PORT:5432}
    ${env.IAM_DB_DATABASE:iam}
    postgresql
    ${env.IAM_XA_POOL_MIN_SIZE:5}
    ${env.IAM_XA_POOL_MAX_SIZE:100}
    false
    ${env.IAM_POSTGRES_USER:user}
    ${env.IAM_POSTGRES_PASSWORD:password}
    SELECT 1
    true
    60000

The driver is: org.postgresql.xa.PGXADataSource

I found a page https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/configuration_guide/datasource_management, which seems to indicate that exception-sorter is important:

> To configure database connection validation, you specify the validation
> timing method (when the validation occurs), the validation mechanism (how
> the validation is performed), and the exception sorter (how exceptions are
> handled).

Is the exception-sorter the missing configuration? I have tried this change, which seems to "fix" the problem. But by looking at the code, I can't tell how this can solve the problem. Does anyone know what might be wrong?

Thanks a lot for your help!
=====================
The exception snippet is as follows:

04:44:55,502 INFO [org.keycloak.events] (default task-21) type=CLIENT_LOGIN, realmId=xxxxxxxxxxx, clientId=xxxxxxxxxx, userId=xxxxxxxxxxxx, ipAddress=100.96.4.0, token_id=xxxxxxxxxxxx, grant_type=client_credentials, refresh_token_type=Refresh, refresh_token_id=xxxxxxxxxx, client_auth_method=client-secret, username=xxxxxxxxxxx
04:44:55,503 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) SQL Error: 0, SQLState: 08003
04:44:55,503 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-21) This connection has been closed.
04:44:55,503 WARN [com.arjuna.ats.arjuna] (default task-21) ARJUNA012125: TwoPhaseCoordinator.beforeCompletion - failed for SynchronizationImple< 0:ffff646043f0:2ee9e692:5b425ae8:2c012df, org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization@76b2b731 >: javax.persistence.PersistenceException: org.hibernate.exception.JDBCConnectionException: could not prepare statement
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
	at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1608)
	at org.hibernate.jpa.internal.EntityManagerImpl$CallbackExceptionMapperImpl.mapManagedFlushFailure(EntityManagerImpl.java:235)
	at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3163)
	at org.hibernate.internal.SessionImpl.beforeTransactionCompletion(SessionImpl.java:2352)
	at org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl.beforeTransactionCompletion(JdbcCoordinatorImpl.java:491)
	at org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl.beforeCompletion(JtaTransactionCoordinatorImpl.java:316)
	at org.hibernate.resource.transaction.backend.jta.internal.synchronization.SynchronizationCallbackCoordinatorNonTrackingImpl.beforeCompletion(SynchronizationCallbackCoordinatorNonTrackingImpl.java:47)
	at org.hibernate.resource.transaction.backend.jta.internal.synchronization.RegisteredSynchronization.beforeCompletion(RegisteredSynchronization.java:37)
	at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:209)
	at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:220)
	at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:265)
	at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
	at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:368)
	at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
	at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
	at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
	at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
	at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
	at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
	at org.keycloak.transaction.JtaTransactionWrapper.commit(JtaTransactionWrapper.java:92)
	at org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
	at org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
	at org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:165)
	.....
Caused by: org.hibernate.exception.JDBCConnectionException: could not prepare statement
	at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:115)
	at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:42)
	at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:182)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareStatement(StatementPreparerImpl.java:78)
	at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.buildBatchStatement(AbstractBatchImpl.java:136)
	at org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl.getBatchStatement(AbstractBatchImpl.java:125)
	at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2980)
	at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3499)
	at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:89)
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:589)
	at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:463)
	at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:337)
	at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:39)
	at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1295)
	at org.hibernate.internal.SessionImpl.managedFlush(SessionImpl.java:468)
	at org.hibernate.internal.SessionImpl.flushBeforeTransactionCompletion(SessionImpl.java:3159)
	... 72 more
Caused by: org.postgresql.util.PSQLException: This connection has been closed.
	at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:766)
	at org.postgresql.jdbc.PgConnection.prepareStatement(PgConnection.java:1582)
	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.doPrepareStatement(BaseWrapperManagedConnection.java:757)
	at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.prepareStatement(BaseWrapperManagedConnection.java:743)
	at org.jboss.jca.adapters.jdbc.WrappedConnection.prepareStatement(WrappedConnection.java:454)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$1.doPrepare(StatementPreparerImpl.java:87)
	at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:172)
	... 85 more

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Sat Aug 11 08:26:34 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Sat, 11 Aug 2018 14:26:34 +0200
Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache
In-Reply-To:
References: <346b6795-ed86-287b-7ed5-cc7668044b35@redhat.com>
Message-ID:

On Fri, 10.08.2018, 21:59, Hayden Fuss wrote:

> Hello Sebastian and Marek,
>
> Thank you very much for suggestions. We had confirmed replication across the ISPN clusters was working with the CLI, so we tried attaching the remote debugger but didn't find anything useful to tell us why Keycloak couldn't remotely store the sessions in the ISPN cluster.

Thanks for letting us know.

> Based on what Marek described, we decided to downgrade our ISPN cluster to 8.2.8 rather than use 9.3.1 and incorporate the demo code. It was our understanding that demo code would provide an SPI that enabled the ISPN cluster for persistent user storage (but not realms, clients, keys) which is not desirable for us as of now.

Hmmm, that's pretty interesting. For the Summit demo we used a fresh master build, so ISPN 9.x should work without any problems. Perhaps Marek can shed some light on this issue. BTW, do you have a demo pushed into some repo, so that we could check it out?

> Downgrading to 8.2.8 (had to create our own image https://github.com/brix4dayz/infinispan/tree/8.2.x) fixed our sessions replication issue, the only thing is KUBE_PING/DNS_PING isn't available with the JGroups version that comes with 8.2.8. Based on what I'm seeing from this PR https://github.com/jboss-dockerfiles/keycloak/pull/96/files it's possible to add a newer version of JGroups to Keycloak so I'll attempt to do that for ISPN so we can have local clustering for ISPN and Keycloak in OpenShift.
Kube ping has basically two versions, 1.x which requires JGroups 4 and 0.9.x, which works with JGroups 3 and 4. Let me know if you hit any problems incorporating kube ping into your project. I might be able to help you.

> If there's a better way to go about the JGroups version issue let us know.
> Thanks again!

TBH I'm really interested why keycloak doesn't store sessions in ISPN. In my opinion, we should find out how to fix this problem and stay with ISPN 9. I would recommend downgrading ISPN as the last resort approach.

> Best,
> Hayd
>
> On Thu, Aug 9, 2018 at 3:27 AM Marek Posolda wrote:
>
>> Hi,
>>
>> I didn't check everything, but one thing I noted is, that in your keycloak-standalone-ha.xml, you don't have "alternative" providers configured.
>>
>> For Keycloak to work with the infinispan 9.2.X server or newer, it was needed to configure providers like this:
>> https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681
>>
>> There is also a need to add the userStorage to your realm, which can be done through admin console or by importing the realm. See:
>> https://github.com/rhdemo/rh-sso/blob/master/realm-summit.json#L1051
>>
>> Marek
>>
>> On 08/08/18 15:07, Sebastian Laskawiec wrote:
>> > On Tue, Aug 7, 2018 at 3:28 PM Hayden Fuss wrote:
>> >
>> >> Hello,
>> >>
>> >> We are attempting to run Keycloak on two OpenShift clusters using remote ISPNs and a single MariaDB instance. We're hacking together the Keycloak on Openshift blogpost, the JDG-as-a-service demo from Summit, RH SSO demo from Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC replication. The hope is to do an initial evaluation of Keycloak's availability.
>> >>
>> >> We were able to create a new user on master (site1), disable the user on master2 (site2), and see the user was disabled on master. So ISPN replication seems to be working because the work cache was replicated to invalidate the local caches. However, the sessions cache does not seem to be replicated because when logged in as the same user on the two different Keycloaks (in Incognito mode) there is only one active session shown on both UIs and the timestamp/IP/etc is different for the listed session.
>> >
>> > So at this point the Infinispan cluster within a single DC works correctly [1] (the one that is formed by KUBE_PING). The Cross-DC cluster (also known as the Global Cluster) also works correctly [2]. Users cache replicates fine but sessions don't.
>> >
>> > If I understood everything correctly, there might be two issues there.
>> >
>> > The first one is Infinispan misconfiguration (I briefly looked through the configuration and can not spot any mistake but there might be some typo or anything like that). That one is easy to be verified, just put an entry on one node (e.g. using REST [3]) and see if it's available on the other one (again, using REST for example [4]).
>> >
>> > If this test works fine, you can check if Keycloak forwards traffic to the Infinispan cluster. The easiest way is to set a breakpoint somewhere in org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveClientSessionToRemoteCache and org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveUserSessionToRemoteCache.
>> >
>> > [1] can be verified by calling `oc logs infinispan-app | grep view`
>> > [2] can be verified by calling `oc logs infinispan-app | grep "x-site"`
>> > [3] curl -d test ISPN_IP:8080/rest/sessions/test
>> > [4] curl ISPN_IP2:8080/rest/sessions/test
>> >
>> >> We are using the latest, stable Keycloak image, version 4.1.0.Final, and the latest, stable Infinispan image to act as our data grid, version 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for its local caches.
>> >>
>> >> We were trying one Keycloak node and two ISPN nodes in each cluster, but for simplicity we've attached logs where we only ran one Keycloak and one ISPN in each cluster. We were connecting to the two different Keycloaks via two different OpenShift Routes without a load balancer to fake sticky sessions for now. Keycloak connects to ISPN via a "HotRod" Service. ISPN connects to other nodes within the same cluster via KUBE_PING, and discovers the other cluster via TCPPING hitting a particular OpenShift app node from that cluster that exposes the "discovery" Service with a NodePort. The Keycloaks share the single MariaDB through a NodePort Service in one of the clusters as well.
>> >>
>> >> The logs didn't seem to contain any of the messages in the troubleshooting guide. We had trouble using JMX to check the ISPNs because they were running in containers, but we've been using the CLI tool and the Infinispan management console to try to troubleshoot, but any key we pulled from the logs that we thought was a session ID was not in the caches and we could not find a way to simply list all keys in the caches.
>> >>
>> >> Below is a viewable link to a zip containing logs from the scenario described in the second paragraph, and our config files.
>> >> https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4
>> >>
>> >> Thanks for your time and help!
>> >>
>> >> Best,
>> >> Hayden

From courtney.robinson at hypi.io Sun Aug 12 03:01:10 2018
From: courtney.robinson at hypi.io (Courtney Robinson)
Date: Sun, 12 Aug 2018 08:01:10 +0100
Subject: [keycloak-user] Using Keycloak for per field authorisation
In-Reply-To:
References:
Message-ID:

Checking the archives I see my response doesn't show up, I'm guessing reply-all doesn't work since the mailing list user ends up being CC'd. Sending again.

>> So far so good, I can see how to map some of these things directly to Keycloak high level constructs. It falls apart for me with the API. We're using Spring Boot but I struggle to see how I'd achieve this setup using one of the adapters.
>
> Did you have a chance to look at our app-authz-spring* quickstarts?

Yes, I didn't see where any of them did per field auth or mixed system defined/default policies with user defined ones. Also bear in mind that some of the terminology is new to me so even if it has been explained in the examples or docs I may have misunderstood or not fully appreciated what something implied.
>> Take this scenario:
>> App 1 defines two types A{f1:Int, f2: String} and B{f3:Int, f4: String}
>> Org 1, User 1 can read,write A.f1 and B.f3, they can only read B.f4 and cannot see or perform any other operation on A.f2 *normally* but in one case they have had a specific instance of A shared with them and given complete read/write/share/manage permission for that one instance and thus A.f2 is available to them in this one instance.
>
> I'm a little confused about what type A and B are. You also mentioned you may have an "instance of A". Does that mean that types A and B represent generic resources which policies should be enforced on instances of A and B? Are these instances user-managed resources?

Types A and B are GraphQL objects. If you're not familiar then just think of them as classes A and B with only class members/fields defined.

I'm not explaining this very well I think, so another way to think about it is like this. By default I want to apply some global policies to classes A and B that say, for example, anyone in Organisation 1 can read/write classes A and B. This is "system defined".

More concretely imagine classes User and Book. Two organisations Org1 and Org2. When we create a realm for each org, we want to tell Keycloak that some app X has two types User and Book and any user in the current realm can read/write fields of both User and Book within this realm. We also want to tell Keycloak that an "admin" (I imagine a user with some role or in a specific group) in this realm can add policies that override the above behaviour. Given one or more of these admins, they can then choose to create a policy that says "Users from site A can read/write all fields of User and Book but users from site B can only read some fields from User and all fields from Book".

The other case I mentioned in my first email is where a user in an organisation has created e.g. a "Book" record. Under default policies only they can see and manage this Book they created. They can then share this book with site 2 so that users in site 2 can also read the book, they may also share it with the whole organisation so anyone in the realm can read it. The extension to this is when members of one site could normally only see a subset of fields from Book but on one occasion a user shares a single Book with one or more members giving them the permission to "manage" this one Book. This lifts the limitation on this one instance of book, enabling the user it is shared with to access a field of Book they wouldn't have been able to see before.

> Regarding how the adapter (policy enforcer in particular) works. It verifies permissions locally in case the client is sending a bearer token with permissions, otherwise the adapter will query the server for permissions associated with the resource the client is trying to access (mapping is based on URIs).

I had a feeling. One of the reasons I'm so unclear about how to achieve what we want is that it feels like a mixture of the auth policies Keycloak supports is needed. I've been thinking that for each app, default Keycloak policies are created that e.g. allow read only within an organisation. Use Keycloak groups to represent "sites" e.g. offices in an organisation and apply default policies to the groups. Then, the key thing I thought was that I'd have to register each type and its fields in Keycloak as resources and then have a fixed list of scopes read, write, update, delete, share etc.

When an entry/instance (say of a Book) is shared, the model changes from being type based to being based on the ID of the object i.e. the Book's ID. If I understood correctly, that means the size of the token will grow with each object shared directly with a user, surely a problem. In a similar vein, do I have to create an entry for every Book record in keycloak to be able to do per book permissions?
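The model the post describes (realm- and site-level default policies on types and their fields, plus instance-level shares where a "manage" share lifts the field restriction for that one object), carried through as a reference decision function. This is an added example, not Keycloak's policy enforcer and not code from the thread; the realm, group, user, type and field names are constructed sample data.

```python
"""Reference decision function for the per-field authorisation model in this thread.

Constructed example: realm Org1 with sites siteA and siteB (Keycloak groups), types
User{name, email} and Book{title, isbn}, users alice and bob. Not Keycloak code.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

SCOPES = frozenset({"read", "write", "update", "delete", "share", "manage"})

# Principals are prefixed so a user, a site (group) and a whole realm can all be
# targets of a type policy or an instance share without ambiguity.
Principal = str                 # "user:alice" | "group:siteA" | "realm:Org1"
InstanceKey = Tuple[str, str]   # (type name, instance id), e.g. ("Book", "b1")
FieldPolicy = Dict[str, Dict[str, FrozenSet[str]]]  # type -> field -> scopes


@dataclass(frozen=True)
class Subject:
    user: str
    realm: str              # one realm per organisation
    groups: FrozenSet[str]  # "sites" modelled as Keycloak groups

    def principals(self) -> FrozenSet[Principal]:
        return frozenset({f"user:{self.user}", f"realm:{self.realm}"}
                         | {f"group:{g}" for g in self.groups})


@dataclass
class Authz:
    # Type-level policies: the "system defined" defaults plus admin overrides.
    type_policies: Dict[Principal, FieldPolicy] = field(default_factory=dict)
    # Instance-level shares: what a principal may do with one specific object.
    shares: Dict[InstanceKey, Dict[Principal, FrozenSet[str]]] = field(default_factory=dict)
    owners: Dict[InstanceKey, str] = field(default_factory=dict)

    def grant_type(self, principal: Principal, type_name: str, field_name: str, scopes) -> None:
        self.type_policies.setdefault(principal, {}).setdefault(type_name, {})[field_name] = frozenset(scopes)

    def create_instance(self, owner: Subject, type_name: str, instance_id: str) -> None:
        # Under the default policy only the creator can see and manage the new object.
        self.owners[(type_name, instance_id)] = owner.user

    def type_scopes(self, subject: Subject, type_name: str, field_name: str) -> FrozenSet[str]:
        granted = set()
        for p in subject.principals():
            granted |= self.type_policies.get(p, {}).get(type_name, {}).get(field_name, frozenset())
        return frozenset(granted)

    def instance_scopes(self, subject: Subject, type_name: str, instance_id: str) -> FrozenSet[str]:
        key = (type_name, instance_id)
        if self.owners.get(key) == subject.user:
            return SCOPES
        granted = set()
        for p, scopes in self.shares.get(key, {}).items():
            if p in subject.principals():
                granted |= scopes
        return frozenset(granted)

    def share(self, actor: Subject, type_name: str, instance_id: str, target: Principal, scopes) -> None:
        # Sharing is itself a scope: a read-only share does not let the recipient re-share.
        if not self.instance_scopes(actor, type_name, instance_id) & {"share", "manage"}:
            raise PermissionError(f"{actor.user} may not share {type_name}/{instance_id}")
        if not set(scopes) <= SCOPES:
            raise ValueError(f"unknown scope in {sorted(scopes)}")
        targets = self.shares.setdefault((type_name, instance_id), {})
        targets[target] = targets.get(target, frozenset()) | frozenset(scopes)

    def allowed(self, subject: Subject, type_name: str, instance_id: str, field_name: str, scope: str) -> bool:
        inst = self.instance_scopes(subject, type_name, instance_id)
        if "manage" in inst:     # a manage share lifts the field restrictions for this one object
            return True
        if scope not in inst:    # not owner and no share covering this operation on this object
            return False
        return scope in self.type_scopes(subject, type_name, field_name)  # site/realm field policy

    def token_permissions(self, subject: Subject) -> List[Tuple[str, str, FrozenSet[str]]]:
        """Instance grants a bearer token with permissions would carry for this subject;
        it grows by one entry per object shared directly with them."""
        out = []
        for (type_name, instance_id), targets in sorted(self.shares.items()):
            scopes = frozenset().union(*(s for p, s in targets.items() if p in subject.principals()))
            if scopes:
                out.append((type_name, instance_id, scopes))
        return out


def build_scenario() -> Tuple[Authz, Subject, Subject]:
    """Site A reads/writes every field; site B reads all of Book but only User.name."""
    az = Authz()
    for type_name, fields in {"User": ("name", "email"), "Book": ("title", "isbn")}.items():
        for f in fields:
            az.grant_type("group:siteA", type_name, f, {"read", "write"})
    az.grant_type("group:siteB", "User", "name", {"read"})
    for f in ("title", "isbn"):
        az.grant_type("group:siteB", "Book", f, {"read"})
    alice = Subject("alice", "Org1", frozenset({"siteA"}))
    bob = Subject("bob", "Org1", frozenset({"siteB"}))
    for type_name, instance_id in (("Book", "b1"), ("Book", "b2"), ("User", "u1")):
        az.create_instance(alice, type_name, instance_id)
    az.share(alice, "Book", "b1", "group:siteB", {"read"})   # whole site may read b1
    az.share(alice, "Book", "b2", "user:bob", {"manage"})    # one-off manage share of b2
    az.share(alice, "User", "u1", "realm:Org1", {"read"})    # whole organisation may read u1
    return az, alice, bob
```

`token_permissions` makes the growth concern concrete: every object shared directly with a subject adds one entry to what a permission-bearing token would have to carry.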
From remy at grunblatt.org Mon Aug 13 01:09:27 2018
From: remy at grunblatt.org (Rémy Grünblatt)
Date: Mon, 13 Aug 2018 07:09:27 +0200
Subject: [keycloak-user] Unique Integer identifier in the Userinfo endpoint // automatically set up attributes?
Message-ID: <5b83c7a6-881c-a187-ba4e-4d6879b3b2e6@grunblatt.org>

Hello,

for a specific application I need to provide a unique integer id in the information returned by the userinfo endpoint (openid connect). Using keycloak and mappers, I can return user attributes containing integers, but I failed to find how to automatically create those attributes in a way that would ensure each user would have a unique id (for example, first user would get 1, second would get 2, and so on).

Is there a way to get such a unique integer id? (with either a mapper, or by automatically setting up some attributes at the account creation?)

Thanks,
Rémy

From testoauth55 at gmail.com Mon Aug 13 02:40:41 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Mon, 13 Aug 2018 12:10:41 +0530
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro>
Message-ID:

Can someone please help me on this issue?

On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo wrote:

> Another update:
>
> Though the login form appears every time, if I login with a different user the second time, i.e. launch client app -> login with user1 -> relaunch client app (browser shows login form instead of already logged in message) -> now login with user2, I get the following message:
> "We're sorry...You are already authenticated as different user 'user1' in this session. Please logout first."
> If it's able to know another user is logged in, then why is the login form appearing?
>
> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote:
>
>> An update on my findings: When I checked developer console: I am getting KC_RESTART cookie in cookies section.
>>
>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
>>
>>> Yes sir,
>>> I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter. And am seeing the same behavior on chrome and firefox.
>>>
>>> Also regarding the manual mode, I see the same behavior i.e. I have to re-login for each re-run of the client app.
>>>
>>> But if I do this:
>>>
>>> System.out.println("Login through manual mode");
>>> keycloak.loginManual();
>>> System.out.println("Login through browser");
>>> keycloak.loginDesktop();
>>>
>>> i.e. if I call both modes in the same code or even the same mode twice in the same code, then I don't have to re-login for the second call (in the above example for loginDesktop). However when I re-run the application, I need to re-login. This might be a stupid guess but could these sessions be "java object specific"?
>>>
>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin wrote:
>>>
>>>> Hi,
>>>>
>>>> Did you do everything in accordance with the docs?
>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>>>>
>>>> Do you experience this in "manual" mode too?
>>>>
>>>> Cheers,
>>>> Dmitry Telegin
>>>> CTO, Acutus s.r.o.
>>>> Keycloak Consulting and Training
>>>>
>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>>> +42 (022) 888-30-71
>>>> E-mail: info at acutus.pro
>>>>
>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
>>>> > I am using openid-connect for authenticating users. After successful authentication, the browser window says:
>>>> > "Login Successful
>>>> >
>>>> > You may close this browser window and go back to your console application."
>>>> >
>>>> > However, even without closing the window, if I relaunch my application (using keycloak.loginDesktop();) even within 10 seconds, the login page still appears instead of: you are already logged in.
>>>> >
>>>> > Browser: Firefox.

From testoauth55 at gmail.com Mon Aug 13 04:04:51 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Mon, 13 Aug 2018 13:34:51 +0530
Subject: [keycloak-user] Keycloak auto redirect to OKTA SSO page instead of clicking on button
Message-ID:

I have followed the guide https://ultimatesecurity.pro/post/okta-saml/ to configure OKTA SAML with keycloak. After this configuration, I see an Okta/saml login button on the login page, clicking on which the user is redirected to Okta login/SSO. Now, is there a way to avoid clicking on this button every time, such that when the keycloak login page appears the user is automatically redirected to Okta SSO instead of being shown the keycloak login form with the okta redirect button?
If not, is it possible to enter the okta username and password within the keycloak form fields and have keycloak validate them internally against Okta? This requirement is because the customer is using only Okta as IDP and does not have any other like LDAP etc., and clicking on a button seems overhead.

From speechkey at gmail.com Mon Aug 13 04:06:59 2018
From: speechkey at gmail.com (Artem Grebenkin)
Date: Mon, 13 Aug 2018 11:06:59 +0300
Subject: [keycloak-user] Deployment of configuration changes
Message-ID:

Hi folks,

I'm looking for a way to deploy configuration changes. I have the following example: an existing group becomes a number of new subgroups with several new roles. If I configure the keycloak via UI, export the updated configuration, reset the keycloak to the previous state and then import the new configuration via UI partial import with override option, I get an exception that the group already exists.

In general I'm looking for abilities to deploy configuration changes as a part of the build artifact (docker), like for example liquibase works. After deployment of the new container the configuration has to be imported after startup.

Thank you for sharing your experience.

Best regards
speechkey

From Linda.Sauder at amdocs.com Mon Aug 13 04:33:10 2018
From: Linda.Sauder at amdocs.com (Linda Sauder)
Date: Mon, 13 Aug 2018 08:33:10 +0000
Subject: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
In-Reply-To:
References: <1533735331.2269.12.camel@acutus.pro> <1533736567.2269.14.camel@acutus.pro> <1533745353.10533.1.camel@acutus.pro> <1533765186.2054.2.camel@acutus.pro>
Message-ID:

Hi.

I am still trying to figure this out. Can anybody give me a hint?

--
Thanks
Linda

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Linda Sauder
Sent: Friday, August 10, 2018 9:35 AM
To: Dmitry Telegin; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Hi.

Another question concerning this topic. I tried the approach that was mentioned in your link. Unfortunately, I am facing issues with the auth-method. As far as I know I need to set it to "KEYCLOAK-SAML" to be able to use the keycloak plugins for Wildfly. But in combination with the filter I am never hitting my filter code. It always gets directed to the org.keycloak.adapters.saml.undertow.ServletSamlSessionStore which handles the roles itself.

Any suggestions on how to handle this?

--
Linda

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Linda Sauder
Sent: Thursday, August 09, 2018 9:09 AM
To: Dmitry Telegin; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

That sounds promising. I will give it a try. Thank you.

-----Original Message-----
From: Dmitry Telegin
Sent: Wednesday, August 08, 2018 11:53 PM
To: Linda Sauder; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly

Oh, I think I've misled you. No, I mean all of the above should work, but there's a much simpler variant - you can write a servlet filter to manipulate the security context, including roles. See this thread (from 2010, but still topical): https://coderanch.com/t/466744/java/Set-user-principal-filter

In this example the author manipulates the user principal, you'll need to do the same with roles.

Good luck!
Dmitry

On Wed, 2018-08-08 at 19:22 +0300, Dmitry Telegin wrote:
> So, is this correct that:
> - your customer has the "foo" role configured in their Keycloak;
> - authors of the app expect that the user have the "bar" role;
> - neither your customer wants to create "bar" in Keycloak, nor programmers want to change their code to use "foo", and you're caught in the crossfire?
>
> Off the top of my head, there can be two solutions:
> 1) modify SAML adapter code and implement role mapping there - shouldn't be too tricky, but from now on you'll have to use the modified adapter and update it with every Keycloak release (or maybe commit it to upstream, but I'm not sure it will be accepted);
> 2) deploy an intermediary Keycloak, configure brokering between it and the customer's one and use the role mapper trick. This could be made transparent for end-users, however it will add a couple of redirects to the flow. And of course this will mean that you'll have to maintain yet another piece of software.
>
> Good luck!
> Dmitry
>
> On Wed, 2018-08-08 at 14:31 +0000, Linda Sauder wrote:
> > Hi Dmitry,
> >
> > Yes. That is correct.
> >
> > ---
> > Linda
> >
> > -----Original Message-----
> > From: Dmitry Telegin
> > Sent: Wednesday, August 08, 2018 3:56 PM
> > To: Linda Sauder; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> >
> > I see, probably I misunderstood. I thought you were in control of your Keycloak instance, and had an external IdP configured there.
> >
> > So is it correct that your customer runs Keycloak (that you have no control of), and you use it to secure your Wildfly app?
> >
> > Dmitry
> >
> > On Wed, 2018-08-08 at 13:40 +0000, Linda Sauder wrote:
> > > Hi Dmitry,
> > >
> > > Thanks for your response.
> > >
> > > Unfortunately, I am not able to configure the IDP when using the app for the customer because the customer is providing the IDP. Which means I can only handle the roles provided in the app itself and not in the server.
> > >
> > > But I also thought about it. Not an option unfortunately.
> > >
> > > --
> > > Cheers
> > > Linda
> > >
> > > -----Original Message-----
> > > From: Dmitry Telegin
> > > Sent: Wednesday, August 08, 2018 3:36 PM
> > > To: Linda Sauder; keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] How to handle roles from IDP manually when securing a web application with Keycloak/SAML/Wildfly
> > >
> > > Hello Linda,
> > >
> > > Seems like you need to configure a SAML Attribute to Role mapper for your IdP.
> > >
> > > Go to IdP config -> Mappers tab and create a SAML Attribute to Role mapper.
> > >
> > > You will need to know how exactly your IdP supplies role information. Normally, there should be an attribute inside the SAML assertion that comes with the SAML response; the fastest way is to inspect the SAML payload via F12 -> Network in your browser. Use https://www.samltool.com to decode and pretty-print it.
> > >
> > > Once you have the name of the attribute that contains IdP roles, you can complete the configuration of the mapper.
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Wed, 2018-08-08 at 10:07 +0000, Linda Sauder wrote:
> > > > Hello.
> > > >
> > > > I am facing some issues. I want to secure some simple web application with Keycloak/SAML and Wildfly.
> > > >
> > > > My set-up is a configured Keycloak Server and a local Wildfly server (10.1.0 Final) with the Keycloak and SAML adapter installed.
> > > >
> > > > In my test .war file exists a simple .html file which just says "Hello World". Also in the WEB-INF folder I have the web.xml which is configured like this:
> > > >
> > > > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
> > > >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> > > >   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
> > > >
> > > >     <display-name>Application Container</display-name>
> > > >     <welcome-file-list>
> > > >         <welcome-file>ApplicationContainer.html</welcome-file>
> > > >     </welcome-file-list>
> > > >
> > > >     <login-config>
> > > >         <auth-method>KEYCLOAK-SAML</auth-method>
> > > >         <realm-name>keycloak</realm-name>
> > > >     </login-config>
> > > >
> > > >     <security-constraint>
> > > >         <display-name>Application Container Constraint</display-name>
> > > >         <web-resource-collection>
> > > >             <web-resource-name>All Resources</web-resource-name>
> > > >             <url-pattern>/*</url-pattern>
> > > >             <http-method>POST</http-method>
> > > >             <http-method>GET</http-method>
> > > >         </web-resource-collection>
> > > >         <auth-constraint>
> > > >             <role-name>hallo</role-name>
> > > >         </auth-constraint>
> > > >     </security-constraint>
> > > >
> > > > </web-app>
> > > >
> > > > My issue now is that this is working as long as I am sending the requested role from the IDP. But for the actual application I need to map the roles I am receiving to some local roles. I am not getting them directly from the IDP.
> > > >
> > > > Which brings me to the part where I thought I could use some login-module configuration from the standalone configuration. I tried to configure this one in a file named jboss-web.xml.
> > > >
> > > > How am I going to be able to locally handle the role mapping?
> > > >
> > > > Thanks in advance.
> > > > --
> > > > Linda
> > > > Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access.
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From rackymuthu at yandex.com Mon Aug 13 06:31:33 2018
From: rackymuthu at yandex.com (Rackymuthu)
Date: Mon, 13 Aug 2018 16:01:33 +0530
Subject: [keycloak-user] Keycloak domain cluster login page redirect issue, But works with single node(master or slave)
Message-ID: <6313481534156293@iva3-2961a207771d.qloud-c.yandex.net>

From rackymuthu at yandex.com Mon Aug 13 06:36:53 2018
From: rackymuthu at yandex.com (Rackymuthu)
Date: Mon, 13 Aug 2018 16:06:53 +0530
Subject: [keycloak-user] Keycloak domain cluster login page redirect issue, But works with single node(master or slave)
In-Reply-To: <6313481534156293@iva3-2961a207771d.qloud-c.yandex.net>
References: <6313481534156293@iva3-2961a207771d.qloud-c.yandex.net>
Message-ID: <544061534156613@iva8-60b043ae986f.qloud-c.yandex.net>

From rcypavi007 at gmail.com Mon Aug 13 06:38:51 2018
From: rcypavi007 at gmail.com (Rackymuthu)
Date: Mon, 13 Aug 2018 16:08:51 +0530
Subject: [keycloak-user] Keycloak domain cluster login page redirect, but works with single node(master or slave)
Message-ID:

I have configured a Keycloak domain cluster. In this setup, if I log in as admin, it redirects to the login page again and again.

Sometimes it shows the whoami (unauthorized) JS script error.

If we stop either the slave or the master in the cluster, then the login works fine without any issues.
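The decode-and-inspect step Dmitry Telegin recommends in the SAML role-mapping thread above (capture the SAMLResponse from the browser's network tab, find the attribute that carries the IdP's roles, then configure one "SAML Attribute to Role" mapper per value) as an added example. This is not code from the thread or from Keycloak. The SAML response is constructed for the example and is unsigned; the IdP alias "corp-saml", the attribute name "memberOf" and the role names are assumptions. The mapper id "saml-role-idp-mapper" and the config keys "attribute.name", "attribute.value" and "role" are, to my knowledge, those of Keycloak's SAML Attribute to Role mapper; each representation would be sent to POST /admin/realms/{realm}/identity-provider/instances/{alias}/mappers.

```python
"""Find the role-carrying attribute in a SAML response and build the Keycloak
"SAML Attribute to Role" mapper definitions for it.

Added example, not from the mailing-list thread or from Keycloak. The SAML
response below is constructed (unsigned, unencrypted); a real one is the
base64 SAMLResponse form field captured from the browser's network tab.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

IDP_ALIAS = "corp-saml"   # assumption: the IdP's alias in the Keycloak realm

# Constructed sample: what a decoded SAMLResponse looks like once pretty-printed.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>linda</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>linda@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="memberOf" FriendlyName="groups">
        <saml:AttributeValue>CN=app-admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
        <saml:AttributeValue>CN=app-users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(saml_response_b64):
    """Return the XML root of a base64-encoded SAMLResponse form parameter."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def list_assertion_attributes(root):
    """Map attribute Name -> list of values for every Attribute in the response.

    Only plaintext assertions are visible here; an EncryptedAssertion would
    have to be decrypted with the SP key first.
    """
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def attribute_to_role_mappers(attribute_name, value_to_role):
    """One IdentityProviderMapperRepresentation per (attribute value, role).

    The mapper matches a single exact value and grants a single role, so a
    group-style attribute with several values needs one mapper per value.
    A client role is written as "clientId.roleName" in the "role" field.
    """
    return [{
        "name": f"{attribute_name}={value} -> {role}",
        "identityProviderAlias": IDP_ALIAS,
        "identityProviderMapper": "saml-role-idp-mapper",
        "config": {"attribute.name": attribute_name,
                   "attribute.value": value,
                   "role": role},
    } for value, role in value_to_role.items()]


def plan_role_mappers(saml_response_b64, attribute_name, value_to_role):
    """Decode, confirm the attribute and values really occur, build the mappers.

    Refusing values the IdP never sent catches a typo in the attribute name or
    a changed DN format before it silently grants nothing at login."""
    attrs = list_assertion_attributes(decode_saml_response(saml_response_b64))
    if attribute_name not in attrs:
        raise ValueError(f"no attribute named {attribute_name!r}; present: {sorted(attrs)}")
    missing = set(value_to_role) - set(attrs[attribute_name])
    if missing:
        raise ValueError(f"values not present in the assertion: {sorted(missing)}")
    return attribute_to_role_mappers(attribute_name, value_to_role)


if __name__ == "__main__":
    for m in plan_role_mappers(
            SAMPLE_SAML_RESPONSE_B64, "memberOf",
            {"CN=app-admins,OU=Groups,DC=example,DC=com": "admin",
             "CN=app-users,OU=Groups,DC=example,DC=com": "hallo"}):
        print(m["name"])
```

The script only reads attribute names and values to plan the mappers; it does not verify the response signature, and nothing derived from an unverified capture should be trusted for anything else. At login, Keycloak itself validates the signature before the mapper runs, and the mapper match is exact, so a change in how the IdP formats the value (for instance a group DN) drops the role without any error, which is why the plan step checks that every value it maps was actually present.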
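Further down this page, Lars Liedtke's "API-Problem creating a user" messages show two failures when creating users through the admin REST API: a Jackson error saying UserRepresentation cannot be built "from String value ('{...}')", which is what the server reports when the request body is a JSON string wrapping the JSON object (the result of passing an already-serialised string to a client's json= parameter), and a NullPointerException in getStoredCredentialsByType after a credential was posted with only hashedSaltedValue, salt and algorithm. The following is an added example, not his script and not Keycloak code. It assumes, in my reading of Keycloak's "pbkdf2" password hash provider, PBKDF2-HMAC-SHA1 with a 512-bit derived key and Base64-encoded salt and hash, and that the credential must carry "type": "password" and "hashIterations" (a credential stored without a type is my best guess for that NPE). The server URL, realm and group id are placeholders; group membership is set with PUT /users/{id}/groups/{groupId}, which exists in the admin API, rather than the "groups" field he reports as ignored.

```python
"""Create a Keycloak user with a pre-hashed PBKDF2 password and a group
membership through the admin REST API.

Added example for this thread; not the poster's script and not Keycloak code.
Assumptions (my reading of the "pbkdf2" provider): PBKDF2-HMAC-SHA1, 512-bit
derived key, salt and hash Base64-encoded, credential has "type" and
"hashIterations". Server URL, realm and group id are placeholders.
"""
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

KEYCLOAK = "https://sso.example.com/auth"   # assumption: server base URL
REALM = "demo"                              # assumption: target realm


def pbkdf2_credential(password, salt=None, iterations=20000):
    """CredentialRepresentation the pbkdf2 provider can verify at login.

    Values are Base64, not hex: the 40-hex-character hash in the thread is a
    raw 20-byte digest, which cannot match a 64-byte derived key."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=64)
    return {
        "type": "password",          # absent from the thread's JSON; always set it
        "algorithm": "pbkdf2",
        "hashIterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hashedSaltedValue": base64.b64encode(key).decode("ascii"),
        "temporary": False,
    }


def verify_credential(credential, password):
    """Recompute the hash from the stored salt and iteration count; False means
    the user could never log in with that password, so check before bulk import."""
    salt = base64.b64decode(credential["salt"])
    expected = base64.b64decode(credential["hashedSaltedValue"])
    actual = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 credential["hashIterations"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def user_representation(username, attributes, credential):
    """UserRepresentation for POST /users; every attribute value is a list."""
    return {"username": username, "enabled": True,
            "attributes": attributes, "credentials": [credential]}


def request_body(rep, double_encode=False):
    """Body a client sends for json=rep (right) versus json=json.dumps(rep).
    The second form is a JSON *string*, exactly what the
    'no String-argument constructor ... from String value' error describes."""
    return json.dumps(json.dumps(rep) if double_encode else rep)


def body_is_double_encoded(body):
    """True when the body parses to a str instead of an object."""
    return isinstance(json.loads(body), str)


def admin_token(admin_user, admin_password):
    """Password grant against the admin-cli client of the master realm."""
    data = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": admin_user, "password": admin_password}).encode()
    url = f"{KEYCLOAK}/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as r:
        return json.load(r)["access_token"]


def admin_call(token, method, path, body=None):
    """One admin REST call; returns (status, Location header or None)."""
    req = urllib.request.Request(
        f"{KEYCLOAK}/admin/realms/{REALM}{path}", method=method,
        data=None if body is None else json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        return r.getcode(), r.headers.get("Location")


def create_user_in_group(token, rep, group_id):
    """POST the user as an object, then PUT /users/{id}/groups/{groupId}.
    group_id is looked up beforehand via GET /groups."""
    _, location = admin_call(token, "POST", "/users", rep)
    user_id = location.rsplit("/", 1)[-1]          # 201 Created points at the new user
    admin_call(token, "PUT", f"/users/{user_id}/groups/{group_id}")
    return user_id


if __name__ == "__main__":
    cred = pbkdf2_credential("correct horse battery staple")
    rep = user_representation("testuser1", {"ito_BinderLevelID1": ["1"]}, cred)
    print(json.dumps(rep, indent=2))
```

With the requests library the equivalent of admin_call is requests.post(url, json=rep); the page's error matches json=json.dumps(rep). If the plaintext password is available at migration time it is simpler and safer to let the server hash it by sending {"type": "password", "value": "...", "temporary": true} over TLS, and to use the pbkdf2-sha256 provider where the server offers it rather than SHA-1.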
From rcypavi007 at gmail.com Mon Aug 13 06:51:47 2018
From: rcypavi007 at gmail.com (Rackymuthu)
Date: Mon, 13 Aug 2018 16:21:47 +0530
Subject: [keycloak-user] Keycloak domain cluster login page redirect, but works with single node(master or slave)
In-Reply-To:
References:
Message-ID:

Adding more detail.

Below is our cluster configuration.
1. Httpd load balancer
2. One master node and one slave node
3. Master and slave nodes share a common DB (Postgres)

Httpd Configuration
---------------------------

Listen 192.168.10.110:10001
ServerName xxxxxxx-xxxx.xxxxxx.xxx
ManagerBalancerName cluster1
Require all granted
Allow from all
RequestHeader set X-Forwarded-For all
KeepAliveTimeout 300
MaxKeepAliveRequests 0
AdvertiseFrequency 5
EnableMCPMReceive On
SetHandler mod_cluster-manager
Require all granted
Allow from all

Master Configuration
-------------------------------------------
.......
enable-http2="true" proxy-address-forwarding="true"/>

Slave Configuration
-------------------------------------------
.
...
balancer='cluster1' advertise="true" sticky-session="true">

And I can see the mod_cluster-manager page, and it shows the master node service and the slave node service.

Also load balancing is working. When I try to log in to Keycloak as admin, the result is a redirect to the login page again, or the whoami unauthorized error message.

On Mon, 13 Aug 2018 at 16:08, Rackymuthu wrote:
>
> I have configured a Keycloak domain cluster. In this setup, if I log in as admin, it redirects to the login page again and again.
>
> Sometimes it shows the whoami (unauthorized) JS script error.
>
> If we stop either the slave or the master in the cluster, then the login works fine without any issues.
>

--
Regards,
R Rackymuthu
9788830879

From liedtke at punkt.de Mon Aug 13 07:01:02 2018
From: liedtke at punkt.de (Lars Liedtke)
Date: Mon, 13 Aug 2018 13:01:02 +0200
Subject: [keycloak-user] API-Problem creating a user
Message-ID: <67ec63ca-ceec-b2f2-0af1-f61af693ce15@punkt.de>

Hello,

last week I wrote the mail cited down below.
Now I got a bit further:

I can create a user and set attributes, but when I try to set a group, this is just ignored, no matter if I try the group's name, path or id.

The second thing I discovered was that when I provide credentials (PBKDF2 with HMAC and SHA1 in 20000 rounds) as I found here: http://lists.jboss.org/pipermail/keycloak-user/2016-November/008211.html, Keycloak's User "tab" simply breaks and refuses to show all users of a realm.

Does anyone know how to correctly post a user with a group and credentials via the API?

Best Regards

Lars Liedtke

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de https://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285

> Hey everyone,
>
> I am trying to create users via the REST-API and I am stuck.
>
> When I try to post a user representation to Keycloak (after successfully logging in over the API) via script (Python using the requests framework) I get a 500 back and in the logfile of my Keycloak instance I find:
>
> 10:50:40,268 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not construct instance of org.keycloak.representations.idm.UserRepresentation: no String-argument constructor/factory method to deserialize from String value ('{"username": "TNG", "enabled": true, "attributes": {"ito_BinderLevelID1": ["1ACD47D7B9AFA0A9C12582E00048F997"], "ito_BinderLevelID2": ["0D6E18BCBDD3B14BC12582E1002AE459"]}, "credentials": [{"hashedSaltedValue": "02514a38a0f3e7c7f8eed0c7d4ce7bf25e48c845", "salt": "05ef149e8ccce076e30d6388aeedc03583dd75b4c4d88f380b094ba5c06df21b", "algorithm": "pbkdf2"}], "groups": ["/Bonding.Keycloak:CompanyEditor"]}')
>  at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1d3521de; line: 1, column: 1]
>         at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
>         at com.fasterxml.jackson.databind.DeserializationContext.instantiationException(DeserializationContext.java:1456)
>         at com.fasterxml.jackson.databind.DeserializationContext.handleMissingInstantiator(DeserializationContext.java:1012)
>         at com.fasterxml.jackson.databind.deser.ValueInstantiator._createFromStringFallbacks(ValueInstantiator.java:370)
>         at com.fasterxml.jackson.databind.deser.std.StdValueInstantiator.createFromString(StdValueInstantiator.java:315)
>         at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromString(BeanDeserializerBase.java:1283)
>         at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:159)
>         at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:150)
>         at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1583)
>         at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:964)
>         at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:134)
>         at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:66)
>         at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:61)
>         at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:56)
>         at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:36)
>         at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:59)
>         at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
>         at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:92)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:115)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
>
> When I try to create a user via Postman (after logging in) with the user being:
>
> {"username": "testuser1", "enabled": true, "attributes": {"ito_BinderLevelID1": ["32523129C2061E50C12581E60033075A"], "ito_BinderLevelID2": ["3AD0E53463EBC8F1C12581E600342FA2"]}, "groups": ["/Bonding.Keycloak:CompanyEditor"], "credentials": [{"hashedSaltedValue": "aa8c848ee6ac308a24e1e1bce1559902009f988a", "salt": "ab079c7702d171a2e558f940a7edda5e4e206005b2440eaab68cf6ad6938fe76", "algorithm": "pbkdf2"}]}
>
> I get a 201, but when I try to look up the user via the Web GUI, the User page tells me "Error! An unexpected server error has occurred"
>
> and I find in the logfile:
>
> 11:45:40,852 WARN  [org.keycloak.events] (default task-4) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
> 11:45:50,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-4) Uncaught server error: java.lang.NullPointerException
>         at org.keycloak.models.jpa.JpaUserProvider.lambda$getStoredCredentialsByType$0(JpaUserProvider.java:976)
>         at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
>         at java.util.Iterator.forEachRemaining(Iterator.java:116)
>         at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
>         at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
>         at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
>         at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708)
>         at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
>         at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499)
>         at org.keycloak.models.jpa.JpaUserProvider.getStoredCredentialsByType(JpaUserProvider.java:976)
>         at org.keycloak.credential.UserCredentialStoreManager.getStoredCredentialsByType(UserCredentialStoreManager.java:87)
>         at org.keycloak.credential.OTPCredentialProvider.configuredForTOTP(OTPCredentialProvider.java:198)
>         at org.keycloak.credential.OTPCredentialProvider.isConfiguredFor(OTPCredentialProvider.java:179)
>         at org.keycloak.credential.UserCredentialStoreManager.isConfiguredLocally(UserCredentialStoreManager.java:283)
>         at org.keycloak.credential.UserCredentialStoreManager.isConfiguredFor(UserCredentialStoreManager.java:276)
>         at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:148)
>         at org.keycloak.services.resources.admin.UsersResource.getUsers(UsersResource.java:225)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
>
> I figure there is something wrong with my JSON, but I can't figure out what exactly it is. I tried googling this problem, but I could not find an answer. Could you help me please?
>
> Best regards
>
> Lars Liedtke

From hans.zandbelt at zmartzone.eu Mon Aug 13 07:14:32 2018
From: hans.zandbelt at zmartzone.eu (Hans Zandbelt)
Date: Mon, 13 Aug 2018 13:14:32 +0200
Subject: [keycloak-user] keycloak-user Digest, Vol 56, Issue 43
In-Reply-To:
References:
Message-ID:

On Mon, Aug 13, 2018, 13:04 wrote:
> Send keycloak-user mailing list submissions to
> keycloak-user at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> or, via email, send a message with subject or body 'help' to
> keycloak-user-request at lists.jboss.org
>
> You can reach the person managing the list at
> keycloak-user-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of keycloak-user digest..."
>
>
> Today's Topics:
>
> 1.
Keycloak domain cluster login page redirect, but works with > single node(master or slave) (Rackymuthu) > 2. Re: Keycloak domain cluster login page redirect, but works > with single node(master or slave) (Rackymuthu) > 3. Re: API-Problem creating a user (Lars Liedtke) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 13 Aug 2018 16:08:51 +0530 > From: Rackymuthu > Subject: [keycloak-user] Keycloak domain cluster login page redirect, > but works with single node(master or slave) > To: keycloak-user at lists.jboss.org > Message-ID: > VD3AzinuPdWskNwi_gYsOtyoPXWnZHg at mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > I have configured keycloak domain cluster. In this setup if i am login as > admin, then it is redirect to login page again and again. > > some time it show the whoami (unauthorized) JS script error. > > if we stop either slave or master in the cluster, then the login is working > fine without any issues. > > > ------------------------------ > > Message: 2 > Date: Mon, 13 Aug 2018 16:21:47 +0530 > From: Rackymuthu > Subject: Re: [keycloak-user] Keycloak domain cluster login page > redirect, but works with single node(master or slave) > To: keycloak-user at lists.jboss.org > Message-ID: > < > CAG6Sa0yEO4K79WZ7x679nnQ34wg9VnE5Am0JR4YwKWdKt5MvHw at mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > Adding more detail > > > Below is our cluster configuration. > 1. Httpd loadbalancer > > 2. 
One master node and One slave node > > 3.Master and slave node are share the commond DB (Postgres) > > Httpd Configuration > --------------------------- > > > Listen 192.168.10.110:10001 > > ServerName xxxxxxx-xxxx.xxxxxx.xxx > > ManagerBalancerName cluster1 > > > > > > Require all granted > > Allow from all > > > > RequestHeader set X-Forwarded-For all > > KeepAliveTimeout 300 > > MaxKeepAliveRequests 0 > > AdvertiseFrequency 5 > > EnableMCPMReceive On > > > > SetHandler mod_cluster-manager > > Require all granted > > Allow from all > > > > > > > > > Master Configuration > ------------------------------------------- > > > > ....... > > enable-http2="true" proxy-address-forwarding="true"/> > > > > > > Slave Configuration > ------------------------------------------- > . > > ... > > balancer='cluster1' advertise="true" sticky-session="true"> > > And i can see the mod_cluster-manager page and this is show the master > node service and slave node service > > > > > Also load balance is working. when i am trying to login the keycloak as a > admin result is redirect again login page. (or) whoami unauthorized error > message > > > > > > On Mon, 13 Aug 2018 at 16:08, Rackymuthu wrote: > > > > > I have configured keycloak domain cluster. In this setup if i am login as > > admin, then it is redirect to login page again and again. > > > > some time it show the whoami (unauthorized) JS script error. > > > > if we stop either slave or master in the cluster, then the login is > > working fine without any issues. > > > > > > > > > > > -- > *Regards..,* > > *R Rackymuthu* > *? 
9788830879* > > > ------------------------------ > > Message: 3 > Date: Mon, 13 Aug 2018 13:01:02 +0200 > From: Lars Liedtke > Subject: Re: [keycloak-user] API-Problem creating a user > To: keycloak-user at lists.jboss.org, helzle at punkt.de, J?rg Schweizer > > Message-ID: <67ec63ca-ceec-b2f2-0af1-f61af693ce15 at punkt.de> > Content-Type: text/plain; charset=utf-8 > > Hello, > > last week I wrote the Mail cited down below. > > Now I got a bit further: > > I can create a User and set Attributes, but When I try to set a group, > this is just ignored; no matter if I try the Groups name, path or id. > > The second thing I discovered was that when I provide credentials > (PBKDF2 with HMAC and SHA1 in 20000 rounds) as I found here: > http://lists.jboss.org/pipermail/keycloak-user/2016-November/008211.html, > Keycloaks User "tab" simply breaks and refuses to show all users of a > realm. > > Does anyone know how to correctly post a user with a group and > credentials via the API? > > Best Regards > > Lars Liedtke > > -- > punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe > Tel. 0721 9109 0 * Fax 0721 9109 100 > info at punkt.de https://www.punkt.de > Gf: J?rgen Egeling AG Mannheim 108285 > > > Hey everyone, > > > > I am trying to create users via the REST-API and I am stuck. 
> > > > When I try to post a user representation to Keycloak (after > > successfully logging in over the API) via script (Python using the > > requests framework) I get a 500 back and in the logfile of my Keycloak > > instance I find: > > > > 10:50:40,268 ERROR [org.keycloak.services.error.KeycloakErrorHandler] > (default task-4) Uncaught server error: > com.fasterxml.jackson.databind.JsonMappingException: Can not construct > instance of org.keycloak.representations.idm.UserRepresentation: no > String-argument constructor/factory method to deserialize from String value > ('{"username": "TNG", "enabled": true, "attributes": {"ito_BinderLevelID1": > ["1ACD47D7B9AFA0A9C12582E00048F997"], "ito_BinderLevelID2": > ["0D6E18BCBDD3B14BC12582E1002AE459"]}, "credentials": > [{"hashedSaltedValue": "02514a38a0f3e7c7f8eed0c7d4ce7bf25e48c845", "salt": > "05ef149e8ccce076e30d6388aeedc03583dd75b4c4d88f380b094ba5c06df21b", > "algorithm": "pbkdf2"}], "groups": ["/Bonding.Keycloak:CompanyEditor"]}') > > ?at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1d3521de; > line: 1, column: 1] > > ??????? at > com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270) > > ??????? at > com.fasterxml.jackson.databind.DeserializationContext.instantiationException(DeserializationContext.java:1456) > > ??????? at > com.fasterxml.jackson.databind.DeserializationContext.handleMissingInstantiator(DeserializationContext.java:1012) > > ??????? at > com.fasterxml.jackson.databind.deser.ValueInstantiator._createFromStringFallbacks(ValueInstantiator.java:370) > > ??????? at > com.fasterxml.jackson.databind.deser.std.StdValueInstantiator.createFromString(StdValueInstantiator.java:315) > > ??????? at > com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromString(BeanDeserializerBase.java:1283) > > ??????? at > com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:159) > > ??????? 
> >
> > When I try to create a user via Postman (after logging in) with the
> > user being:
> >
> > {"username": "testuser1", "enabled": true, "attributes":
> {"ito_BinderLevelID1": ["32523129C2061E50C12581E60033075A"],
> "ito_BinderLevelID2": ["3AD0E53463EBC8F1C12581E600342FA2"]}, "groups":
> ["/Bonding.Keycloak:CompanyEditor"], "credentials": [{"hashedSaltedValue":
> "aa8c848ee6ac308a24e1e1bce1559902009f988a", "salt":
> "ab079c7702d171a2e558f940a7edda5e4e206005b2440eaab68cf6ad6938fe76",
> "algorithm": "pbkdf2"}]}
> >
> > I get a 201 but when I try to look up the user via the Web GUI User
> > Page tells me "*Error!* An unexpected server error has occurred"
> >
> > and I find in the logfile:
> >
> > 11:45:40,852 WARN  [org.keycloak.events] (default task-4)
> type=REFRESH_TOKEN_ERROR, realmId=master, clientId=security-admin-console,
> userId=null, ipAddress=127.0.0.1, error=invalid_token,
> grant_type=refresh_token, client_auth_method=client-secret
> >
> > 11:45:50,339 ERROR [org.keycloak.services.error.KeycloakErrorHandler]
> (default task-4) Uncaught server error: java.lang.NullPointerException
> >         at
> org.keycloak.models.jpa.JpaUserProvider.lambda$getStoredCredentialsByType$0(JpaUserProvider.java:976)
> >
> > I figure there is something wrong with my JSON, but I can't figure out
> > what exactly it is. I tried googling this Problem, but I could not
> > find an answer. Could you help me please?
> >
> > Best regards
> >
> > Lars Liedtke
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 56, Issue 43
> *********************************************

From kkcmadhu at yahoo.com Mon Aug 13 07:35:48 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Mon, 13 Aug 2018 11:35:48 +0000 (UTC)
Subject: [keycloak-user] will k_logout/back channel logout be initiated when the SSO Session Idle threshold is reached?
References: <1919691233.6361688.1534160148839.ref@mail.yahoo.com>
Message-ID: <1919691233.6361688.1534160148839@mail.yahoo.com>

Hi,
I am pretty novice to keycloak, and from some debugging sessions and going through the code, I think InMemorySessionIdMapper
is where keycloak stores the mapping between user, applications he has logged in and number of active idm sessions the application/client has.
When the admin forces a logout of the user from the admin console, logout or logoutAll happens. And when keycloak receives logout, it invokes the logout of application through back channel.
Will the backchannel logouts be called when the SSO Session Idle time threshold is reached? If not, will this not cause InMemorySessionIdMapper to grow huge over a period of time and cause a potential memory leak?

Regards,
Madhu

From ionel.gardais at tech-advantage.com Mon Aug 13 08:46:21 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Mon, 13 Aug 2018 14:46:21 +0200 (CEST)
Subject: [keycloak-user] [Conception] how to define a suitable realm
Message-ID: <1878905964.236438.1534164381285.JavaMail.zimbra@tech-advantage.com>

Hi list,

I have a question about the creation of the realms in Keycloak.
It may be SSO-101 but I can't figure the right answer.

As I understand it, a realm is a collection of clients sharing the same policies.
A user logged from one client in a realm will be authenticated in all other clients in the same realm.

Say I have 3 apps AppA, AppB and AppC.
I want a user to be SSO'ed with AppA and AppB (not AppC).
I also want a user to be SSO'ed with AppB and AppC (not AppA).

I guess I need a realm covering AppA and AppB and another realm covering AppB and AppC.
However, most (if not all) clients I've seen only allow one IDP definition, thus forbidding AppB to know both realms.

How to solve this?
Regards,
Ionel

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From rafaelweingartner at gmail.com Mon Aug 13 08:59:43 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Mon, 13 Aug 2018 09:59:43 -0300
Subject: [keycloak-user] [Conception] how to define a suitable realm
In-Reply-To: <1878905964.236438.1534164381285.JavaMail.zimbra@tech-advantage.com>
References: <1878905964.236438.1534164381285.JavaMail.zimbra@tech-advantage.com>
Message-ID:

Well, it is an ABAC (attribute-based access control) system. You can use a single realm and add an attribute, let's say X with value Y, that is requested by AppA and AppB. Then, you add this attribute to all users that need access to AppA and AppB. The same for your case of AppB and AppC.

Also, bear in mind OpenID Connect and SAML are not just single sign-on tools. They are federated systems protocols. In a federation, you can have multiple SPs and IdPs. There is nothing that forbids SPs to work with multiple IdPs.

On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel < ionel.gardais at tech-advantage.com> wrote:

> Hi list,
>
> I have a question about the creation of the realms in Keycloak.
> It may be SSO-101 but I can't figure the right answer.
>
> As I understand it, a realm is a collection of clients sharing the same
> policies.
> A user logged from one client in a realm will be authenticated in all
> other clients in the same realm.
>
> Say I have 3 apps AppA, AppB and AppC.
> I want a user to be SSO'ed with AppA and AppB (not AppC).
> I also want a user to be SSO'ed with AppB and AppC (not AppA).
>
> I guess I need a realm covering AppA and AppB and another realm covering
> AppB and AppC.
> However, most (if not all) clients I've seen only allow one IDP definition,
> thus forbidding AppB to know both realms.
>
>
> How to solve this?
>
> Regards,
> Ionel
>
> --
> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Rafael Weingärtner

From ionel.gardais at tech-advantage.com Mon Aug 13 09:19:09 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Mon, 13 Aug 2018 15:19:09 +0200 (CEST)
Subject: [keycloak-user] [Conception] how to define a suitable realm
In-Reply-To:
References: <1878905964.236438.1534164381285.JavaMail.zimbra@tech-advantage.com>
Message-ID: <948530907.236836.1534166349962.JavaMail.zimbra@tech-advantage.com>

Thanks for your reply, Rafael.

What are realms for if this can be solved with a single realm and ABAC?
When are realms a better option to consider over ABAC?

From: "Rafael Weingärtner"
To: "Ionel GARDAIS"
Cc: "keycloak-user"
Sent: Monday 13 August 2018 14:59:43
Subject: Re: [keycloak-user] [Conception] how to define a suitable realm

Well, it is an ABAC (attribute-based access control) system. You can use a single realm and add an attribute, let's say X with value Y, that is requested by AppA and AppB. Then, you add this attribute to all users that need access to AppA and AppB. The same for your case of AppB and AppC.

Also, bear in mind OpenID Connect and SAML are not just single sign-on tools. They are federated systems protocols. In a federation, you can have multiple SPs and IdPs. There is nothing that forbids SPs to work with multiple IdPs.

On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel < [ mailto:ionel.gardais at tech-advantage.com | ionel.gardais at tech-advantage.com ] > wrote:

Hi list,

I have a question about the creation of the realms in Keycloak.
It may be SSO-101 but I can't figure the right answer.

As I understand it, a realm is a collection of clients sharing the same policies.
A user logged from one client in a realm will be authenticated in all other clients in the same realm.

Say I have 3 apps AppA, AppB and AppC.
I want a user to be SSO'ed with AppA and AppB (not AppC).
I also want a user to be SSO'ed with AppB and AppC (not AppA).

I guess I need a realm covering AppA and AppB and another realm covering AppB and AppC.
However, most (if not all) clients I've seen only allow one IDP definition, thus forbidding AppB to know both realms.

How to solve this?

Regards,
Ionel

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
_______________________________________________
keycloak-user mailing list
[ mailto:keycloak-user at lists.jboss.org | keycloak-user at lists.jboss.org ]
[ https://lists.jboss.org/mailman/listinfo/keycloak-user | https://lists.jboss.org/mailman/listinfo/keycloak-user ]

--
Rafael Weingärtner

--
232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From rafaelweingartner at gmail.com Mon Aug 13 09:23:51 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Mon, 13 Aug 2018 10:23:51 -0300
Subject: [keycloak-user] [Conception] how to define a suitable realm
In-Reply-To: <948530907.236836.1534166349962.JavaMail.zimbra@tech-advantage.com>
References: <1878905964.236438.1534164381285.JavaMail.zimbra@tech-advantage.com> <948530907.236836.1534166349962.JavaMail.zimbra@tech-advantage.com>
Message-ID:

Well, I am only starting using Keycloak (so, I do not have deep insights into its design). However, I do have a background with identity and access management systems (as an academic). Having said that, Keycloak does not replace ABAC. Quite the opposite, it implements/supports protocols (OpenID Connect and SAML) that enable you to execute access control of your applications using ABAC (and of course all of the identity federation stuff).
Also, as far as I understood, each realm in Keycloak can behave as an independent IdP.

On Mon, Aug 13, 2018 at 10:19 AM, GARDAIS Ionel < ionel.gardais at tech-advantage.com> wrote:

> Thanks for your reply, Rafael.
>
> What are realms for if this can be solved with a single realm and ABAC?
> When are realms a better option to consider over ABAC?
>
>
> ------------------------------
> *From: *"Rafael Weingärtner"
> *To: *"Ionel GARDAIS"
> *Cc: *"keycloak-user"
> *Sent: *Monday 13 August 2018 14:59:43
> *Subject: *Re: [keycloak-user] [Conception] how to define a suitable realm
>
> Well, it is an ABAC (attribute-based access control) system. You can use a
> single realm and add an attribute, let's say X with value Y, that is
> requested by AppA and AppB. Then, you add this attribute to all users that
> need access to AppA and AppB. The same for your case of AppB and AppC.
>
> Also, bear in mind OpenID Connect and SAML are not just single sign-on
> tools. They are federated systems protocols. In a federation, you can have
> multiple SPs and IdPs. There is nothing that forbids SPs to work with
> multiple IdPs.
>
> On Mon, Aug 13, 2018 at 9:46 AM, GARDAIS Ionel <
> ionel.gardais at tech-advantage.com> wrote:
>
>> Hi list,
>>
>> I have a question about the creation of the realms in Keycloak.
>> It may be SSO-101 but I can't figure the right answer.
>>
>> As I understand it, a realm is a collection of clients sharing the same
>> policies.
>> A user logged from one client in a realm will be authenticated in all
>> other clients in the same realm.
>>
>> Say I have 3 apps AppA, AppB and AppC.
>> I want a user to be SSO'ed with AppA and AppB (not AppC).
>> I also want a user to be SSO'ed with AppB and AppC (not AppA).
>>
>> I guess I need a realm covering AppA and AppB and another realm covering
>> AppB and AppC.
>> However, most (if not all) clients I've seen only allow one IDP
>> definition, thus forbidding AppB to know both realms.
>>
>>
>> How to solve this?
>>
>> Regards,
>> Ionel
>>
>> --
>> 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON
>>
>> Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832
>> 301
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
>
> --
> Rafael Weingärtner
>
>
>

--
Rafael Weingärtner

From ryans at jlab.org Mon Aug 13 16:19:07 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Mon, 13 Aug 2018 16:19:07 -0400 (EDT)
Subject: [keycloak-user] How to logout
Message-ID: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org>

Hi Keycloak Users,

I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:

1. Call HttpServletRequest.logout()
2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri

See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout

The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?

A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in.
However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.

Thanks,

Ryan

From ssilvert at redhat.com Mon Aug 13 19:15:15 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 13 Aug 2018 19:15:15 -0400
Subject: [keycloak-user] How to logout
In-Reply-To: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org>
Message-ID: <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com>

HttpServletRequest.logout() should not be a no-op. It was implemented a long time ago:
https://issues.jboss.org/browse/KEYCLOAK-478

If there is an issue with it you should report it in JIRA.

Stan

On 8/13/2018 4:19 PM, Ryan Slominski wrote:
> Hi Keycloak Users,
>
> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>
> 1. Call HttpServletRequest.logout()
> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>
> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>
> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>
> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Mon Aug 13 21:54:12 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 13 Aug 2018 22:54:12 -0300
Subject: [keycloak-user] Using Keycloak for per field authorisation
In-Reply-To:
References:
Message-ID:

Sorry for the late reply ...

On Fri, Aug 10, 2018 at 3:46 PM, Courtney Robinson <courtney.robinson at hypi.io> wrote:

> I'm a little confused about what type A and B are. You also mentioned you
>>> may have an "instance of A". Does that mean that types A and B represent
>>> generic resources which policies should be enforced on instances of A and B
>>> ? Are these instances user-managed resources ?
>>>
>>
> Types A and B are GraphQL objects. If you're not familiar then just think
> of them as classes A and B with only class members/fields defined.
> I'm not explaining this very well I think so another way to think about it
> is like this.
>
> By default I want to apply some global policies to classes A and B that
> says for example, anyone in Organisation 1 can read/write classes A and B.
> This is "system defined".
> More concretely imagine classes User and Book. Two organisations Org1 and
> Org2.
> When we create a realm for each org, we want to tell Keycloak that some
> app X has two types User and Book and any user in the current realm can
> read/write fields of both User and Book within this realm.
>
> We also want to tell Keycloak that an "admin" (I imagine a user with some
> role or in a specific group) in this realm can add policies that override
> the above behaviour.
> Given one or more of these admins, they can then choose to create a policy
> that says "Users from site A can read/write all fields of User and Book but
> users from site B can only read some fields from User and all fields from
> Book".
>
> The other case I mentioned in my first email is where, a user in an
> organisation has created e.g. a "Book" record. Under default policies only
> they can see and manage this Book they created. They can then share this
> book with site 2 so that users in site 2 can also read the book, they may
> also share it with the whole organisation so anyone in the realm can read
> it. The extension to this is when members of one site could normally only
> see a subset of fields from Book but on one occasion a user shares a
> single Book with one or more members giving them the permission to "manage"
> this one Book. This lifts the limitation on this one instance of book
> enabling the user it is shared with to access a field of Book they wouldn't
> have been able to see before.
>

Now I see, thanks. I was imagining something like that.

In Keycloak, a resource can have a type [1]. A "typed" resource is a resource whose owner is the resource server (when I say resource server, I mean the client application you are setting up permissions for).
You can define permissions for these typed resources [2], where these permissions will be considered when deciding whether or not access should be granted to other resources with the same type, where these other resources are actually instances of the "typed" resource (the class example you gave). Resource instances have users as resource owners, not the resource server. That is the difference between a typed resource and a resource instance.

Let's take the case you mentioned as an example. You have a "Book Resource" with a type "book" and permissions associated with this book, where the policies associated with this permission only grant access to the owner of the resource. Once you have this configuration, create a resource as follows:

curl -X POST \
  http://localhost:8180/auth/realms/{realm}/authz/protection/resource_set \
  -H 'Authorization: Bearer {access_token}' \
  -H 'Content-Type: application/json' \
  -d '{
    "name":"Alice Book",
    "type": "book",
    "resource_scopes":["read", "manage"],
    "owner":"alice"
  }'

The command above is creating a book where user "alice" is the owner. Note the "type" field defined as "book". Once you do that, if you try to use the policy evaluation tool [3] to check permissions for "alice" on resource "Alice Book", access should be granted. Note that we did not define any permission for "Alice Book" directly; permissions are being processed based on what was defined for "Book Resource".

We also allow you to override permissions on a per resource instance basis. So, suppose you want to also allow some other user to access "Alice Book". You just create a permission for this resource granting access to the user you want.

We also support UMA, a standard focused on privacy and resource sharing requirements [4]. We have an extension to UMA (contribution from community) that allows resource servers to define custom permissions for user-managed resources [5]. When using UMA capabilities, your users are allowed to manage their resources via Keycloak Account Service.
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#typed-resources
[2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_permission_typed_resource
[3] https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_overview
[4] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access
[5] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api

>
>
>>
>>
>> Regarding how the adapter (policy enforcer in particular) works. It
>> verifies permissions locally in case the client is sending a bearer token
>> with permissions, otherwise the adapter will query the server for
>> permissions associated with the resource the client is trying to access
>> (mapping is based on URIs).
>>
>
> I had a feeling. One of the reasons I'm so unclear about how to achieve
> what we want is that it feels like a mixture of the auth policies Keycloak
> supports is needed.
> I've been thinking that for each app, default Keycloak policies are
> created that e.g. allowed read only within an organisation.
> Use Keycloak groups to represent "sites" e.g. offices in an organisation
> and applied default policies to the groups.
> Then, the key thing I thought was that I'd have to register each type and
> its fields in Keycloak as resources and then have a fixed list of scopes
> read, write, update, delete, share etc
> When an entry/instance (say of a Book) is shared, the model changes from
> being type based to being based on the ID of the object i.e. the Book's ID
>

It makes sense. However, I don't think the model needs to change. Your typed resource will always be there. What you need to do is create new resources (with their corresponding types) representing those "entries/instances".

>
> If I understood correctly, that means the size of the token will grow with
> each object shared directly with a user, surely a problem.
>

Not really. It depends on how you want to enforce permissions.

If you don't want to evaluate permissions all the time, you can obtain a token with some initial permissions. Then you can perform incremental authorization to obtain more permissions in addition to those previously granted. We also support limiting the number of permissions in a response from the server. [4]

In the next release, we are also supporting a response_mode parameter that you could use to define the format of responses from the server. These formats are especially useful in case you don't want to use permissions from access tokens but invoke the server only to obtain permissions.

[4] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

> In a similar vein, do I have to create an entry for every Book record in
> keycloak to be able to do per book permissions?
>

Yes. You could use a single resource + JS policy too, but there are several issues doing that.

People suggested a Resource SPI, which could be used to fetch resources from external databases ...

From courtney.robinson at hypi.io Mon Aug 13 23:27:52 2018
From: courtney.robinson at hypi.io (Courtney Robinson)
Date: Tue, 14 Aug 2018 04:27:52 +0100
Subject: [keycloak-user] Using Keycloak for per field authorisation
In-Reply-To:
References:
Message-ID:

On Tue, Aug 14, 2018 at 2:54 AM, Pedro Igor Silva wrote:

> Sorry for the late reply ...
>

Not at all. Thank you for the detailed response.

> The other case I mentioned in my first email is where, a user in an
>> organisation has created e.g. a "Book" record. Under default policies only
>> they can see and manage this Book they created. They can then share this
>> book with site 2 so that users in site 2 can also read the book, they may
>> also share it with the whole organisation so anyone in the realm can read
>> it.
>> The extension to this is when members of one site could normally only
>> see a subset of fields from Book but on one occasion a user shares a
>> single Book with one or more members giving them the permission to "manage"
>> this one Book. This lifts the limitation on this one instance of book
>> enabling the user it is shared with to access a field of Book they wouldn't
>> have been able to see before.
>>
>
> Now I see, thanks. I was imagining something like that.
>
> In Keycloak, a resource can have a type [1]. A "typed" resource is a
> resource whose owner is the resource server (when I say resource server, I
> mean the client application you are setting up permissions for). You can define
> permissions for these typed resources [2] where these permissions will be
> considered when deciding whether or not access should be granted to other
> resources with the same type, where these other resources are actually
> instances of the "typed" resource (the class example you gave). Resource
> instances have users as resource owners, not the resource server. That is
> the difference between a typed resource and a resource instance.
>
> Let's take the case you mentioned as an example. You have a "Book
> Resource" with a type "book" and permissions associated with this book,
> where the policies associated with this permission only grant access to the
> owner of the resource. Once you have this configuration, create a resource
> as follows:
>
> curl -X POST \
>   http://localhost:8180/auth/realms/{realm}/authz/protection/resource_set \
>   -H 'Authorization: Bearer {access_token}' \
>   -H 'Content-Type: application/json' \
>   -d '{
>     "name":"Alice Book",
>     "type": "book",
>     "resource_scopes":["read", "manage"],
>     "owner":"alice"
>   }'
>
> The command above is creating a book where user "alice" is the owner. Note
> the "type" field defined as "book".
> Once you do that, if you try to use the
> policy evaluation tool [3] to check permissions for "alice" on resource
> "Alice Book", access should be granted. Note that we did not define any
> permission for "Alice Book" directly; permissions are being processed based
> on what was defined for "Book Resource".
>
> We also allow you to override permissions on a per resource instance
> basis. So, suppose you want to also allow some other user to access "Alice
> Book". You just create a permission for this resource granting access to
> the user you want.
>

Ahhhhh! That example sheds some light on things for me. Thank you for that.

> We also support UMA, a standard focused on privacy and resource sharing
> requirements [4]. We have an extension to UMA (contribution from community)
> that allows resource servers to define custom permissions for user-managed
> resources [5]. When using UMA capabilities, your users are allowed to
> manage their resources via Keycloak Account Service.
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#typed-resources
> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_permission_typed_resource
> [3] https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_overview
> [4] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access
> [5] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api
>
>
>>
>>
>>>
>>>
>>> Regarding how the adapter (policy enforcer in particular) works. It
>>> verifies permissions locally in case the client is sending a bearer token
>>> with permissions, otherwise the adapter will query the server for
>>> permissions associated with the resource the client is trying to access
>>> (mapping is based on URIs).
>>>
>>
>> I had a feeling.
>> One of the reasons I'm so unclear about how to achieve
>> what we want is that it feels like a mixture of the auth policies Keycloak
>> supports is needed.
>> I've been thinking that for each app, default Keycloak policies are
>> created that e.g. allowed read only within an organisation.
>> Use Keycloak groups to represent "sites" e.g. offices in an organisation
>> and applied default policies to the groups.
>> Then, the key thing I thought was that I'd have to register each type and
>> its fields in Keycloak as resources and then have a fixed list of scopes
>> read, write, update, delete, share etc
>> When an entry/instance (say of a Book) is shared, the model changes from
>> being type based to being based on the ID of the object i.e. the Book's ID
>>
>
> It makes sense. However, I don't think the model needs to change. Your
> typed resource will always be there. What you need to do is create new
> resources (with their corresponding types) representing those
> "entries/instances".
>

Got it.

>
>
>>
>> If I understood correctly, that means the size of the token will grow
>> with each object shared directly with a user, surely a problem.
>>
>
> Not really. It depends on how you want to enforce permissions.
>
> If you don't want to evaluate permissions all the time, you can obtain a
> token with some initial permissions. Then you can perform incremental
> authorization to obtain more permissions in addition to those previously
> granted. We also support limiting the number of permissions in a response
> from the server. [4]
>
> In the next release, we are also supporting a response_mode parameter that you
> could use to define the format of responses from the server. These formats are
> especially useful in case you don't want to use permissions from access
> tokens but invoke the server only to obtain permissions.
>
> [4] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>

We'll have to give this one some careful thought; latency is a big concern. Some of our customers' use cases demand low latency (automated and pseudo real time decisions), so in general an approach that minimised round trips to Keycloak would be best. It's a real mixed bag though because most cases are web application flows that do not have this low latency requirement. One of us in the team will be working on this in our next sprint so a lot of things should fall into place as part of this.

>
>
>> In a similar vein, do I have to create an entry for every Book record in
>> keycloak to be able to do per book permissions?
>>
>
> Yes. You could use a single resource + JS policy too, but there are
> several issues doing that.
>
> People suggested a Resource SPI, which could be used to fetch resources
> from external databases ...
>
>

I take that as suggested but hasn't been done yet? (Given I've not seen the interface in the codebase or mentioned in the docs.) We'd be very interested in this. Our storage is centred around Apache Ignite and a great deal of effort's been poured into understanding and working with it. One outstanding concern with our proposed move to Keycloak for authorisation is understanding how to scale it well with the rest of our stack. I've had an attempt at a user SPI and concluded we'd be better off pushing it to Keycloak backed by Postgres. (Considered if we could write an Ignite drop in or something similar but the effort wasn't worth the initial perceived gains since users are probably going to remain relatively small compared to resources.) Out of interest however, Keycloak's using Hibernate right? How pluggable is this so that it could be replaced with Hibernate OGM? For resources this (scaling) is still an open question.
We're Kubernetes based and a base line for our services is to configure it with a minimum number of replicas and use metrics and auto scalers to grow that based on usage. Some of my questions may seem odd but as well as the functional aspect I'm working out how/if this fits in operationally as well.

We have one particular customer with an IoT use case at the moment which can be quite bursty; their entire setup is automated, including policies on who/what can see different pieces of data being produced by devices. Resource types are relatively fixed, in the order of a few thousand; instances are however hundreds of thousands per hour and can burst to millions. Those numbers have been steadily growing and we're expecting more customers with similar or larger numbers. This is why I was particularly keen to get some answers around whether we'd have to register every instance in Keycloak, about token size and trips to Keycloak. We're comfortable scaling Ignite and the rest of our stack but unclear exactly what that means for Keycloak. I've seen and have currently got an HA Keycloak and Postgres setup and am just starting to look into doing stress tests, but figuring out our auto model first since it doesn't make sense to stress it with one scenario and then implement another!

At the moment some of these things aren't a concern because we use Apache Shiro in the service so there's no network round trip, and our makeshift "policy evaluation" uses the user defined rules that are largely based on patterns so doesn't need per instance permissions, meaning low cardinality on policy/permissions. With your explanation I now understand how this can be done but I'm still left with some concern about permission growth for these automated use cases. Since they're user defined, the slightest mistake could lead to hundreds of millions of permission entries in Keycloak in a short space of time.
The only solace at the moment is that the keycloak API isn't being exposed directly so we can probably think of a way to ensure the flexibility of Keycloak is available while minimising this explosion of permission entries.

I hope this provides a little more insight and I welcome any further comments/suggestions on what/where to look to address some of these concerns or in fact any reason why the concerns are unwarranted.

Regards,
Courtney

From remy at grunblatt.org Tue Aug 14 05:25:25 2018
From: remy at grunblatt.org (Rémy Grünblatt)
Date: Tue, 14 Aug 2018 11:25:25 +0200
Subject: [keycloak-user] Custom Identity Brokering for a CAS Server
Message-ID: <5007da33-fd04-f910-710f-4df3b8474983@grunblatt.org>

Hello,

We would like to have a Keycloak server use data from a legacy auth system (namely, a CAS server, https://en.wikipedia.org/wiki/Central_Authentication_Service ) to authenticate people. We do not have admin rights on the CAS server, nor are we able to access the underlying ldap database it uses internally.

People would be able to have « pure » keycloak accounts (new users), but also link their identity from the CAS or use the CAS to identify, and create an account the first time they do so.

I tried to find documentation to develop our own identity provider (as Keycloak only has social, oidc, and saml providers), but I find it difficult to guess what are the interfaces we need to implement.

Right now, this is what I have: https://github.com/Reventl0v/KeycloakCAS

So, questions:

- Is there somewhere listing everything we need to implement beside looking at the code of keycloak?
- Is there online some custom provider example code for something that is not talking oidc, saml, or is a social provider?
- Do you think it's a good idea to create such a provider?
I found http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html but I have no news about the result of this enterprise: Dominik (can I call you Dominik?), did you manage to achieve this goal?

Many thanks,
Rémy

From Sebastian.Schuster at bosch-si.com Tue Aug 14 05:29:03 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1))
Date: Tue, 14 Aug 2018 09:29:03 +0000
Subject: [keycloak-user] Keycloak user/authorization/realmRevisionsCache and Prometheus JMX exporter: rebalancingEnabled attribute missing
Message-ID:

Hi everybody,

We are currently trying to get Infinispan Cache Metrics via JMX out of Keycloak and into Prometheus. After including the Prometheus JMX Exporter (https://github.com/prometheus/jmx_exporter) and going through a configuration spree, we get warnings in the Keycloak log indicating that the attribute "rebalancingEnabled" is null/not set for the Infinispan Caches userRevisions, authorizationRevisions, and realmRevisions. The error looks like the following:

07:32:34,276 DEBUG [org.infinispan.jmx.ResourceDMBean] (pool-1-thread-3) Exception while reading value of attribute rebalancingEnabled: java.lang.reflect.InvocationTargetException
07:32:34,276 WARN [org.infinispan.jmx.ResourceDMBean] (pool-1-thread-3) ISPN000036: Did not find attribute rebalancingEnabled
07:32:34,336 WARN [org.infinispan.topology.CacheTopologyControlCommand] (pool-1-thread-3) ISPN000071: Caught exception when handling command CacheTopologyControlCommand{cache=authorizationRevisions, type=POLICY_GET_STATUS, sender=keycloak-mssql-6599fb56cb-vhll5, joinInfo=null, topologyId=0, rebalanceId=0, currentCH=null, pendingCH=null, availabilityMode=null, actualMembers=null, throwable=null, viewId=0}: java.lang.NullPointerException
    at org.infinispan.topology.ClusterTopologyManagerImpl.isRebalancingEnabled(ClusterTopologyManagerImpl.java:628)
    at org.infinispan.topology.CacheTopologyControlCommand.doPerform(CacheTopologyControlCommand.java:197)
    at
    org.infinispan.topology.CacheTopologyControlCommand.perform(CacheTopologyControlCommand.java:153)
    at org.infinispan.topology.LocalTopologyManagerImpl.executeOnCoordinator(LocalTopologyManagerImpl.java:606)
    at org.infinispan.topology.LocalTopologyManagerImpl.isCacheRebalancingEnabled(LocalTopologyManagerImpl.java:540)
    at org.infinispan.cache.impl.CacheImpl.isRebalancingEnabled(CacheImpl.java:998)
    at sun.reflect.GeneratedMethodAccessor554.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.infinispan.jmx.ResourceDMBean$InvokableSetterBasedMBeanAttributeInfo.invoke(ResourceDMBean.java:394)
    at org.infinispan.jmx.ResourceDMBean.getNamedAttribute(ResourceDMBean.java:298)
    at org.infinispan.jmx.ResourceDMBean.getAttributes(ResourceDMBean.java:197)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getAttributes(DefaultMBeanServerInterceptor.java:709)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.getAttributes(JmxMBeanServer.java:705)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.scrapeBean(JmxScraper.java:151)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxScraper.doScrape(JmxScraper.java:117)
    at io.prometheus.jmx.shaded.io.prometheus.jmx.JmxCollector.collect(JmxCollector.java:456)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.findNextElement(CollectorRegistry.java:183)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:216)
    at io.prometheus.jmx.shaded.io.prometheus.client.CollectorRegistry$MetricFamilySamplesEnumeration.nextElement(CollectorRegistry.java:137)
    at io.prometheus.jmx.shaded.io.prometheus.client.exporter.common.TextFormat.write004(TextFormat.java:22)
    at io.prometheus.jmx.shaded.io.prometheus.client.exporter.HTTPServer$HTTPMetricHandler.handle(HTTPServer.java:59)
    at
    com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
    at sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:83)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:82)
    at sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:675)
    at com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:79)
    at sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:647)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

These caches are created programmatically, as far as I can see, so there is no easy way to change their configuration. Did anybody have a similar problem, or can anybody shed some light on why these caches miss the "rebalancingEnabled" attribute?

Thanks and best regards,
Sebastian

With kind regards / Best regards

Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the supervisory board: Dr.-Ing. Thorsten Lücke; Managing directors: Dr.
Stefan Ferber, Michael Hahn

From msakho at redhat.com Tue Aug 14 05:51:41 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Tue, 14 Aug 2018 11:51:41 +0200
Subject: [keycloak-user] Custom Identity Brokering for a CAS Server
In-Reply-To: <5007da33-fd04-f910-710f-4df3b8474983@grunblatt.org>
References: <5007da33-fd04-f910-710f-4df3b8474983@grunblatt.org>
Message-ID:

Remy,
take a look at this [1]

[1] https://github.com/Doccrazy/keycloak-protocol-cas

Meissa

2018-08-14 11:25 GMT+02:00 Rémy Grünblatt :

> Hello,
>
> We would like to have a Keycloak server use data from a legacy auth
> system (namely, a CAS server,
> https://en.wikipedia.org/wiki/Central_Authentication_Service ) to
> authenticate people. We do not have admin rights on the CAS server, nor
> are we able to access the underlying ldap database it uses internally.
>
> People would be able to have « pure » keycloak accounts (new users), but
> also link their identity from the CAS or use the CAS to identify, and
> create an account the first time they do so.
>
> I tried to find documentation to develop our own identity provider (as
> Keycloak only has social, oidc, and saml providers), but I find it
> difficult to guess what are the interfaces we need to implement.
>
> Right now, this is what I have: https://github.com/Reventl0v/KeycloakCAS
>
>
> So, questions:
>
> - Is there somewhere listing everything we need to implement beside
> looking at the code of keycloak?
> - Is there online some custom provider example code for something that
> is not talking oidc, saml, or is a social provider?
> - Do you think it's a good idea to create such a provider?
>
>
> I found
> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html
> but I have no news about the result of this enterprise: Dominik (can I
> call you Dominik?), did you manage to achieve this goal?
>
> Many thanks,
>
> Rémy
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From remy at grunblatt.org Tue Aug 14 06:07:31 2018
From: remy at grunblatt.org (Rémy Grünblatt)
Date: Tue, 14 Aug 2018 12:07:31 +0200
Subject: [keycloak-user] Custom Identity Brokering for a CAS Server
In-Reply-To:
References: <5007da33-fd04-f910-710f-4df3b8474983@grunblatt.org>
Message-ID: <8E4DE842-9399-4554-874C-37F41DA8EA55@grunblatt.org>

Hi,

This adds a client protocol; what we are searching for is the other way around (use the CAS as a provider).

Thanks,
Rémy

On 14 Aug 2018 11:51:41 GMT+02:00, Meissa M'baye Sakho wrote:
>Remy,
>take a look at this [1]
> [1] https://github.com/Doccrazy/keycloak-protocol-cas
>
>Meissa
>
>2018-08-14 11:25 GMT+02:00 Rémy Grünblatt :
>
>> Hello,
>>
>> We would like to have a Keycloak server use data from a legacy auth
>> system (namely, a CAS server,
>> https://en.wikipedia.org/wiki/Central_Authentication_Service ) to
>> authenticate people. We do not have admin rights on the CAS server, nor
>> are we able to access the underlying ldap database it uses internally.
>>
>> People would be able to have « pure » keycloak accounts (new users), but
>> also link their identity from the CAS or use the CAS to identify, and
>> create an account the first time they do so.
>>
>> I tried to find documentation to develop our own identity provider (as
>> Keycloak only has social, oidc, and saml providers), but I find it
>> difficult to guess what are the interfaces we need to implement.
>>
>> Right now, this is what I have: https://github.com/Reventl0v/KeycloakCAS
>>
>>
>> So, questions:
>>
>> - Is there somewhere listing everything we need to implement beside
>> looking at the code of keycloak?
>> - Is there online some custom provider example code for something that
>> is not talking oidc, saml, or is a social provider?
>> - Do you think it's a good idea to create such a provider?
>>
>>
>> I found
>> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html
>> but I have no news about the result of this enterprise: Dominik (can I
>> call you Dominik?), did you manage to achieve this goal?
>>
>> Many thanks,
>>
>> Rémy
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From erlend at hamnaberg.net Tue Aug 14 07:00:29 2018
From: erlend at hamnaberg.net (Erlend Hamnaberg)
Date: Tue, 14 Aug 2018 13:00:29 +0200
Subject: [keycloak-user] Custom Identity Brokering for a CAS Server
In-Reply-To: <8E4DE842-9399-4554-874C-37F41DA8EA55@grunblatt.org>
References: <5007da33-fd04-f910-710f-4df3b8474983@grunblatt.org> <8E4DE842-9399-4554-874C-37F41DA8EA55@grunblatt.org>
Message-ID:

I have done this for my client. It is quite possible to do, however it is not trivial.

Not sure if I'm allowed to publish the source for the integration, but I will ask.

/Erlend

On Tue, Aug 14, 2018 at 12:07 PM, Rémy Grünblatt wrote:

> Hi,
>
> This adds a client protocol; what we are searching for is the other way
> around (use the CAS as a provider).
>
> Thanks,
> Rémy
>
> On 14 Aug 2018 11:51:41 GMT+02:00, Meissa M'baye Sakho
> wrote:
> >Remy,
> >take a look at this [1]
> > [1] https://github.com/Doccrazy/keycloak-protocol-cas
> >
> >Meissa
> >
> >2018-08-14 11:25 GMT+02:00 Rémy Grünblatt :
> >
> >> Hello,
> >>
> >> We would like to have a Keycloak server use data from a legacy auth
> >> system (namely, a CAS server,
> >> https://en.wikipedia.org/wiki/Central_Authentication_Service ) to
> >> authenticate people.
> >> We do not have admin rights on the CAS server, nor
> >> are we able to access the underlying ldap database it uses internally.
> >>
> >> People would be able to have « pure » keycloak accounts (new users), but
> >> also link their identity from the CAS or use the CAS to identify, and
> >> create an account the first time they do so.
> >>
> >> I tried to find documentation to develop our own identity provider (as
> >> Keycloak only has social, oidc, and saml providers), but I find it
> >> difficult to guess what are the interfaces we need to implement.
> >>
> >> Right now, this is what I have: https://github.com/Reventl0v/KeycloakCAS
> >>
> >>
> >> So, questions:
> >>
> >> - Is there somewhere listing everything we need to implement beside
> >> looking at the code of keycloak?
> >> - Is there online some custom provider example code for something that
> >> is not talking oidc, saml, or is a social provider?
> >> - Do you think it's a good idea to create such a provider?
> >>
> >>
> >> I found
> >> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html
> >> but I have no news about the result of this enterprise: Dominik (can I
> >> call you Dominik?), did you manage to achieve this goal?
> >>
> >> Many thanks,
> >>
> >> Rémy
> >>
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>

From psilva at redhat.com Tue Aug 14 08:06:25 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 14 Aug 2018 09:06:25 -0300
Subject: [keycloak-user] Using Keycloak for per field authorisation
In-Reply-To:
References:
Message-ID:

On Tue, Aug 14, 2018 at 12:27 AM, Courtney Robinson <courtney.robinson at hypi.io> wrote:

> On Tue, Aug 14, 2018 at 2:54 AM, Pedro Igor Silva wrote:
>
>> Sorry for the late reply ...
>>
>
> Not at all. Thank you for the detailed response.
>
>>> The other case I mentioned in my first email is where, a user in an
>>> organisation has created e.g. a "Book" record. Under default policies only
>>> they can see and manage this Book they created. They can then share this
>>> book with site 2 so that users in site 2 can also read the book, they may
>>> also share it with the whole organisation so anyone in the realm can read
>>> it. The extension to this is when members of one site could normally only
>>> see a subset of fields from Book but on one occasion a user shares a
>>> single Book with one or more members giving them the permission to "manage"
>>> this one Book. This lifts the limitation on this one instance of book
>>> enabling the user it is shared with to access a field of Book they wouldn't
>>> have been able to see before.
>>>
>>
>> Now I see, thanks. I was imagining something like that.
>>
>> In Keycloak, resource can have a type [1]. A "typed" resource is a
>> resource which owner is the resource server (when I say resource server, I
>> mean the client application you are setting up permissions).
>> You can define permissions to these typed resources [2] where these
>> permissions will be considered when deciding whether or not access should
>> be granted to other resources with the same type, where these other
>> resources are actually instances of the "typed" resource (the class example
>> you gave). Resource instances have users as resource owners, not the
>> resource server. That is the difference between a typed vs resource
>> instance.
>>
>> Let's take the case you mentioned as an example. You have a "Book
>> Resource" with a type "book" and permissions associated with this book.
>> Where policies associated with this permission only grants access to the
>> owner of the resource. Once you have this configuration, create a resource
>> as follows:
>>
>> curl -X POST \
>>   http://localhost:8180/auth/realms/{realm}/authz/protection/resource_set \
>>   -H 'Authorization: Bearer {access_token}' \
>>   -H 'Content-Type: application/json' \
>>   -d '{
>>         "name":"Alice Book",
>>         "type": "book",
>>         "resource_scopes":["read", "manage"],
>>         "owner":"alice"
>>       }'
>>
>> The command above is creating a book where user "alice" is the owner.
>> Note the "type" field defined as "book". Once you do that, if you try to
>> use the policy evaluation tool [3] to check permissions for "alice" on
>> resource "Alice Book", access should be granted. Note that we did not
>> define any permission for "Alice Book" directly, permissions are being
>> processed based on what was defined for "Book Resource".
>>
>> We also allow you to override permissions on a per resource instance
>> basis. So, suppose you want to also allow some other user to access "Alice
>> Book". You just create a permission for this resource granting access to
>> the user you want.
>>
>
> Ahhhhh! That example sheds some light on things for me. Thank you for that.
>
>
>> We also support UMA, a standard focused on privacy and resource sharing
>> requirements [4].
>> We have an extension to UMA (contribution from community)
>> that allows resource servers to define custom permissions for user-managed
>> resources [5]. When using UMA capabilities, your users are allowed to
>> manage their resources via Keycloak Account Service.
>>
>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#typed-resources
>> [2] https://www.keycloak.org/docs/latest/authorization_services/index.html#_permission_typed_resource
>> [3] https://www.keycloak.org/docs/latest/authorization_services/index.html#_policy_evaluation_overview
>> [4] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_user_managed_access
>> [5] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api
>>
>>
>>>> Regarding how the adapter (policy enforcer in particular) work. It
>>>> verifies permissions locally in case the client is sending a bearer token
>>>> with permissions, otherwise the adapter will query the server for
>>>> permissions associated with resource the client is trying to access
>>>> (mapping is based on URIs).
>>>>
>>>
>>> I had a feeling. One of the reasons I'm so unclear about how to achieve
>>> what we want is that it feels like a mixture of the auth policies Keycloak
>>> supports is needed.
>>> I've been thinking that for each app, default Keycloak policies are
>>> created that e.g. allowed read only within an organisation.
>>> Use Keycloak groups to represent "sites" e.g. offices in an organisation
>>> and applied default policies to the groups.
>>> Then, the key thing I thought was that I'd have to register each type
>>> and its fields in Keycloak as resources and then have a fixed list of
>>> scopes read, write, update, delete, share etc
>>> When an entry/instance (say of a Book) is shared, the model changes from
>>> being type based to being based on the ID of the object i.e. the Book's ID
>>>
>>
>> It makes sense.
>> However, I don't think the model needs to change. Your
>> typed resource will always be there. What you need to do is create new
>> resources (with their corresponding types) representing those
>> "entries/instances".
>>
>
> Got it.
>
>
>>> If I understood correctly, that means the size of the token will grow
>>> with each object shared directly with a user, surely a problem.
>>>
>>
>> Not really. It depends on how you want to enforce permissions.
>>
>> If you don't want to evaluate permissions all the time, you can obtain a
>> token with some initial permissions. Then you can perform incremental
>> authorization to obtain more permissions in addition to those previously
>> granted. We also support limiting the number of permissions in a response
>> from the server. [4]
>>
>> In next release, we are also supporting a response_mode parameter that
>> you could use to define the format of responses from server. These formats
>> are specially useful in case you don't want to use permissions from access
>> tokens but invoke server to only obtain permissions.
>>
>> [4] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions
>>
>
> We'll have to give this one some careful thought, latency is a big
> concern. Some of our customer's use cases demand low latency (automated and
> pseudo real time decisions) so in general an approach that minimised round
> trips to Keycloak would be best. It's a real mixed bag though because most
> cases are web application flows that do not have this low latency
> requirement.
>
> One of us in the team will be working on this in our next sprint so a lot
> of things should fall into place as part of this.
>

In the next release, we are also delivering improvements around
performance. We found places we could improve and especially the policy
evaluation engine. We have introduced some cache layers to avoid
redundancy when evaluating permissions/policies.
Let us know about your experience, we know we can still improve it. But
as the first work we did around performance tests, the results are
pretty much good (and much better from previous releases).

>
>>> In a similar vein, do I have to create an entry for every Book record in
>>> keycloak to be able to do per book permissions?
>>>
>>
>> Yes. You could use a single resource + JS policy too, but there are
>> several issues doing that.
>>
>> People suggested a Resource SPI, which could be used to fetch resources
>> from external databases ...
>>
>
> I take that as suggested but hasn't been done yet? (Given I've not seen
> the interface in the codebase or mentioned in the docs) We'd be very
> interested in this. Our storage is centred around Apache Ignite and a great
> deal of effort's been poured into understanding and working with it. One
> outstanding concern with our proposed move to Keycloak for authorisation is
> understanding how to scale it well with the rest of our stack.
>

No, it is not, and you are not the first one from the community with
similar requirements. Maybe we could start discussing and including this
in our roadmap.

>
> I've had an attempt at a user SPI and concluded we'd be better off pushing
> it to Keycloak backed by Postgres. (Considered if we could write an Ignite
> drop in or something similar but the effort wasn't worth the initial
> perceived gains since users are probably going to remain relatively small
> compared to resources).
> Out of interest however, Keycloak's using Hibernate right? How pluggable
> is this so that it could be replaced with Hibernate OGM?
>

IIRC, OGM is based on JPA spec, right? If you mean implementing User SPI
using OGM, it should work.

>
> For resources this (scaling) is still an open question. We're Kubernetes
> based and a base line for our services is to configure it with a minimum
> number of replicas and use metrics and auto scalers to grow that based on
> usage.
> Some of my questions may seem odd but as well as the functional
> aspect I'm working out how/if this fits in operationally as well.
>
> We have one particular customer with an IoT use case at the moment which
> can be quite bursty, their entire setup is automated including policies on
> who/what can see different pieces of data being produced by devices.
> Resource types are relatively fixed in the order of a few thousand,
> instances are however hundreds of thousands per hour and can burst to
> millions. Those numbers have been steadily growing and we're expecting more
> customers with similar or larger numbers.
>

Nice. As I mentioned before, we have been working with performance
improvements. During this work I noticed that performance is not really
related with the number of resources or scopes, but on how you design
your policies and how you obtain them from server. For instance, if you
query the server for all permissions a user has, you would not get good
throughput. However, if you can perform incremental authorization, ask
for chunks of permissions, etc, you will get a good throughput. Of
course, this is relative, I could give you numbers but that could be
misleading and not based on your real constraints. This is an area we
want to improve from now on, so, feedback is always welcome.

>
> This is why I was particularly keen to get some answers around whether
> we'd have to register every instance in Keycloak, about token size and
> trips to Keycloak, we're comfortable scaling ignite and the rest of our
> stack but unclear exactly what that means for Keycloak, I've seen and have
> currently got an HA Keycloak and Postgres setup and just starting to look
> into doing stress tests but figuring out our auto model first since it
> doesn't make sense to stress it with one scenario and then implement
> another!
>
> At the moment some of these things aren't a concern because we use Apache
> Shiro in the service so there's no network round trip and our makeshift
> "policy evaluation" uses the user defined rules that are largely based on
> patterns so doesn't need per instance permissions meaning low cardinality
> on policy/permissions. With your explanation I now understand how this can
> be done but I'm still left with some concern about permission growth for
> these automated use cases. Since they're user defined, the slightest
> mistake could lead to hundreds of millions of permission entries in
> Keycloak in a short space of time. The only solace at the moment is that
> the keycloak API isn't being exposed directly so we can probably think of a
> way to ensure the flexibility of Keycloak is available while minimising
> this explosion of permission entries.
>
> I hope this provides a little more insight and I welcome any further
> comments/suggestions on what/where to look to address some of these
> concerns or in fact any reason why the concerns are unwarranted.
>

No doubts, it is a great use case that could stress our capabilities.
Like I said, I do think it really depends on how you design
authorization. For instance, you mentioned that you may have hundreds of
millions of permissions. But you could also have a single permission
representing/enforcing access to N resources. Take a simple "Only Owner
Can Access" policy as an example.

One of the things that I like most in Keycloak authz is that you are
really designing your authorization requirements,
thinking/implementing/testing the policies you need and re-using these
policies to enforce access to different resources.
>
> Regards,
> Courtney
>

From elyse.badr.saradar at gmail.com Tue Aug 14 08:08:44 2018
From: elyse.badr.saradar at gmail.com (elyse badr saradar)
Date: Tue, 14 Aug 2018 15:08:44 +0300
Subject: [keycloak-user] Fwd: Help
In-Reply-To:
References:
Message-ID:

Hello,

I am trying to integrate keycloak in my system. I already have two
authentication applications that I can't change/update its code. I would
like to have a single login page for all my applications using keycloak
and let keycloak communicate with them authenticate/authorize only once
(single sign on) regardless of whether the user enters the first
application credentials or the second one.

I first saw the broker identity provider feature you have and I configure
it but it still didn't work fine. (I probably missed some configuration)
or maybe I need to add custom code in my application.

Second I saw the SPI and thought of writing a customized authentication
jar to change in keycloak authentication to communicate with my
authentication applications. I saw in git hub we have under
example/provider/authenticator a sample code. I tried to import it in my
IDE but I'm facing this issue:

Failed to execute goal on project authenticator-required-action-example:
Could not resolve dependencies for project
org.keycloak:authenticator-required-action-example:jar:4.3.0.Final-SNAPSHOT:
The following artifacts could not be resolved:
org.keycloak:keycloak-core:jar:4.3.0.Final-SNAPSHOT,
org.keycloak:keycloak-server-spi:jar:4.3.0.Final-SNAPSHOT,
org.keycloak:keycloak-server-spi-private:jar:4.3.0.Final-SNAPSHOT,
org.keycloak:keycloak-services:jar:4.3.0.Final-SNAPSHOT: Could not find
artifact org.keycloak:keycloak-core:jar:4.3.0.Final-SNAPSHOT -> [Help 1]
[ERROR]

Can you guide on whether this version is used or not on maven online
repository?
Note that I am trying to add several keycloak dependencies but not able
to find which one has org.keycloak.authentication according to the
documentation link:
https://www.keycloak.org/docs/3.3/server_development/topics/auth-spi.html

Please help and thanks in advance

From rafaelweingartner at gmail.com Tue Aug 14 09:26:19 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Tue, 14 Aug 2018 10:26:19 -0300
Subject: [keycloak-user] Keycloak configuring SAML clients
Message-ID:

Hello Keycloakers,

I am trying to integrate Keycloak with an SP using SAML. I downloaded
keycloak metadata using
https:///auth/realms//protocol/saml/descriptor.
I configured this metadata in my metadata provider (for the whole
federation). The SPs now can see the IdP (Keycloak). How do I configure
Keycloak to use my federation metadata? I mean, instead of configuring
each client manually, keycloak could read this descriptor file, and get
the Keys (public keys of service providers) and URLs from there. At least
that is how we are used to doing it when using Shibboleth.

--
Rafael Weingärtner

From Gregor.Tudan at cofinpro.de Tue Aug 14 09:43:54 2018
From: Gregor.Tudan at cofinpro.de (Gregor Tudan)
Date: Tue, 14 Aug 2018 13:43:54 +0000
Subject: [keycloak-user] Staging Configuration
Message-ID: <94360278-5E11-4B0B-968B-92DE735AD18F@cofinpro.de>

Hi!

We are running a multi-tenant setup and therefore have a lot of realms
which are identical to one another in terms of clients - the only
differences are the urls. This leaves us with two challenges:

- how can we sync the settings of the realms (i.e. when adding a new client).
- how can we sync the settings of the realms to different stages
  (development, test, production?)

Has anybody faced similar problems and found a nice solution? Our best
idea is to script as many changes as possible through the admin-client,
but comparing different realms and instances would be nice as well.
Thank you,
Gregor

From jdennis at redhat.com Tue Aug 14 09:53:19 2018
From: jdennis at redhat.com (John Dennis)
Date: Tue, 14 Aug 2018 09:53:19 -0400
Subject: [keycloak-user] Keycloak configuring SAML clients
In-Reply-To:
References:
Message-ID:

On 08/14/2018 09:26 AM, Rafael Weingärtner wrote:
> Hello Keycloakers,
>
> I am trying to integrate Keycloak with an SP using SAML. I downloaded
> keycloak metadata using
> https:///auth/realms//protocol/saml/descriptor.
> I configured this metadata in my metadata provider (for the whole
> federation). The SPs now can see the IdP (Keycloak). How do I configure
> Keycloak to use my federation metadata? I mean, instead of configuring
> each client manually, keycloak could read this descriptor file, and get the
> Keys (public keys of service providers) and URLs from there. At least that
> is how we are used to doing it when using Shibboleth.

Using the Web Admin GUI, go to the relevant realm page. In the left panel
is a "Clients" tab, click on that. On the "Clients" page click on "Create"
in the upper right. On the "Add Client" page is a "import" box, enter your
SP metadata there. Make sure the client protocol is set to saml.

--
John Dennis

From rafaelweingartner at gmail.com Tue Aug 14 10:03:11 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Tue, 14 Aug 2018 11:03:11 -0300
Subject: [keycloak-user] Keycloak configuring SAML clients
In-Reply-To:
References:
Message-ID:

Thanks!
I tried using that, but I received an error. Now I found out why. My SP
metadata file had the following line:
>
>
That was breaking the parser.

On Tue, Aug 14, 2018 at 10:53 AM, John Dennis wrote:

> On 08/14/2018 09:26 AM, Rafael Weingärtner wrote:
>
>> Hello Keycloakers,
>>
>> I am trying to integrate Keycloak with an SP using SAML. I downloaded
>> keycloak metadata using
>> https:///auth/realms//protocol/saml/descriptor.
>> I configured this metadata in my metadata provider (for the whole
>> federation).
>> The SPs now can see the IdP (Keycloak). How do I configure
>> Keycloak to use my federation metadata? I mean, instead of configuring
>> each client manually, keycloak could read this descriptor file, and get
>> the Keys (public keys of service providers) and URLs from there. At least
>> that is how we are used to doing it when using Shibboleth.
>>
>
> Using the Web Admin GUI, go to the relevant realm page. In the left panel
> is a "Clients" tab, click on that. On the "Clients" page click on "Create"
> in the upper right. On the "Add Client" page is a "import" box, enter your
> SP metadata there. Make sure the client protocol is set to saml.
>
>
> --
> John Dennis
>

--
Rafael Weingärtner

From ryans at jlab.org Tue Aug 14 11:07:23 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 14 Aug 2018 11:07:23 -0400 (EDT)
Subject: [keycloak-user] How to logout
In-Reply-To: <2102357851.19955408.1534259148993.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org>
 <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com>
Message-ID: <1449853930.19955607.1534259243920.JavaMail.zimbra@jlab.org>

Hi Stan,

I'm not sure if it is an issue or just the way it is supposed to work.
Again, HttpServletRequest.logout() does work when the servlet container
itself believes a user is logged in. The case in which it appears to be a
no-op is when the servlet container is not aware of any login. This might
be okay? Not sure?

The problem is that a user can be logged into Keycloak, but not logged
into the servlet container. In this case how do I log the user out?
Perhaps I should use the alternative method, the URL:
https://authserver/auth/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri?
However, having a logout anchor (link) that navigates to that URL does not
destroy the Keycloak login. Perhaps I need to add some authentication
header, bearer token, or something else along with the GET HTTP request?
Watching the network requests using the developer console of a web
browser I see that even after the logout request to Keycloak if I attempt
a login immediately after I see the KC_RESTART cookie is used (so a token
must still exist?) and I am logged in automatically without being
prompted for username or password - so... the logout URL didn't seem to
work.

Thanks,

Ryan

----- Original Message -----
From: "Stan Silvert"
To: "keycloak-user"
Sent: Monday, August 13, 2018 7:15:15 PM
Subject: Re: [keycloak-user] How to logout

HttpServletRequest.logout() should not be a no-op. It was implemented a
long time ago:
https://issues.jboss.org/browse/KEYCLOAK-478

If there is an issue with it you should report it in JIRA.

Stan

On 8/13/2018 4:19 PM, Ryan Slominski wrote:
> Hi Keycloak Users,
>
> I'm using the Wildfly client adapter and trying to logout of Keycloak,
> even if a client application container doesn't think it is logged in.
> This is a problem because login state with Keycloak and login state with
> JSESSION_ID in servlet container are two separate things that can get
> out-of-sync. The documentation says you can logout in one of two ways:
>
> 1. Call HttpServletRequest.logout()
> 2.
Navigate to URL https://urldefense.proofpoint.com/v2/url?u=http-3A__auth-2Dserver_auth_realms_&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rRzSMqrH9tw1NhwWdoX-ODe_7DvyE-Cr-9bHZoQKxX4&s=_59Wic6w6LhkACOwcCwlGFp0s-px_5ETP9toZFHnPrc&e= {realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri > > See: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_securing-5Fapps_index.html-23logout&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rRzSMqrH9tw1NhwWdoX-ODe_7DvyE-Cr-9bHZoQKxX4&s=eo8LPXrVvTI2IYhZ6JScwrbjMxBD8R_SuATg2KkMD10&e= > > The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips? > > A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (cilent B) wants to forcefully logout as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague. 
>
> Thanks,
>
> Ryan

From ryans at jlab.org Tue Aug 14 11:35:53 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 14 Aug 2018 11:35:53 -0400 (EDT)
Subject: [keycloak-user] How to logout
In-Reply-To: <1449853930.19955607.1534259243920.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org>
 <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com>
 <1449853930.19955607.1534259243920.JavaMail.zimbra@jlab.org>
Message-ID: <58731943.19961181.1534260953941.JavaMail.zimbra@jlab.org>

Maybe related:

1. https://issues.jboss.org/browse/KEYCLOAK-5325
2. https://issues.jboss.org/browse/KEYCLOAK-3302

Looks like I'm not the only one asking questions about this either:

1. https://stackoverflow.com/questions/46689034/logout-user-via-keycloak-rest-api-doesnt-work
2. https://stackoverflow.com/questions/49190827/keycloak-logout-does-not-end-session
3. https://stackoverflow.com/questions/42295548/keycloak-logout-request-does-not-log-out-user
4.
https://stackoverflow.com/questions/50537584/keycloak-openid-single-log-out-with-spring-boot

----- Original Message -----
From: "Ryan Slominski"
To: "Stan Silvert"
Cc: "keycloak-user"
Sent: Tuesday, August 14, 2018 11:07:23 AM
Subject: Re: [keycloak-user] How to logout

From thomas.darimont at googlemail.com Tue Aug 14 14:58:20 2018
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Tue, 14 Aug 2018 20:58:20 +0200
Subject: [keycloak-user] Fine-grained permissions along hierarchy paths
Message-ID:

Hello,

I have a realm with nested groups that denotes a hierarchical corporate
structure.

/corp
-/org
--/branch1
---/divsion1
----/team1
----/team2
---/divsion2
----/team3
----/team4
--/branch2
-/infra
...

Users belong to one particular group along the /corp/org subtree, but
might also be members of one or more groups from a different subtree,
e.g., /corp/infra.
Is it possible to have dedicated admin users at /corp, /branchX, /divisionX level who can only view and manage the users from their group or subtree with an admin-console scoped to a fixed realm? admin-console scoped to group-hierarchy-demo realm: http://localhost:8080/auth/admin/group-hierarchy-demo/console/#/realms/group-hierarchy-demo/users If a user logs in as divsion1-admin-user, he should only be able to see and manage the users beneath the path (/corp/org/branch1/division1/*). Does the fine-grained permission system already support use cases like this? Cheers, Thomas From graham.burgess at razer.com Tue Aug 14 15:29:08 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Tue, 14 Aug 2018 19:29:08 +0000 Subject: [keycloak-user] Problem Integration with OAuth2 provider Message-ID: I am trying to use Keycloak to broker our internally managed OAuth2 provider. I am unable to get it complete the "First Broker Login" workflow. The logs show "No token from server" as an error but I have thus far being able to get my Google-fu to help me figure out what the issue might be. I even went as far as looking at the code based on the stack trace and that would suggest that it is looking for an id_token, but my understanding for response_type=code as chosen by Keycloak, id_token isn't returned. I suspect I am doing something wrong but I don't know what and I am at a point that I don't know where to look to figure it out. I have looked at the different requests as they go through the workflow and can see all the redirects, etc. but it hasn't shown anything that has help me either. Anyone have any suggestions on how to proceed with troubleshooting this issue? Best regards, Graham Burgess R?Z?R|stormmore Sr. 
DevOps Engineer (USA)
Email: graham.burgess at razer.com
Razer Inc. (San Francisco)

From ryans at jlab.org Tue Aug 14 16:21:54 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 14 Aug 2018 16:21:54 -0400 (EDT)
Subject: [keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing
Message-ID: <463762502.20050871.1534278114168.JavaMail.zimbra@jlab.org>

Hi Keycloak Users,

I'm attempting to save my users a few button clicks by automatically trying brokered identity providers in the background with AJAX requests before redirecting them to the Keycloak login form (AJAX requests using the kc_idp_hint parameter). In most cases users will already be logged into one of the brokered identity providers (the client is often on one of several SPNEGO protected subnets), and instead of showing users the login form with buttons to try the brokered providers manually one by one, I was hoping to simply do it for them in the background, so that when directed to the login form for the realm the common case would be for users to be immediately redirected back because they're logged in already.

I'm using the Wildfly client adapters (Java servlet container managed security) configured as confidential clients. I have the client "Web Origins" set to "*". In the Wildfly standalone.xml I have the clients configured with "true". I'm using Keycloak 4.1.0. On the client side I'm using jQuery and have "crossDomain: true" and "xhrFields:{withCredentials: true}" set on the XHR object. The keycloak server still doesn't respond with an Access-Control-Allow-Origin header though, so the login fails. It works if not using AJAX.
The network trace of an AJAX request from the web browser console looks like:

--- Request 1 ---
GET https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
Host: myhost.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Cookie: OAuth_Token_Request_State=; JSESSIONID=.myhost
Connection: keep-alive

--- Response 1 ---
Cache-Control: no-cache, no-store, must-revalidate
Connection: Keep-Alive
Content-Length: 0
Date: Tue, 14 Aug 2018 19:48:46 GMT
Expires: 0
Keep-Alive: timeout=5, max=100
Location: https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
Pragma: no-cache
Server: WildFly/11
Set-Cookie: OAuth_Token_Request_State=; HttpOnly
X-Powered-By: Undertow/1

--- Request 2 ---
GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
Host: keycloak1.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Origin: https://myhost.example.com
Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
Connection: keep-alive

--- Response 2 ---
Status: 401
Cache-Control: no-store, must-revalidate, max-age=0
Connection: Keep-Alive
Content-Length: 615
Content-Type: text/html;charset=UTF-8
Date: Tue, 14 Aug 2018 19:48:48 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
            KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
WWW-Authenticate: Negotiate

--- Request 3 ---
GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.exampel.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
Host: keycloak1.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://myhost.example.com/myapp/mypage
Origin: https://myhost.example.com
Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
Connection: keep-alive
Authorization: Negotiate

--- Response 3 ---
Cache-Control: no-store, must-revalidate, max-age=0
Connection: Keep-Alive
Content-Length: 0
Date: Tue, 14 Aug 2018 19:48:48 GMT
Keep-Alive: timeout=5, max=99
Location: https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=&client_id=client1&tab_id=FP3hTW-bfQ8
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
            KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly

Notice I must redirect off a protected URL on my client app since the Wildfly client adapter only works on pages which are explicitly protected by the container managed security. Also notice that in the third and final request the response is missing the Access-Control-Allow-Origin header, which results in the error in the browser web console and the process ending. Any ideas?

Thanks,

Ryan

From ebenzacar at gmail.com Tue Aug 14 23:23:57 2018
From: ebenzacar at gmail.com (Eric B)
Date: Tue, 14 Aug 2018 23:23:57 -0400
Subject: [keycloak-user] How to force client to use PKCE code exchange?
Message-ID:

I'm using keycloak 3.4.3. Is there a way in the client configuration to require PKCE code exchange? I can't seem to find an option that would require support for this vs. just the standard code exchange flow.

Thanks

Eric

From henning.waack at codecentric.de Wed Aug 15 03:08:41 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Wed, 15 Aug 2018 09:08:41 +0200
Subject: [keycloak-user] Client roles in Access Token
Message-ID:

Dear all.

Using KC 4.2.1, I get the following access token for a "Service Account User":

{
  "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
  "exp": 1534251578,
  "nbf": 0,
  "iat": 1534251278,
  "iss": "https://xxx/auth/realms/NAK",
  "aud": "nak-portal",
  "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
  "typ": "Bearer",
  "azp": "nak-portal",
  "auth_time": 0,
  "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
  "name": "nak portal",
  "given_name": "nak",
  "family_name": "portal",
  "preferred_username": "service-account-nak-portal",
  "email": "service-account-nak-portal at placeholder.de",
  "email_verified": true,
  "acr": "1",
  "allowed-origins": [ "http://dummy:8008" ],
  "realm_access": { "roles": [ "source_system" ] },
  "resource_access": {
    "realm-management": {
      "roles": [ "manage-users", "view-users", "query-clients", "query-groups", "query-users" ]
    }
  },
  "scope": "email profile",
  "clientId": "nak-portal",
  "clientHost": "80.242.181.71",
  "clientAddress": "80.242.181.71",
  "client_id": "nak-portal",
  "username": "service-account-nak-portal",
  "active": true
}

Please note the five realm-management client roles.
The problem is that for the given service account I have assigned many more roles; please see the attached screenshot (service_account_roles.png).

Why don't I see all effective roles (or assigned roles) in my access token? Interestingly enough, I am also missing some of my realm roles. I have mapped 4 realm roles, but in the token I only have 1. Am I missing something?

Thanks in advance, greetings

Henning

From jan.garaj at gmail.com Wed Aug 15 03:36:24 2018
From: jan.garaj at gmail.com (Jan Garaj)
Date: Wed, 15 Aug 2018 08:36:24 +0100
Subject: [keycloak-user] CORS ‘Access-Control-Allow-Origin’ missing
In-Reply-To:
References:
Message-ID:

Hi,

Actually, Access-Control-Allow-Origin is not missing, because it should be available in the preflight (OPTIONS) response and not in the GET/POST response. My assumption is that the 3.4.2+ Keycloak CORS implementation is broken and it doesn't support any JS cross-domain access at the moment.

More details: https://issues.jboss.org/browse/KEYCLOAK-8006

You can find this CORS problem also on StackOverflow:
https://stackoverflow.com/questions/51706569/angular-keycloak-cant-get-token-using-api

Workaround: downgrade to 3.4.2- and use the insecure "Web Origins": "*"

Jan Garaj
Web: http://www.jangaraj.com / http://monitoringartist.com
LinkedIn: http://www.linkedin.com/in/jangaraj

From Sebastian.Schuster at bosch-si.com Wed Aug 15 03:44:18 2018
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1))
Date: Wed, 15 Aug 2018 07:44:18 +0000
Subject: [keycloak-user] [keycloak-dev] Fine-grained permissions along hierarchy paths
In-Reply-To:
References:
Message-ID:

Hi Thomas,

I think this should work. You will just have to enable permissions for the groups /corp, /branchX, /divisionX and create matching policies and assign the scopes view-members and manage-members. If a user is a member of one of the subgroups, the permissions defined on the parent groups still kick in. You just need to be aware that listing all users does not work as expected, see https://issues.jboss.org/browse/KEYCLOAK-7950. If you navigate via the groups, you should be fine...

I am just not sure what you mean by "admin console scoped to a fixed realm". All of this only works on the same realm; other realms are completely separate things...

Best regards,
Sebastian

Mit freundlichen Grüßen / Best regards

Dr.-Ing. Sebastian Schuster
Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Sebastian.Schuster at bosch-si.com

From henning.waack at codecentric.de Wed Aug 15 05:53:36 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Wed, 15 Aug 2018 11:53:36 +0200
Subject: [keycloak-user] Client roles in Access Token
In-Reply-To:
References:
Message-ID:

Please ignore, it was a problem with the scope settings on my client. I had not set "Full Scope Allowed", and the roles I had mapped were incomplete.

Thanks & greetings

Henning
--
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

From pdomsk at gmail.com Wed Aug 15 06:35:30 2018
From: pdomsk at gmail.com (Dmitry Pichugin)
Date: Wed, 15 Aug 2018 13:35:30 +0300
Subject: [keycloak-user] UMA vs OAuth
Message-ID:

Good day!

We are using Keycloak in our project, have installed version 4.2.1.

Our task:

- integration with an API gateway and use of Keycloak for resource protection.

We would like to use the "Client Credentials Flow" from the OAuth specs. But in version 4, Keycloak does not support OAuth and it is recommended to apply UMA 2.0.

Yes, the differences between UMA and OAuth are not huge, as in the request and response (JWT token) formats; UMA has specific logic with the RPT token etc., and UMA gives some advantages (we do not have a plan to use them).

We tried to make a request per the OAuth specs but got an error.

Why does Keycloak not support OAuth and UMA 2.0 at the same time? Do you have some specific reasons for this?

Thank you!

Best regards. Dmitry Pichugin.

From John.mcdonnell at bearingpoint.com Wed Aug 15 07:04:36 2018
From: John.mcdonnell at bearingpoint.com (McDonnell, John)
Date: Wed, 15 Aug 2018 11:04:36 +0000
Subject: [keycloak-user] Keycloak 3.4.3 - Importing Terms and Conditions Required Action
Message-ID: <865A51D9-261B-428A-AA02-4F86C0B9A31E@bearingpoint.com>

Hi,

I'm working on an integration project against Keycloak 3.4.3-FINAL, and so am limited in which Keycloak version is in use. At the moment I have spotted that when I import realm settings as JSON via REST, the terms and conditions required action's enabled/defaultAction settings are not being considered.
I am using the API HTTP PUT "/auth/admin/realms/R6", where R6 is the realm I'm updating, and the content of the update I'm trying is:

{
  "realm": "R6",
  "loginTheme": "btcms-default",
  "accountTheme": "r6-default",
  "emailTheme": "btcms-default",
  "passwordPolicy": "regexPattern(^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$@$!?&])[A-Za-z\\d$@$!?&]{8,32}) and forceExpiredPasswordChange(90) and passwordHistory(3)",
  "resetPasswordAllowed": true,
  "requiredActions": [
    {
      "alias": "CONFIGURE_TOTP",
      "name": "Configure OTP",
      "providerId": "CONFIGURE_TOTP",
      "enabled": true,
      "defaultAction": false,
      "config": {}
    },
    {
      "alias": "UPDATE_PASSWORD",
      "name": "Update Password",
      "providerId": "UPDATE_PASSWORD",
      "enabled": true,
      "defaultAction": false,
      "config": {}
    },
    {
      "alias": "UPDATE_PROFILE",
      "name": "Update Profile",
      "providerId": "UPDATE_PROFILE",
      "enabled": true,
      "defaultAction": false,
      "config": {}
    },
    {
      "alias": "VERIFY_EMAIL",
      "name": "Verify Email",
      "providerId": "VERIFY_EMAIL",
      "enabled": true,
      "defaultAction": false,
      "config": {}
    },
    {
      "alias": "terms_and_conditions",
      "name": "Terms and Conditions",
      "providerId": "terms_and_conditions",
      "enabled": true,
      "defaultAction": true,
      "config": {}
    }
  ]
}

The issue I'm seeing in the UI is that the terms and conditions required action is disabled. I can change this in the UI and export, which exports this correctly, but I am unable to import this configuration. Is there something else needed to configure required actions?

Regards

John McDonnell
Manager
BearingPoint
john.mcdonnell at bearingpoint.com
www.bearingpoint.com

From psilva at redhat.com Wed Aug 15 07:31:17 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 15 Aug 2018 08:31:17 -0300
Subject: [keycloak-user] UMA vs OAuth
In-Reply-To:
References:
Message-ID:

On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin wrote:
> Good day!
>
> We are using Keyclaok in our project, have installed version 4.2.1.
>
> Our task:
>
> - integration with API gateway and use KeyCloak for resources protect.
>
> We would be to use "Client Credentials Flow" from OAuth specs. But during
> version 4, KeyCloak does not support OAuth and is recommended to apply UMA
> 2.0.
>

I'm not sure what you mean here. Where did you find this recommendation?

> Yes, the differences between UMA and OAuth not huge, as a request and
> response(JWT token) formats, UMA has specific logic with RPT-token etc and
> UMA gives some advantages(we do not have the plan to use it).
>

UMA is a standard mainly targeted at privacy (although there are other benefits in using it even if not for privacy). If you don't need users managing their own resources, sharing, etc., yeah, you probably don't need it. However, keep in mind that UMA support is one of the capabilities we support in Keycloak Authorization Services; you can still use Keycloak to enforce access to your protected resources using permissions managed/granted by the server.
>
> We try to make a request in OAuth specs but got the error.
>
> Why does KeyCloak not support OAuth and UMA 2.0 same time? Do you have some
> specific reasons for this?
>

We do support it. Could you elaborate more on what you are trying to achieve?

>
> Thank you!
>
> Best regards. Dmitry Pichugin.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From joy at autonomic.ai Wed Aug 15 08:45:18 2018
From: joy at autonomic.ai (Joy Kent)
Date: Wed, 15 Aug 2018 05:45:18 -0700
Subject: [keycloak-user] How to retrieve identity provider name in a UserStorageProvider
Message-ID:

We have implemented a UserStorageProvider that stores the user information (username, email) in an external PostgreSQL database. To be more specific, it implements the following:

public class MyUserStorageProvider implements UserStorageProvider,
        UserLookupProvider,
        UserRegistrationProvider,
        UserQueryProvider

As I understand it, for identity federation the identity provider name is stored in Keycloak through UserFederatedStorageProvider, which is stored in the KeycloakSession instance. My question is: at the time when addUser() in MyUserStorageProvider is called, is it possible to retrieve a FederatedIdentityModel object or something similar from the KeycloakSession instance? The main piece of information I need is the identity provider name.

Thanks,
Joy

From ryans at jlab.org Wed Aug 15 09:25:36 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 15 Aug 2018 09:25:36 -0400 (EDT)
Subject: [keycloak-user] CORS ‘Access-Control-Allow-Origin’
missing In-Reply-To: <1111578163.20437469.1534339449584.JavaMail.zimbra@jlab.org> References: Message-ID: <265894332.20437731.1534339536045.JavaMail.zimbra@jlab.org> Hi Jan, If I comment out the jQuery "crossDomain: true" and "xhrFields: {withCredentials: true}" attributes of the XHR object then I do see the OPTIONS header in the web browser console. If I include the attributes I don't see OPTIONS. Is it possible preflight isn't needed if you've configured your client to use crossDomain? If forgot to include in my last email the final request HTTP status response code: it is 303. Is that a clue? What about all of the CORS options such as cors-max-age, cors-allowed-headers, cors-allowed-methods, etc. I am not including them in Wildfly standalone.xml currently. Are they needed to make this work? It doesn't seem to make a difference when experimenting, but I'm not sure what values to use... Thanks, Ryan ----- Original Message ----- From: "Jan Garaj" To: "keycloak-user" Sent: Wednesday, August 15, 2018 3:36:24 AM Subject: Re: [keycloak-user] CORS ?Access-Control-Allow-Origin? missing Hi, Actually, Access-Control-Allow-Origin is not missing, because it should be available in the preflight (OPTIONS) response and not in GET/POST response. My assumption is that 3.4.2+ Keycloak CORS implementation is broken and it doesn't support any JS cross-domain access at the moment. 
More details: https://issues.jboss.org/browse/KEYCLOAK-8006

You can find this CORS problem also on StackOverflow:
https://stackoverflow.com/questions/51706569/angular-keycloak-cant-get-token-using-api

Workaround: downgrade to 3.4.2- and use insecure "Web Origins": "*"

Jan Garaj
Web: http://www.jangaraj.com / http://monitoringartist.com
LinkedIn: http://www.linkedin.com/in/jangaraj

On Wed, Aug 15, 2018 at 8:09 AM wrote:

> Today's Topics:
>
> 1. CORS “Access-Control-Allow-Origin” missing (Ryan Slominski)
> 2. How to force client to use PKCE code exchange? (Eric B)
> 3. Client roles in Access Token (Henning Waack)
>
>
> ---------- Forwarded message ----------
> From: Ryan Slominski
> To: keycloak-user
> Date: Tue, 14 Aug 2018 16:21:54 -0400 (EDT)
> Subject: [keycloak-user] CORS “Access-Control-Allow-Origin” missing
>
> Hi Keycloak Users,
>
> I'm attempting to save my users a few button clicks by automatically
> trying brokered identity providers in the background with AJAX requests
> before redirecting them to the Keycloak login form (AJAX requests using
> kc_idp_hint parameter). In most cases users will already be logged into
> one of the brokered identity providers (the client is often on one of
> several SPNEGO protected subnets) and instead of showing users the login
> form with buttons to try the brokered providers manually one by one I was
> hoping to simply do it for them in the background and when directed to the
> login form for the realm the common case would be for users to be
> immediately redirected back because they're logged in already. I'm using
> the Wildfly client adapters (Java servlet container managed security)
> configured as confidential clients. I have the client "Web Origins" set to
> "*". In the Wildfly standalone.xml I have the clients configured with
> "true". I'm using Keycloak 4.1.0. On the client side I'm using jQuery and
> have "crossDomain: true" and "xhrFields:{withCredentials: true}" set on
> the XHR object. The keycloak server still doesn't respond with a
> Access-Control-Allow-Origin header though so the login fails. It works if
> not using AJAX.
> The network trace of an AJAX request from the web browser console looks like:
>
> --- Request 1 ---
> GET https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
> Host: myhost.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Cookie: OAuth_Token_Request_State=; JSESSIONID=.myhost
> Connection: keep-alive
>
> --- Response 1 ---
> Cache-Control: no-cache, no-store, must-revalidate
> Connection: Keep-Alive
> Content-Length: 0
> Date: Tue, 14 Aug 2018 19:48:46 GMT
> Expires: 0
> Keep-Alive: timeout=5, max=100
> Location: https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Pragma: no-cache
> Server: WildFly/11
> Set-Cookie: OAuth_Token_Request_State=; HttpOnly
> X-Powered-By: Undertow/1
>
> --- Request 2 ---
> GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Host: keycloak1.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Origin: https://myhost.example.com
> Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
> Connection: keep-alive
>
> --- Response 2 ---
> Status: 401
> Cache-Control: no-store, must-revalidate, max-age=0
> Connection: Keep-Alive
> Content-Length: 615
> Content-Type: text/html;charset=UTF-8
> Date: Tue, 14 Aug 2018 19:48:48 GMT
> Keep-Alive: timeout=5, max=100
> Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
>             KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> WWW-Authenticate: Negotiate
>
> --- Request 3 ---
> GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.exampel.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> Host: keycloak1.example.com
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> Accept: text/html, */*; q=0.01
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate, br
> Referer: https://myhost.example.com/myapp/mypage
> Origin: https://myhost.example.com
> Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
> Connection: keep-alive
> Authorization: Negotiate
>
> --- Response 3 ---
> Cache-Control: no-store, must-revalidate, max-age=0
> Connection: Keep-Alive
> Content-Length: 0
> Date: Tue, 14 Aug 2018 19:48:48 GMT
> Keep-Alive: timeout=5, max=99
> Location: https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=&client_id=client1&tab_id=FP3hTW-bfQ8
> Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
>             KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
>
> Notice I must redirect off a protected URL on my client app since Wildfly
> client adapter only works on pages which are explicitly protected by the
> container managed security. Also notice in the third and final request the
> response is missing the Access-Control-Allow-Origin header, which results
> in the error in the browser web console and the process ending. Any ideas?
>
> Thanks,
>
> Ryan
>
>
> ---------- Forwarded message ----------
> From: Eric B
> To: keycloak-user at lists.jboss.org
> Date: Tue, 14 Aug 2018 23:23:57 -0400
> Subject: [keycloak-user] How to force client to use PKCE code exchange?
>
> I'm using keycloak 3.4.3. Is there a way in the client configuration to
> require PKCE code exchange? I can't seem to find an option that would
> require to support this vs just the standard code exchange flow.
>
> Thanks
>
> Eric
>
>
> ---------- Forwarded message ----------
> From: Henning Waack
> To: keycloak-user at lists.jboss.org
> Date: Wed, 15 Aug 2018 09:08:41 +0200
> Subject: [keycloak-user] Client roles in Access Token
>
> Dear all.
>
> Using KC 4.2.1, I get the following access token for a "Service Account
> User":
>
> {
>   "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
>   "exp": 1534251578,
>   "nbf": 0,
>   "iat": 1534251278,
>   "iss": "https://xxx/auth/realms/NAK",
>   "aud": "nak-portal",
>   "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
>   "typ": "Bearer",
>   "azp": "nak-portal",
>   "auth_time": 0,
>   "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
>   "name": "nak portal",
>   "given_name": "nak",
>   "family_name": "portal",
>   "preferred_username": "service-account-nak-portal",
>   "email": "service-account-nak-portal at placeholder.de",
>   "email_verified": true,
>   "acr": "1",
>   "allowed-origins": [
>     "http://dummy:8008"
>   ],
>   "realm_access": {
>     "roles": [
>       "source_system"
>     ]
>   },
>   "resource_access": {
>     "realm-management": {
>       "roles": [
>         "manage-users",
>         "view-users",
>         "query-clients",
>         "query-groups",
>         "query-users"
>       ]
>     }
>   },
>   "scope": "email profile",
>   "clientId": "nak-portal",
>   "clientHost": "80.242.181.71",
>   "clientAddress": "80.242.181.71",
>   "client_id": "nak-portal",
>   "username": "service-account-nak-portal",
>   "active": true
> }
>
> Please note the five realm-management client roles. Problem is that for the
> given service account I have assigned many more roles, please see attached
> screenshot
>
> Why don't I see all effective roles (or assigned roles) in my access token?
> Interestingly enough I am also missing some of my realm roles. I have
> mapped 4 realm roles, but in the token I only have 1. Am I missing
> something?
>
> Thanks in advance, greetings
>
> Henning

From ryans at jlab.org Wed Aug 15 09:50:37 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 15 Aug 2018 09:50:37 -0400 (EDT)
Subject: [keycloak-user] How to logout
In-Reply-To: <262353809.20444827.1534340976125.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com>
Message-ID: <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org>

Hi Stan,

The documentation doesn't mention this, but it seems the logout URL should be
a POST, not a GET request. Is that true?

So, I'm trying to create an HTML logout form with method post and action to
the documented logout URL. The form has a submit button and two hidden
fields: "client_id" and "client_secret". Clicking the submit button results
in the following JSON response from the keycloak server:

{"error":"invalid_request","error_description":"No refresh token"}

So, I guess I need a third field, something like "refresh_token"? How would
I get a refresh token?
Remember I'm using the Wildfly client adapter and in my scenario the client
is out-of-sync with the keycloak server (the user is logged into keycloak,
but not the local client).

Thanks,

Ryan

----- Original Message -----
From: "Stan Silvert"
To: "keycloak-user"
Sent: Monday, August 13, 2018 7:15:15 PM
Subject: Re: [keycloak-user] How to logout

HttpServletRequest.logout() should not be a no-op. It was implemented a long
time ago: https://issues.jboss.org/browse/KEYCLOAK-478

If there is an issue with it you should report it in JIRA.

Stan

On 8/13/2018 4:19 PM, Ryan Slominski wrote:
> Hi Keycloak Users,
>
> I'm using the Wildfly client adapter and trying to logout of Keycloak, even
> if a client application container doesn't think it is logged in. This is a
> problem because login state with Keycloak and login state with JSESSION_ID
> in servlet container are two separate things that can get out-of-sync. The
> documentation says you can logout in one of two ways:
>
> 1. Call HttpServletRequest.logout()
> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>
> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>
> The first appears to be a no-op because the Java container itself isn't
> logged in, in this case.
> This does work if the client container is aware that it is logged in, but
> doesn't otherwise. The second also doesn't seem to do anything and just
> redirects back to redirect_uri. Any tips?
>
> A forceful logout is useful in the scenario when one client (client A) logs
> into Keycloak, and a different client (client B) wants to forcefully logout
> as to switch users. In this scenario client B doesn't think it is logged in
> because the client adapter is using container managed security with
> JSESSIONID, and locally the client isn't logged in. However if a login was
> attempted it would succeed automatically without prompting for a username
> and password and therefore the user wouldn't get a chance to provide an
> alternate username. A switch user ability is useful when users need to
> login with separate admin credentials or also in scenarios where a user
> says "move over and I'll drive" to a colleague.
>
> Thanks,
>
> Ryan

From jdoyle at redhat.com Wed Aug 15 10:28:37 2018
From: jdoyle at redhat.com (John Doyle)
Date: Wed, 15 Aug 2018 10:28:37 -0400
Subject: [keycloak-user] Naming of the keycloak proxy/generic adapter

We've begun calling the keycloak proxy the generic adapter.
I think this is a good move, there are too many proxies. My concern with
'generic adapter' is that it's not specific enough. Users could be justified
in thinking that they can proxy SAML with it in addition to OIDC. I propose
that we include OIDC in the name to make it clear.

Some Possibilities:

OIDC Adapter
Generic OIDC Adapter
Universal OIDC Adapter
Standalone OIDC Adapter

Other ideas or preferences?

~jd

From Kevin.Fox at pnnl.gov Wed Aug 15 11:31:37 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Wed, 15 Aug 2018 15:31:37 +0000
Subject: [keycloak-user] Naming of the keycloak proxy/generic adapter
Message-ID: <1A3C52DFCD06494D8528644858247BF01C170CE7@EX10MBOX03.pnnl.gov>

KeyCloak OIDC Generic Adapter - KOGA ? :)

Kevin

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of John Doyle [jdoyle at redhat.com]
Sent: Wednesday, August 15, 2018 7:28 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Naming of the keycloak proxy/generic adapter

We've begun calling the keycloak proxy the generic adapter.

I think this is a good move, there are too many proxies. My concern with
'generic adapter' is that it's not specific enough. Users could be justified
in thinking that they can proxy SAML with it in addition to OIDC. I propose
that we include OIDC in the name to make it clear.

Some Possibilities:

OIDC Adapter
Generic OIDC Adapter
Universal OIDC Adapter
Standalone OIDC Adapter

Other ideas or preferences?
~jd

From katariakhyati11 at gmail.com Wed Aug 15 11:49:02 2018
From: katariakhyati11 at gmail.com (Khyati Kataria)
Date: Wed, 15 Aug 2018 11:49:02 -0400
Subject: [keycloak-user] Need to stop multiple reset password request

Hi,

As per one of the vulnerability requirement, it should be possible to block a
hacker from flooding user's email box with the password reset feature.

Can you please let us know if Keycloak can be configured to prevent this
vulnerability.

Thanks,
Khyati Kataria

From ryans at jlab.org Wed Aug 15 13:58:11 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 15 Aug 2018 13:58:11 -0400 (EDT)
Subject: [keycloak-user] Uncaught Exception: undefined in JavaScript client with check-sso
Message-ID: <195546130.20529701.1534355891306.JavaMail.zimbra@jlab.org>

Hi Keycloak Users,

Looks like there might be a bug in the JavaScript client as the simplest use
of onLoad: 'check-sso' seems to result in an Uncaught Exception. Using
Keycloak 4.1.0. Simplest code snippet here:

https://gist.github.com/slominskir/547730097f9950356df34eb29270c911

Open web browser console (F12) and see Uncaught Exception. Exception doesn't
seem to break anything though and it appears to be safe to simply ignore it.
Remove check-sso and the exception goes away. Should I file a bug issue on
it?

Ryan

From msakho at redhat.com Wed Aug 15 14:28:04 2018
From: msakho at redhat.com (Meissa M'baye Sakho)
Date: Wed, 15 Aug 2018 20:28:04 +0200
Subject: [keycloak-user] Custom Identity Brokering for a CAS Server
References: <5007da33-fd04-f910-710f-4df3b8474983@grunblatt.org> <8E4DE842-9399-4554-874C-37F41DA8EA55@grunblatt.org>

Erlend,

At least, you could give inputs if you are not allowed to publish.

2018-08-14 13:00 GMT+02:00 Erlend Hamnaberg :

> I have done this for my client.
>
> It is quite possible to do, however it is not trivial.
> Not sure if I'm allowed to publish the source for the integration, but I
> will ask.
>
>
> /Erlend
>
> On Tue, Aug 14, 2018 at 12:07 PM, Rémy Grünblatt
> wrote:
>
>> Hi,
>>
>> This adds a client protocol, what we are searching for is the other way
>> around (use the CAS as a provider).
>>
>> Thanks,
>> Rémy
>>
>> On 14 Aug 2018 11:51:41 GMT+02:00, Meissa M'baye Sakho <
>> msakho at redhat.com> wrote:
>> > Remy,
>> > take a look at this [1]
>> > [1] https://github.com/Doccrazy/keycloak-protocol-cas
>> >
>> > Meissa
>> >
>> > 2018-08-14 11:25 GMT+02:00 Rémy Grünblatt :
>> >
>> >> Hello,
>> >>
>> >> We would like to have a Keycloak server use data from a legacy auth
>> >> system (namely, a CAS server,
>> >> https://en.wikipedia.org/wiki/Central_Authentication_Service ) to
>> >> authenticate people. We do not have admin rights on the CAS server, nor
>> >> we are able to access the underlying ldap database it uses internally.
>> >>
>> >> People would be able to have « pure » keycloak accounts (new users), but
>> >> also link their identity from the CAS or use the CAS to identify, and
>> >> create an account the first time they do so.
>> >>
>> >> I tried to find documentation to develop our own identity provider (as
>> >> Keycloak only has an social, oidc, and saml providers), but I find it
>> >> difficult to guess what are the interfaces we need to implement.
>> >>
>> >> Right now, this is what I have:
>> >> https://github.com/Reventl0v/KeycloakCAS
>> >>
>> >>
>> >> So, questions:
>> >>
>> >> - Is there somewhere listing everything we need to implement beside
>> >> looking at the code of keycloak?
>> >> - Is there online some custom provider example code for something that
>> >> is not talking oidc, saml, or is a social provider?
>> >> - Do you think it's a good idea to create such a provider?
>> >>
>> >>
>> >> I found
>> >> http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html
>> >> but I have no news about the result of this enterprise: Dominik (can I
>> >> call you Dominik?), did you manage to achieve this goal?
>> >>
>> >> Many thanks,
>> >>
>> >> Rémy
>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.

From ssilvert at redhat.com Wed Aug 15 15:02:18 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 15 Aug 2018 15:02:18 -0400
Subject: [keycloak-user] How to logout
In-Reply-To: <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com> <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org>

Why is your client out of sync with the keycloak server? If you are building
a servlet-based application (JSF, JSP, Struts, etc.), then why not use the
WildFly adapter in the JEE way as described in the Keycloak documentation?
The WildFly Keycloak adapter takes care of all the hard stuff for you.

On 8/15/2018 9:50 AM, Ryan Slominski wrote:
> Hi Stan,
> The documentation doesn't mention this, but it seems the logout URL should
> be a POST, not a GET request. Is that true?
>
> So, I'm trying to create an HTML logout form with method post and action
> to the documented logout URL. The form has a submit button and two hidden
> fields: "client_id" and "client_secret".
> Clicking the submit button results in the following JSON response from the
> keycloak server:
>
> {"error":"invalid_request","error_description":"No refresh token"}
>
> So, I guess I need a third field, something like "refresh_token"? How would
> I get a refresh token? Remember I'm using the Wildfly client adapter and in
> my scenario the client is out-of-sync with the keycloak server (the user is
> logged into keycloak, but not the local client).
>
> Thanks,
>
> Ryan
>
> ----- Original Message -----
> From: "Stan Silvert"
> To: "keycloak-user"
> Sent: Monday, August 13, 2018 7:15:15 PM
> Subject: Re: [keycloak-user] How to logout
>
> HttpServletRequest.logout() should not be a no-op. It was implemented a
> long time ago: https://issues.jboss.org/browse/KEYCLOAK-478
>
> If there is an issue with it you should report it in JIRA.
>
> Stan
>
> On 8/13/2018 4:19 PM, Ryan Slominski wrote:
>> Hi Keycloak Users,
>>
>> I'm using the Wildfly client adapter and trying to logout of Keycloak,
>> even if a client application container doesn't think it is logged in.
>> This is a problem because login state with Keycloak and login state with
>> JSESSION_ID in servlet container are two separate things that can get
>> out-of-sync. The documentation says you can logout in one of two ways:
>>
>> 1. Call HttpServletRequest.logout()
>> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>>
>> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>>
>> The first appears to be a no-op because the Java container itself isn't
>> logged in, in this case. This does work if the client container is aware
>> that it is logged in, but doesn't otherwise. The second also doesn't seem
>> to do anything and just redirects back to redirect_uri. Any tips?
>>
>> A forceful logout is useful in the scenario when one client (client A)
>> logs into Keycloak, and a different client (client B) wants to forcefully
>> logout as to switch users. In this scenario client B doesn't think it is
>> logged in because the client adapter is using container managed security
>> with JSESSIONID, and locally the client isn't logged in. However if a
>> login was attempted it would succeed automatically without prompting for
>> a username and password and therefore the user wouldn't get a chance to
>> provide an alternate username. A switch user ability is useful when users
>> need to login with separate admin credentials or also in scenarios where
>> a user says "move over and I'll drive" to a colleague.
>>
>> Thanks,
>>
>> Ryan

From ssilvert at redhat.com Wed Aug 15 15:13:16 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 15 Aug 2018 15:13:16 -0400
Subject: [keycloak-user] Need to stop multiple reset password request
Message-ID: <48e150eb-e91f-85b7-c06f-f26e1d4fa56b@redhat.com>

On 8/15/2018 11:49 AM, Khyati Kataria wrote:
> Hi,
>
> As per one of the vulnerability requirement, it should be possible to
> block a hacker from flooding user's email box with the password reset
> feature.
>
> Can you please let us know if Keycloak can be configured to prevent
> this vulnerability.

I don't think so. This seems like something that could be handled by your
email server though.
>
>
>
> Thanks,
> Khyati Kataria
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org  Wed Aug 15 15:27:30 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 15 Aug 2018 15:27:30 -0400 (EDT)
Subject: [keycloak-user] How to logout
In-Reply-To: <840634764.20565537.1534361240346.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com> <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org>
Message-ID: <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org>

Hi Stan,

If you have multiple applications you can get out-of-sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security:

https://javaee.github.io/tutorial/security-webtier003.html

And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if a SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly. The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea.

It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to keycloak server itself?

Ryan

----- Original Message -----
From: "Stan Silvert"
To: "Ryan Slominski"
Cc: "keycloak-user"
Sent: Wednesday, August 15, 2018 3:02:18 PM
Subject: Re: [keycloak-user] How to logout

Why is your client out of sync with the keycloak server? If you are building a servlet-based application (JSF, JSP, Struts, etc.), then why not use the WildFly adapter in the JEE way as described in the Keycloak documentation? The WildFly Keycloak adapter takes care of all the hard stuff for you.

On 8/15/2018 9:50 AM, Ryan Slominski wrote:
> Hi Stan,
> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true?
>
> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server:
>
> {"error":"invalid_request","error_description":"No refresh token"}
>
> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client).
>
> Thanks,
>
> Ryan
>
> ----- Original Message -----
> From: "Stan Silvert"
> To: "keycloak-user"
> Sent: Monday, August 13, 2018 7:15:15 PM
> Subject: Re: [keycloak-user] How to logout
>
> HttpServletRequest.logout() should not be a no-op. It was implemented a
> long time ago:
> https://issues.jboss.org/browse/KEYCLOAK-478
>
> If there is an issue with it you should report it in JIRA.
>
> Stan
>
> On 8/13/2018 4:19 PM, Ryan Slominski wrote:
>> Hi Keycloak Users,
>>
>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>>
>> 1. Call HttpServletRequest.logout()
>> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>>
>> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>>
>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>>
>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>
>> Thanks,
>>
>> Ryan
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ssilvert at redhat.com  Wed Aug 15 16:04:03 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 15 Aug 2018 16:04:03 -0400
Subject: [keycloak-user] How to logout
In-Reply-To: <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com>
<1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org> <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org>

On 8/15/2018 3:27 PM, Ryan Slominski wrote:
> Hi Stan,
> If you have multiple applications you can get out-of-sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security:
I don't understand why this matters. If you are not going to a protected page in application B then why do you care if you are logged into Keycloak? I guess I'm not understanding your use case.
>
> https://javaee.github.io/tutorial/security-webtier003.html
>
> And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if a SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly. The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea.
>
> It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to keycloak server itself?
>
> Ryan
>
>
>
> ----- Original Message -----
> From: "Stan Silvert"
> To: "Ryan Slominski"
> Cc: "keycloak-user"
> Sent: Wednesday, August 15, 2018 3:02:18 PM
> Subject: Re: [keycloak-user] How to logout
>
> Why is your client out of sync with the keycloak server? If you are
> building a servlet-based application (JSF, JSP, Struts, etc.), then why
> not use the WildFly adapter in the JEE way as described in the Keycloak
> documentation? The WildFly Keycloak adapter takes care of all the hard
> stuff for you.
>
> On 8/15/2018 9:50 AM, Ryan Slominski wrote:
>> Hi Stan,
>> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true?
>>
>> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server:
>>
>> {"error":"invalid_request","error_description":"No refresh token"}
>>
>> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client).
>>
>> Thanks,
>>
>> Ryan
>>
>> ----- Original Message -----
>> From: "Stan Silvert"
>> To: "keycloak-user"
>> Sent: Monday, August 13, 2018 7:15:15 PM
>> Subject: Re: [keycloak-user] How to logout
>>
>> HttpServletRequest.logout() should not be a no-op. It was implemented a
>> long time ago:
>> https://issues.jboss.org/browse/KEYCLOAK-478
>>
>> If there is an issue with it you should report it in JIRA.
>>
>> Stan
>>
>> On 8/13/2018 4:19 PM, Ryan Slominski wrote:
>>> Hi Keycloak Users,
>>>
>>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>>>
>>> 1. Call HttpServletRequest.logout()
>>> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>>>
>>> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>>>
>>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>>>
>>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>>
>>> Thanks,
>>>
>>> Ryan
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org  Wed Aug 15 16:34:15 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 15 Aug 2018 16:34:15 -0400 (EDT)
Subject: [keycloak-user] How to logout
In-Reply-To: <86575982.20581685.1534365193436.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com> <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org> <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org>
Message-ID: <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org>

Two issues:

(1) Wildfly client adapter doesn't detect when a user is logged
into Keycloak on pages in which the HttpServletRequest.isUserInRole() method is used to programmatically determine who sees what, until after hitting a declaratively protected (web.xml) page first. The Wildfly client adapter assumes all pages which use isUserInRole are declaratively protected, but that is not always true (and essentially never true in my case). This means when jumping from one application to another you lose your SSO.

(2) Trying to switch users in an environment where it is unknown whether you are logged in or not results in surprise logins as the previous account when you really want to enter new credentials.

Essentially all my application pages show something no matter if you are logged in or not, but if you are logged in you see extra stuff like edit buttons. When working in a group around a computer and someone asks to switch users (login as admin, or "move over and let me show you" scenarios) confusion ensues, as the application might show the user as not logged in, but then attempting to login detects an existing token and skips the login form. Now the user must logout and try again.

----- Original Message -----
From: "Stan Silvert"
To: "Ryan Slominski"
Cc: "keycloak-user"
Sent: Wednesday, August 15, 2018 4:04:03 PM
Subject: Re: [keycloak-user] How to logout

On 8/15/2018 3:27 PM, Ryan Slominski wrote:
> Hi Stan,
> If you have multiple applications you can get out-of-sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security:
I don't understand why this matters. If you are not going to a protected page in application B then why do you care if you are logged into Keycloak? I guess I'm not understanding your use case.
>
> https://javaee.github.io/tutorial/security-webtier003.html
>
> And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if a SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly. The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea.
>
> It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to keycloak server itself?
>
> Ryan
>
>
>
> ----- Original Message -----
> From: "Stan Silvert"
> To: "Ryan Slominski"
> Cc: "keycloak-user"
> Sent: Wednesday, August 15, 2018 3:02:18 PM
> Subject: Re: [keycloak-user] How to logout
>
> Why is your client out of sync with the keycloak server? If you are
> building a servlet-based application (JSF, JSP, Struts, etc.), then why
> not use the WildFly adapter in the JEE way as described in the Keycloak
> documentation? The WildFly Keycloak adapter takes care of all the hard
> stuff for you.
>
> On 8/15/2018 9:50 AM, Ryan Slominski wrote:
>> Hi Stan,
>> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true?
>>
>> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server:
>>
>> {"error":"invalid_request","error_description":"No refresh token"}
>>
>> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client).
>>
>> Thanks,
>>
>> Ryan
>>
>> ----- Original Message -----
>> From: "Stan Silvert"
>> To: "keycloak-user"
>> Sent: Monday, August 13, 2018 7:15:15 PM
>> Subject: Re: [keycloak-user] How to logout
>>
>> HttpServletRequest.logout() should not be a no-op. It was implemented a
>> long time ago:
>> https://issues.jboss.org/browse/KEYCLOAK-478
>>
>> If there is an issue with it you should report it in JIRA.
>>
>> Stan
>>
>> On 8/13/2018 4:19 PM, Ryan Slominski wrote:
>>> Hi Keycloak Users,
>>>
>>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>>>
>>> 1. Call HttpServletRequest.logout()
>>> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>>>
>>> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>>>
>>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>>>
>>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>>
>>> Thanks,
>>>
>>> Ryan
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pdomsk at gmail.com  Wed Aug 15 18:33:49 2018
From: pdomsk at gmail.com (Dmitry Pichugin)
Date: Thu, 16 Aug 2018 01:33:49 +0300
Subject: [keycloak-user] UMA vs OAuth

>
> We do support. Could you elaborate more what you are trying to achieve ?

Pedro, thank you for the answer!

You are right. We tried to apply UMA to the simple OAuth scenario "Client Credentials flow" and it was a mistake. We only need to get an access token which contains scopes. Yes, it works in KeyCloak.

But we have another problem: when we tried to request an access token with scopes which do not exist or have not been assigned to the client, as a result we received an access token with an empty "scope" parameter.

Request:

curl -X "POST" -d "client_id=testclient&client_secret=secret&grant_type=client_credentials&scope=unexisted_scope" http://keykcloak_server:8080/auth/realms/master/protocol/openid-connect/token

Response:

{
  "access_token": "eyJhbG[...]1LQ",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": ""
}

But, according to RFC 6749, The OAuth 2.0 Authorization Framework, we must get the error "invalid_scope":

4.1.4. Access Token Response

If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.1. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2.

and point 5.2. Error Response

.....

invalid_scope
    The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.

We tried to find something in the client settings for fixing the problem, but found nothing. Could you reply, is it a KeyCloak error, or is there some special "setting" in the interface that we can't find?

Best regards. Dmitry Pichugin.

On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva wrote:

> On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin wrote:
>
>> Good day!
>>
>> We are using Keycloak in our project, have installed version 4.2.1.
>>
>> Our task:
>>
>> - integration with an API gateway, using KeyCloak to protect resources.
>>
>> We would like to use "Client Credentials Flow" from the OAuth specs. But during
>> version 4, KeyCloak does not support OAuth and it is recommended to apply UMA
>> 2.0.
>>
>
> I'm not sure what you mean here. Where did you find this recommendation ?
>
>
>>
>> Yes, the differences between UMA and OAuth are not huge, as far as request and
>> response (JWT token) formats go; UMA has specific logic with the RPT token etc. and
>> UMA gives some advantages (we do not have a plan to use it).
>>
>
> UMA is a standard mainly targeted for privacy (although there are other
> benefits in using it even if not for privacy); if you don't need users
> managing their own resources, sharing, etc., yeah, you probably don't need
> it. However, keep in mind that UMA support is one of the capabilities we
> support in Keycloak Authorization Services; you can still use Keycloak to
> enforce access to your protected resources using permissions
> managed/granted by the server.
>
>
>>
>> We try to make a request per the OAuth specs but got the error.
>>
>> Why does KeyCloak not support OAuth and UMA 2.0 at the same time? Do you have
>> some specific reasons for this?
>>
>
> We do support. Could you elaborate more what you are trying to achieve ?
>
>
>>
>> Thank you!
>>
>> Best regards. Dmitry Pichugin.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From courtney.robinson at hypi.io  Wed Aug 15 23:23:42 2018
From: courtney.robinson at hypi.io (Courtney Robinson)
Date: Thu, 16 Aug 2018 04:23:42 +0100
Subject: [keycloak-user] Using Keycloak for per field authorisation

>
>
>> One of us in the team will be working on this in our next sprint so a lot
>> of things should fall into place as part of this.
>>
>
> In the next release, we are also delivering improvements around
> performance. We found places we could improve, and especially the policy
> evaluation engine. We have introduced some cache layers to avoid redundancy
> when evaluating permissions/policies. Let us know about your experience; we
> know we can still improve it. But as the first work we did around
> performance tests, the results are pretty good (and much better than
> previous releases).
>
>
Sounds good. I'll provide feedback once we've implemented it and put it under some real load.

>> One outstanding concern with our proposed move to Keycloak for
>> authorisation is understanding how to scale it well with the rest of our
>> stack.
>>
>
> No, it is not, and you are not the first one from the community with similar
> requirements. Maybe we could start discussing and including this in our
> roadmap.
>
I am more than happy to do that. Keycloak provides everything we think we need for authz so we're more than happy to help get that last 20% in there.

We're a tiny team though, so I expect we wouldn't be able to do much in the way of contributions until mid-Nov, after our current roadmap targets have been delivered. Post that we can schedule some Keycloak work into our sprints.

>> I've had an attempt at a user SPI and concluded we'd be better off
>> pushing it to Keycloak backed by Postgres. (Considered if we could write an
>> Ignite drop in or something similar but the effort wasn't worth the initial
>> perceived gains since users are probably going to remain relatively small
>> compared to resources).
>> Out of interest however, Keycloak's using Hibernate right? How pluggable
>> is this so that it could be replaced with Hibernate OGM?
>>
>
> IIRC, OGM is based on the JPA spec, right ? If you mean implementing the User SPI
> using OGM, it should work.
>
Yeah, the latest OGM is JPA 2.2 compliant now if memory serves. It's more of a Hibernate for "NoSQL" so you could hook up Cassandra, Ignite, CouchDB etc. as a persistence unit and for the most part use the Hibernate APIs as if they were going to a relational DB. I meant more of a drop in replacement so all of the Keycloak persistence went through OGM. I'll experiment, I just asked in case you readily knew.

Nice.

> As I mentioned before, we have been working with performance
> improvements. During this work I noticed that performance is not really
> related to the number of resources or scopes, but to how you design your
> policies and how you obtain them from the server. For instance, if you query
> the server for all permissions a user has, you would not get good
> throughput. However, if you can perform incremental authorization, ask for
> chunks of permissions, etc., you will get good throughput. Of course, this
> is relative; I could give you numbers but that could be misleading and not
> based on your real constraints.
>
> This is an area we want to improve from now on, so feedback is always
> welcome.
> I think because the entry point to our API is GraphQL it lends itself well to being able to do incremental authorisation. I'll have some feedback soon on how this turns out. Thanks for all the info. it's been very helpful. From erlend at hamnaberg.net Thu Aug 16 02:25:52 2018 From: erlend at hamnaberg.net (Erlend Hamnaberg) Date: Thu, 16 Aug 2018 08:25:52 +0200 Subject: [keycloak-user] Fwd: Custom Identity Brokering for a CAS Server In-Reply-To: References: <5007da33-fd04-f910-710f-4df3b8474983@grunblatt.org> <8E4DE842-9399-4554-874C-37F41DA8EA55@grunblatt.org> Message-ID: Whops, Forgot to send this to the list. Sure. It all depends on how you want to implement this. You can for instance implement the Authenticator SPI or by using the IdentityProvider SPI. These are very differerent implementation. I have used the IdentityProvider SPI, and used the client libs from CAS. If you are able to change the CAS server install, you can add the OpenId Connect plugin and then the implementation becomes trivial, as you only need to add that as a OIDC IdentityProvider config. For my client, that was not possible. /Erlend On Wed, Aug 15, 2018 at 8:28 PM, Meissa M'baye Sakho wrote: > Erlend, > At least, you could give inputs if you are not allowed to publish. > > 2018-08-14 13:00 GMT+02:00 Erlend Hamnaberg : > >> I have done this for my client. >> >> It is quite possible to do, however it is not trivial. >> Not sure if I'm allowed to publish the source for the integration, but I >> will ask. >> >> >> /Erlend >> >> On Tue, Aug 14, 2018 at 12:07 PM, R?my Gr?nblatt >> wrote: >> >>> Hi, >>> >>> This adds a client protocol, what we are searching for is the other way >>> around (use the CAS as a provider). 
>>> >>> Thanks, >>> Rémy >>> >>> On 14 August 2018 11:51:41 GMT+02:00, Meissa M'baye Sakho < >>> msakho at redhat.com> wrote: >>> >Remy, >>> >take a look at this [1] >>> > [1] https://github.com/Doccrazy/keycloak-protocol-cas >>> > >>> >Meissa >>> > >>> >2018-08-14 11:25 GMT+02:00 Rémy Grünblatt : >>> > >>> >> Hello, >>> >> >>> >> We would like to have a Keycloak server use data from a legacy auth >>> >> system (namely, a CAS server, >>> >> https://en.wikipedia.org/wiki/Central_Authentication_Service ) to >>> >> authenticate people. We do not have admin rights on the CAS server, >>> >nor >>> >> are we able to access the underlying ldap database it uses >>> >internally. >>> >> >>> >> People would be able to have "pure" keycloak accounts (new users), >>> >but >>> >> also link their identity from the CAS or use the CAS to identify, and >>> >> create an account the first time they do so. >>> >> >>> >> I tried to find documentation to develop our own identity provider >>> >(as >>> >> Keycloak only has social, oidc, and saml providers), but I find it >>> >> difficult to guess what the interfaces are that we need to implement. >>> >> >>> >> Right now, this is what I have: >>> >https://github.com/Reventl0v/KeycloakCAS >>> >> >>> >> >>> >> So, questions: >>> >> >>> >> - Is there somewhere a listing of everything we need to implement besides >>> >> looking at the code of keycloak? >>> >> - Is there online some custom provider example code for something >>> >that >>> >> is not talking oidc, saml, or is a social provider? >>> >> - Do you think it's a good idea to create such a provider? >>> >> >>> >> >>> >> I found >>> >> >>> >http://lists.jboss.org/pipermail/keycloak-user/2017-October/012100.html >>> >> but I have no news about the result of this enterprise: Dominik (can >>> >I >>> >> call you Dominik?), did you manage to achieve this goal?
>>> >> >>> >> Many thanks, >>> >> >>> >> Rémy >>> >> >>> >> >>> >> >>> >> _______________________________________________ >>> >> keycloak-user mailing list >>> >> keycloak-user at lists.jboss.org >>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> -- >>> Sent from my Android device with K-9 Mail. Please excuse my brevity. >>> >> >> > From abdul.basith at iinerds.com Thu Aug 16 03:14:33 2018 From: abdul.basith at iinerds.com (Abdul Basith) Date: Thu, 16 Aug 2018 12:44:33 +0530 Subject: [keycloak-user] Redirect uri is not working Message-ID: Hi All, I have configured a Keycloak standalone server and created a client under a newly created realm and given an HTTP URL (for ex: http://something.com) in the "Valid redirect Uri" section of client settings. Then I have added Keycloak to our web application which is developed in vue.js using the "rockt-vuejs-keycloak-npm". Everything worked fine. Due to security reasons we changed our URL to HTTPS and replaced the "Valid redirect Uri" with the HTTPS URL in keycloak. But unfortunately we started getting an error "Invalid redirect URL" while loading the page and still the redirect URL is pointing to the old http redirect URL. I have tried clearing the realm cache, but I am still getting the error. What will be the reason for this issue? And how can I fix this issue? Thanks in advance Abdul Basith From Sebastian.Schuster at bosch-si.com Thu Aug 16 03:15:47 2018 From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST/ESY1)) Date: Thu, 16 Aug 2018 07:15:47 +0000 Subject: [keycloak-user] Naming of the keycloak proxy/generic adapter In-Reply-To: References: Message-ID: <23ba44fc46cc4b1ca2b3e7df8faa1b05@bosch-si.com> My vote goes to OIDC Adapter. It just supports OIDC, that's what the name says.
I don't think adding something like "generic" adds meaningful information. The shorter, the better... :) Best regards, Sebastian Best regards Dr.-Ing. Sebastian Schuster Engineering and Support (INST/ESY1) Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com Registered office: Berlin, Registration court: Amtsgericht Charlottenburg; HRB 148411 B Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of John Doyle Sent: Wednesday, 15 August 2018 16:29 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Naming of the keycloak proxy/generic adapter We've begun calling the keycloak proxy the generic adapter. I think this is a good move, there are too many proxies. My concern with 'generic adapter' is that it's not specific enough. Users could be justified in thinking that they can proxy SAML with it in addition to OIDC. I propose that we include OIDC in the name to make it clear. Some possibilities: OIDC Adapter, Generic OIDC Adapter, Universal OIDC Adapter, Standalone OIDC Adapter. Other ideas or preferences? ~jd From olivier.guilloux at libre-logic.fr Thu Aug 16 06:01:24 2018 From: olivier.guilloux at libre-logic.fr (Olivier Guilloux) Date: Thu, 16 Aug 2018 12:01:24 +0200 Subject: [keycloak-user] How an end-user can delete his account Message-ID: Hello, How can an end-user delete his account using the account page (auth/realms/<...>/account/)? I have found the API "DELETE /{realm}/users/{id}" but the account page doesn't have any delete account button?
Regards, -- Olivier GUILLOUX From christian.neudert at doksafe.de Thu Aug 16 06:06:16 2018 From: christian.neudert at doksafe.de (Christian Neudert) Date: Thu, 16 Aug 2018 10:06:16 +0000 Subject: [keycloak-user] Limitations of create_realm role or a bug? Message-ID: Hello, I have a permission problem with realms created by a user in the master realm, who has the "create_realm" role only. This user can create a realm and new users in it but can't assign the "impersonation" role to them. From my understanding, it's because this user doesn't have the "impersonation" role in the master realm and therefore can't assign it to another user in another realm. This is expected as of what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#realm-specific-roles. My problem is that I can't configure the created realm completely with this user without that possibility. It also contradicts what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#global-roles: "Users with the create-realm role are allowed to create new realms. They will be granted full access to any new realm they create." Should a user with the "create_realm" role be allowed to set the "impersonation" role for users in realms created by her or is it a bug? If it's a wanted restriction I don't know how to solve that problem without giving this user the admin permission in the master realm, which is not so good. FYI: I'm using Keycloak 3.4 with the Java Keycloak Admin CLI atm. Best regards, Christian Neudert ________________________________ Law firm software for modern lawyers. Try it for free at www.actaport.de ________________________________ dokSAFE GmbH Goethestraße 1 04109 Leipzig www.doksafe.de ________________________________ Registered office: Goethestraße 1, 04109 Leipzig; Amtsgericht Leipzig HRB 32536; Managing directors: Steffen Scholz, Dr.
Michael Schäfer ________________________________ This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation. From christian.neudert at doksafe.de Thu Aug 16 06:06:48 2018 From: christian.neudert at doksafe.de (Christian Neudert) Date: Thu, 16 Aug 2018 10:06:48 +0000 Subject: [keycloak-user] Problem Integration with OAuth2 provider In-Reply-To: References: Message-ID: <6B87FE87-AC99-4710-9340-CCC35FE602DD@doksafe.de> Hello Graham, Maybe a little help: I remember a similar case in which the client secret was wrong and the response that Keycloak got was empty. Keycloak then didn't handle it as an error, just went on and found no token. Best regards, Christian Neudert On 15.08.18, 00:55, "keycloak-user-bounces at lists.jboss.org on behalf of Graham Burgess" wrote: I am trying to use Keycloak to broker our internally managed OAuth2 provider. I am unable to get it to complete the "First Broker Login" workflow. The logs show "No token from server" as an error but I have thus far been unable to get my Google-fu to help me figure out what the issue might be. I even went as far as looking at the code based on the stack trace and that would suggest that it is looking for an id_token, but my understanding is that for response_type=code as chosen by Keycloak, id_token isn't returned.
I suspect I am doing something wrong but I don't know what and I am at a point that I don't know where to look to figure it out. I have looked at the different requests as they go through the workflow and can see all the redirects, etc. but it hasn't shown anything that has helped me either. Anyone have any suggestions on how to proceed with troubleshooting this issue? Best regards, Graham Burgess RΛZΞR|stormmore Sr. DevOps Engineer (USA) Email: graham.burgess at razer.com DID: (415) 374 0639 Razer.com | Razer Game Store | Razer Insider | Razer zVault Razer Inc. (San Francisco) 201 3rd Street, Suite 900 San Francisco CA 94103, USA Tel: +1 (415) 266 5300 Razer Inc. Stock Code: 1337.HK IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems.
From sthorger at redhat.com Thu Aug 16 06:15:18 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 16 Aug 2018 12:15:18 +0200 Subject: [keycloak-user] Keycloak 4.3.0.Final is out Message-ID: https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-4-3-0-final From jan.garaj at gmail.com Thu Aug 16 06:12:05 2018 From: jan.garaj at gmail.com (Jan Garaj) Date: Thu, 16 Aug 2018 11:12:05 +0100 Subject: [keycloak-user] CORS "Access-Control-Allow-Origin"
missing In-Reply-To: <265894332.20437731.1534339536045.JavaMail.zimbra@jlab.org> References: <1111578163.20437469.1534339449584.JavaMail.zimbra@jlab.org> <265894332.20437731.1534339536045.JavaMail.zimbra@jlab.org> Message-ID: Hi Ryan, IMHO jQuery "crossDomain: true" doesn't help - that's for JSONP requests. I'm not familiar with Wildfly, but I don't understand why I should configure CORS headers in the app server when I can return them from the app (Keycloak in this case). What is your Keycloak version and preflight request/response? *Jan Garaj* Web: http://www.jangaraj.com / http://monitoringartist.com LinkedIn: http://www.linkedin.com/in/jangaraj On Wed, Aug 15, 2018 at 2:25 PM Ryan Slominski wrote: > Hi Jan, > > If I comment out the jQuery "crossDomain: true" and "xhrFields: > {withCredentials: true}" attributes of the XHR object then I do see the > OPTIONS header in the web browser console. If I include the attributes I > don't see OPTIONS. Is it possible preflight isn't needed if you've > configured your client to use crossDomain? I forgot to include in my last > email the final request HTTP status response code: it is 303. Is that a > clue? > > What about all of the CORS options such as cors-max-age, > cors-allowed-headers, cors-allowed-methods, etc. I am not including them > in Wildfly standalone.xml currently. Are they needed to make this work? > It doesn't seem to make a difference when experimenting, but I'm not sure > what values to use... > > Thanks, > > Ryan > > ----- Original Message ----- > From: "Jan Garaj" > To: "keycloak-user" > Sent: Wednesday, August 15, 2018 3:36:24 AM > Subject: Re: [keycloak-user] CORS "Access-Control-Allow-Origin" missing > > Hi, > > Actually, Access-Control-Allow-Origin is not missing, because it should be > available in the preflight (OPTIONS) response and not in the GET/POST response. > > My assumption is that the 3.4.2+ Keycloak CORS implementation is broken and it > doesn't support any JS cross-domain access at the moment.
> > More details: > https://issues.jboss.org/browse/KEYCLOAK-8006 > > You can find this CORS problem also on StackOverflow: > > https://stackoverflow.com/questions/51706569/angular-keycloak-cant-get-token-using-api > > Workaround: downgrade to 3.4.2- and use insecure "Web Origins": "*" > > *Jan Garaj* > Web: http://www.jangaraj.com / http://monitoringartist.com > LinkedIn: http://www.linkedin.com/in/jangaraj > > On Wed, Aug 15, 2018 at 8:09 AM > wrote: > > > > Today's Topics: > > > > 1. CORS "Access-Control-Allow-Origin" missing (Ryan Slominski) > > 2. How to force client to use PKCE code exchange? (Eric B) > > 3. Client roles in Access Token (Henning Waack) > > > > > > > > ---------- Forwarded message ---------- > > From: Ryan Slominski > > To: keycloak-user > > Cc: > > Bcc: > > Date: Tue, 14 Aug 2018 16:21:54 -0400 (EDT) > > Subject: [keycloak-user] CORS "Access-Control-Allow-Origin" missing > > Hi Keycloak Users, > > > > I'm attempting to save my users a few button clicks by automatically > > trying brokered identity providers in the background with AJAX requests > > before redirecting them to the Keycloak login form (AJAX requests using > > the kc_idp_hint parameter). In most cases users will already be logged into > > one of the brokered identity providers (the client is often on one of > > several SPNEGO protected subnets) and instead of showing users the login > > form with buttons to try the brokered providers manually one by one I was > > hoping to simply do it for them in the background and when directed to > the > > login form for the realm the common case would be for users to be > > immediately redirected back because they're logged in already. I'm using > > the Wildfly client adapters (Java servlet container managed security) > > configured as confidential clients.
I have the client "Web Origins" set to "*". In the Wildfly standalone.xml I have the clients configured with > > "true". I'm using Keycloak 4.1.0. On the client side I'm using jQuery and have "crossDomain: true" > > and "xhrFields:{withCredentials: true}" set on the XHR object. The > > keycloak server still doesn't respond with an Access-Control-Allow-Origin > > header though so the login fails. It works if not using AJAX. The > > network trace of an AJAX request from the web browser console looks like:
> >
> > --- Request 1 ---
> > GET https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
> > Host: myhost.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer: https://myhost.example.com/myapp/mypage
> > Cookie: OAuth_Token_Request_State=; JSESSIONID=.myhost
> > Connection: keep-alive
> >
> > --- Response 1 ---
> > Cache-Control: no-cache, no-store, must-revalidate
> > Connection: Keep-Alive
> > Content-Length: 0
> > Date: Tue, 14 Aug 2018 19:48:46 GMT
> > Expires: 0
> > Keep-Alive: timeout=5, max=100
> > Location:
> > https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Pragma: no-cache
> > Server: WildFly/11
> > Set-Cookie: OAuth_Token_Request_State=; HttpOnly
> > X-Powered-By: Undertow/1
> >
> > --- Request 2 ---
> > GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Host: keycloak1.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer: https://myhost.example.com/myapp/mypage
> > Origin:
> > https://myhost.example.com
> > Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
> > Connection: keep-alive
> >
> > --- Response 2 ---
> > Status: 401
> > Cache-Control: no-store, must-revalidate, max-age=0
> > Connection: Keep-Alive
> > Content-Length: 615
> > Content-Type: text/html;charset=UTF-8
> > Date: Tue, 14 Aug 2018 19:48:48 GMT
> > Keep-Alive: timeout=5, max=100
> > Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> > Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> > KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> > WWW-Authenticate: Negotiate
> >
> > --- Request 3 ---
> > GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Host: keycloak1.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer:
> > https://myhost.example.com/myapp/mypage
> > Origin: https://myhost.example.com
> > Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
> > Connection: keep-alive
> > Authorization: Negotiate
> >
> > --- Response 3 ---
> > Cache-Control: no-store, must-revalidate, max-age=0
> > Connection: Keep-Alive
> > Content-Length: 0
> > Date: Tue, 14 Aug 2018 19:48:48 GMT
> > Keep-Alive: timeout=5, max=99
> > Location: https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=&client_id=client1&tab_id=FP3hTW-bfQ8
> > Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> > Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> > KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> >
> > Notice I must redirect off a protected URL on my client app since the Wildfly client adapter only works on pages which are explicitly protected by the container managed security. Also notice in the third and final request the response is missing the Access-Control-Allow-Origin header, which results in the error in the browser web console and the process ending. Any ideas?
> > > > Thanks, > > > > Ryan > > > > > > > > > > > > ---------- Forwarded message ---------- > > From: Eric B > > To: keycloak-user at lists.jboss.org > > Cc: > > Bcc: > > Date: Tue, 14 Aug 2018 23:23:57 -0400 > > Subject: [keycloak-user] How to force client to use PKCE code exchange? > > I'm using keycloak 3.4.3. Is there a way in the client configuration to > > require PKCE code exchange? I can't seem to find an option that would > > require support for this vs just the standard code exchange flow. > > > > Thanks > > > > Eric > > > > > > > > > > ---------- Forwarded message ---------- > > From: Henning Waack > > To: keycloak-user at lists.jboss.org > > Cc: > > Bcc: > > Date: Wed, 15 Aug 2018 09:08:41 +0200 > > Subject: [keycloak-user] Client roles in Access Token > > Dear all. > > > > Using KC 4.2.1, I get the following access token for a "Service Account > > User":
> >
> > {
> >   "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
> >   "exp": 1534251578,
> >   "nbf": 0,
> >   "iat": 1534251278,
> >   "iss": "https://xxx/auth/realms/NAK",
> >   "aud": "nak-portal",
> >   "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
> >   "typ": "Bearer",
> >   "azp": "nak-portal",
> >   "auth_time": 0,
> >   "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
> >   "name": "nak portal",
> >   "given_name": "nak",
> >   "family_name": "portal",
> >   "preferred_username": "service-account-nak-portal",
> >   "email": "service-account-nak-portal at placeholder.de",
> >   "email_verified": true,
> >   "acr": "1",
> >   "allowed-origins": [
> >     "http://dummy:8008"
> >   ],
> >   "realm_access": {
> >     "roles": [
> >       "source_system"
> >     ]
> >   },
> >   "resource_access": {
> >     "realm-management": {
> >       "roles": [
> >         "manage-users",
> >         "view-users",
> >         "query-clients",
> >         "query-groups",
> >         "query-users"
> >       ]
> >     }
> >   },
> >   "scope": "email profile",
> >   "clientId": "nak-portal",
> >   "clientHost": "80.242.181.71",
> >   "clientAddress": "80.242.181.71",
> >   "client_id": "nak-portal",
> >   "username": "service-account-nak-portal",
> >   "active": true
> > }
> >
> > Please note the five realm-management client roles. The problem is that for the given service account I have assigned many more roles, please see the attached screenshot. > > > > Why don't I see all effective roles (or assigned roles) in my access token? > > Interestingly enough I am also missing some of my realm roles. I have > > mapped 4 realm roles, but in the token I only have 1. Am I missing > > something? > > > > Thanks in advance, greetings > > > > Henning > From matthew.broadhead at nbmlaw.co.uk Thu Aug 16 06:51:58 2018 From: matthew.broadhead at nbmlaw.co.uk (Matthew Broadhead) Date: Thu, 16 Aug 2018 12:51:58 +0200 Subject: [keycloak-user] Keycloak 4.3.0.Final is out In-Reply-To:
References: Message-ID: Is it possible to upgrade from 3.4.0 directly to 4.3.0? On 16/08/18 12:15, Stian Thorgersen wrote: > https://www.keycloak.org/docs/latest/release_notes/index.html#keycloak-4-3-0-final From ssilvert at redhat.com Thu Aug 16 07:44:01 2018 From: ssilvert at redhat.com (Stan Silvert) Date: Thu, 16 Aug 2018 07:44:01 -0400 Subject: [keycloak-user] How to logout In-Reply-To: <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org> References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com> <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org> <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org> <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org> Message-ID: <63ba64de-9049-155b-f3fb-6e85bda85a73@redhat.com> On 8/15/2018 4:34 PM, Ryan Slominski wrote: > Two issues: > > (1) The Wildfly client adapter doesn't detect when a user is logged into Keycloak on pages in which the HttpServletRequest.isUserInRole() method is used to programmatically determine who sees what until after hitting a declaratively protected (web.xml) page first. The Wildfly client adapter assumes all pages which use isUserInRole are declaratively protected, but that is not always true (and essentially never true in my case). This means when jumping from one application to another you lose your SSO. If you are correct about isUserInRole() then the WildFly adapter needs to be fixed. What should happen is that when you logout of application A then the Keycloak server sends a backchannel logout to application B. At that point, a call to isUserInRole() from application B should return false. Do you have backchannel logout working?
> (2) Trying to switch users in an environment where it is unknown whether you are logged in or not results in surprise logins as the previous account when you really want to enter new credentials. > > Essentially all my application pages show something no matter if you are logged in or not, but if you are logged in you see extra stuff like edit buttons. When working in a group around a computer and someone asks to switch users (login as admin or move over and let me show you scenarios) confusion ensues as the application might show the user as not logged in, but then attempting to login detects the existing token and skips the login form. Now the user must logout and try again. > > > ----- Original Message ----- > From: "Stan Silvert" > To: "Ryan Slominski" > Cc: "keycloak-user" > Sent: Wednesday, August 15, 2018 4:04:03 PM > Subject: Re: [keycloak-user] How to logout > > On 8/15/2018 3:27 PM, Ryan Slominski wrote: >> Hi Stan, >> If you have multiple applications you can get out of sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security: > I don't understand why this matters. If you are not going to a > protected page in application B then why do you care if you are logged > into Keycloak? > > I guess I'm not understanding your use case.
>> https://javaee.github.io/tutorial/security-webtier003.html >> >> And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if a SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly. The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea. It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to keycloak server itself? >> >> Ryan >> >> >> >> ----- Original Message ----- >> From: "Stan Silvert" >> To: "Ryan Slominski" >> Cc: "keycloak-user" >> Sent: Wednesday, August 15, 2018 3:02:18 PM >> Subject: Re: [keycloak-user] How to logout >> >> Why is your client out of sync with the keycloak server? If you are >> building a servlet-based application (JSF, JSP, Struts, etc.), then why >> not use the WildFly adapter in the JEE way as described in the Keycloak >> documentation? The WildFly Keycloak adapter takes care of all the hard >> stuff for you. >> >> On 8/15/2018 9:50 AM, Ryan Slominski wrote: >>> Hi Stan, >>> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true? >>> >>> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server: >>> >>> {"error":"invalid_request","error_description":"No refresh token"} >>> >>> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client). >>> >>> Thanks, >>> >>> Ryan >>> >>> ----- Original Message ----- >>> From: "Stan Silvert" >>> To: "keycloak-user" >>> Sent: Monday, August 13, 2018 7:15:15 PM >>> Subject: Re: [keycloak-user] How to logout >>> >>> HttpServletRequest.logout() should not be a no-op. It was implemented a >>> long time ago: >>> https://issues.jboss.org/browse/KEYCLOAK-478 >>> >>> If there is an issue with it you should report it in JIRA. >>> >>> Stan >>> >>> On 8/13/2018 4:19 PM, Ryan Slominski wrote: >>>> Hi Keycloak Users, >>>> >>>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync.
The documentation says you can logout in one of two ways: >>>> >>>> 1. Call HttpServletRequest.logout() >>>> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri >>>> >>>> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout >>>> >>>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips? >>>> >>>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>>> >>>> Thanks, >>>> >>>> Ryan >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user From remy at grunblatt.org Thu Aug 16 07:59:54 2018 From: remy at grunblatt.org (Rémy Grünblatt) Date: Thu, 16 Aug 2018 13:59:54 +0200 Subject: [keycloak-user] Set up user attributes at account creation Message-ID: <958479d8-b911-2d1c-870c-1000a5a11af9@grunblatt.org> Hi, Is there any possibility to automatically set up attributes (such as a unique integer Id) at account creation, with keycloak? I'm trying to set up a "rank" (1 for the first user, 2 for the second user, 3 for the third one) as an attribute and I'm having trouble finding out how I could "automate" this. Thanks, Rémy From matthias.kesternich at moneymeets.com Thu Aug 16 08:26:12 2018 From: matthias.kesternich at moneymeets.com (Matthias Kesternich) Date: Thu, 16 Aug 2018 12:26:12 +0000 Subject: [keycloak-user] Internal server error with event logging Message-ID: <1C08CC91-C06C-410C-B937-DE95ED19161E@moneymeets.com> Hello, with event detail logging enabled I keep getting 500 Internal Server Error. There was also a post on this list in May detailing the same problem (see http://lists.jboss.org/pipermail/keycloak-dev/2018-May/010807.html ).
As outlined in the post the problematic piece of code is @Column(name="DETAILS_JSON", length = 2550) private String detailsJson; This hardcodes length to 2550 and apparently some of my event details get bigger than that. Any idea what I can do about this? Manually changing the database column could work, but I'm afraid a future keycloak db migration will badly interfere with this. Is there any "official" way to override values like this? E.g. some configuration setting or JPA way to overwrite this? Thanks, -Matthias From psilva at redhat.com Thu Aug 16 08:37:35 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 16 Aug 2018 09:37:35 -0300 Subject: [keycloak-user] Using Keycloak for per field authorisation In-Reply-To: References: Message-ID: We appreciate any feedback. Performance is one of the key aspects we will be looking at from now on. Next release will have some improvements and we hope to deliver more. On Thu, Aug 16, 2018 at 12:23 AM, Courtney Robinson < courtney.robinson at hypi.io> wrote: > >>> One of us in the team will be working on this in our next sprint so a >>> lot of things should fall into place as part of this. >>> >> >> In the next release, we are also delivering improvements around >> performance. We found places we could improve and especially the policy >> evaluation engine. We have introduced some cache layers to avoid redundancy >> when evaluating permissions/policies. Let us know about your experience, we >> know we can still improve it. But as the first work we did around >> performance tests, the results are pretty good (and much better than >> previous releases). >> >> > > Sounds good. I'll provide feedback once we've implemented and put it under > some real load > > with it. One outstanding concern with our proposed move to Keycloak for >>> authorisation is understanding how to scale it well with the rest of our >>> stack. >>> >> >> No, it is not, and you are not the first one from the community with similar >> requirements.
Maybe we could start discussing and including this in our >> roadmap. >> > > I am more than happy to do that. Keycloak provides everything we think we > need for authz so we're more than happy to help get that last 20% in there. > We're a tiny team though so I expect we wouldn't be able to do much in the > way of contributions until mid-Nov after our current roadmap targets have > been delivered. Post that we can schedule some Keycloak work into our > sprints. > > >>> I've had an attempt at a user SPI and concluded we'd be better off >>> pushing it to Keycloak backed by Postgres. (Considered if we could write an >>> Ignite drop-in or something similar but the effort wasn't worth the initial >>> perceived gains since users are probably going to remain relatively small >>> compared to resources). >>> Out of interest however, Keycloak's using Hibernate right? How pluggable >>> is this so that it could be replaced with Hibernate OGM? >>> >> >> IIRC, OGM is based on JPA spec, right? If you mean implementing User SPI >> using OGM, it should work. >> > > Yeah, the latest OGM is JPA 2.2 compliant now if memory serves. It's more > of a Hibernate for "NoSQL" so you could hook up Cassandra, Ignite, CouchDB > etc as a persistence unit and for the most part use the Hibernate APIs as > if they were going to a relational DB. > I meant more of a drop-in replacement so all of the Keycloak persistence > went through OGM. I'll experiment, I just asked in case you readily knew. > > Nice. As I mentioned before, we have been working on performance >> improvements. During this work I noticed that performance is not really >> related to the number of resources or scopes, but to how you design your >> policies and how you obtain them from the server. For instance, if you query >> the server for all permissions a user has, you would not get good >> throughput. However, if you can perform incremental authorization, ask for >> chunks of permissions, etc, you will get good throughput.
Of course, this >> is relative, I could give you numbers but that could be misleading and not >> based on your real constraints. >> >> This is an area we want to improve from now on, so feedback is always >> welcome. >> > > I think because the entry point to our API is GraphQL it lends itself well > to being able to do incremental authorisation. I'll have some feedback soon > on how this turns out. > Thanks for all the info. It's been very helpful. > > From ryans at jlab.org Thu Aug 16 08:41:13 2018 From: ryans at jlab.org (Ryan Slominski) Date: Thu, 16 Aug 2018 08:41:13 -0400 (EDT) Subject: [keycloak-user] How to logout In-Reply-To: <63ba64de-9049-155b-f3fb-6e85bda85a73@redhat.com> References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com> <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org> <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org> <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org> <63ba64de-9049-155b-f3fb-6e85bda85a73@redhat.com> Message-ID: <1511503812.20960187.1534423273828.JavaMail.zimbra@jlab.org> I've enabled backchannel logout in the brokered identity providers, and I've confirmed it keeps all of the brokered identity providers in sync. For example if I log into my broker 3 IdP and logout of my realm then I'm also logged out of broker IdP 3. So, backchannel logout seems to work with the link between the realm and brokered identity providers. However, unless I'm not understanding backchannel logout, it doesn't affect clients who manage their own session state such as the Wildfly client adapter, which creates an independent JSESSIONID cookie to store session state. So right now logging out of application A does destroy the Keycloak token, but if a login with application B was already established then it remains locally logged in even after application A is logged out. Is that not how it is supposed to work?
If not, how do I configure a Wildfly client to honor another application's logout? From psilva at redhat.com Thu Aug 16 08:46:38 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Thu, 16 Aug 2018 09:46:38 -0300 Subject: [keycloak-user] UMA vs OAuth In-Reply-To: References: Message-ID: This seems to be a bug.
I also tried here and I could reproduce the issue (after removing default client scopes email and profile from client). Would you mind creating a JIRA, please? Regards. On Wed, Aug 15, 2018 at 7:33 PM, Dmitry Pichugin wrote: > We do support. Could you elaborate more what you are trying to achieve? > > > Pedro, thank you for the answer! You are right. > > We tried to apply UMA for simple OAuth scenario "Client Credential flow" > and it was a mistake. We only need to get access token, which contains > scopes. Yes, it works in KeyCloak. > > But we have another problem: when we tried to request an access token with > scopes which do not exist or are not assigned to the client, as a > result, we received the access token with an empty "scope" parameter. > > Request: > > curl -X "POST" -d "client_id=testclient&client_secret=secret&grant_type=client_credentials&scope=unexisted_scope" http://keykcloak_server:8080/auth/realms/master/protocol/openid-connect/token > > > Response: > > { > "access_token": "eyJhbG[...]1LQ", > "token_type": "Bearer", > "expires_in": 3600, > "scope": "" > } > > But, according to RFC 6749 The OAuth 2.0 Authorization Framework > point, we must get the error "invalid_scope". > > 4.1.4. Access Token > Response > > If the access token request is valid and authorized, the > authorization server issues an access token and optional refresh > token as described in Section 5.1. If the request client > authentication failed or is invalid, the authorization server returns > an error response as described in Section 5.2. > > > and point > > > 5.2. Error Response > > ..... > > invalid_scope > The requested scope is invalid, unknown, malformed, or > exceeds the scope granted by the resource owner. > > > > We tried to find something in client settings for fixing the problem, but found nothing. Could you reply, is it a KeyCloak error, or can't we find some special "setting" in the interface? > > > Best regards. Dmitry Pichugin.
> > > On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva wrote: > >> On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin >> wrote: >> >>> Good day! >>> >>> We are using Keycloak in our project, have installed version 4.2.1. >>> >>> Our task: >>> >>> - integration with API gateway and use KeyCloak for resource protection. >>> >>> We would like to use "Client Credentials Flow" from OAuth specs. But during >>> version 4, KeyCloak does not support OAuth and is recommended to apply >>> UMA 2.0. >>> >> >> I'm not sure what you mean here. Where did you find this recommendation? >> >> >>> >>> Yes, the differences between UMA and OAuth are not huge, as a request and >>> response (JWT token) formats, UMA has specific logic with RPT-token etc >>> and >>> UMA gives some advantages (we do not have the plan to use it). >>> >> >> UMA is a standard mainly targeted for privacy (although there are other >> benefits in using even if not for privacy), if you don't need users >> managing their own resources, sharing, etc, yeah, you probably don't need >> it. However, keep in mind that UMA support is one of the capabilities we >> support in Keycloak Authorization Services, you can still use Keycloak to >> enforce access to your protected resources using permissions >> managed/granted by the server. >> >> >>> >>> We try to make a request in OAuth specs but got the error. >>> >>> Why does KeyCloak not support OAuth and UMA 2.0 at the same time? Do you have >>> some >>> specific reasons for this? >>> >> >> We do support. Could you elaborate more what you are trying to achieve? >> >> >>> >>> Thank you! >>> >>> Best regards. Dmitry Pichugin.
>>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> From ryans at jlab.org Thu Aug 16 08:58:28 2018 From: ryans at jlab.org (Ryan Slominski) Date: Thu, 16 Aug 2018 08:58:28 -0400 (EDT) Subject: [keycloak-user] CORS "Access-Control-Allow-Origin" missing In-Reply-To: References: <1111578163.20437469.1534339449584.JavaMail.zimbra@jlab.org> <265894332.20437731.1534339536045.JavaMail.zimbra@jlab.org> Message-ID: <628139031.20962920.1534424308650.JavaMail.zimbra@jlab.org> Hi Jan, With regards to "crossDomain: true" I'm just going off examples I've found and the jQuery documentation: http://api.jquery.com/jquery.ajax/. Since I'm making a request to the same domain (host), but it redirects to a different one (keycloak server) I believe I need this attribute. Keycloak version is 4.1.0. Preflight request/response not happening. ----- Original Message ----- From: "Jan Garaj" To: ryans at jlab.org Cc: "keycloak-user" Sent: Thursday, August 16, 2018 6:12:05 AM Subject: Re: [keycloak-user] CORS "Access-Control-Allow-Origin" missing Hi Ryan, IMHO jQuery "crossDomain: true" doesn't help - that's for JSONP requests. I'm not familiar with Wildfly, but I don't understand why I should configure CORS headers in the app server when I can return them from the app (Keycloak in this case). What is your Keycloak version and preflight request/response?
*Jan Garaj* Web: http://www.jangaraj.com / http://monitoringartist.com LinkedIn: http://www.linkedin.com/in/jangaraj On Wed, Aug 15, 2018 at 2:25 PM Ryan Slominski wrote: > Hi Jan, > > If I comment out the jQuery "crossDomain: true" and "xhrFields: > {withCredentials: true}" attributes of the XHR object then I do see the > OPTIONS header in the web browser console. If I include the attributes I > don't see OPTIONS. Is it possible preflight isn't needed if you've > configured your client to use crossDomain? I forgot to include in my last > email the final request HTTP status response code: it is 303. Is that a > clue? > > What about all of the CORS options such as cors-max-age, > cors-allowed-headers, cors-allowed-methods, etc. I am not including them > in Wildfly standalone.xml currently. Are they needed to make this work? > It doesn't seem to make a difference when experimenting, but I'm not sure > what values to use... > > Thanks, > > Ryan > > ----- Original Message ----- > From: "Jan Garaj" > To: "keycloak-user" > Sent: Wednesday, August 15, 2018 3:36:24 AM > Subject: Re: [keycloak-user] CORS "Access-Control-Allow-Origin" missing > > Hi, > > Actually, Access-Control-Allow-Origin is not missing, because it should be > available in the preflight (OPTIONS) response and not in GET/POST response.
> > My assumption is that 3.4.2+ Keycloak CORS implementation is broken and it > doesn't support any JS cross-domain access at the moment. > > More details: > https://issues.jboss.org/browse/KEYCLOAK-8006 > > You can find this CORS problem also on StackOverflow: > > https://stackoverflow.com/questions/51706569/angular-keycloak-cant-get-token-using-api > > Workaround: downgrade to 3.4.2- and use insecure "Web Origins": "*" > > *Jan Garaj* > Web: > http://www.jangaraj.com > / > http://monitoringartist.com > LinkedIn: > http://www.linkedin.com/in/jangaraj > > On Wed, Aug 15, 2018 at 8:09 AM > wrote: > > > > ---------- Forwarded message ---------- > > From: Ryan Slominski > > To: keycloak-user > > Cc: > > Bcc: > > Date: Tue, 14 Aug 2018 16:21:54 -0400 (EDT) > > Subject: [keycloak-user] CORS "Access-Control-Allow-Origin" missing > > Hi Keycloak Users, > > > > I'm attempting to save my users a few button clicks by automatically > > trying brokered identity providers in the background with AJAX requests > > before redirecting them to the Keycloak login form (AJAX requests using > > kc_idp_hint parameter). In most cases users will already be logged into > > one of the brokered identity providers (the client is often on one of > > several SPNEGO protected subnets) and instead of showing users the login > > form with buttons to try the brokered providers manually one by one I was > > hoping to simply do it for them in the background and when directed to > the > > login form for the realm the common case would be for users to be > > immediately redirected back because they're logged in already. I'm using > > the Wildfly client adapters (Java servlet container managed security) > > configured as confidential clients.
> > I have the client "Web Origins" set to "*". In the Wildfly standalone.xml
> > I have the clients configured with "true". I'm using Keycloak 4.1.0. On
> > the client side I'm using jQuery and have "crossDomain: true" and
> > "xhrFields:{withCredentials: true}" set on the XHR object. The keycloak
> > server still doesn't respond with an Access-Control-Allow-Origin header
> > though, so the login fails. It works if not using AJAX. The network
> > trace of an AJAX request from the web browser console looks like:
> >
> > --- Request 1 ---
> > GET https://myhost.example.com/myapp/protected?kc_idp_hint=broker1-keycloak-oidc&returnUrl=https://myhost.example.com/myapp/mypage
> > Host: myhost.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer: https://myhost.example.com/myapp/mypage
> > Cookie: OAuth_Token_Request_State=; JSESSIONID=.myhost
> > Connection: keep-alive
> >
> > --- Response 1 ---
> > Cache-Control: no-cache, no-store, must-revalidate
> > Connection: Keep-Alive
> > Content-Length: 0
> > Date: Tue, 14 Aug 2018 19:48:46 GMT
> > Expires: 0
> > Keep-Alive: timeout=5, max=100
> > Location:
> > https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fprotected?returnUrl%3Dhttps%253A%252F%252Fmyhost.example.com%252Fmyapp%252Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Pragma: no-cache
> > Server: WildFly/11
> > Set-Cookie: OAuth_Token_Request_State=; HttpOnly
> > X-Powered-By: Undertow/1
> >
> > --- Request 2 ---
> > GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Host: keycloak1.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer: https://myhost.example.com/myapp/mypage
> > Origin:
> > https://myhost.example.com
> > Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
> > Connection: keep-alive
> >
> > --- Response 2 ---
> > Status: 401
> > Cache-Control: no-store, must-revalidate, max-age=0
> > Connection: Keep-Alive
> > Content-Length: 615
> > Content-Type: text/html;charset=UTF-8
> > Date: Tue, 14 Aug 2018 19:48:48 GMT
> > Keep-Alive: timeout=5, max=100
> > Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> > Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> >             KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> > WWW-Authenticate: Negotiate
> >
> > --- Request 3 ---
> > GET https://keycloak1.example.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&client_id=client1&redirect_uri=https://myhost.example.com/myapp/protected?returnUrl=https%3A%2F%2Fmyhost.example.com%2Fmyapp%2Fmypage&state=&login=true&kc_idp_hint=broker1-keycloak-oidc&scope=openid
> > Host: keycloak1.example.com
> > User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
> > Accept: text/html, */*; q=0.01
> > Accept-Language: en-US,en;q=0.5
> > Accept-Encoding: gzip, deflate, br
> > Referer:
> > https://myhost.example.com/myapp/mypage
> > Origin: https://myhost.example.com
> > Cookie: AUTH_SESSION_ID=.keycloak1; KC_RESTART=
> > Connection: keep-alive
> > Authorization: Negotiate
> >
> > --- Response 3 ---
> > Cache-Control: no-store, must-revalidate, max-age=0
> > Connection: Keep-Alive
> > Content-Length: 0
> > Date: Tue, 14 Aug 2018 19:48:48 GMT
> > Keep-Alive: timeout=5, max=99
> > Location: https://keycloak1.example.com/auth/realms/myrealm/broker/broker1-keycloak-oidc/login?session_code=&client_id=client1&tab_id=FP3hTW-bfQ8
> > Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.1.18 mod_wsgi/3.4 Python/2.7.5
> > Set-Cookie: AUTH_SESSION_ID=.keycloak1; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> >             KC_RESTART=; Version=1; Path=/auth/realms/myrealm/; Secure; HttpOnly
> >
> > Notice I must redirect off a protected URL on my client app since the Wildfly
> > client adapter only works on pages which are explicitly protected by the
> > container managed security. Also notice that in the third and final request
> > the response is missing the Access-Control-Allow-Origin header, which results
> > in the error in the browser web console and the process ending. Any ideas?
> >
> > Thanks,
> >
> > Ryan
> >
> >
> >
> > ---------- Forwarded message ----------
> > From: Eric B
> > To: keycloak-user at lists.jboss.org
> > Cc:
> > Bcc:
> > Date: Tue, 14 Aug 2018 23:23:57 -0400
> > Subject: [keycloak-user] How to force client to use PKCE code exchange?
> >
> > I'm using keycloak 3.4.3. Is there a way in the client configuration to
> > require PKCE code exchange? I can't seem to find an option that would
> > require support for this vs just the standard code exchange flow.
> >
> > Thanks
> >
> > Eric
> >
> >
> >
> > ---------- Forwarded message ----------
> > From: Henning Waack
> > To: keycloak-user at lists.jboss.org
> > Cc:
> > Bcc:
> > Date: Wed, 15 Aug 2018 09:08:41 +0200
> > Subject: [keycloak-user] Client roles in Access Token
> >
> > Dear all.
> >
> > Using KC 4.2.1, I get the following access token for a "Service Account
> > User":
> >
> > {
> >   "jti": "af460ad9-e436-481f-aa4c-2d0ee0a19878",
> >   "exp": 1534251578,
> >   "nbf": 0,
> >   "iat": 1534251278,
> >   "iss": "https://xxx/auth/realms/NAK",
> >   "aud": "nak-portal",
> >   "sub": "f19b3205-1f3c-4a7e-8e76-c5d8e47ef0e4",
> >   "typ": "Bearer",
> >   "azp": "nak-portal",
> >   "auth_time": 0,
> >   "session_state": "a47e50aa-2ed2-40fa-9ba7-453d5632ced0",
> >   "name": "nak portal",
> >   "given_name": "nak",
> >   "family_name": "portal",
> >   "preferred_username": "service-account-nak-portal",
> >   "email": "service-account-nak-portal at placeholder.de",
> >   "email_verified": true,
> >   "acr": "1",
> >   "allowed-origins": [
> >     "http://dummy:8008"
> >   ],
> >   "realm_access": {
> >     "roles": [
> >       "source_system"
> >     ]
> >   },
> >   "resource_access": {
> >     "realm-management": {
> >       "roles": [
> >         "manage-users",
> >         "view-users",
> >         "query-clients",
> >         "query-groups",
> >         "query-users"
> >       ]
> >     }
> >   },
> >   "scope": "email profile",
> >   "clientId": "nak-portal",
> >   "clientHost": "80.242.181.71",
> >   "clientAddress": "80.242.181.71",
> >   "client_id": "nak-portal",
> >   "username": "service-account-nak-portal",
> >   "active": true
> > }
> >
> > Please note the five realm-management client roles. The problem is that for
> > the given service account I have assigned many more roles; please see the
> > attached screenshot.
> >
> > Why don't I see all effective roles (or assigned roles) in my access token?
> > Interestingly enough I am also missing some of my realm roles. I have
> > mapped 4 realm roles, but in the token I only have 1. Am I missing
> > something?
> >
> > Thanks in advance, greetings
> >
> > Henning
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From jambo_mcd at yahoo.co.uk Thu Aug 16 10:32:22 2018
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Thu, 16 Aug 2018 14:32:22 +0000 (UTC)
Subject: [keycloak-user] Multiple password policies
In-Reply-To:
<1356792787.9540666.1534168050614@mail.yahoo.com>
References: <1356792787.9540666.1534168050614.ref@mail.yahoo.com>
 <1356792787.9540666.1534168050614@mail.yahoo.com>
Message-ID: <504557615.12069269.1534429942790@mail.yahoo.com>

Hi,

Can you have multiple password policies on the same realm where you are using an LDAP instance (Federated)?

We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OUs, 1 for users and the other for service accounts. Both of these need to have different password rules, such as length and complexity. We have the password policy defined on the OpenLDAP.

Can Keycloak have multiple policies? Has anyone configured this before or can suggest alternatives?

Regards,
Jamie

From sthorger at redhat.com Thu Aug 16 10:59:59 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 16 Aug 2018 16:59:59 +0200
Subject: [keycloak-user] Naming of the keycloak proxy/generic adapter
In-Reply-To: <23ba44fc46cc4b1ca2b3e7df8faa1b05@bosch-si.com>
References: <23ba44fc46cc4b1ca2b3e7df8faa1b05@bosch-si.com>
Message-ID:

I'm not that keen on "Generic" either. Simply "OIDC adapter" is nicer, but does
it need to somehow refer to the fact that it's not language/framework specific
and that it's an external process (but not a proxy)?

On Thu, 16 Aug 2018 at 09:18, Schuster Sebastian (INST/ESY1) <
Sebastian.Schuster at bosch-si.com> wrote:

> My vote goes to OIDC Adapter. It just supports OIDC, that's what the name
> says. I don't think adding something like "generic" adds meaningful
> information. The shorter, the better... :)
>
> Best regards,
> Sebastian
>
> Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Engineering and Support (INST/ESY1)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel.
+49 30 726112-485 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr.
> Stefan Ferber, Michael Hahn
>
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On Behalf Of John Doyle
> Sent: Wednesday, 15 August 2018 16:29
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Naming of the keycloak proxy/generic adapter
>
> We've begun calling the keycloak proxy the generic adapter. I think this
> is a good move; there are too many proxies. My concern with 'generic adapter'
> is that it's not specific enough. Users could be justified in thinking that
> they can proxy SAML with it in addition to OIDC. I propose that we include
> OIDC in the name to make it clear.
>
> Some possibilities:
> OIDC Adapter
> Generic OIDC Adapter
> Universal OIDC Adapter
> Standalone OIDC Adapter
>
> Other ideas or preferences?
>
> ~jd

From Alexander.Vollertsen at wilken.de Thu Aug 16 11:15:24 2018
From: Alexander.Vollertsen at wilken.de (Vollertsen, Alexander (Wilken GmbH))
Date: Thu, 16 Aug 2018 15:15:24 +0000
Subject: [keycloak-user] Problem with SAML 2.0 IDP and direct grant
Message-ID: <006a30397cdc4949809e7c2e8c89786e@wilken.de>

Hello keycloak users,

we are a company developing ERP software and want to use keycloak for our SSO server. I will shortly explain our given scenario:

We have our application running on a WildFly server protected with the keycloak adapter in the standalone xml.
The keycloak authentication server is running in another WildFly. Opening our application in the browser, redirecting to the keycloak server and signing in is working fine.

Now the IDP comes into play. We want to authenticate at the IDP and redirect over the keycloak server directly to our application without a second authentication at the keycloak server. My understanding is to use direct grant as first login flow to get a direct redirect to our application. The IDP is a server from one of our customers and we are communicating over SAML 2.0.

Now the IDP is sending a SAML response and the keycloak server is responding with the following output:

{"error":"invalid_request","error_description":"Missing parameter: username"}

The username is located in the field urn:oid:0.9.2342.19200300.100.1.1. So why can't keycloak get the username and redirect to our application?

The decoded SAML response looks like this:

[SAML response XML not preserved by the archive: only its text nodes survived (idm.ekir.de, 94fbf27f692f840a63ea08a0eb8153ec86d022ea, http://qvswm-50-cs2std:20000/auth/realms/saml20-broker-authentication-realm, urn:oasis:names:tc:SAML:2.0:ac:classes:Password, test2.syn, test2.syn at ek.de, test2); the two base64 XML signature values are omitted here.]

I would
appreciate some help from the community.

Best regards

Alexander Vollertsen
Systementwickler | System Developer
Systementwicklung | System Development
Phone: +49 731 9650-373 | Fax:
Email: Alexander.Vollertsen at wilken.de | Web: www.wilken.de

Wilken GmbH
Hörvelsinger Weg 29-31
89081 Ulm, Germany
Registered office: Ulm
Amtsgericht Ulm: HRB 794
Managing directors: Folkert Wilken, Peter Heinz, Dr. Jörg Vogt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 118486 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180816/3f434596/attachment-0001.png

From sthorger at redhat.com Thu Aug 16 11:19:57 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 16 Aug 2018 17:19:57 +0200
Subject: [keycloak-user] Internal server error with event logging
In-Reply-To: <1C08CC91-C06C-410C-B937-DE95ED19161E@moneymeets.com>
References: <1C08CC91-C06C-410C-B937-DE95ED19161E@moneymeets.com>
Message-ID:

Seems like something is putting too much information in the details of the
events. It should be short and concise to prevent filling up the database. Do
you know what event it is and how to reproduce?

On Thu, 16 Aug 2018 at 14:30, Matthias Kesternich <
matthias.kesternich at moneymeets.com> wrote:

> Hello,
>
> with event detail logging enabled I keep getting 500 Internal Server
> Error. There was also a post on this list in May detailing the same problem
> (see http://lists.jboss.org/pipermail/keycloak-dev/2018-May/010807.html ).
>
> As outlined in the post the problematic piece of code is
>
>     @Column(name="DETAILS_JSON", length = 2550)
>     private String detailsJson;
>
> This hardcodes the length to 2550 and apparently some of my event details get
> bigger than that.
>
> Any idea what I can do about this?
> Manually changing the database column could work, but I'm afraid a future
> keycloak db migration will badly interfere with this.
>
> Is there any "official" way to override values like this? E.g. some
> configuration setting or JPA way to overwrite this?
>
> Thanks,
> -Matthias

From hfuss at bandwidth.com Thu Aug 16 11:50:35 2018
From: hfuss at bandwidth.com (Hayden Fuss)
Date: Thu, 16 Aug 2018 11:50:35 -0400
Subject: [keycloak-user] Keycloak availability during LDAP outage
Message-ID:

Hello,

In testing Keycloak's availability for certain flows/endpoints we noticed that
introspecting access tokens (never tested refresh tokens) and retrieving new
access tokens via a refresh token does not work if LDAP is down and being used
for READ-ONLY user federation.

Is this in order to guarantee consistency since LDAP is considered the source
of truth, and so if it's down, everything but getting certs is down?

We'd like to prioritize availability over consistency in these scenarios. As a
result, we were hoping to be able to guarantee tokens could still be
validated/introspected by Keycloak in an LDAP outage, and new access tokens
could be granted with a refresh token. That way users/clients could still
function while their refresh tokens are valid, limiting the severity of an LDAP
outage.

Are there settings that can be tweaked to enable this? If not, does this seem
like a reasonable feature request?

On a similar note, can Keycloak adapters verify tokens locally only, and then
periodically go to Keycloak to verify, rather than verify locally and remotely
every time?
Best,
Hayden

From suleyman.yildirim at accenture.com Thu Aug 16 13:19:27 2018
From: suleyman.yildirim at accenture.com (Yildirim, Suleyman)
Date: Thu, 16 Aug 2018 17:19:27 +0000
Subject: [keycloak-user] IDP SAML Processing Error
Message-ID:

Hi,

I get an "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when getting the response from the MS ADFS server. The root cause of the error is

Caused by: java.io.IOException: Short read of DER length.

So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,)". I have to use the public key and the certificates of the realm separated by comma, but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (Attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error.

Any idea of how I can proceed?

Details

When I use the dummy IDP of the Keycloak server, I use https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url, "email" as "NameID Policy Format" (Attached file: dummyIDPSettings.png). As for the real ADFS integration, I set up everything according to that blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places.

Regards,
Suleyman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dummyIDPSettings.PNG
Type: image/png
Size: 72605 bytes
Desc: dummyIDPSettings.PNG
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180816/6537de1f/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ADFSIDPSettings.PNG
Type: image/png
Size: 83476 bytes
Desc: ADFSIDPSettings.PNG
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180816/6537de1f/attachment-0003.png
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: IDP_error.txt
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180816/6537de1f/attachment-0001.txt

From caiyegui at gmail.com Thu Aug 16 15:00:27 2018
From: caiyegui at gmail.com (Yegui Cai)
Date: Thu, 16 Aug 2018 15:00:27 -0400
Subject: [keycloak-user] Admin access token
Message-ID:

Hi all.
I am using the admin REST API to obtain an access token using curl:

curl --insecure -i --request POST https://127.0.0.1:8666/auth/realms/master/protocol/openid-connect/token --header 'Accept: application/json' --header 'Content-Type: application/x-www-form-urlencoded' --data 'grant_type=password&username=admin&password=admin&client_id=admin-cli'

The problem is that after my standalone Keycloak has been running for a while (in between I keep curling the access token), I cannot get a token anymore. The output of curl is:

{"error":"invalid_grant","error_description":"Invalid user credentials"}

From the TRACE level log, I read the following:

2018-08-16 14:42:23,438 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-3) new JtaTransactionWrapper
2018-08-16 14:42:23,439 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-3) was existing? false
2018-08-16 14:42:23,454 TRACE [org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory] (default task-3) Create JpaConnectionProvider
2018-08-16 14:42:23,457 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-3) by id cache hit: master
2018-08-16 14:42:23,495 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE CLIENT
2018-08-16 14:42:23,497 TRACE [org.keycloak.authentication.ClientAuthenticationFlow] (default task-3) Using executions for client authentication: [33858fd1-64d3-42ae-8713-7a98e7e83700, 63bca01e-0342-4150-9b9c-7e7ceaeda8c6, 9b46d8e9-0331-4554-8d84-0ad8d5944b3e]
2018-08-16 14:42:23,497 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-3) client authenticator: client-secret
2018-08-16 14:42:23,510 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-3) adding client by name cache miss: admin-cli
2018-08-16 14:42:23,515 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-3) client by id cache hit: admin-cli
2018-08-16 14:42:23,516 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-3) client authenticator SUCCESS: client-secret
2018-08-16 14:42:23,517 DEBUG [org.keycloak.authentication.ClientAuthenticationFlow] (default task-3) Client admin-cli authenticated by client-secret
2018-08-16 14:42:23,519 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanAuthenticationSessionProviderFactory] (default task-3) [null] Registered cluster listeners
2018-08-16 14:42:23,523 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: ADD on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,527 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,528 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,528 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,529 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,529 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,530 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-3) client by id cache hit: admin-cli
2018-08-16 14:42:23,530 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-3) AUTHENTICATE ONLY
2018-08-16 14:42:23,532 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,533 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-3) client by id cache hit: admin-cli
2018-08-16 14:42:23,534 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) processFlow
2018-08-16 14:42:23,534 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: direct-grant-validate-username requirement: REQUIRED
2018-08-16 14:42:23,534 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator: direct-grant-validate-username
2018-08-16 14:42:23,534 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) invoke authenticator.authenticate: direct-grant-validate-username
2018-08-16 14:42:23,535 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,535 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getUserByUsername: admin
2018-08-16 14:42:23,535 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) query null
2018-08-16 14:42:23,583 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,583 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator SUCCESS: direct-grant-validate-username
2018-08-16 14:42:23,584 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:23,584 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: direct-grant-validate-password requirement: REQUIRED
2018-08-16 14:42:23,584 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator: direct-grant-validate-password
2018-08-16 14:42:23,584 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getuserById b0942806-9744-4571-9216-d9fb57bd9d2f
2018-08-16 14:42:23,584 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) return managedusers
2018-08-16 14:42:23,584 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) invoke authenticator.authenticate: direct-grant-validate-password
2018-08-16 14:42:23,584 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getuserById b0942806-9744-4571-9216-d9fb57bd9d2f
2018-08-16 14:42:23,584 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) return managedusers
2018-08-16 14:42:24,010 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator SUCCESS: direct-grant-validate-password
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:24,010 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) check execution: direct-grant-validate-otp requirement: OPTIONAL
2018-08-16 14:42:24,010 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator: direct-grant-validate-otp
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getuserById b0942806-9744-4571-9216-d9fb57bd9d2f
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) return managedusers
2018-08-16 14:42:24,010 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) invoke authenticator.authenticate: direct-grant-validate-otp
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getuserById b0942806-9744-4571-9216-d9fb57bd9d2f
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) return managedusers
2018-08-16 14:42:24,010 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-3) authenticator ATTEMPTED: direct-grant-validate-otp
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.sessions.infinispan.InfinispanKeycloakTransaction] (default task-3) Adding cache operation: REPLACE on d43ccba6-2640-48a6-9c21-0f777b2fd972
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getuserById b0942806-9744-4571-9216-d9fb57bd9d2f
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) return managedusers
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getuserById b0942806-9744-4571-9216-d9fb57bd9d2f
2018-08-16 14:42:24,010 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) return managedusers
2018-08-16 14:42:24,014 DEBUG [org.keycloak.authentication.requiredactions.VerifyEmail] (default task-3) User is required to verify email
2018-08-16 14:42:24,014 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) getuserById b0942806-9744-4571-9216-d9fb57bd9d2f
2018-08-16 14:42:24,015 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-3) registered for invalidation return delegate
2018-08-16 14:42:24,017 TRACE [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=admin-cli, userId=null, ipAddress=127.0.0.1, error=resolve_required_actions, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=admin, requestUri=https://127.0.0.1:8666/auth/realms/master/protocol/openid-connect/token, cookies=[]
2018-08-16 14:42:24,027 TRACE [org.keycloak.services.resources.Cors] (default task-3) No origin header ignoring
2018-08-16 14:42:24,028 TRACE [org.keycloak.services.resources.Cors] (default task-3) No origin header ignoring
2018-08-16 14:42:24,028 TRACE [org.keycloak.services.resources.Cors] (default task-3) No origin header ignoring
2018-08-16 14:42:24,030 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-3) JtaTransactionWrapper commit
2018-08-16 14:42:24,032 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-3) JtaTransactionWrapper end
2018-08-16 14:42:24,034 TRACE [org.keycloak.models.cache.infinispan.UserCacheManager] (default task-3) Removed key='master.username.admin', value='UserListQuery{id='master.username.admin'realmName='master'}' from cache
2018-08-16 14:42:24,036 TRACE [org.keycloak.models.cache.infinispan.UserCacheManager] (default task-3) Removed key='b0942806-9744-4571-9216-d9fb57bd9d2f', value='org.keycloak.models.cache.infinispan.entities.CachedUser@2ae0edf1' from cache
2018-08-16 14:42:24,037 TRACE [org.keycloak.cluster.infinispan.InfinispanNotificationsManager] (default task-3) Sending event with key 5daeb51e-3aac-4c81-add1-4e24209e62b4: UserUpdatedEvent [ userId=b0942806-9744-4571-9216-d9fb57bd9d2f, username=admin, email=null ]
2018-08-16 14:42:24,065 TRACE [org.keycloak.connections.jpa.DefaultJpaConnectionProvider] (default task-3) DefaultJpaConnectionProvider close()

Could it be a potential bug? Or is the way I use the admin REST API not right?

Thanks a lot!
Y.

From wgao at utsc.utoronto.ca Thu Aug 16 15:20:22 2018
From: wgao at utsc.utoronto.ca (Weijun Gao)
Date: Thu, 16 Aug 2018 15:20:22 -0400
Subject: [keycloak-user] SSO for two groups of web applications?
In-Reply-To:
References:
Message-ID: <9eab6388-98d0-1fe5-c96a-1b753b83dfbb@utsc.utoronto.ca>

Hi,

Is it possible to authenticate users using *one* Keycloak server for *two* groups of web applications?
For example, if a user signs in a web app in the 1st group, the user can access all the apps in the 1st group but none in the 2nd group, vice versa. If it's possible, how? Or any documentation?

Thanks and regards,

Weijun

From hfuss at bandwidth.com Thu Aug 16 16:29:15 2018
From: hfuss at bandwidth.com (Hayden Fuss)
Date: Thu, 16 Aug 2018 16:29:15 -0400
Subject: [keycloak-user] Keycloak availability during LDAP outage
In-Reply-To:
References:
Message-ID:

Apologies, we were mistaken. We refactored our test script to reuse the previous set of access/refresh tokens so in the event of Resource Owner password grants failing, we could keep retrying introspect, userinfo, and getting a new access token with a refresh token, and those endpoints all work if the LDAP host cannot be resolved or connection is refused.

For anyone interested, here's the script we're using to test OIDC endpoints as we impact LDAP/MariaDB/ISPN.

On Thu, Aug 16, 2018 at 11:50 AM Hayden Fuss wrote:

> Hello,
>
> In testing Keycloak's availability for certain flows/endpoints we noticed
> that introspecting access tokens (never tested refresh tokens) and
> retrieving new access tokens via a refresh token does not work if LDAP is
> down and being used for READ-ONLY user federation. Is this in order to
> guarantee consistency since LDAP is considered the source of truth, and so
> if it's down, everything but getting certs is down?
>
> We'd like to prioritize availability over consistency in these scenarios.
> As a result, we were hoping to be able to guarantee tokens could still be
> validated/introspected by Keycloak in an LDAP outage, and new access tokens
> could be granted with a refresh token. That way users/clients could still
> function while their refresh tokens are valid, limiting the severity of an
> LDAP outage.
>
> Are there settings that can be tweaked to enable this? If not, does this
> seem like a reasonable feature request?
>
> On a similar note, can Keycloak adapters verify tokens locally only, and
> then periodically go to Keycloak to verify, rather than verify locally and
> remotely every time?
>
> Best,
> Hayden
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-oidc.py
Type: text/x-python-script
Size: 3687 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180816/0e13bdc6/attachment.bin

From graham.burgess at razer.com Thu Aug 16 17:47:25 2018
From: graham.burgess at razer.com (Graham Burgess)
Date: Thu, 16 Aug 2018 21:47:25 +0000
Subject: [keycloak-user] SSO for two groups of web applications?
In-Reply-To: <9eab6388-98d0-1fe5-c96a-1b753b83dfbb@utsc.utoronto.ca>
References: , <9eab6388-98d0-1fe5-c96a-1b753b83dfbb@utsc.utoronto.ca>
Message-ID:

That should be easily accomplished using keycloak realms. The official docs should be good for that.

Graham

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Weijun Gao
Sent: Thursday, August 16, 2018 12:20:22 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] SSO for two groups of web applications?

Hi,

Is it possible to authenticate users using *one* Keycloak server for *two* groups of web applications. For example, if a user signs in a web app in the 1st group, the user can access all the apps in the 1st group but none in the 2nd group, vice versa. If it's possible, how? Or any documentation?

Thanks and regards,

Weijun
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Thu Aug 16 18:47:16 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 17 Aug 2018 01:47:16 +0300
Subject: [keycloak-user] SSO for two groups of web applications?
In-Reply-To: <9eab6388-98d0-1fe5-c96a-1b753b83dfbb@utsc.utoronto.ca>
References: <9eab6388-98d0-1fe5-c96a-1b753b83dfbb@utsc.utoronto.ca>
Message-ID: <1534459636.7811.11.camel@acutus.pro>

Hi Weijun,

And what if the user first signs in a 1st group app, and then in a 2nd group? Should the user be able to access both groups now?

If so: seems like you want two separate SSO realms for your application groups, but with the shared user data? Let's rephrase it; imagine that in your Keycloak:
- there are two different realms, realmA and realmB;
- apps from the 1st group are configured as clients of realmA;
- the same for the 2nd group and realmB;
- users in both realms are the same;
would that solve your problem?

So it seems like you need some kind of proxy/slave/shadow realm, that would have its own client definitions, but will proxy to another realm for user data. I think this is not available OOTB, but could be implemented as a Keycloak extension using Realm SPI; however, implementation can be really tricky.

Another way to go is to set up ad-hoc partial replication between the realms. This is not available OOTB either; however, implementation should be much simpler (at the price of data duplication, of course).

Good news is that you're not alone with this; see Tuesday's posting from Gregor Tudan, the problem statement is almost the same (modulo the kind of data to be replicated, users vs. clients). I'll reply to that post a bit later, so stay tuned.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic

+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-16 at 15:20 -0400, Weijun Gao wrote:
> Hi,
>
> Is it possible to authenticate users using *one* Keycloak server for
> *two* groups of web applications. For example, if a user signs in a web
> app in the 1st group, the user can access all the apps in the 1st group
> but none in the 2nd group, vice versa. If it's possible, how? Or any
> documentation?
>
> Thanks and regards,
>
> Weijun
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Thu Aug 16 19:06:01 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 17 Aug 2018 02:06:01 +0300
Subject: [keycloak-user] Admin access token
In-Reply-To:
References:
Message-ID: <1534460761.7811.13.camel@acutus.pro>

Hi Yegui,

I kept curl running in cycle for ~15mins, but couldn't reproduce the issue. What version of Keycloak are you using? Could you try latest stable?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic

+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-16 at 15:00 -0400, Yegui Cai wrote:
> Hi all.
>
> I am using the admin REST api to obtain an access token using curl:
> curl --insecure -i --request POST
> https://127.0.0.1:8666/auth/realms/master/protocol/openid-connect/token
> --header 'Accept: application/json' --header 'Content-Type:
> application/x-www-form-urlencoded' --data
> 'grant_type=password&username=admin&password=admin&client_id=admin-cli'
>
> The problem is after my standalone Keycloak running for a while (in between
> I keep curling access token), I can not get token anymore. The output of
> curl is:
>
> {"error":"invalid_grant","error_description":"Invalid user credentials"}%
>
> From TRACE level log, I read the following:
>
> [...]
>
> Could it be a potential bug? Or the way I use the admin rest api is not
> right?
>
> Thanks a lot!
>
> Y.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From caiyegui at gmail.com Thu Aug 16 19:18:00 2018
From: caiyegui at gmail.com (Yegui Cai)
Date: Thu, 16 Aug 2018 19:18:00 -0400
Subject: [keycloak-user] Admin access token
In-Reply-To: <1534460761.7811.13.camel@acutus.pro>
References: <1534460761.7811.13.camel@acutus.pro>
Message-ID:

I was using 4.1.0. I will see if I can reproduce it. Thanks.

On Thu, Aug 16, 2018 at 7:06 PM Dmitry Telegin
wrote:

> Hi Yegui,
>
> I kept curl running in cycle for ~15mins, but couldn't reproduce the
> issue. What version of Keycloak are you using? Could you try latest stable?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-08-16 at 15:00 -0400, Yegui Cai wrote:
> > Hi all.
> >
> > I am using the admin REST api to obtain an access token using curl:
> > curl --insecure -i --request POST
> > https://127.0.0.1:8666/auth/realms/master/protocol/openid-connect/token
> > --header 'Accept: application/json' --header 'Content-Type:
> > application/x-www-form-urlencoded' --data
> > 'grant_type=password&username=admin&password=admin&client_id=admin-cli'
> >
> > The problem is after my standalone Keycloak running for a while (in
> > between I keep curling access token), I can not get token anymore. The
> > output of curl is:
> >
> > {"error":"invalid_grant","error_description":"Invalid user credentials"}%
> >
> > From TRACE level log, I read the following:
> >
> > [...]
> >
> > Could it be a potential bug? Or the way I use the admin rest api is not
> > right?
> >
> > Thanks a lot!
> >
> > Y.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro Thu Aug 16 19:48:41 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 17 Aug 2018 02:48:41 +0300
Subject: [keycloak-user] IDP SAML Processing Error
In-Reply-To:
References:
Message-ID: <1534463321.7811.15.camel@acutus.pro>

Hi Suleyman,

You're right, the contents of the Validating X509 Certificates box are invalid; your stacktrace tells that unambiguously. The field is pre-populated once you import FederationMetadata.xml, and you shouldn't change it afterwards. To avoid recreating the whole IdP, open your FederationMetadata.xml, find the element and copy its value to the box verbatim.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> Hi,
>
> I have a "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when I get a response from the MS ADFS server. The root cause of the error is: Caused by: java.io.IOException: Short read of DER length. So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,)". I have to use the public key and the certificates of the realm separated by comma, but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (Attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error. Any idea of how I can proceed?
>
> Details
>
> When I use the dummy IDP of the Keycloak server, I use https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url and "email" as "NameID Policy Format" (Attached file: dummyIDPSettings.png). As for the real ADFS integration, I set up everything according to that blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places.
>
> Regards,
> Suleyman
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Fri Aug 17 01:47:58 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Fri, 17 Aug 2018 11:17:58 +0530
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro>
Message-ID:

Update: Facing the same issue on keycloak 4.3.0.final. I have taken a fresh instance of keycloak 4.3.0 and created just 2 users, but am still facing the same issue of the browser not maintaining the session.

On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo wrote:
> Can someone please help me on this issue?
>
> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo wrote:
>
>> Another update:
>>
>> Though the login form appears every time, if I log in with a different user the second time, i.e. launch client app -> login with user1 -> relaunch client app (browser shows login form instead of already logged in message) -> now login with user2,
>> I get the following message:
>> "We're sorry... You are already authenticated as different user 'user1' in this session. Please logout first."
>> If it's able to know another user is logged in, then why is the login form appearing?
>>
>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote:
>>
>>> An update on my findings: When I checked the developer console, I am getting a KC_RESTART cookie in the cookies section.
>>>
>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
>>>
>>>> Yes sir,
>>>> I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter. And I am seeing the same behavior on Chrome and Firefox.
>>>>
>>>> Also regarding the manual mode, I see the same behavior, i.e. I have to re-login for each re-run of the client app.
>>>>
>>>> But if I do this:
>>>>
>>>>     System.out.println("Login through manual mode");
>>>>     keycloak.loginManual();
>>>>     System.out.println("Login through browser");
>>>>     keycloak.loginDesktop();
>>>>
>>>> i.e. if I call both modes in the same code, or even the same mode twice in the same code, then I don't have to re-login for the second call (in the above example for loginDesktop). However, when I re-run the application, I need to re-login. This might be a stupid guess, but could these sessions be "java object specific"?
>>>>
>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Did you do everything in accordance with the docs?
>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>>>>>
>>>>> Do you experience this in "manual" mode too?
>>>>>
>>>>> Cheers,
>>>>> Dmitry Telegin
>>>>> CTO, Acutus s.r.o.
>>>>> Keycloak Consulting and Training
>>>>>
>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>>>> +42 (022) 888-30-71
>>>>> E-mail: info at acutus.pro
>>>>>
>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
>>>>> > I am using openid-connect for authenticating users. After successful authentication, the browser window says:
>>>>> > "Login Successful
>>>>> >
>>>>> > You may close this browser window and go back to your console application."
>>>>> >
>>>>> > However, even without closing the window, if I relaunch my application (using keycloak.loginDesktop();) even within 10 seconds, the login page still appears instead of: you are already logged in.
>>>>> >
>>>>> > Browser: Firefox.
>>>>> > _______________________________________________
>>>>> > keycloak-user mailing list
>>>>> > keycloak-user at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From Tom.Billiet at technicolor.com Fri Aug 17 02:28:24 2018
From: Tom.Billiet at technicolor.com (Billiet Tom)
Date: Fri, 17 Aug 2018 06:28:24 +0000
Subject: [keycloak-user] accessing client JWT token in token mapper when using signed JWT authenticator.
Message-ID:

Hi,

I'm currently trying to create a Mapper for a client that uses "Signed JWT" as the client authenticator. In the mapper I would like to access some fields from the JWT token that's used to authenticate the client. I cannot figure out a way to do so. I've tried to create a custom mapper that extends AbstractOIDCProtocolMapper, but I don't seem to be able to access the client JWT token anywhere.
When digging somewhat deeper, I think the JWTClientAuthenticator (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java) should expose this if I want to be able to use it later in a mapper. If the JsonWebToken were stored on the userSession note object, that would be possible. But that would require a feature request to have this exposed. Is there another way to make this possible?

Thanks,
Tom

From testoauth55 at gmail.com Fri Aug 17 03:40:05 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Fri, 17 Aug 2018 13:10:05 +0530
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To:
References:
Message-ID:

Pedro,

After further debugging I found out that the following line in keycloak json is causing the issue: "policy-enforcer": {}. If I remove this line, then the 403 error goes away, but I guess doing this disables authorization altogether. 2 questions on this:
1. When I have configured policies on the Admin console under the authorization tab, why is this empty?
2. Is there a way to put some default values (not manually) in here to make authorization work?

On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva wrote:

> Yeah, it should be relative. I was wondering if the correct URI would be '/keycloak/secure/role' instead.
>
> In any case, I would ask you to try the same deployment using tomcat or wildfly to see how it goes. We have a few quickstarts running on these two. Maybe you could also try to enable DEBUG log level to see how the policy enforcer is matching URIs to your resources.
>
> If none of them work, I can give it a try and run jetty.
>
> Regards.
> Pedro Igor
>
> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo wrote:
>
>> Pedro, thanks for replying. I tried putting the absolute URI, but it does not work either. The documentation anyway states that the URI in the resource can be relative to the client root URL, which I have configured to be http://localhost:7200/{app}/keycloak , therefore putting the relative URI '/secure/role' in the resource should be equivalent to putting the absolute URI 'http://localhost:7200/{app}/keycloak/secure/role'. Do you think there is something else I can try?
>>
>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva wrote:
>>
>>> Hi,
>>>
>>> Your configuration looks correct. But I noticed that in the postman request you are sending requests to `http://localhost:7200/{app}/keycloak/secure/role`. However, in your resource definition the URI is configured to `/secure/role`. Both URIs should match, otherwise the adapter won't be able to map the URI in your application to a resource in Keycloak (and related permissions).
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo wrote:
>>>
>>>> With all the configuration (shared below), when I test using the evaluate option under the authorization tab, the result is permit:
>>>>
>>>> *But when I make a request to this resource through postman, I get 403.*
>>>>
>>>> *Which part of the configuration is wrong and leading to the 403 error?*
>>>>
>>>> CONFIGURATION:
>>>>
>>>> *Detailed configuration with images shown here:*
>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>
>>>> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a realm role: *role_special_user* and created a user: *user_special* with this role and the role *user*.
>>>>
>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>> *3.* Under the authorization tab, I created a resource with the role based policy is.
>>>>
>>>> *4.* Now, keycloak json is:
>>>>
>>>>     {
>>>>       "realm": "demo12",
>>>>       "auth-server-url": "http://localhost:8180/auth",
>>>>       "ssl-required": "none",
>>>>       "resource": "server12",
>>>>       "credentials": {
>>>>         "secret": "XXXXXXX"
>>>>       },
>>>>       "confidential-port": 0,
>>>>       "policy-enforcer": {}
>>>>     }
>>>>
>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>
>>>>     // imports needed by the snippet below
>>>>     import java.io.InputStream;
>>>>     import com.fasterxml.jackson.annotation.JsonInclude;
>>>>     import com.fasterxml.jackson.databind.ObjectMapper;
>>>>     import org.eclipse.jetty.security.ConstraintMapping;
>>>>     import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>     import org.eclipse.jetty.util.security.Constraint;
>>>>     import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>     import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>     import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>
>>>>     // read keycloak.json from the classpath and parse it into an AdapterConfig
>>>>     final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>     InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>     ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>     mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>     AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>
>>>>     // create the Jetty authenticator and hand it the parsed adapter config
>>>>     KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>     kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>
>>>>     // require authentication for every path; "**" means any authenticated user
>>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>     constraintMapping.setPathSpec("/*");
>>>>     Constraint constraint = new Constraint();
>>>>     constraint.setAuthenticate(true);
>>>>     constraint.setRoles(new String[]{"**"});
>>>>     constraintMapping.setConstraint(constraint);
>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>     context.setSecurityHandler(securityHandler);
>>>>
>>>> *6.* Also, the decoded jwt token sample is:
>>>>
>>>>     {
>>>>       "jti": "XXXXXXX",
>>>>       "exp": 1533798704,
>>>>       "nbf": 0,
>>>>       "iat": 1533798404,
>>>>       "iss": "http://localhost:8180/auth/realms/demo12",
>>>>       "aud": "server12",
>>>>       "sub": "XXXXXXX",
>>>>       "typ": "Bearer",
>>>>       "azp": "server12",
>>>>       "auth_time": 1533798404,
>>>>       "session_state": "XXXXXX",
>>>>       "acr": "1",
>>>>       "allowed-origins": [],
>>>>       "realm_access": {
>>>>         "roles": [
>>>>           "role_special_user",
>>>>           "offline_access",
>>>>           "uma_authorization",
>>>>           "user"
>>>>         ]
>>>>       },
>>>>       "resource_access": {
>>>>         "server12": {
>>>>           "roles": [
>>>>             "uma_protection"
>>>>           ]
>>>>         },
>>>>         "account": {
>>>>           "roles": [
>>>>             "manage-account",
>>>>             "manage-account-links",
>>>>             "view-profile"
>>>>           ]
>>>>         }
>>>>       },
>>>>       "scope": "openid email profile",
>>>>       "email_verified": false,
>>>>       "preferred_username": "user_special"
>>>>     }
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pdomsk at gmail.com Fri Aug 17 05:32:48 2018
From: pdomsk at gmail.com (Dmitry Pichugin)
Date: Fri, 17 Aug 2018 12:32:48 +0300
Subject: [keycloak-user] UMA vs OAuth
In-Reply-To:
References:
Message-ID:

Have created - https://issues.jboss.org/browse/KEYCLOAK-8071

On Thu, 16 Aug 2018 at 15:46, Pedro Igor Silva wrote:
> This seems to be a bug. I also tried here and I could reproduce the issue (after removing default client scopes email and profile from the client). Would you mind creating a JIRA, please?
>
> Regards.
>
> On Wed, Aug 15, 2018 at 7:33 PM, Dmitry Pichugin wrote:
>
>> We do support. Could you elaborate more what you are trying to achieve ?
>>
>> Pedro, thank you for the answer! You are right.
>>
>> We tried to apply UMA to the simple OAuth scenario "Client Credential flow" and it was a mistake. We only need to get an access token which contains scopes. Yes, it works in KeyCloak.
>>
>> But we have another problem: when we tried to request an access token with scopes which do not exist or have not been assigned to the client, as a result we received the access token with an empty "scope" parameter.
>>
>> Request:
>>
>>     curl -X "POST" -d "client_id=testclient&client_secret=secret&grant_type=client_credentials&scope=unexisted_scope" http://keykcloak_server:8080/auth/realms/master/protocol/openid-connect/token
>>
>> Response:
>>
>>     {
>>       "access_token": "eyJhbG[...]1LQ",
>>       "token_type": "Bearer",
>>       "expires_in": 3600,
>>       *"scope": ""*
>>     }
>>
>> But, according to RFC 6749 The OAuth 2.0 Authorization Framework point, we must get the error "invalid_scope".
>>
>> 4.1.4. Access Token Response
>>
>> If the access token request is valid and authorized, the authorization server issues an access token and optional refresh token as described in Section 5.1. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2.
>>
>> and point
>>
>> 5.2. Error Response
>>
>> *.....*
>>
>> invalid_scope
>> The requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
>>
>> We tried to find something in the client settings for fixing the problem, but found nothing. Could you reply: is it a KeyCloak error, or can't we find some special "setting" in the interface?
>>
>> Best regards. Dmitry Pichugin.
>>
>> On Wed, 15 Aug 2018 at 14:31, Pedro Igor Silva wrote:
>>
>>> On Wed, Aug 15, 2018 at 7:35 AM, Dmitry Pichugin wrote:
>>>
>>>> Good day!
>>>>
>>>> We are using Keycloak in our project, have installed version 4.2.1.
>>>>
>>>> Our task:
>>>>
>>>> - integration with API gateway and use KeyCloak for resources protect.
>>>>
>>>> We would like to use "Client Credentials Flow" from the OAuth specs. But during version 4, KeyCloak does not support OAuth and is recommended to apply UMA 2.0.
>>>
>>> I'm not sure what you mean here. Where did you find this recommendation ?
>>>
>>>> Yes, the differences between UMA and OAuth are not huge, as a request and response (JWT token) formats; UMA has specific logic with RPT-token etc and UMA gives some advantages (we do not have the plan to use it).
>>>
>>> UMA is a standard mainly targeted for privacy (although there are other benefits in using it even if not for privacy); if you don't need users managing their own resources, sharing, etc, yeah, you probably don't need it. However, keep in mind that UMA support is one of the capabilities we support in Keycloak Authorization Services; you can still use Keycloak to enforce access to your protected resources using permissions managed/granted by the server.
>>>
>>>> We tried to make a request in OAuth specs but got the error.
>>>>
>>>> Why does KeyCloak not support OAuth and UMA 2.0 at the same time? Do you have some specific reasons for this?
>>>
>>> We do support. Could you elaborate more what you are trying to achieve ?
>>>
>>>> Thank you!
>>>>
>>>> Best regards. Dmitry Pichugin.
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jambo_mcd at yahoo.co.uk Fri Aug 17 06:32:41 2018
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Fri, 17 Aug 2018 10:32:41 +0000 (UTC)
Subject: [keycloak-user] Multiple password policies
In-Reply-To: <504557615.12069269.1534429942790@mail.yahoo.com>
References: <1356792787.9540666.1534168050614.ref@mail.yahoo.com> <1356792787.9540666.1534168050614@mail.yahoo.com> <504557615.12069269.1534429942790@mail.yahoo.com>
Message-ID: <1843434580.12659228.1534501961679@mail.yahoo.com>

Hi,

Further to my email below, can you have a password policy assigned to a realm role?

Regards,
Jamie

On Thursday, 16 August 2018, 15:32:22 BST, Jamie McDowell wrote:

Hi,

Can you have multiple password policies on the same realm where you are using an LDAP instance (Federated)?

We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OUs, 1 for users and the other for service accounts. Both of these need to have different password policies, such as length and complexity. We have the password policy defined on the OpenLDAP. Can Keycloak have multiple policies?

Has anyone configured this before or can suggest alternatives?

Regards,
Jamie

From psilva at redhat.com Fri Aug 17 07:41:12 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 17 Aug 2018 08:41:12 -0300
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To:
References:
Message-ID:

On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo wrote:
> Pedro,
>
> After further debugging I found out that the following line in keycloak json is causing the issue: "policy-enforcer": {}. If I remove this line, then the 403 error goes away, but I guess doing this disables authorization altogether. 2 questions on this:
> 1. When I have configured policies on the Admin console under the authorization tab, why is this empty?

I'm not sure. When you enable authorization services for a client, default resource/permissions are created, where these permissions grant access to any resource in your application (uri == /*).

> 2. Is there a way to put some default values (not manually) in here to make authorization work?

Like I said, when you just enable the authorization services switch, default settings are created automatically. Did you try to run any of our quickstarts ?

> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva wrote:
>
>> Yeah, it should be relative. I was wondering if the correct URI would be '/keycloak/secure/role' instead.

From ssilvert at redhat.com Fri Aug 17 08:25:53 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 17 Aug 2018 08:25:53 -0400
Subject: [keycloak-user] How to logout
In-Reply-To: <1511503812.20960187.1534423273828.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <593cf6b9-a24c-46c1-bbd6-95d3721e972c@redhat.com> <1309100967.20445585.1534341037703.JavaMail.zimbra@jlab.org> <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org> <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org> <63ba64de-9049-155b-f3fb-6e85bda85a73@redhat.com> <1511503812.20960187.1534423273828.JavaMail.zimbra@jlab.org>
Message-ID: <75e63dcb-b9bf-8425-db1c-10b96fb8c803@redhat.com>

On 8/16/2018 8:41 AM, Ryan Slominski wrote:
> I've enabled backchannel logout in the brokered identity providers, and I've confirmed it keeps all of the brokered identity providers in sync. For example, if I log into my broker 3 IdP and log out of my realm, then I'm also logged out of broker IdP 3. So, backchannel logout seems to work with the link between the realm and brokered identity providers. However, unless I'm not understanding backchannel logout, it doesn't affect clients who manage their own session state, such as the Wildfly client adapter, which creates an independent JSESSIONID cookie to store session state.
> So right now logging out of application A does destroy the Keycloak token, but if a login with application B was already established then it remains locally logged in even after application A is logged out. Is that not how it is supposed to work? If not, how do I configure a Wildfly client to honor another application's logout?

I would have to study the code a bit to know the specifics. I'm guessing that backchannel logout doesn't invalidate the local session as you suggest. That might be a little too intrusive, though the app developer could handle it with an HttpSessionListener.

But it seems to me that you should be able to just use isUserInRole() with each request and then act accordingly. If you log out of application A then isUserInRole() on application B should always return false.

>
> ----- Original Message -----
> From: "Stan Silvert"
> To: "Ryan Slominski"
> Cc: "keycloak-user"
> Sent: Thursday, August 16, 2018 7:44:01 AM
> Subject: Re: [keycloak-user] How to logout
>
> On 8/15/2018 4:34 PM, Ryan Slominski wrote:
>> Two issues:
>>
>> (1) The Wildfly client adapter doesn't detect when a user is logged into Keycloak on pages in which the HttpServletRequest.isUserInRole() method is used to programmatically determine who sees what, until after hitting a declaratively protected (web.xml) page first. The Wildfly client adapter assumes all pages which use isUserInRole are declaratively protected, but that is not always true (and essentially never true in my case). This means when jumping from one application to another you lose your SSO.
> If you are correct about isUserInRole() then the WildFly adapter needs to be fixed.
>
> What should happen is that when you log out of application A then the Keycloak server sends a backchannel logout to application B. At that point, a call to isUserInRole() from application B should return false.
>
> Do you have backchannel logout working?
> >> (2) Trying to switch users in an environment where it is unknown whether you are logged in or not results in surprise logins as the previous account when you really want to enter new credentials >> >> Essentially all my application pages show something no matter if you are logged in or not, but if you are logged in you see extra stuff like edit buttons. When working in a group around a computer and someone asks to switch users (login as admin or move over and let me show you scenarios) confusion ensues as the application might show the user as not logged in, but then attempting to login detects existing token and skips login form. Now user must logout and try again. >> >> >> ----- Original Message ----- >> From: "Stan Silvert" >> To: "Ryan Slominski" >> Cc: "keycloak-user" >> Sent: Wednesday, August 15, 2018 4:04:03 PM >> Subject: Re: [keycloak-user] How to logout >> >> On 8/15/2018 3:27 PM, Ryan Slominski wrote: >>> Hi Stan, >>> If you have multiple applications you can get out-of-sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security: >> I don't understand why this matters. If you are not going to a >> protected page in application B then why do you care if you are logged >> into Keycloak? >> >> I guess I'm not understanding your use case.
>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__javaee.github.io_tutorial_security-2Dwebtier003.html&d=DwIFaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=c_G5XCh4KyQNw7rawL_GHLQZ9GEm05ARlz-C-jeVx3o&s=bXb-7yw6Njk4DirMWLlxJAxGwUFKULf9HM-3_Imo35g&e= >>> >>> And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if a SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly. The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea. It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to keycloak server itself? >>> >>> Ryan >>> >>> >>> >>> ----- Original Message ----- >>> From: "Stan Silvert" >>> To: "Ryan Slominski" >>> Cc: "keycloak-user" >>> Sent: Wednesday, August 15, 2018 3:02:18 PM >>> Subject: Re: [keycloak-user] How to logout >>> >>> Why is your client out of sync with the keycloak server? If you are >>> building a servlet-based application (JSF, JSP, Struts, etc.), then why >>> not use the WildFly adapter in the JEE way as described in the Keycloak >>> documentation?
The WildFly Keycloak adapter takes care of all the hard >>> stuff for you. >>> >>> On 8/15/2018 9:50 AM, Ryan Slominski wrote: >>>> Hi Stan, >>>> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true? >>>> >>>> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server: >>>> >>>> {"error":"invalid_request","error_description":"No refresh token"} >>>> >>>> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client). >>>> >>>> Thanks, >>>> >>>> Ryan >>>> >>>> ----- Original Message ----- >>>> From: "Stan Silvert" >>>> To: "keycloak-user" >>>> Sent: Monday, August 13, 2018 7:15:15 PM >>>> Subject: Re: [keycloak-user] How to logout >>>> >>>> HttpServletRequest.logout() should not be a no-op. It was implemented a >>>> long time ago: >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_browse_KEYCLOAK-2D478&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rRzSMqrH9tw1NhwWdoX-ODe_7DvyE-Cr-9bHZoQKxX4&s=S5OUPSD_8iiVarBP9JPCB6Uhz5n56mXIMUwl5oCahwE&e= >>>> >>>> If there is an issue with it you should report it in JIRA. >>>> >>>> Stan >>>> >>>> On 8/13/2018 4:19 PM, Ryan Slominski wrote: >>>>> Hi Keycloak Users, >>>>> >>>>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in servlet container are two separate things that can get out-of-sync.
The documentation says you can logout in one of two ways: >>>>> >>>>> 1. Call HttpServletRequest.logout() >>>>> 2. Navigate to URL https://urldefense.proofpoint.com/v2/url?u=http-3A__auth-2Dserver_auth_realms_&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rRzSMqrH9tw1NhwWdoX-ODe_7DvyE-Cr-9bHZoQKxX4&s=_59Wic6w6LhkACOwcCwlGFp0s-px_5ETP9toZFHnPrc&e= {realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri >>>>> >>>>> See: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_docs_latest_securing-5Fapps_index.html-23logout&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rRzSMqrH9tw1NhwWdoX-ODe_7DvyE-Cr-9bHZoQKxX4&s=eo8LPXrVvTI2IYhZ6JScwrbjMxBD8R_SuATg2KkMD10&e= >>>>> >>>>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips? >>>>> >>>>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>>>> >>>>> Thanks, >>>>> >>>>> Ryan >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rRzSMqrH9tw1NhwWdoX-ODe_7DvyE-Cr-9bHZoQKxX4&s=FbEV2k4Er-KnjVX6ZK9kCS8XTIqDuF6Oc7LdvEa8TlQ&e= >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwIGaQ&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rRzSMqrH9tw1NhwWdoX-ODe_7DvyE-Cr-9bHZoQKxX4&s=FbEV2k4Er-KnjVX6ZK9kCS8XTIqDuF6Oc7LdvEa8TlQ&e=

From alistair.doswald at elca.ch Fri Aug 17 08:33:07 2018 From: alistair.doswald at elca.ch (Doswald Alistair) Date: Fri, 17 Aug 2018 12:33:07 +0000 Subject: [keycloak-user] Keycloak Modules developed for the Cloudtrust project In-Reply-To: References: <3a4dd47c3a254568bfa381a1de804fc6@elca.ch> <48987109-e18c-2908-118f-98a4213ed9e9@redhat.com> Message-ID: <6ec4a52360ac46d0a8b7890a2b4bdbb3@elca.ch> I've done the PR for the extension page (keycloak-authorization and keycloak-export), and it's been accepted. For the client-mapper I'll see what's necessary to be done to have it merged directly into Keycloak. For the mechanism of keycloak-authorization, I for one would like having this functionality supported OOTB, whether through our (admittedly not very sophisticated) system, or another. I received a message from Stian Thorgersen on the dev mailing list (here: http://lists.jboss.org/pipermail/keycloak-dev/2018-August/011116.html ) asking more details about the module, so I'll at least be discussing the matter with him.
Cheers, Alistair From: Pedro Igor Silva Sent: Friday, 10 August 2018 18:52 To: Marek Posolda Cc: Doswald Alistair ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak Modules developed for the Cloudtrust project Cool stuff ! Thanks for sharing. I've looked at keycloak-authorization very quickly and the changes look really simple, I'm glad to start a discussion about supporting this OOTB. Maybe this can be part of the review of admin fine-grained permissions we are planning. Regards. Pedro Igor On Fri, Aug 10, 2018 at 9:43 AM, Marek Posolda > wrote: Thanks for the heads up! IMO it will be cool if you send a PR for the javascript mapper directly to Keycloak, however we may need an automated test and also docs (a separate PR needs to be sent for the docs). For the keycloak-authorization and keycloak-export (and maybe for keycloak-client-mappers too if you don't have time for the PR to upstream), it may be good to send a PR to update the extensions page maybe? It's here: https://www.keycloak.org/extensions.html and sources are here: https://github.com/keycloak/keycloak-web/tree/master/src/main/resources/extensions . Assuming that those things are generally useful for the other users from the community (I am not 100% sure about the keycloak-authorization. Rather leaving to you to decide if it's generally useful or not). The keycloak-wsfed is already on the extensions page. Thanks! Marek On 10/08/18 11:44, Doswald Alistair wrote: > Hello, > > I just wanted to let this mailing list know that for the Cloudtrust project (https://github.com/cloudtrust), we have developed a certain number of modules for Keycloak. These are currently compatible with the version 3.4.3.Final of Keycloak, but we will make them compatible with Keycloak 4.X (where X will be the latest sub-version of Keycloak when we start working on this) as soon as we can.
These modules are: > > * keycloak-wsfed (https://github.com/cloudtrust/keycloak-wsfed): an implementation of the WS-Federation protocol for keycloak. This allows selecting the WS-Federation protocol for Keycloak clients and for identity brokers. > > * keycloak-authorization (https://github.com/cloudtrust/keycloak-authorization): this module allows the use of the client authorization system to prevent a user who is authenticated in a Keycloak realm from accessing a given client. It works no matter which protocol is used, and without the client having to support any extra protocol. Note: this solution is a bit hacky, but necessary for one of our use-cases. > > * keycloak-client-mappers (https://github.com/cloudtrust/keycloak-client-mappers): a module for adding any mappers that we might need that are not yet part of Keycloak. Currently only contains a JavaScript mapper for SAML, analogous to the OIDC script mapper. I've noticed that there's an open issue for this feature (https://issues.jboss.org/browse/KEYCLOAK-5520). If desirable I could submit this code not as a module but as a solution to the issue. > > * keycloak-export (https://github.com/cloudtrust/keycloak-export): a module adding an endpoint to fully export a realm while Keycloak is still running (no need for restarts!). > > Cheers, > > Alistair > > PS: I'm mailing this to both the dev and user mailing lists as I believe it may interest members of both mailing lists > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From wgao at utsc.utoronto.ca Fri Aug 17 08:55:44 2018 From: wgao at utsc.utoronto.ca (Weijun Gao) Date: Fri, 17 Aug 2018 08:55:44 -0400 Subject: [keycloak-user] SSO for two groups of web applications?
In-Reply-To: <1534459636.7811.11.camel@acutus.pro> References: <9eab6388-98d0-1fe5-c96a-1b753b83dfbb@utsc.utoronto.ca> <1534459636.7811.11.camel@acutus.pro> Message-ID: <91ed102f-8c10-f2ef-f285-b5ccec56a98d@utsc.utoronto.ca> Thank you Dmitry and Graham! Using separate SSO realms is good enough for my need. I'll check more about your posts and setting up replication, Dmitry. Regards, Weijun On 8/16/2018 6:47 PM, Dmitry Telegin wrote: > Hi Weijun, > > And what if the user first signs in to a 1st group app, and then to a 2nd group one? Should the user be able to access both groups now? > > If so: seems like you want two separate SSO realms for your application groups, but with the shared user data? > > Let's rephrase it; imagine that in your Keycloak: > - there are two different realms, realmA and realmB; > - apps from the 1st group are configured as clients of realmA; > - the same for the 2nd group and realmB; > - users in both realms are the same; > would that solve your problem? > > So it seems like you need some kind of proxy/slave/shadow realm, that > would have its own client definitions, but will proxy to another realm > for user data. I think this is not available OOTB, but could be > implemented as a Keycloak extension using Realm SPI, however > implementation can be really tricky. > > Another way to go is to set up ad-hoc partial replication between the realms. This is not available OOTB either, however implementation should be much simpler (at the price of data duplication, of course). > > Good news is that you're not alone with this; see Tuesday's posting from Gregor Tudan, the problem statement is almost the same (modulo the kind of data to be replicated, users vs. clients). I'll reply to that post a bit later, so stay tuned. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o.
> Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Thu, 2018-08-16 at 15:20 -0400, Weijun Gao wrote: >> Hi, >> >> Is it possible to authenticate users using *one* Keycloak server for >> *two* groups of web applications? For example, if a user signs in to a web >> app in the 1st group, the user can access all the apps in the 1st group >> but none in the 2nd group, and vice versa. If it's possible, how? Or any >> documentation? >> >> Thanks and regards, >> >> Weijun >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user

From suleyman.yildirim at accenture.com Fri Aug 17 09:57:43 2018 From: suleyman.yildirim at accenture.com (Yildirim, Suleyman) Date: Fri, 17 Aug 2018 13:57:43 +0000 Subject: [keycloak-user] [External] Re: IDP SAML Processing Error In-Reply-To: <1534463321.7811.15.camel@acutus.pro> References: <1534463321.7811.15.camel@acutus.pro> Message-ID: Thanks a lot Dmitry, It works! When I use my application link, I can successfully get the SAML response from MS ADFS and am redirected back to the application. The use case is as below. However, my client wanted to test directly on their MS ADFS using their url (https://client_adfs_link/adfs/ls/idpinitiatedsignon.aspx). I think it is IDP initiated SSO. He entered his credentials on the login page of MS ADFS and clicked sign in. I am redirected to the Keycloak IDP https://myapplication/auth/realms/springboot-quickstart/broker/myIDPAlias/endpoint and get the Internal Server Error again but with a different error (attached file). I wonder if I need to change any Keycloak settings to enable that. Use case: 1. The user visits the http://myapplication:8443 application. 2. https-client(open_id) finds the user is not authenticated and generates an XML authentication request document.
It is redirected to the Keycloak Identity Provider, whose Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/ 3. The ADFS server extracts the XML auth request document and verifies the signature. Then, the user is redirected to the SAML client in the Keycloak server. 4. The user enters the credentials to be authenticated. 5. After authentication, the Identity Provider generates an XML authentication response document, which contains a SAML assertion that holds metadata about the user like name and email. The user is redirected to the http://myapplication:8443 application. Regards, Suleyman -----Original Message----- From: Dmitry Telegin
Sent: 17 August 2018 00:49 To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org Subject: [External] Re: [keycloak-user] IDP SAML Processing Error Hi Suleyman, You're right, the contents of the Validating X509 Certificates box is invalid, your stacktrace tells that unambiguously. The field is pre-populated once you import FederationMetadata.xml, and you shouldn't change it afterwards. To avoid recreating the whole IdP, open your FederationMetadata.xml, find the element and copy its value to the box verbatim. Good luck! Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote: > Hi, > > I have an "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when I get the response from the MS ADFS server. The root cause of the error is Caused by: java.io.IOException: Short read of DER length. So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,) ". I have to use the Public key and the certificates of the realm separated by comma but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (Attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error. Any idea of how I can proceed? > > Details > > When I use the dummy IDP of the Keycloak server, I use https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_auth_realms_springboot-2Dquickstart_protocol_saml&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNnCezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=x6wk6gvgqtVRyOfMPb1wegC1CZGmu21auzX3iFU-85g&e= as SSO url, "email" as "NameID Policy Format" (Attached file: dummyIDPSettings.png).
As for the real ADFS integration, I set up everything according to that blog https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_2017_03_how-2Dto-2Dsetup-2Dms-2Dad-2Dfs-2D30-2Das-2Dbrokered.html&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNnCezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=X9S93qI_kOVUhIWAq4qzd6DkJBfFb5lVIIiFzin9ixg&e= and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places. > > Regards, > Suleyman > > > ________________________________ > > This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
> ______________________________________________________________________ > ________________ > > www.accenture.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m > ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8n > OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNn > CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69Wocm > nmEIzqruzVr9Gg&e= -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: idpinitiatedsso.txt Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180817/ba4c066f/attachment-0001.txt

From dt at acutus.pro Fri Aug 17 10:24:14 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Fri, 17 Aug 2018 17:24:14 +0300 Subject: [keycloak-user] [External] Re: IDP SAML Processing Error In-Reply-To: References: <1534463321.7811.15.camel@acutus.pro> Message-ID: <1534515854.3620.2.camel@acutus.pro> Hi Suleyman, you're welcome :) Glad your SP-initiated SSO finally worked. As for IdP-initiated SSO, this is also a well-known situation. In a few words, it will work out of the box *only* if your Keycloak client (target application) is also using SAML. You mentioned some "https-client(open_id)", does that mean that the application is secured by the Keycloak OpenID Connect adapter? (Don't despair, there is a workaround nevertheless.) Dmitry On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote: > Thanks a lot Dmitry, > > It works! When I use my application link, I can successfully get the SAML response from MS ADFS and am redirected back to the application. The use case is as below. > > > However, my client wanted to test directly on their MS ADFS using their url (https://client_adfs_link/adfs/ls/idpinitiatedsignon.aspx). I think it is IDP initiated SSO. He entered his credentials on the login page of MS ADFS and clicked sign in.
I am redirected to the Keycloak IDP https://myapplication/auth/realms/springboot-quickstart/broker/myIDPAlias/endpoint and get the Internal Server Error again* but with a different error (attached file). I wonder if I need to change any Keycloak settings to enable that. > > Use case: > > > 1. The user visits the http://myapplication:8443 application. > > 2. https-client(open_id) finds the user is not authenticated and generates an XML authentication request document. It is redirected to the Keycloak Identity Provider, whose Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/ > > 3. The ADFS server extracts the XML auth request document and verifies the signature. Then, the user is redirected to the SAML client in the Keycloak server. > > 4. The user enters the credentials to be authenticated. > > > 5. After authentication, the Identity Provider generates an XML authentication response document, which contains a SAML assertion that holds metadata about the user like name and email. The user is redirected to the http://myapplication:8443 application. > > Regards, > Suleyman > > -----Original Message----- > > From: Dmitry Telegin
> Sent: 17 August 2018 00:49 > > To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org > Subject: [External] Re: [keycloak-user] IDP SAML Processing Error > > Hi Suleyman, > > You're right, the contents of the Validating X509 Certificates box is invalid, your stacktrace tells that unambiguously. The field is pre-populated once you import FederationMetadata.xml, and you shouldn't change it afterwards. > > To avoid recreating the whole IdP, open your FederationMetadata.xml, find the element and copy its value to the box verbatim. > > Good luck! > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote: > > Hi, > > > > I have an "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when I get the response from the MS ADFS server. The root cause of the error is Caused by: java.io.IOException: Short read of DER length. So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,) ". I have to use the Public key and the certificates of the realm separated by comma but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (Attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error. Any idea of how I can proceed?
> > > > Details > > > > When I use the dummy IDP of the Keycloak server, I use https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplicationurl_auth_realms_springboot-2Dquickstart_protocol_saml&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNnCezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=x6wk6gvgqtVRyOfMPb1wegC1CZGmu21auzX3iFU-85g&e= as SSO url, "email" as "NameID Policy Format" (Attached file: dummyIDPSettings.png). As for the real ADFS integration, I set up everything according to that blog https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.keycloak.org_2017_03_how-2Dto-2Dsetup-2Dms-2Dad-2Dfs-2D30-2Das-2Dbrokered.html&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNnCezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=X9S93qI_kOVUhIWAq4qzd6DkJBfFb5lVIIiFzin9ixg&e= and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places. > > > > Regards, > > Suleyman > > > > > > ________________________________ > > > > This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
> > ______________________________________________________________________ > > ________________ > > > > www.accenture.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m > > ailman_listinfo_keycloak-2Duser&d=DwIDaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8n > > OHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=-8fNn > > CezquRNyr7Io0tF57v6RXFvwaZ-DKyKnOYEQyo&s=WX8gpk0AMQYxSW_IQGR_SxG69Wocm > > nmEIzqruzVr9Gg&e=

From vandana0242 at gmail.com Fri Aug 17 10:31:19 2018 From: vandana0242 at gmail.com (vandana thota) Date: Fri, 17 Aug 2018 09:31:19 -0500 Subject: [keycloak-user] keycloak 4.2.1 saml adapter Message-ID: Hello We have built a wildfly 11.0.0 RPM. Scenario 1 : Is it a good way to have the keycloak-saml-adapter 4.2.1 related stuff in the wildfly rpm, or Scenario 2 : is it good to have the wildfly 11.0.0 rpm separate and the keycloak-saml-adapter 4.2.1 rpm separate? Please send the details with pros and cons for both scenarios

From graham.burgess at razer.com Fri Aug 17 10:31:47 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Fri, 17 Aug 2018 14:31:47 +0000 Subject: [keycloak-user] Problem Integration with OAuth2 provider In-Reply-To: <6B87FE87-AC99-4710-9340-CCC35FE602DD@doksafe.de> References: <6B87FE87-AC99-4710-9340-CCC35FE602DD@doksafe.de> Message-ID: Christian, Thanks for the response, I suspect something along those lines but I can thus far prove it. Do you by chance know how they saw the /token call from Keycloak? Or how to find out what the response from the IdP to Keycloak is? This is the hole in my knowledge that is stopping me from figuring it out.
Best regards, Graham Burgess -----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Christian Neudert Sent: Thursday, August 16, 2018 3:07 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Problem Integration with OAuth2 provider Hello Graham, Maybe a little help: I remember a similar case in which the client-secret was wrong and the response that Keycloak got was empty. Keycloak then didn't handle it as an error, just went on and found no token. Best regards, Christian Neudert On 15.08.18, 00:55, "keycloak-user-bounces at lists.jboss.org on behalf of Graham Burgess" wrote: I am trying to use Keycloak to broker our internally managed OAuth2 provider. I am unable to get it to complete the "First Broker Login" workflow. The logs show "No token from server" as an error but I have thus far been able to get my Google-fu to help me figure out what the issue might be. I even went as far as looking at the code based on the stack trace and that would suggest that it is looking for an id_token, but my understanding for response_type=code as chosen by Keycloak, id_token isn't returned. I suspect I am doing something wrong but I don't know what and I am at a point that I don't know where to look to figure it out. I have looked at the different requests as they go through the workflow and can see all the redirects, etc. but it hasn't shown anything that has helped me either. Anyone have any suggestions on how to proceed with troubleshooting this issue? Best regards, Graham Burgess RΛZΞR|stormmore Sr. DevOps Engineer (USA) Email: graham.burgess at razer.com DID: (415) 374 0639 Razer.com | Razer Game Store | Razer Insider | Razer zVault Razer Inc.
(San Francisco) 201 3rd Street, Suite 900 San Francisco CA 94103, USA Tel: +1 (415) 266 5300 Razer Inc. Stock Code: 1337.HK IMPORTANT NOTICE: This e-mail may be confidential, legally privileged or otherwise protected from disclosure. If you are not an intended recipient, do not copy, distribute or use its contents. Do inform the sender that you have received the message in error and delete it from your system. E-mails are not secure and may suffer errors, computer viruses, delay, interception and amendment. Razer accepts neither risk nor liability for any damage or loss caused by this e-mail. To the extent permitted by applicable law, Razer reserves the right to retain, monitor and intercept e-mails to and from its systems. ________________________________ Law firm software for modern lawyers. Try it for free at www.actaport.de ________________________________ dokSAFE GmbH Goethestraße 1 04109 Leipzig www.doksafe.de ________________________________ Registered office: Goethestraße 1, 04109 Leipzig, Leipzig District Court HRB 32536, Managing Directors Steffen Scholz, Dr. Michael Schäfer ________________________________ This e-mail may contain trade secrets or other confidential information. If you have received this e-mail in error, you are expressly prohibited from reading, copying or forwarding it. Please notify us and destroy the e-mail you received. Thank you. ________________________________ This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From suleyman.yildirim at accenture.com Fri Aug 17 10:44:37 2018
From: suleyman.yildirim at accenture.com (Yildirim, Suleyman)
Date: Fri, 17 Aug 2018 14:44:37 +0000
Subject: [keycloak-user] [External] Re: IDP SAML Processing Error
In-Reply-To: <1534515854.3620.2.camel@acutus.pro>
References: <1534463321.7811.15.camel@acutus.pro> <1534515854.3620.2.camel@acutus.pro>
Message-ID:

Hi Dmitry,

I have been struggling with that for many days. I have two clients and an IDP broker in Keycloak.

https-client: Yes, this is the client that secures the application. Redirect URLs point to our application (http://myapplication:8443). It is "resource" : "https-client" in Keycloak.json in AngularJS.
saml client: sends SAML request via IDP broker
IDP broker: deals with MS ADFS requests/responses

Regards,
Suleyman

-----Original Message-----
From: Dmitry Telegin
Sent: 17 August 2018 15:24
To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error

Hi Suleyman, you're welcome :)

Glad your SP-initiated SSO finally worked.

As for IdP-initiated SSO, this is also a well-known situation. In a few words, it will work out of the box *only* if your Keycloak client (target application) is also using SAML.

You mentioned some "https-client(open_id)"; does that mean that the application is secured by the Keycloak OpenID Connect adapter? (Don't despair, there is a workaround nevertheless.)

Dmitry

On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> Thanks a lot Dmitry,
>
> It works! When I use my application link, I can successfully get the SAML response from MS ADFS and am redirected back to the application. The use case is as below.
>
> However, my client wanted to test directly on their MS ADFS using their URL (https://client_adfs_link/adfs/ls/idpinitiatedsignon.aspx). I think it is IDP-initiated SSO. He entered his credentials on the login page of MS ADFS and clicked sign in. I am redirected to the Keycloak IDP https://myapplication/auth/realms/springboot-quickstart/broker/myIDPAlias/endpoint and get the Internal Server Error again*, but with a different error (attached file). I wonder if I need to change any Keycloak settings to enable that.
>
> Use case:
>
> 1.
> The user visits the http://myapplication:8443 application.
>
> 2. https-client(open_id) finds the user is not authenticated and generates an XML authentication request document. It is redirected to the Keycloak Identity Provider, whose Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/
>
> 3. The ADFS server extracts the XML auth request document and verifies the signature. Then the user is redirected to the SAML client in the Keycloak server.
>
> 4. The user enters the credentials to be authenticated.
>
> 5. After authentication, the Identity Provider generates an XML authentication response document, which contains a SAML assertion that holds metadata about the user like name and email. The user is redirected to the http://myapplication:8443 application.
>
> Regards,
> Suleyman
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: 17 August 2018 00:49
> To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org
> Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
>
> Hi Suleyman,
>
> You're right, the contents of the Validating X509 Certificates box are invalid; your stacktrace tells that unambiguously. The field is pre-populated once you import FederationMetadata.xml, and you shouldn't change it afterwards.
>
> To avoid recreating the whole IdP, open your FederationMetadata.xml, find the element and copy its value to the box verbatim.
>
> Good luck!
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > Hi,
> >
> > I get an "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when I get the response from the MS ADFS server. The root cause of the error is "Caused by: java.io.IOException: Short read of DER length". So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,)". I have to use the public key and the certificates of the realm separated by comma, but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error. Any idea of how I can proceed?
> >
> > Details
> >
> > When I use the dummy IDP of the Keycloak server, I use https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as the SSO URL and "email" as "NameID Policy Format" (attached file: dummyIDPSettings.png). As for the real ADFS integration, I set up everything according to this blog, http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html, and use the client's SSO URL (attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places.
> >
> > Regards,
> > Suleyman
> >
> > ________________________________
> >
> > This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
> > ________________________________
> >
> > www.accenture.com
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Aug 17 11:40:33 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 17 Aug 2018 18:40:33 +0300
Subject: [keycloak-user] [External] Re: IDP SAML Processing Error
In-Reply-To:
References: <1534463321.7811.15.camel@acutus.pro> <1534515854.3620.2.camel@acutus.pro>
Message-ID: <1534520433.3620.6.camel@acutus.pro>

Suleyman, thanks for the clarifications.

So in your Keycloak you've got two clients, one OIDC and one SAML, and a SAML IdP (ADFS). Do you want IdP-initiated SSO from ADFS to both clients, or only to the OIDC one (https-client)?

Dmitry

On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> I have been struggling with that for many days. I have two clients and an IDP broker in Keycloak.
>
> https-client: Yes, this is the client that secures the application. Redirect URLs point to our application (http://myapplication:8443). It is "resource" : "https-client" in Keycloak.json in AngularJS.
> saml client: sends SAML request via IDP broker
> IDP broker: deals with MS ADFS requests/responses
>
> Regards,
> Suleyman
>
> -----Original Message-----
> From: Dmitry Telegin
> > > ________________________________
> > >
> > > www.accenture.com
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From suleyman.yildirim at accenture.com Fri Aug 17 12:14:15 2018
From: suleyman.yildirim at accenture.com (Yildirim, Suleyman)
Date: Fri, 17 Aug 2018 16:14:15 +0000
Subject: [keycloak-user] [External] Re: IDP SAML Processing Error
In-Reply-To: <1534520433.3620.6.camel@acutus.pro>
References: <1534463321.7811.15.camel@acutus.pro> <1534515854.3620.2.camel@acutus.pro> <1534520433.3620.6.camel@acutus.pro>
Message-ID:

Hi Dmitry,

Thanks for asking for details. It is only the OIDC one (https-client). When we hit https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC (https-client) though.

MS ADFS --> Which Keycloak entities (clients, IDP broker) are involved here(?) --> OIDC (https-client)

Regards,
Suleyman

-----Original Message-----
From: Dmitry Telegin
Sent: 17 August 2018 16:41
To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error

Suleyman, thanks for the clarifications.

So in your Keycloak you've got two clients, one OIDC and one SAML, and a SAML IdP (ADFS). Do you want IdP-initiated SSO from ADFS to both clients, or only to the OIDC one (https-client)?

Dmitry

On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> I have been struggling with that for many days. I have two clients and an IDP broker in Keycloak.
>
> https-client: Yes, this is the client that secures the application. Redirect URLs point to our application (http://myapplication:8443). It is "resource" : "https-client" in Keycloak.json in AngularJS.
> saml client: sends SAML request via IDP broker
> IDP broker: deals with MS ADFS requests/responses
>
> Regards,
> Suleyman
>
> -----Original Message-----
> From: Dmitry Telegin
> > > ________________________________
> > >
> > > www.accenture.com
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Fri Aug 17 17:50:16 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Sat, 18 Aug 2018 00:50:16 +0300
Subject: [keycloak-user] [External] Re: IDP SAML Processing Error
In-Reply-To:
References: <1534463321.7811.15.camel@acutus.pro> <1534515854.3620.2.camel@acutus.pro> <1534520433.3620.6.camel@acutus.pro>
Message-ID: <1534542616.31808.1.camel@acutus.pro>

On Fri, 2018-08-17 at 16:14 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> Thanks for asking for details. It is only the OIDC one (https-client). When we hit https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC (https-client) though.
>
> MS ADFS --> Which Keycloak entities (clients, IDP broker) are involved here(?) --> OIDC (https-client)

You've depicted it correctly. The problem is, it currently works only if both legs are SAML:

IdP (SAML) ---> Keycloak (broker) ---> SAML Client
IdP (SAML) ---> Keycloak (broker) -x-> OIDC Client

This is partially because in the OpenID Connect spec there is no equivalent for "IdP initiated login". However, you can use the following trick to emulate it:

1) the user signs into AD FS;
2) the user clicks the special link pointing to your Keycloak that signs him/her into your OIDC application transparently.
Is that doable, WDYT? I mean, to make the user click an auxiliary link after ADFS login?

In fact, it's not the first time I hear about this particular requirement (IdP-initiated login from a SAML IdP through Keycloak to an OIDC client). Maybe it's the right time to suggest a feature idea to the devs. Stay tuned, I'll post it to keycloak-dev soon.

Cheers,
Dmitry

> Regards,
> Suleyman
>
> -----Original Message-----
> From: Dmitry Telegin
? > Sent: 17 August 2018 16:41 > > To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org > Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error > > Suleyman, thanks for the clarifications, > > So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP (ADFS). > Do you want IdP-initiated SSO from ADFS to both clients? or is it only OIDC one (https-client)? > > Dmitry > > On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote: > > Hi Dmitry, > > > > I have been struggling for many days for that? I have two clients and? > > a IDP broker in Keycloak. > > > > > https-client: Yes, this is the client that secured the application.? > > > Redirect urls point to our application (https://urldefense.proofpoint.com/v2/url?u=http-3A__myapplication-3A8443&d=DwIFaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=IulH-801VXeZdCzc7_zYbgRmhY0S-VuHFBs6Zfr5rCc&s=loKf3waEqd-htgMfrzRVAoZdvYWWfL7LAQ_ALaAmfZo&e= application).It is "resource" : "https-client" in Keycloak.json in AngularJS. > > > > saml client: sends SAML request via IDP broker IDP broker: deals with? > > MS ADFS requests/responses > > > > Regards, > > Suleyman > > > > -----Original Message----- > > > From: Dmitry Telegin
> > > > Sent: 17 August 2018 15:24 > > > > > > To: Yildirim, Suleyman ;? > > > keycloak-user at lists.jboss.org > > > > Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error > > > > Hi Suleyman, you're welcome :) > > > > Glad your SP-initiated SSO finally worked. > > > > As for IdP-initiated SSO, this is also a well-known situation. > > > > In a few words, it will work out of the box *only* if you Keycloak client (target?application) is also using SAML. > > > > You mentioned some "https-client(open_id)", does that mean that the? > > application is secured by Keycloak OpenID Connect adapter? (Don't? > > despair, there is a workaround nevertheless.) > > > > Dmitry > > > > On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote: > > > Thanks a lot Dmitry, > > > > > > It works! When I use my application link, I can successfully get? > > > SAML response from MS ADFS and redirected to application back. Use case is as below. > > > > > > > However, my client wanted to test directly on their MS ADFS using? > > > > their url (https://urldefense.proofpoint.com/v2/url?u=https-3A__client-5Fadfs-5Flink_adfs_ls_idpinitiatedsignon.aspx&d=DwIFaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=67Jdm10z1uM35jlf76_8hLfYG6Jw218kWhrnGkaevNE&s=pe8ySJNlKetBMIYwYcaV_1LVhx-aTX2gDdk15e-VbjY&e=). I think it is IDP initiated SSO. He wrote his credentials on login page of MS ADFS clicked sign in. I am redirected to Keycloak IDP https://urldefense.proofpoint.com/v2/url?u=https-3A__myapplication_auth_realms_springboot-2Dquickstart_broker_myIDPAlias_endpoint&d=DwIFaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=W6co1eMBjqBh4emCmcok5fidBI1eOf715bxeMRmm3-g&m=67Jdm10z1uM35jlf76_8hLfYG6Jw218kWhrnGkaevNE&s=0BKswkj_bBt6d0dMqEKurFsuBL0tilkKtemQvb00vYQ&e= and get the Internal Server Error again* but with different error (attached file). I wonder if I need to change any Keycloak settings to enable that. 
> > > > > > Use case: > > > > > > > > > > 1. The user visits the http://myapplication:8443 application. > > > > > > > > > > > > > > 2. https-client(open_id) finds the user is not authenticated and generates an XML authentication request document. It is redirected to the Keycloak Identity Provider, of which the Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/ > > > > > > > > > > > > > > 3. The ADFS server extracts the XML auth request document and verifies the signature. Then, the user is redirected to the SAML client in the Keycloak server. > > > > > > > 4. The user enters the credentials to be authenticated. > > > > > > > > > > 5. After authentication, the Identity Provider generates an XML authentication response document, which contains a SAML assertion that holds metadata about the user like name and email. The user is redirected to the http://myapplication:8443 application. > > > > > > Regards, > > > Suleyman > > > > > > -----Original Message----- > > > > From: Dmitry Telegin
> > > > > > Sent: 17 August 2018 00:49 > > > > > > > To: Yildirim, Suleyman ; > > > > > > > > keycloak-user at lists.jboss.org > > > > > > Subject: [External] Re: [keycloak-user] IDP SAML Processing Error > > > > > > Hi Suleyman, > > > > > > You're right, the contents of the Validating X509 Certificates box is invalid, your stacktrace tells that unambiguously. The field is pre-populated once you import FederationMetadata.xml, and you shouldn't change it afterwards. > > > > > > To avoid recreating the whole IdP, open your FederationMetadata.xml, find the element and copy its value to the box verbatim. > > > > > > Good luck! > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote: > > > > Hi, > > > > > > > > I get an "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when getting the response from the MS ADFS server. The root cause of the error is Caused by: java.io.IOException: Short read of DER length. So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,) ". I have to use the Public key and the certificates of the realm separated by comma, but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (Attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error. Any idea of how I can proceed?
> > > > > > > > Details > > > > When I use the dummy IDP of the Keycloak server, I use https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url, "email" as "NameID Policy Format" (Attached file: dummyIDPSettings.png). As for the real ADFS integration, I set up everything according to that blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places. > > > > > > > > Regards, > > > > Suleyman > > > > > > > > > > > > ________________________________ > > > > > > > > This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy. > > > > ________________________________ > > > > > > > > www.accenture.com > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From graham.burgess at razer.com Fri Aug 17 18:00:21 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Fri, 17 Aug 2018 22:00:21 +0000 Subject: [keycloak-user] Problem Integration with OAuth2 provider In-Reply-To: References: <6B87FE87-AC99-4710-9340-CCC35FE602DD@doksafe.de> Message-ID:

So to help me to understand what is going on between Keycloak and my IdP, I spun up an Nginx instance with a PHP script to dump the request to the /token endpoint on the IdP. The following is an example of the output that I can get from it:

POST /dump.php HTTP/1.1
HTTP headers:
X-Forwarded-Proto: https
X-Forwarded-Port: 443
X-Forwarded-For:
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate
Content-Length: 266
User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_161)
Host: php-dump
Request body:
code=&grant_type=authorization_code&client_secret=&redirect_uri=&client_id=

This allowed me to confirm the request was sending the right details to the IdP as part of the /token request.
I was also able to get an output from the IdP's /token endpoint:

{
  "access_token": "",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "openid cop profile email",
  "refresh_token": ""
}

This looks right to me, so it makes the 'No token from server' error even weirder, or am I missing something? Kind regards, Graham

From graham.burgess at razer.com Fri Aug 17 18:57:22 2018 From: graham.burgess at razer.com (Graham Burgess) Date: Fri, 17 Aug 2018 22:57:22 +0000 Subject: [keycloak-user] Problem Integration with OAuth2 provider In-Reply-To: References: <6B87FE87-AC99-4710-9340-CCC35FE602DD@doksafe.de> Message-ID:

OK, I think I have figured it out, at least on 'paper'. If I am reading http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest, section 3.1.3.3 right, then the token endpoint should be returning an id_token as well as access_token. I have already notified my IdP of the issue. Graham

From: Graham Burgess Sent: Friday, August 17, 2018 3:00 PM To: keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] Problem Integration with OAuth2 provider

From polochepu at gmail.com Sat Aug 18 11:49:19 2018 From: polochepu at gmail.com (paolo lizarazu) Date: Sat, 18 Aug 2018 11:49:19 -0400 Subject: [keycloak-user] help with getting users from angular app Message-ID:

Hi list, I have an angular app that is configured to login with keycloak. I have configured web-origin and the login is working well. Now I want to get all the users from my realm and I am calling http://:/auth/admin/realmns//users? but this is answering with 404 and an error in the console for cors.

zone.js:2969 OPTIONS http://:/auth/ admin/realmns//users ? 404 (Not Found) scheduleTask @ zone.js:2969 ZoneDelegate.scheduleTask @ zone.js:407 ...... localhost/:1 Failed to load http://:/auth/ admin/realmns//users?: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:4200' is therefore not allowed access.

Any help will be appreciated.

From testoauth55 at gmail.com Mon Aug 20 02:37:21 2018 From: testoauth55 at gmail.com (keycloak demo) Date: Mon, 20 Aug 2018 12:07:21 +0530 Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit In-Reply-To: References: Message-ID:

Pedro, Yes, default permissions grant access to any resource in my application (uri == /*). But the problem starts when I specify a resource with a specific URI (as described in the configuration in my previous email and also here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api ).
Just to summarize the real problem: Apart from the default resource having `/*`, I have a second resource having URI: /secure/role/* and this resource also has a role based policy to allow access only to users having role "special". The expected behavior is that users who don't have role "special" should not be able to access this resource, right? But I am able to access this resource with any user, any role. So I thought that maybe the default resource URI with '/*' is overriding the behavior of the second resource, so I changed the default resource URI to '/test/*', and then I started receiving a 403 error for accessing both '/test' as well as the second resource '/secure/role/*' for all users, including the user with the "special" role assigned. I looked into the realm resource configuration in one of the quickstarts and the only difference I found was that the quickstart resources specify a scope in each of the resources whereas I have kept it blank. Could this be the issue? I understand you already spent time trying to resolve this but the problem still persists. On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva wrote: > > > On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo > wrote: > >> Pedro, >> >> After further debugging I found out that the following line in keycloak json >> is causing the issue: "policy-enforcer": {}. If I remove this line, >> then the 403 error is removed but I guess doing this disables authorization >> altogether. 2 questions on this: >> 1. When I have configured policies on the Admin console under the >> authorization tab, why is this empty? >> > > I'm not sure. When you enable authorization services for a client, default > resources/permissions are created. These permissions grant access to > any resource in your application (uri == /*). > > >> 2. Is there a way to put some default values (not manually) in here to >> make authorization work? >> > > Like I said, when you just enable the authorization services switch, > default settings are created automatically.
> > Did you try to run any of our quickstarts? > > > >> >> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva >> wrote: >> >>> Yeah, it should be relative. I was wondering if the correct URI would be >>> '/keycloak/secure/role' instead. >>> >>> In any case, I would ask you to try the same deployment using tomcat or >>> wildfly to see how it goes. We have a few quickstarts running on these two. >>> Maybe you could also try to enable DEBUG log level to see how the policy >>> enforcer is matching URIs to your resources. >>> >>> If none of them work, I can give it a try and run jetty. >>> >>> Regards. >>> Pedro Igor >>> >>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo >>> wrote: >>> >>>> Pedro, thanks for replying. I tried putting the absolute URI, but it >>>> does not work either. The documentation anyway states that the URI in the >>>> resource can be relative to the client root URL, which I have configured to be >>>> http://localhost:7200/{app}/keycloak , therefore putting the relative URI >>>> '/secure/role' in the resource should be equivalent to putting the absolute >>>> URI: 'http://localhost:7200/{app}/keycloak/secure/role'. Do you >>>> think there is something else I can try? >>>> >>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> Your configuration looks correct. But I noticed that in the postman >>>>> request you are sending requests to `http://localhost:7200/{app}/keycloak/secure/role`. However, in >>>>> your resource definition the URI is configured to `/secure/role`. Both URIs >>>>> should match, otherwise the adapter won't be able to map the URI in your >>>>> application to a resource in Keycloak (and related permissions). >>>>> >>>>> Regards.
>>>>> Pedro Igor
>>>>>
>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo wrote:
>>>>>
>>>>>> With all the configuration (shared below), when I test using the evaluate option under the authorization tab, the result is permit:
>>>>>>
>>>>>> *But when I make a request to this resource through postman, I get 403.*
>>>>>>
>>>>>> *Which part of the configuration is wrong and leads to the 403 error?*
>>>>>>
>>>>>> CONFIGURATION:
>>>>>>
>>>>>> *Detailed configuration with images shown here:*
>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>>
>>>>>> *1.* Following https://www.keycloak.org/docs/4.2/authorization_services/ , I created a realm role: *role_special_user* and created a user: *user_special* with this role and role *user*.
>>>>>>
>>>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>>>>
>>>>>> *3.* Under the authorization tab, I created a resource with the role based policy. The policy is:
>>>>>>
>>>>>> *4.* Now, keycloak json is:
>>>>>>
>>>>>> {
>>>>>>   "realm": "demo12",
>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>   "ssl-required": "none",
>>>>>>   "resource": "server12",
>>>>>>   "credentials": {
>>>>>>     "secret": "XXXXXXX"
>>>>>>   },
>>>>>>   "confidential-port": 0,
>>>>>>   "policy-enforcer": {}
>>>>>> }
>>>>>>
>>>>>> *5.* And the Keycloak Jetty adapter configuration is:
>>>>>>
>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>>> AdapterConfig keyCloakConfig;
>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>> // The archived line read "KeycloakJettyAuthenticator kcAuthenticator = KeyCloakConfig;", which does not compile;
>>>>>> // reconstructed here as an authenticator fed the parsed AdapterConfig.
>>>>>> KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>> kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>> if (kcAuthenticator != null) {
>>>>>>     // Require authentication on every path; the "**" role means any authenticated user
>>>>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>     constraintMapping.setPathSpec("/*");
>>>>>>     Constraint constraint = new Constraint();
>>>>>>     constraint.setAuthenticate(true);
>>>>>>     constraint.setRoles(new String[]{"**"});
>>>>>>     constraintMapping.setConstraint(constraint);
>>>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>     context.setSecurityHandler(securityHandler);
>>>>>> }
>>>>>>
>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>
>>>>>> {
>>>>>>   "jti": "XXXXXXX",
>>>>>>   "exp": 1533798704,
>>>>>>   "nbf": 0,
>>>>>>   "iat": 1533798404,
>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>   "aud": "server12",
>>>>>>   "sub": "XXXXXXX",
>>>>>>   "typ": "Bearer",
>>>>>>   "azp": "server12",
>>>>>>   "auth_time": 1533798404,
>>>>>>   "session_state": "XXXXXX",
>>>>>>   "acr": "1",
>>>>>>   "allowed-origins": [],
>>>>>>   "realm_access": {
>>>>>>     "roles": [
>>>>>>       "role_special_user",
>>>>>>       "offline_access",
>>>>>>       "uma_authorization",
>>>>>>       "user"
>>>>>>     ]
>>>>>>   },
>>>>>>   "resource_access": {
>>>>>>     "server12": {
>>>>>>       "roles": [
>>>>>>         "uma_protection"
>>>>>>       ]
>>>>>>     },
>>>>>>     "account": {
>>>>>>       "roles": [
>>>>>>         "manage-account",
>>>>>>         "manage-account-links",
>>>>>>         "view-profile"
>>>>>>       ]
>>>>>>     }
>>>>>>   },
>>>>>>   "scope": "openid email profile",
>>>>>>   "email_verified": false,
>>>>>>   "preferred_username": "user_special"
>>>>>> }
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

From Tom.Billiet at technicolor.com Mon Aug 20 03:53:47 2018 From: Tom.Billiet at technicolor.com (Billiet Tom) Date: Mon, 20 Aug 2018 07:53:47 +0000 Subject: [keycloak-user] [External] Re: IDP SAML Processing Error In-Reply-To: <1534542616.31808.1.camel@acutus.pro> References: <1534463321.7811.15.camel@acutus.pro> <1534515854.3620.2.camel@acutus.pro> <1534520433.3620.6.camel@acutus.pro> <1534542616.31808.1.camel@acutus.pro> Message-ID:

I'm also interested in this. We also want to make IDP initiated login (SAML) work on our application (OIDC). I've been thinking about trying out exactly the same setup as you describe. But if Keycloak supported this out-of-the-box, that would be great! Tom

-----Original Message----- From: keycloak-user-bounces at lists.jboss.org On Behalf Of Dmitry Telegin Sent: Friday, August 17, 2018 11:50 PM To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] [External] Re: IDP SAML Processing Error On Fri, 2018-08-17 at 16:14 +0000, Yildirim, Suleyman wrote: > Hi Dmitry, > > > Thanks for asking details. It is only the OIDC one (https-client).
> When we hit https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC (https-client) though. > > MS ADFS --> Which Keycloak entities (clients, IDP broker) are involved > here(?) --> OIDC (https-client)

You've depicted it correctly. The problem is, it currently works only if both legs are SAML:

IdP (SAML) ---> Keycloak (broker) ---> SAML Client
IdP (SAML) ---> Keycloak (broker) -x-> OIDC Client

This is partially because in the OpenID Connect spec there is no equivalent for "IdP initiated login". However, you can use the following trick to emulate it: 1) the user signs into AD FS; 2) the user clicks the special link pointing to your Keycloak that signs him/her into your OIDC application transparently. Is that doable, WDYT? I mean, to make the user click an auxiliary link after ADFS login? In fact, it's not the first time I hear about this particular requirement (IdP-initiated login from SAML IdP through Keycloak to OIDC client). Maybe it's the right time to suggest a feature idea to the devs. Stay tuned, I'll post it to keycloak-dev soon. Cheers, Dmitry > > Regards, > Suleyman > > -----Original Message----- > > From: Dmitry Telegin
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From hmlnarik at redhat.com Mon Aug 20 04:09:53 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Mon, 20 Aug 2018 10:09:53 +0200 Subject: [keycloak-user] keycloak 4.2.1 saml adapter In-Reply-To: References: Message-ID:

Always keep the two separate; wildfly and keycloak have different release cycles, so you'd only need to rebuild the keycloak rpms on an update of the keycloak SAML adapter. On Fri, Aug 17, 2018 at 4:32 PM vandana thota wrote: > Hello > > > We have built a wildfly 11.0.0 RPM. > Scenario 1: Is it a good way to have the keycloak-saml-adapter 4.2.1 > related stuff in the wildfly rpm, or > > Scenario 2: is it good to have the wildfly 11.0.0 rpm separate and the keycloak > -saml-adapter 4.2.1 rpm separate?
> Please send the details with pros and cons for both scenarios

From ryans at jlab.org Mon Aug 20 09:27:01 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Mon, 20 Aug 2018 09:27:01 -0400 (EDT)
Subject: [keycloak-user] How to logout
In-Reply-To: <1874739124.23811663.1534771506340.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org> <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org> <63ba64de-9049-155b-f3fb-6e85bda85a73@redhat.com> <1511503812.20960187.1534423273828.JavaMail.zimbra@jlab.org> <75e63dcb-b9bf-8425-db1c-10b96fb8c803@redhat.com>
Message-ID: <833391351.23812098.1534771621309.JavaMail.zimbra@jlab.org>

I'm starting to wonder if the Wildfly client adapter is implemented all wrong. Doesn't it make more sense to have the state maintained in the web browser using the JavaScript client (since only the browser can really know the state) and then having a stateless server that uses bearer tokens to determine if web service requests are authenticated and authorized? There should be no JSESSIONID at all.

----- Original Message -----
From: "Stan Silvert"
To: "Ryan Slominski"
Cc: "keycloak-user"
Sent: Friday, August 17, 2018 8:25:53 AM
Subject: Re: [keycloak-user] How to logout

On 8/16/2018 8:41 AM, Ryan Slominski wrote:
> I've enabled backchannel logout in the brokered identity providers, and I've confirmed it keeps all of the brokered identity providers in sync. For example if I log into my broker 3 IdP and logout of my realm then I'm also logged out of broker IdP 3. So, backchannel logout seems to work with the link between the realm and brokered identity providers. However, unless I'm not understanding backchannel logout, it doesn't affect clients who manage their own session state such as the Wildfly client adapter, which creates an independent JSESSIONID cookie to store session state. So right now logging out of application A does destroy the Keycloak token, but if a login with application B was already established then it remains locally logged in even after application A is logged out. Is that not how it is supposed to work? If not, how do I configure a Wildfly client to honor another application's logout?

I would have to study the code a bit to know the specifics. I'm guessing that backchannel logout doesn't invalidate the local session as you suggest. That might be a little too intrusive, though the app developer could handle it with an HttpSessionListener.

But it seems to me that you should be able to just use isUserInRole() with each request and then act accordingly. If you log out of application A then isUserInRole() on application B should always return false.

> ----- Original Message -----
> From: "Stan Silvert"
> To: "Ryan Slominski"
> Cc: "keycloak-user"
> Sent: Thursday, August 16, 2018 7:44:01 AM
> Subject: Re: [keycloak-user] How to logout
>
> On 8/15/2018 4:34 PM, Ryan Slominski wrote:
>> Two issues:
>>
>> (1) Wildfly client adapter doesn't detect when a user is logged into Keycloak on pages in which the HttpServletRequest.isUserInRole() method is used to programmatically determine who sees what until after hitting a declaratively protected (web.xml) page first. Wildfly client adapter assumes all pages which use isUserInRole are declaratively protected, but that is not always true (and essentially never true in my case). This means when jumping from one application to another you lose your SSO.
> If you are correct about isUserInRole() then the WildFly adapter needs to be fixed.
>
> What should happen is that when you logout of application A then the Keycloak server sends a backchannel logout to application B. At that point, a call to isUserInRole() from application B should return false.
>
> Do you have backchannel logout working?
>
>> (2) Trying to switch users in an environment where it is unknown whether you are logged in or not results in surprise logins as the previous account when you really want to enter new credentials.
>>
>> Essentially all my application pages show something no matter if you are logged in or not, but if you are logged in you see extra stuff like edit buttons. When working in a group around a computer and someone asks to switch users (login as admin or move over and let me show you scenarios) confusion ensues as the application might show the user as not logged in, but then attempting to login detects the existing token and skips the login form. Now the user must logout and try again.
>>
>> ----- Original Message -----
>> From: "Stan Silvert"
>> To: "Ryan Slominski"
>> Cc: "keycloak-user"
>> Sent: Wednesday, August 15, 2018 4:04:03 PM
>> Subject: Re: [keycloak-user] How to logout
>>
>> On 8/15/2018 3:27 PM, Ryan Slominski wrote:
>>> Hi Stan,
>>> If you have multiple applications you can get out-of-sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security:
>> I don't understand why this matters. If you are not going to a protected page in application B then why do you care if you are logged into Keycloak?
>>
>> I guess I'm not understanding your use case.
>>> https://javaee.github.io/tutorial/security-webtier003.html
>>>
>>> And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if an SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly. The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea. It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to the keycloak server itself?
>>>
>>> Ryan
>>>
>>> ----- Original Message -----
>>> From: "Stan Silvert"
>>> To: "Ryan Slominski"
>>> Cc: "keycloak-user"
>>> Sent: Wednesday, August 15, 2018 3:02:18 PM
>>> Subject: Re: [keycloak-user] How to logout
>>>
>>> Why is your client out of sync with the keycloak server? If you are building a servlet-based application (JSF, JSP, Struts, etc.), then why not use the WildFly adapter in the JEE way as described in the Keycloak documentation? The WildFly Keycloak adapter takes care of all the hard stuff for you.
>>>
>>> On 8/15/2018 9:50 AM, Ryan Slominski wrote:
>>>> Hi Stan,
>>>> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true?
>>>>
>>>> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server:
>>>>
>>>> {"error":"invalid_request","error_description":"No refresh token"}
>>>>
>>>> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client).
>>>>
>>>> Thanks,
>>>>
>>>> Ryan
>>>>
>>>> ----- Original Message -----
>>>> From: "Stan Silvert"
>>>> To: "keycloak-user"
>>>> Sent: Monday, August 13, 2018 7:15:15 PM
>>>> Subject: Re: [keycloak-user] How to logout
>>>>
>>>> HttpServletRequest.logout() should not be a no-op. It was implemented a long time ago:
>>>> https://issues.jboss.org/browse/KEYCLOAK-478
>>>>
>>>> If there is an issue with it you should report it in JIRA.
>>>>
>>>> Stan
>>>>
>>>> On 8/13/2018 4:19 PM, Ryan Slominski wrote:
>>>>> Hi Keycloak Users,
>>>>>
>>>>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in the servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>>>>>
>>>>> 1. Call HttpServletRequest.logout()
>>>>> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>>>>>
>>>>> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>>>>>
>>>>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>>>>>
>>>>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ryan

From hmlnarik at redhat.com Mon Aug 20 09:38:07 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 20 Aug 2018 15:38:07 +0200
Subject: [keycloak-user] Keycloak Proxy Rename
In-Reply-To: <20180625154229.GA17717@abstractj.org>
References: <20180625154229.GA17717@abstractj.org>
Message-ID:

Based on discussion with Stian, let me reopen this topic and add a suggestion.

How about "Standalone Keycloak Adapter" or just "Standalone Adapter"?

On Mon, Jun 25, 2018 at 5:44 PM Bruno Oliveira wrote:
> Good afternoon,
>
> We are considering transferring or forking the keycloak-proxy[1] to the Keycloak organization. In order to accomplish that, I've been working with Rohith updating some of its dependencies[2].
>
> While discussing with our team, we reached the conclusion that calling it a proxy could potentially increase the scope of the project and also give people the wrong idea, because things like load balancing, rate limiting, and other features would be expected. That's not what we want right now.
>
> I would like to gather some feedback from the community before we move forward.
> So please vote on the following Doodle:
>
> https://doodle.com/poll/gux626ktscgpr96t
>
> Also, feel free to suggest other names and it will be included.
>
> [1] - https://github.com/gambol99/keycloak-proxy
> [2] - https://issues.jboss.org/browse/KEYCLOAK-7265
>
> --
>
> abstractj

From suleyman.yildirim at accenture.com Mon Aug 20 11:29:20 2018
From: suleyman.yildirim at accenture.com (Yildirim, Suleyman)
Date: Mon, 20 Aug 2018 15:29:20 +0000
Subject: [keycloak-user] [External] Re: IDP SAML Processing Error
In-Reply-To: <1534542616.31808.1.camel@acutus.pro>
References: <1534463321.7811.15.camel@acutus.pro> <1534515854.3620.2.camel@acutus.pro> <1534520433.3620.6.camel@acutus.pro> <1534542616.31808.1.camel@acutus.pro>
Message-ID:

Hi Dmitry,

I am not sure if it can be done. I realized that the flow is as below. ADFS first redirects to the idp broker in Keycloak and I get an internal server error (attached). Does it sound like a Keycloak issue or do we need to change some settings in MS ADFS? I am trying different configurations for this right now: https://www.keycloak.org/docs/2.5/server_admin/topics/clients/saml/idp-initiated-login.html.

Flow:

MS ADFS server https://weblink/adfs/ls/idpinitiatedsignon ---> Keycloak (broker) https://testinsight.wmp.accentureanalytics.com/auth/realms/springboot-quickstart/broker/WMP-DDI-ES-Test2/endpoint ---> ??? --> OIDC Client (https://testinsight.wmp.accentureanalytics.com:8443)

Regards,
Suleyman

-----Original Message-----
From: Dmitry Telegin
Sent: 17 August 2018 22:50
To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org
Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error

On Fri, 2018-08-17 at 16:14 +0000, Yildirim, Suleyman wrote:
> Hi Dmitry,
>
> Thanks for asking details. It is only the OIDC one (https-client). When we hit https://adfslink/adfs/ls/idpinitiatedsignon.aspx, the end goal is to be redirected to our application, which is OIDC. I am not sure about the flow between MS ADFS and OIDC (https-client) though.
>
> MS ADFS --> Which Keycloak entities (clients, IDP broker) are involved here(?) --> OIDC (https-client)

You've depicted it correctly. The problem is, it currently works only if both legs are SAML:

IdP (SAML) ---> Keycloak (broker) ---> SAML Client
IdP (SAML) ---> Keycloak (broker) -x-> OIDC Client

This is partially because in the OpenID Connect spec there is no equivalent for "IdP initiated login". However, you can use the following trick to emulate it:
1) the user signs into AD FS;
2) the user clicks the special link pointing to your Keycloak that signs him/her into your OIDC application transparently.

Is that doable, WDYT? I mean to make the user click an auxiliary link after ADFS login?

In fact, it's not the first time I hear about this particular requirement (IdP-initiated login from SAML IdP through Keycloak to OIDC client). Maybe it's the right time to suggest a feature idea to the devs. Stay tuned, I'll post it to keycloak-dev soon.

Cheers,
Dmitry

> Regards,
> Suleyman
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: 17 August 2018 16:41
> To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org
> Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
>
> Suleyman, thanks for the clarifications,
>
> So in your Keycloak you've got two clients: one OIDC and one SAML, and a SAML IdP (ADFS).
> Do you want IdP-initiated SSO from ADFS to both clients? or is it only the OIDC one (https-client)?
>
> Dmitry
>
> On Fri, 2018-08-17 at 14:44 +0000, Yildirim, Suleyman wrote:
> > Hi Dmitry,
> >
> > I have been struggling for many days with that. I have two clients and an IDP broker in Keycloak.
> >
> > https-client: Yes, this is the client that secured the application. Redirect urls point to our application (http://myapplication:8443 application). It is "resource" : "https-client" in Keycloak.json in AngularJS.
> >
> > saml client: sends SAML request via IDP broker
> > IDP broker: deals with MS ADFS requests/responses
> >
> > Regards,
> > Suleyman
> >
> > -----Original Message-----
> > From: Dmitry Telegin
> > Sent: 17 August 2018 15:24
> > To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org
> > Subject: Re: [External] Re: [keycloak-user] IDP SAML Processing Error
> >
> > Hi Suleyman, you're welcome :)
> >
> > Glad your SP-initiated SSO finally worked.
> >
> > As for IdP-initiated SSO, this is also a well-known situation.
> >
> > In a few words, it will work out of the box *only* if your Keycloak client (target application) is also using SAML.
> >
> > You mentioned some "https-client(open_id)", does that mean that the application is secured by the Keycloak OpenID Connect adapter? (Don't despair, there is a workaround nevertheless.)
> >
> > Dmitry
> >
> > On Fri, 2018-08-17 at 13:57 +0000, Yildirim, Suleyman wrote:
> > > Thanks a lot Dmitry,
> > >
> > > It works! When I use my application link, I can successfully get the SAML response from MS ADFS and am redirected back to the application. The use case is as below.
> > >
> > > However, my client wanted to test directly on their MS ADFS using their url (https://client_adfs_link/adfs/ls/idpinitiatedsignon.aspx). I think it is IDP initiated SSO. He entered his credentials on the login page of MS ADFS and clicked sign in. I am redirected to the Keycloak IDP https://myapplication/auth/realms/springboot-quickstart/broker/myIDPAlias/endpoint and get the Internal Server Error again* but with a different error (attached file). I wonder if I need to change any Keycloak settings to enable that.
> > > Use case:
> > >
> > > 1. The user visits the http://myapplication:8443 application.
> > >
> > > 2. https-client(open_id) finds the user is not authenticated and generates an XML authentication request document. It is redirected to the Keycloak Identity Provider, of which the Single Sign-On Service URL is configured as https://client_adfs/adfs/ls/
> > >
> > > 3. The ADFS server extracts the XML auth request document and verifies the signature. Then, the user is redirected to the SAML client in the Keycloak server.
> > >
> > > 4. The user enters the credentials to be authenticated.
> > >
> > > 5. After authentication, the Identity Provider generates an XML authentication response document, which contains a SAML assertion that holds metadata about the user like name and email. The user is redirected to the http://myapplication:8443 application.
> > >
> > > Regards,
> > > Suleyman
> > >
> > > -----Original Message-----
> > > From: Dmitry Telegin
> > > Sent: 17 August 2018 00:49
> > > To: Yildirim, Suleyman ; keycloak-user at lists.jboss.org
> > > Subject: [External] Re: [keycloak-user] IDP SAML Processing Error
> > >
> > > Hi Suleyman,
> > >
> > > You're right, the contents of the Validating X509 Certificates box is invalid, your stacktrace tells that unambiguously. The field is pre-populated once you import FederationMetadata.xml, and you shouldn't change it afterwards.
> > >
> > > To avoid recreating the whole IdP, open your FederationMetadata.xml, find the element and copy its value to the box verbatim.
> > >
> > > Good luck!
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Thu, 2018-08-16 at 17:19 +0000, Yildirim, Suleyman wrote:
> > > > Hi,
> > > >
> > > > I have an "Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider" when I get the response from the MS ADFS server. The root cause of the error is "Caused by: java.io.IOException: Short read of DER length". So I suspect that the Validating X509 Certificates input box doesn't work as expected in Keycloak: "Certificates must be in PEM format and multiple certificates can be entered by comma (,)". I have to use the Public key and the certificates of the realm separated by comma but I get 500 - Internal Server Error from the MS ADFS server and the error in Keycloak (Attached file: IDP_error.txt). If I only use the realm certificate, I get an invalid requester error. Any idea of how I can proceed?
> > > >
> > > > Details
> > > >
> > > > When I use the dummy IDP of the Keycloak server, I use https://myapplicationurl/auth/realms/springboot-quickstart/protocol/saml as SSO url, "email" as "NameID Policy Format" (Attached file: dummyIDPSettings.png). As for the real ADFS integration, I set up everything according to that blog http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html and use the client's SSO url (Attached file: ADFSIDPSettings.png). I think I did everything right. Keycloak endpoints, SSL keystore and truststore files are at the right locations and places.
> > > >
> > > > Regards,
> > > > Suleyman
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: nullpointerexception.txt
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180820/251ef339/attachment-0001.txt

From bruno at abstractj.org Mon Aug 20 11:54:42 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 20 Aug 2018 12:54:42 -0300
Subject: [keycloak-user] Keycloak Proxy Rename
In-Reply-To:
References: <20180625154229.GA17717@abstractj.org>
Message-ID:

Only to give a brief context for people not aware of it. Keycloak Generic Adapter was not well accepted, because the naming is too vague. So we have to reopen this discussion and think about a better naming.

During our team call today I suggested just "keycloak-adapter", which would cover the apps which don't have their own specific adapter solution.

That said, maybe we should open a new poll?
I just created a new one where people can vote/suggest: https://poll.ly/#/Lbww4ebG

On Mon, Aug 20, 2018 at 10:38 AM Hynek Mlnarik wrote:
>
> Based on discussion with Stian, let me reopen this topic and add a suggestion.
>
> How about "Standalone Keycloak Adapter" or just "Standalone Adapter"?
>
> On Mon, Jun 25, 2018 at 5:44 PM Bruno Oliveira wrote:
>>
>> Good afternoon,
>>
>> We are considering transferring or forking the keycloak-proxy[1] to the Keycloak organization. In order to accomplish that, I've been working with Rohith updating some of its dependencies[2].
>>
>> While discussing with our team, we reached the conclusion that calling it a proxy could potentially increase the scope of the project and also give people the wrong idea, because things like load balancing, rate limiting, and other features would be expected. That's not what we want right now.
>>
>> I would like to gather some feedback from the community before we move forward.
>> So please vote on the following Doodle:
>>
>> https://doodle.com/poll/gux626ktscgpr96t
>>
>> Also, feel free to suggest other names and it will be included.
>>
>> [1] - https://github.com/gambol99/keycloak-proxy
>> [2] - https://issues.jboss.org/browse/KEYCLOAK-7265
>>
>> --
>>
>> abstractj

--
- abstractj

From ntle at castortech.com Mon Aug 20 12:43:58 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 20 Aug 2018 12:43:58 -0400
Subject: [keycloak-user] how to protect servlet deployed as OSGI service in pax-web-jetty?
In-Reply-To: <1533657715.12011.1.camel@acutus.pro>
References: <1533657715.12011.1.camel@acutus.pro>
Message-ID:

Hello Dmitri,

I see 4.3 came out, is there documentation on this osgi adapter with pax-web yet?

Thai

On Tue, Aug 7, 2018 at 12:01 PM, Dmitry Telegin wrote:
> Hello Thai Le,
>
> This is tracked under this PR: https://github.com/keycloak/keycloak/pull/5383
>
> I hope to have it completed by this evening, so stay tuned. Hopefully this will be included in Keycloak 4.3.0, but you can start using it right away (you'll need to recompile a couple of modules though).
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Tue, 2018-08-07 at 10:34 -0400, Nhut Thai Le wrote:
> > Hello,
> >
> > We are using the Felix OSGI container with pax-web-jetty to run our servlets. Can I use keycloak to protect my servlet deployed as an OSGI service? If yes, is there documentation on how to configure it?
> >
> > Thai Le

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

CONFIDENTIALITY NOTICE: The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From mposolda at redhat.com Mon Aug 20 13:08:04 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 20 Aug 2018 19:08:04 +0200
Subject: [keycloak-user] attributes are not persisted
In-Reply-To:
References:
Message-ID:

Maybe it's better to rather extend the registration form as described here: https://www.keycloak.org/docs/latest/server_development/index.html#modifying-extending-the-registration-form

An alternative is to update the user directly in the LOGIN event after the REGISTER event, but I'm not 100% sure this one will work. Also even if it works, it's more of a workaround.

Marek

On 10/08/18 19:32, Max Bruchmann wrote:
>
> Hmm unfortunately if I use
>
> KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(),
>     (session) -> {
>         UserModel user = getUserModel(session, userId, realmId);
>
> ...
>
> The user is null :/
>
> Max
>
> On 10.08.18 at 09:03, Marek Posolda wrote:
>> I am not 100% sure, but it's possible that updating users in the events doesn't currently work. The reason is that the transaction might be already committed. The possible long-term solution is to use pre/post events for this (which we don't yet support).
>>
>> For the short term, it may be possible to manually trigger your own temporary transaction (You can take a look at the KeycloakModelUtils.runJobInTransaction method). Note that in the new transaction, you need to ensure to not use Hibernate entities from the "outer" transaction (EG. all the things like RealmModel, UserModel need to be looked up again through the Model API in the new transaction).
>> >> >> Marek >> >> >> >> On 09/08/18 21:39, Max Bruchmann wrote: >>> Hi, >>> >>> I have a custom EventListenerProvider that consumes Register and >>> Login events. >>> >>> On register it creates some external resource >>> >>> ...//on register >>> >>> String externalID? = createSomethingWithUserEmail(userModel.getEmail()) >>> >>> userModel.setSingleAttribute("foo", externalID) >>> >>> ... >>> >>> On login I need to todo some additional calls with the already >>> created id. >>> >>> ...// on login >>> >>> String externalID = userModel.getFirstAttribute("foo"); >>> >>> doSomeUpdate(externalID, userModel.getFirstName(), >>> userModel.getLastName()) >>> >>> ... >>> >>> >>> Unfortunatelly the retrieved id via getFirstAttribute seems to be null. >>> >>> Is there anything I need todo when modifying attributes so they are >>> persisted? >>> >>> >>> Kind Regards, >>> >>> Max >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > From ssilvert at redhat.com Mon Aug 20 14:34:17 2018 From: ssilvert at redhat.com (Stan Silvert) Date: Mon, 20 Aug 2018 14:34:17 -0400 Subject: [keycloak-user] How to logout In-Reply-To: <833391351.23812098.1534771621309.JavaMail.zimbra@jlab.org> References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <1061639882.20565544.1534361250954.JavaMail.zimbra@jlab.org> <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org> <63ba64de-9049-155b-f3fb-6e85bda85a73@redhat.com> <1511503812.20960187.1534423273828.JavaMail.zimbra@jlab.org> <75e63dcb-b9bf-8425-db1c-10b96fb8c803@redhat.com> <833391351.23812098.1534771621309.JavaMail.zimbra@jlab.org> Message-ID: <0daa4e16-e71c-5ef1-deb0-bdb671d4e919@redhat.com> On 8/20/2018 9:27 AM, Ryan Slominski wrote: > I'm starting to wonder if the Wildfly client adapter is implemented all wrong. 
> Doesn't it make more sense to have the state maintained in the web browser using the JavaScript client (since only the browser can really know the state) and then having a stateless server that uses bearer tokens to determine if web service requests are authenticated and authorized? There should be no JSESSIONID at all.

I don't think that makes sense. If you want everything handled in the browser then you can use the javascript adapter. If you absolutely need to know the Keycloak session state without making a server request then the javascript adapter would be the solution. In that case, you wouldn't use the WildFly adapter at all.

>
>
>
> ----- Original Message -----
> From: "Stan Silvert"
> To: "Ryan Slominski"
> Cc: "keycloak-user"
> Sent: Friday, August 17, 2018 8:25:53 AM
> Subject: Re: [keycloak-user] How to logout
>
> On 8/16/2018 8:41 AM, Ryan Slominski wrote:
>> I've enabled backchannel logout in the brokered identity providers, and I've confirmed it keeps all of the brokered identity providers in sync. For example if I log into my broker 3 IdP and logout of my realm then I'm also logged out of broker IdP 3. So, backchannel logout seems to work with the link between the realm and brokered identity providers. However, unless I'm not understanding backchannel logout, it doesn't affect clients who manage their own session state such as the Wildfly client adapter, which creates an independent JSESSIONID cookie to store session state. So right now logging out of application A does destroy the Keycloak token, but if a login with application B was already established then it remains locally logged in even after application A is logged out. Is that not how it is supposed to work? If not, how do I configure a Wildfly client to honor another application's logout?
> I would have to study the code a bit to know the specifics. I'm
> guessing that backchannel logout doesn't invalidate the local session as
> you suggest. That might be a little too intrusive, though the app
> developer could handle it with an HttpSessionListener.
>
> But it seems to me that you should be able to just use isUserInRole()
> with each request and then act accordingly. If you log out of
> application A then isUserInRole() on application B should always return
> false.
>> ----- Original Message -----
>> From: "Stan Silvert"
>> To: "Ryan Slominski"
>> Cc: "keycloak-user"
>> Sent: Thursday, August 16, 2018 7:44:01 AM
>> Subject: Re: [keycloak-user] How to logout
>>
>> On 8/15/2018 4:34 PM, Ryan Slominski wrote:
>>> Two issues:
>>>
>>> (1) Wildfly client adapter doesn't detect when a user is logged into Keycloak on pages in which the HttpServletRequest.isUserInRole() method is used to programmatically determine who sees what until after hitting a declaratively protected (web.xml) page first. Wildfly client adapter assumes all pages which use isUserInRole are declaratively protected, but that is not always true (and essentially never true in my case). This means when jumping from one application to another you lose your SSO.
>> If you are correct about isUserInRole() then the WildFly adapter needs
>> to be fixed.
>>
>> What should happen is that when you logout of application A then the
>> Keycloak server sends a backchannel logout to application B. At that
>> point, a call to isUserInRole() from application B should return false.
>>
>> Do you have backchannel logout working?
>>
>>> (2) Trying to switch users in an environment where it is unknown whether you are logged in or not results in surprise logins as the previous account when you really want to enter new credentials.
>>>
>>> Essentially all my application pages show something no matter if you are logged in or not, but if you are logged in you see extra stuff like edit buttons. When working in a group around a computer and someone asks to switch users (login as admin, or "move over and let me show you" scenarios) confusion ensues as the application might show the user as not logged in, but then attempting to login detects the existing token and skips the login form. Now the user must logout and try again.
>>>
>>>
>>> ----- Original Message -----
>>> From: "Stan Silvert"
>>> To: "Ryan Slominski"
>>> Cc: "keycloak-user"
>>> Sent: Wednesday, August 15, 2018 4:04:03 PM
>>> Subject: Re: [keycloak-user] How to logout
>>>
>>> On 8/15/2018 3:27 PM, Ryan Slominski wrote:
>>>> Hi Stan,
>>>> If you have multiple applications you can get out-of-sync. If you open application A in one browser tab, login, and then navigate to application B in another browser tab then application B is now out of sync with keycloak until you hit a "protected" page. The problem arises because I use programmatic security instead of declarative security:
>>> I don't understand why this matters. If you are not going to a
>>> protected page in application B then why do you care if you are logged
>>> into Keycloak?
>>>
>>> I guess I'm not understanding your use case.
>>>> https://javaee.github.io/tutorial/security-webtier003.html
>>>>
>>>> And it looks like the Wildfly client adapter doesn't handle users of programmatic security in that it doesn't detect if a SSO token exists on pages which are not declaratively protected (actually programmatic security doesn't work at all with the Keycloak adapter and I am faking it by redirecting users off of a dummy declaratively protected URL). It might be possible to have a Servlet filter do a check with the keycloak server on each request, but that would be costly.
>>>> The JavaScript client has a huge advantage because it can watch the keycloak cookie presence via a hidden iframe. In fact, I realize now exposing the confidential client secret in a form client side is not a good idea. It seems like to do what I want (track SSO state across multiple tabs and multiple applications) I might have to actually have two "clients" per application: (1) on the web server side and (2) another on the browser client side. The browser client side can then detect the actual state of SSO. Or maybe I can have a single JavaScript client that is shared among multiple server side Keycloak clients and handles tracking SSO state and provides the information as a service. Maybe this is built-in to keycloak server itself?
>>>>
>>>> Ryan
>>>>
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Stan Silvert"
>>>> To: "Ryan Slominski"
>>>> Cc: "keycloak-user"
>>>> Sent: Wednesday, August 15, 2018 3:02:18 PM
>>>> Subject: Re: [keycloak-user] How to logout
>>>>
>>>> Why is your client out of sync with the keycloak server? If you are
>>>> building a servlet-based application (JSF, JSP, Struts, etc.), then why
>>>> not use the WildFly adapter in the JEE way as described in the Keycloak
>>>> documentation? The WildFly Keycloak adapter takes care of all the hard
>>>> stuff for you.
>>>>
>>>> On 8/15/2018 9:50 AM, Ryan Slominski wrote:
>>>>> Hi Stan,
>>>>> The documentation doesn't mention this, but it seems the logout URL should be a POST, not a GET request. Is that true?
>>>>>
>>>>> So, I'm trying to create an HTML logout form with method post and action to the documented logout URL. The form has a submit button and two hidden fields: "client_id" and "client_secret". Clicking the submit button results in the following JSON response from the keycloak server:
>>>>>
>>>>> {"error":"invalid_request","error_description":"No refresh token"}
>>>>>
>>>>> So, I guess I need a third field, something like "refresh_token"? How would I get a refresh token? Remember I'm using the Wildfly client adapter and in my scenario the client is out-of-sync with the keycloak server (the user is logged into keycloak, but not the local client).
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ryan
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Stan Silvert"
>>>>> To: "keycloak-user"
>>>>> Sent: Monday, August 13, 2018 7:15:15 PM
>>>>> Subject: Re: [keycloak-user] How to logout
>>>>>
>>>>> HttpServletRequest.logout() should not be a no-op. It was implemented a
>>>>> long time ago:
>>>>> https://issues.jboss.org/browse/KEYCLOAK-478
>>>>>
>>>>> If there is an issue with it you should report it in JIRA.
>>>>>
>>>>> Stan
>>>>>
>>>>> On 8/13/2018 4:19 PM, Ryan Slominski wrote:
>>>>>> Hi Keycloak Users,
>>>>>>
>>>>>> I'm using the Wildfly client adapter and trying to logout of Keycloak, even if a client application container doesn't think it is logged in. This is a problem because login state with Keycloak and login state with JSESSION_ID in the servlet container are two separate things that can get out-of-sync. The documentation says you can logout in one of two ways:
>>>>>>
>>>>>> 1. Call HttpServletRequest.logout()
>>>>>> 2. Navigate to URL http://auth-server/auth/realms/{realm-name}/protocol/openid-connect/logout?redirect_uri=encodedRedirectUri
>>>>>>
>>>>>> See: https://www.keycloak.org/docs/latest/securing_apps/index.html#logout
>>>>>>
>>>>>> The first appears to be a no-op because the Java container itself isn't logged in, in this case. This does work if the client container is aware that it is logged in, but doesn't otherwise. The second also doesn't seem to do anything and just redirects back to redirect_uri. Any tips?
>>>>>>
>>>>>> A forceful logout is useful in the scenario when one client (client A) logs into Keycloak, and a different client (client B) wants to forcefully logout so as to switch users. In this scenario client B doesn't think it is logged in because the client adapter is using container managed security with JSESSIONID, and locally the client isn't logged in. However if a login was attempted it would succeed automatically without prompting for a username and password and therefore the user wouldn't get a chance to provide an alternate username. A switch user ability is useful when users need to login with separate admin credentials or also in scenarios where a user says "move over and I'll drive" to a colleague.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ryan

From ryans at jlab.org Mon Aug 20 16:31:58 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Mon, 20 Aug 2018 16:31:58 -0400 (EDT)
Subject: [keycloak-user] How to logout
In-Reply-To: <54022922.23905363.1534797086856.JavaMail.zimbra@jlab.org>
References: <1415344228.19548503.1534191547782.JavaMail.zimbra@jlab.org> <320677642.20581905.1534365255588.JavaMail.zimbra@jlab.org> <63ba64de-9049-155b-f3fb-6e85bda85a73@redhat.com> <1511503812.20960187.1534423273828.JavaMail.zimbra@jlab.org> <75e63dcb-b9bf-8425-db1c-10b96fb8c803@redhat.com> <833391351.23812098.1534771621309.JavaMail.zimbra@jlab.org> <0daa4e16-e71c-5ef1-deb0-bdb671d4e919@redhat.com>
Message-ID: <734891816.23905462.1534797118582.JavaMail.zimbra@jlab.org>

I need the Wildfly client adapter because database lookups are provided by the server.

I think I've found a JIRA related to the logout issue: https://issues.jboss.org/browse/KEYCLOAK-2939

Taking a cue from the issue ticket above, I noticed that if I create my own hidden iframe and navigate to the keycloak logout URL from within it then the logout works.
Using an XMLHttpRequest (AJAX) request to the logout URL wasn't working, but the hidden iframe does. Weird. Must be something to do with cross-site scripting / cookies?

----- Original Message -----
From: "Stan Silvert"
To: "Ryan Slominski"
Cc: "keycloak-user"
Sent: Monday, August 20, 2018 2:34:17 PM
Subject: Re: [keycloak-user] How to logout

On 8/20/2018 9:27 AM, Ryan Slominski wrote:
> I'm starting to wonder if the Wildfly client adapter is implemented all wrong. Doesn't it make more sense to have the state maintained in the web browser using the JavaScript client (since only the browser can really know the state) and then having a stateless server that uses bearer tokens to determine if web service requests are authenticated and authorized? There should be no JSESSIONID at all.

I don't think that makes sense. If you want everything handled in the browser then you can use the javascript adapter. If you absolutely need to know the Keycloak session state without making a server request then the javascript adapter would be the solution. In that case, you wouldn't use the WildFly adapter at all.

From aszczucz at redhat.com Mon Aug 20 17:04:18 2018
From: aszczucz at redhat.com (Alex Szczuczko)
Date: Mon, 20 Aug 2018 15:04:18 -0600
Subject: [keycloak-user] Keycloak Proxy Rename
References: <20180625154229.GA17717@abstractj.org>
Message-ID: <153479905785.6959.1361851594171681280@tyrfing>

In thinking of a new name, I tried to look hard at these things:

1. what this software actually does.
2. what makes this software desirable to a user.
3. what "adapter" has meant for keycloak in the past.

I'm not the best person to answer these questions, but here's what I've dug up:

1. Accepts HTTP requests and talks with Keycloak via OIDC to see if the client it serves should treat the requests as authenticated and/or authorized.
2. It avoids the need to install a bit of Keycloak software into the users' applications.
3. According to the docs[1]: "Keycloak client adapters are libraries that makes it very easy to secure applications and services with Keycloak ... our adapters easy to use and they require less boilerplate code than what is typically required by a library."

#1 is what we've been focusing on with names like "proxy". The reason such names are dissatisfying is that there is nothing unique about sitting in between two endpoints and doing stuff. So, we need to look at what that "stuff" means for Keycloak.

#3 in combination with #2 tells us what this "stuff" means for Keycloak. This new software is clearly not an adapter. Actually, this new software accomplishes the mission of an adapter better than adapters themselves!

Following that logic, Superadapter is my main proposal for a new name. Maybe throw in OIDC (oidc-superadapter) if there's ever going to be a saml-superadapter.

Alternatively, we could focus on the lack of an adapter, with names based on terms like Adapterless:

- AKI: Adapterless Keycloak Integrator
- KOSA: Keycloak OIDC Sans-Adapter
- AKOS: Adapterless Keycloak OIDC Server
- KOAF: Keycloak OIDC Adapter-Free
- etc...

Alex

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-client-adapters

Quoting Bruno Oliveira (2018-08-20 09:54:42)
> Only to give a brief context for people not aware of it. Keycloak
> Generic Adapter was not well accepted, because the naming is too
> vague. So we have to reopen this discussion and think about a better
> naming.
>
> During our team call today I suggested just "keycloak-adapter", which
> would cover the apps which don't have their own specific adapter
> solution.
>
> That said, maybe we should open a new poll?
> I just created a new one
> where people can vote/suggest:
>
> https://poll.ly/#/Lbww4ebG

From jan.garaj at gmail.com Mon Aug 20 17:18:57 2018
From: jan.garaj at gmail.com (Jan Garaj)
Date: Mon, 20 Aug 2018 22:18:57 +0100
Subject: [keycloak-user] Keycloak Proxy Rename

(auth) "proxy" is a common and well-known name for this type of component, for example https://github.com/bitly/oauth2_proxy and http://docs.grafana.org/tutorials/authproxy/. See Google trends: https://trends.google.com/trends/explore?q=auth%20proxy,auth%20adapter,auth%20component,auth%20module,auth%20extension

Github repo/code stats show a "proxy" preference as well.

What I don't like is "keycloak" in the name. Actually it's a generic "proxy" implementation, which works with (almost) any OpenID provider. There is no "keycloak" project lock-in at the moment.

My current preferred name is "OAuth Standalone Proxy" from the Keycloak project, repo keycloak/oauth-standalone-proxy. A similar case is etcd from the coreos project, repo coreos/etcd: you really don't need to keep the organization name in the project name.

*Jan Garaj*
Web: http://www.jangaraj.com / http://monitoringartist.com
LinkedIn: http://www.linkedin.com/in/jangaraj

On Mon, Aug 20, 2018 at 9:30 PM wrote:
> ---------- Forwarded message ----------
> From: Bruno Oliveira
> To: Hynek Mlnarik
> Cc: keycloak-dev , keycloak-user <keycloak-user at lists.jboss.org>
> Bcc:
> Date: Mon, 20 Aug 2018 12:54:42 -0300
> Subject: Re: [keycloak-user] Keycloak Proxy Rename
> Only to give a brief context for people not aware of it. Keycloak
> Generic Adapter was not well accepted, because the naming is too
> vague. So we have to reopen this discussion and think about a better
> naming.
>
> During our team call today I suggested just "keycloak-adapter", which
> would cover the apps which don't have their own specific adapter
> solution.
>
> That said, maybe we should open a new poll? I just created a new one
> where people can vote/suggest:
>
> https://poll.ly/#/Lbww4ebG
>
>
> On Mon, Aug 20, 2018 at 10:38 AM Hynek Mlnarik wrote:
> >
> > Based on discussion with Stian, let me reopen this topic and add a
> > suggestion.
> >
> > How about "Standalone Keycloak Adapter" or just "Standalone Adapter"?
> >
> >
> > On Mon, Jun 25, 2018 at 5:44 PM Bruno Oliveira wrote:
> >>
> >> Good afternoon,
> >>
> >> We are considering to transfer or fork the keycloak-proxy[1] to the Keycloak
> >> organization. In order to accomplish that, I've been working with Rohith
> >> updating some of its dependencies[2].
> >>
> >> While discussing with our team, we reached the conclusion that calling it a
> >> proxy could potentially increase the scope of the project and also give
> >> people the wrong idea, because things like load balancing,
> >> rate limiting, and other features would be expected. That's not what we want right now.
> >>
> >> I would like to gather some feedback from the community before we move
> >> forward. So please vote on the following Doodle:
> >>
> >> https://doodle.com/poll/gux626ktscgpr96t
> >>
> >> Also, feel free to suggest other names and they will be included.
> >>
> >> [1] - https://github.com/gambol99/keycloak-proxy
> >> [2] - https://issues.jboss.org/browse/KEYCLOAK-7265
> >>
> >>
> >> --
> >>
> >> abstractj
> >> _______________________________________________
>

From robert.smol at stereoit.com Mon Aug 20 18:15:30 2018
From: robert.smol at stereoit.com (Robert Smol)
Date: Tue, 21 Aug 2018 00:15:30 +0200
Subject: [keycloak-user] How to get java libraries

Hi,

where do I get Java libraries so I can develop against Keycloak? I would like to implement some interfaces from `org.keycloak.storage` but I cannot find those anywhere.

I've looked at https://www.keycloak.org/docs/latest/server_development/index.html but there is no such information.
I am new to Java, but I know I either need to provide some jar files or use gradle/maven to load the modules?

Thanks,

Robert

From joy at autonomic.ai Mon Aug 20 19:55:00 2018
From: joy at autonomic.ai (Joy Kent)
Date: Mon, 20 Aug 2018 16:55:00 -0700
Subject: [keycloak-user] jboss/keycloak-postgres docker hub page not found

It looks like there are some issues with the jboss/keycloak-postgres docker hub page? When I went to https://hub.docker.com/r/jboss/keycloak-postgres/, I got this Not Found (404) error, see the attachment. Did anyone else see the same issue?

Thanks,
Joy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2018-08-20 at 4.52.29 PM.png
Type: image/png
Size: 129710 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180820/93662561/attachment-0001.png

From Kevin.Fox at pnnl.gov Mon Aug 20 20:27:03 2018
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Tue, 21 Aug 2018 00:27:03 +0000
Subject: [keycloak-user] Keycloak Proxy Rename
In-Reply-To: <153479905785.6959.1361851594171681280@tyrfing>
References: <20180625154229.GA17717@abstractj.org> , <153479905785.6959.1361851594171681280@tyrfing>
Message-ID: <1A3C52DFCD06494D8528644858247BF01C180537@EX10MBOX03.pnnl.gov>

Coming from the outside world, I mostly searched for oidc and proxy as that's what I needed. I found oauth2_proxy after a little searching, but have been disappointed in how slow its releases are. Bugs aren't getting fixed quickly. When I looked at keycloak-proxy initially, I didn't look closer for a while as I thought it was keycloak specific. So, something like oidc-proxy might get you more successful hits.
Thanks,
Kevin

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Alex Szczuczko [aszczucz at redhat.com]
Sent: Monday, August 20, 2018 2:04 PM
To: Bruno Oliveira; Hynek Mlnarik
Cc: keycloak-dev; keycloak-user
Subject: Re: [keycloak-user] Keycloak Proxy Rename

In thinking of a new name, I tried to look hard at these things:

1. what this software actually does.
2. what makes this software desirable to a user.
3. what "adapter" has meant for keycloak in the past.

I'm not the best person to answer these questions, but here's what I've dug up:

1. Accepts HTTP requests and talks with Keycloak via OIDC to see if the client it serves should treat the requests as authenticated and/or authorized.
2. It avoids the need to install a bit of Keycloak software into the users' applications.
3. According to the docs[1]: "Keycloak client adapters are libraries that makes it very easy to secure applications and services with Keycloak ... our adapters easy to use and they require less boilerplate code than what is typically required by a library."

#1 is what we've been focusing on with names like "proxy". The reason such names are dissatisfying is that there is nothing unique about sitting in between two endpoints and doing stuff. So, we need to look at what that "stuff" means for Keycloak.

#3 in combination with #2 tells us what this "stuff" means for Keycloak. This new software is clearly not an adapter. Actually, this new software accomplishes the mission of an adapter better than adapters themselves!

Following that logic, Superadapter is my main proposal for a new name. Maybe throw in OIDC (oidc-superadapter) if there's ever going to be a saml-superadapter.

Alternatively, we could focus on the lack of an adapter, with names based on terms like Adapterless:

- AKI: Adapterless Keycloak Integrator
- KOSA: Keycloak OIDC Sans-Adapter
- AKOS: Adapterless Keycloak OIDC Server
- KOAF: Keycloak OIDC Adapter-Free
- etc...

Alex

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-client-adapters

Quoting Bruno Oliveira (2018-08-20 09:54:42)
> Only to give a brief context for people not aware of it. Keycloak
> Generic Adapter was not well accepted, because the naming is too
> vague. So we have to reopen this discussion and think about a better
> naming.
>
> During our team call today I suggested just "keycloak-adapter", which
> would cover the apps which don't have their own specific adapter
> solution.
>
> That said, maybe we should open a new poll? I just created a new one
> where people can vote/suggest:
>
> https://poll.ly/#/Lbww4ebG

From rafaelweingartner at gmail.com Mon Aug 20 20:57:10 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Mon, 20 Aug 2018 21:57:10 -0300
Subject: [keycloak-user] How to get java libraries

You can find the code at github.com/keycloak

On Mon, 20 Aug 2018 21:43, Robert Smol wrote:
> Hi,
>
> where do I get Java libraries so I can develop against Keycloak? I
> would like to implement some interfaces from `org.keycloak.storage` but I
> cannot find those anywhere.
>
> I've looked at
> https://www.keycloak.org/docs/latest/server_development/index.html but
> there is no such information.
>
> I am new to Java, but I know I either need to provide some jar files or use
> gradle/maven to load the modules?
>
> Thanks,
>
> Robert
>

From robert.smol at stereoit.com Tue Aug 21 03:10:14 2018
From: robert.smol at stereoit.com (Robert Smol)
Date: Tue, 21 Aug 2018 09:10:14 +0200
Subject: [keycloak-user] How to get java libraries

I am sorry but I do not think I follow. Of course I did have a look at the github site, it has 130mb of downloads and the README describes how to build keycloak.

What I need is to be able to have completion in, let's say, IDEA. I need to override the User SPI from org.keycloak.storage. But when I type it into IDEA, it says it cannot find the libraries.

In other languages I can just install a package and you are set to go. Nothing like that in the Java|Keycloak world? You need to download all source code for all libraries you want to use?

Robert

On Tue, Aug 21, 2018 at 2:57 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> You can find the code at github.com/keycloak
>
> On Mon, 20 Aug 2018 21:43, Robert Smol wrote:
>
>> Hi,
>>
>> where do I get Java libraries so I can develop against Keycloak? I
>> would like to implement some interfaces from `org.keycloak.storage` but I
>> cannot find those anywhere.
>>
>> I've looked at
>> https://www.keycloak.org/docs/latest/server_development/index.html but
>> there is no such information.
>>
>> I am new to Java, but I know I either need to provide some jar files or
>> use
>> gradle/maven to load the modules?
>>
>> Thanks,
>>
>> Robert
>>
>

--
stereoIT s.r.o.
Heřmanova 23
107 00 Praha 7
mob: +420 776 76 23 78

From Tom.Billiet at technicolor.com Tue Aug 21 03:32:10 2018
From: Tom.Billiet at technicolor.com (Billiet Tom)
Date: Tue, 21 Aug 2018 07:32:10 +0000
Subject: [keycloak-user] How to get java libraries

You can add the required dependencies in your build environment (gradle/maven).

Search mavencentral: https://search.maven.org/search?q=g:org.keycloak

org.keycloak:keycloak-server-spi and org.keycloak:keycloak-services are some likely candidates you need.

Tom

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Robert Smol
Sent: Tuesday, August 21, 2018 9:10:14 AM
To: rafaelweingartner at gmail.com
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to get java libraries

I am sorry but I do not think I follow. Of course I did have a look at the github site, it has 130mb of downloads and the README describes how to build keycloak.

What I need is to be able to have completion in, let's say, IDEA. I need to override the User SPI from org.keycloak.storage. But when I type it into IDEA, it says it cannot find the libraries.

In other languages I can just install a package and you are set to go. Nothing like that in the Java|Keycloak world? You need to download all source code for all libraries you want to use?

Robert

On Tue, Aug 21, 2018 at 2:57 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> You can find the code at github.com/keycloak
>
> On Mon, 20 Aug 2018 21:43, Robert Smol wrote:
>
>> Hi,
>>
>> where do I get Java libraries so I can develop against Keycloak? I
>> would like to implement some interfaces from `org.keycloak.storage` but I
>> cannot find those anywhere.
>>
>> I've looked at
>> https://www.keycloak.org/docs/latest/server_development/index.html but
>> there is no such information.
>>
>> I am new to Java, but I know I either need to provide some jar files or
>> use
>> gradle/maven to load the modules?
>>
>> Thanks,
>>
>> Robert
>>
>

--
stereoIT s.r.o.
Heřmanova 23
107 00 Praha 7
mob: +420 776 76 23 78

From christian.neudert at doksafe.de Tue Aug 21 03:37:42 2018
From: christian.neudert at doksafe.de (Christian Neudert)
Date: Tue, 21 Aug 2018 07:37:42 +0000
Subject: [keycloak-user] Limitations of create_realm role or a bug?

Hi,

Has someone an opinion on this? Should I create a bug for it?

Best regards,
Christian Neudert

On 16.08.18, 12:07, "keycloak-user-bounces at lists.jboss.org on behalf of Christian Neudert" wrote:

    Hello,

    I have a permission problem with realms created by a user in the master realm who has the "create_realm" role only. This user can create a realm and new users in it but can't assign the "impersonation" role to them. From my understanding, it's because this user doesn't have the "impersonation" role in the master realm and therefore can't assign it to another user in another realm. This is expected as of what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#realm-specific-roles.

    My problem is that I can't configure the created realm completely with this user without that possibility. It also contradicts what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#global-roles: "Users with the create-realm role are allowed to create new realms. They will be granted full access to any new realm they create."

    Should a user with the "create_realm" role be allowed to set the "impersonation" role for users in realms created by her, or is it a bug?
If it?s a wanted restriction I don?t know how to solve that problem without giving this user the admin permission in the master realm which is? not so good. FYI: I?m using Keycloak 3.4 with the Java Keycloak Admin CLI atm. Best regards, Christian Neudert ________________________________ [https://www.actaport.de/images/doksafe_mailclosing_actaport.jpg] Kanzleisoftware f?r moderne Anw?lte Kostenlos testen unter www.actaport.de ________________________________ [https://www.actaport.de/images/doksafe_logo_200.png] dokSAFE GmbH Goethestra?e 1 04109 Leipzig www.doksafe.de ________________________________ Sitz der Gesellschaft: Goethestra?e 1, 04109 Leipzig Amtsgericht Leipzig HRB 32536, Gesch?ftsf?hrer Steffen Scholz, Dr. Michael Sch?fer ________________________________ Diese E-Mail kann Betriebs- oder Gesch?ftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. Sollten Sie diese E-Mail irrt?mlich erhalten haben, ist Ihnen eine Kenntnisnahme des Inhalts, eine Vervielf?ltigung oder Weitergabe der E-Mail ausdr?cklich untersagt. Bitte benachrichtigen Sie uns und vernichten Sie die empfangene E-Mail. Vielen Dank. ________________________________ This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user ________________________________ doksafe GmbH: Goethestra?e 1, 04109 Leipzig Amtsgericht Leipzig HRB 32536, Gesch?ftsf?hrer Steffen Scholz, Dr. Michael Sch?fer ________________________________ Diese E-Mail kann Betriebs- oder Gesch?ftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. 
From robert.smol at stereoit.com Tue Aug 21 04:43:45 2018
From: robert.smol at stereoit.com (Robert Smol)
Date: Tue, 21 Aug 2018 10:43:45 +0200
Subject: [keycloak-user] How to get java libraries
In-Reply-To:
References:
Message-ID:

Thanks a lot! I've managed to update the gradle to:

    apply plugin: "java"

    repositories {
        mavenCentral()
    }

    dependencies {
        compile 'org.keycloak:keycloak-server-spi:4.3.0.Final'
        compile 'org.keycloak:keycloak-services:4.3.0.Final'
    }

And it works.

Robert

On Tue, Aug 21, 2018 at 9:32 AM Billiet Tom wrote:

> You can add the required dependencies in your build environment
> (gradle/maven)
>
> Search mavencentral: https://search.maven.org/search?q=g:org.keycloak
>
> org.keycloak:keycloak-server-spi and org.keycloak:keycloak-services are
> some likely candidates you need.
>
>
> Tom
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Robert Smol <robert.smol at stereoit.com>
> *Sent:* Tuesday, August 21, 2018 9:10:14 AM
> *To:* rafaelweingartner at gmail.com
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] How to get java libraries
>
> ** WARNING: This mail is from an external source **
>
>
> I am sorry but I do not think I follow. Of course I did have a look at the
> github site, it has 130mb of downloads and the README describes how to
> build keycloak.
>
> What I need is to be able to have completion in, let's say, IDEA. I need to
> override User SPI from org.keycloak.storage. But when I type it into IDEA,
> it says it cannot find the libraries.
>
> In other languages I can just install package and you
> are set to go. Nothing like that in Java|Keycloak world? You need to
> download all source code for all libraries you want to use?
>
> Robert
>
> On Tue, Aug 21, 2018 at 2:57 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>
> > You can find the code at github.com/keycloak
> >
> > On Mon, 20 Aug 2018 21:43, Robert Smol wrote:
> >
> >> Hi,
> >>
> >> where do I get Java libraries so I can develop against the Keycloak? I
> >> would like to implement some interfaces from `org.keycloak.storage` but I
> >> cannot find those anywhere.
> >>
> >> I've looked at
> >> https://www.keycloak.org/docs/latest/server_development/index.html but
> >> there is no such information.
> >>
> >> I am new to Java, but I know I either need to provide some jar files or
> >> use gradle/maven to load the modules?
> >>
> >> Thanks,
> >>
> >> Robert
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
>
> --
> stereoIT s.r.o.
> Heřmanova 23
> 107 00 Praha 7
> mob: +420 776 76 23 78
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
stereoIT s.r.o.
Heřmanova 23
107 00 Praha 7
mob: +420 776 76 23 78

From mposolda at redhat.com Tue Aug 21 05:26:16 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Aug 2018 11:26:16 +0200
Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache
In-Reply-To:
References: <346b6795-ed86-287b-7ed5-cc7668044b35@redhat.com>
Message-ID: <15c67762-c1a3-5d9e-1be8-c52c4314c672@redhat.com>

On 11/08/18 14:26, Sebastian Laskawiec wrote:
>
>
> On Fri, 10.08.2018, 21:59, user Hayden Fuss wrote:
>
> > Hello Sebastian and Marek,
> >
> > Thank you very much for suggestions.
> > We had confirmed replication
> > across the ISPN clusters was working with the CLI, so we tried
> > attaching the remote debugger but didn't find anything useful to
> > tell us why Keycloak couldn't remotely store the sessions in the
> > ISPN cluster.
>
> Thanks for letting us know.
>
> > Based on what Marek described, we decided to downgrade our ISPN
> > cluster to 8.2.8 rather than use 9.3.1 and incorporate the demo
> > code. It was our understanding that demo code would provide an SPI
> > that enabled the ISPN cluster for persistent user storage (but not
> > realms, clients, keys) which is not desirable for us as of now.
>
> Hmmm that's pretty interesting. For the Summit demo we used a fresh
> master build. So ISPN 9.x should work without any problems. Perhaps
> Marek can shed some light on this issue.

The current Keycloak master supports cross-dc integration with infinispan server 8.2.8.Final and JDG 7.1. That's what we are testing and what is officially described as the recommended infinispan-server version in our documentation: https://www.keycloak.org/docs/latest/server_installation/index.html#crossdc-mode

In the recent PR for upgrading Keycloak to Wildfly 13, there will be the upgrade to JDG 7.2 and infinispan server to 9.2.4.Final (this is the same as the infinispan version in Wildfly 13).

The summit demo used the infinispan server 9.3 AFAIR, but this required some updates in the Keycloak code, which was done by overriding default userSessions to the "updated-infinispan" provider. The code of this updated-infinispan is in the rh-sso project sources: https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681

Even with this overridden provider, I've tested just the Keycloak parts, which were needed for the demo itself. I did not try to run our cross-dc automated tests. So no guarantee that everything works as expected.
In other words, if you have a choice for the infinispan-server version and you don't need infinispan-server 9.X, it's recommended to stay with the infinispan-server 8.2.8.

Marek

>
> BTW, do you have a demo pushed into some repo, so that we could check
> it out?
>
> > Downgrading to 8.2.8 (had to create our own image
> > https://github.com/brix4dayz/infinispan/tree/8.2.x) fixed our
> > sessions replication issue, the only thing is KUBE_PING/DNS_PING
> > isn't available with the JGroups version that comes with 8.2.8.
> > Based on what I'm seeing from this PR
> > https://github.com/jboss-dockerfiles/keycloak/pull/96/files it's
> > possible to add a newer version of JGroups to Keycloak so I'll
> > attempt to do that for ISPN so we can have local clustering for
> > ISPN and Keycloak in OpenShift.
>
> Kube ping has basically two versions, 1.x which requires JGroups 4 and
> 0.9.x, which works with JGroups 3 and 4. Let me know if you hit any
> problems incorporating kube ping into your project. I might be able to
> help you.
>
> > If there's a better way to go about the JGroups version issue let
> > us know. Thanks again!
>
> TBH I'm really interested why keycloak doesn't store sessions in ISPN.
> In my opinion, we should find out how to fix this problem and stay
> with ISPN 9. I would recommend downgrading ISPN as the last resort
> approach.
>
> > Best,
> > Hayd
> >
> > On Thu, Aug 9, 2018 at 3:27 AM Marek Posolda wrote:
> >
> > > Hi,
> > >
> > > I didn't check everything, but one thing I noted is, that in your
> > > keycloak-standalone-ha.xml, you don't have "alternative" providers
> > > configured.
> > >
> > > For Keycloak to work with the infinispan 9.2.X server or newer, it was
> > > needed to configure providers like this:
> > > https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681
> > >
> > > There is also a need to add the userStorage to your realm, which can be
> > > done through admin console or by importing the realm.
> > > See:
> > > https://github.com/rhdemo/rh-sso/blob/master/realm-summit.json#L1051
> > >
> > > Marek
> > >
> > >
> > > On 08/08/18 15:07, Sebastian Laskawiec wrote:
> > > > On Tue, Aug 7, 2018 at 3:28 PM Hayden Fuss wrote:
> > > >
> > > >> Hello,
> > > >>
> > > >> We are attempting to run Keycloak on two OpenShift clusters using remote
> > > >> ISPNs and a single MariaDB instance. We're hacking together the Keycloak on
> > > >> Openshift blogpost, the JDG-as-a-service demo from Summit, RH SSO demo from
> > > >> Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC
> > > >> replication. The hope is to do an initial evaluation of Keycloak's
> > > >> availability.
> > > >>
> > > >> We were able to create a new user on master (site1), disable the user on
> > > >> master2 (site2), and see the user was disabled on master. So ISPN
> > > >> replication seems to be working because the work cache was replicated to
> > > >> invalidate the local caches. However, the sessions cache does not seem to
> > > >> be replicated because when logged in as the same user on the two different
> > > >> Keycloaks (in Incognito mode) there is only one active session shown on
> > > >> both UIs and the timestamp/IP/etc is different for the listed session.
> > > >>
> > > > So at this point the Infinispan cluster within a single DC works correctly
> > > > [1] (the one that is formed by KUBE_PING). The Cross-DC cluster (also known
> > > > as the Global Cluster) also works correctly [2]. Users cache replicates
> > > > fine but sessions don't.
> > > >
> > > > If I understood everything correctly, there might be two issues there.
> > > >
> > > > The first one is Infinispan misconfiguration (I briefly looked through the
> > > > configuration and can not spot any mistake but there might be some typo or
> > > > anything like that). That one is easy to be verified, just put an entry on
> > > > one node (e.g. using REST [3]) and see if it's available on the other one
> > > > (again, using REST for example [4]).
> > > >
> > > > If this test works fine, you can check if Keycloak forwards traffic to the
> > > > Infinispan cluster. The easiest way is to set a breakpoint somewhere in
> > > > org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveClientSessionToRemoteCache
> > > > and
> > > > org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveUserSessionToRemoteCache.
> > > >
> > > > [1] can be verified by calling `oc logs infinispan-app | grep view`
> > > > [2] can be verified by calling `oc logs infinispan-app | grep "x-site"`
> > > > [3] curl -d test ISPN_IP:8080/rest/sessions/test
> > > > [4] curl ISPN_IP2:8080/rest/sessions/test
> > > >
> > > >
> > > >> We are using the latest, stable Keycloak image, version 4.1.0.Final, and
> > > >> the latest, stable Infinispan image to act as our data grid, version
> > > >> 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for
> > > >> its local caches.
> > > >>
> > > >> We were trying one Keycloak node and two ISPN nodes in each cluster, but
> > > >> for simplicity we've attached logs where we only ran one Keycloak and one
> > > >> ISPN in each cluster.
> > > >> We were connecting to the two different Keycloaks via two different
> > > >> OpenShift Routes without a load balancer to fake sticky sessions for now.
> > > >> Keycloak connects to ISPN via a "HotRod" Service. ISPN connects to other
> > > >> nodes within the same cluster via KUBE_PING, and discovers the other
> > > >> cluster via TCPPING hitting a particular OpenShift app node from that
> > > >> cluster that exposes the "discovery" Service with a NodePort. The Keycloaks
> > > >> share the single MariaDB through a NodePort Service in one of the clusters
> > > >> as well.
> > > >>
> > > >> The logs didn't seem to contain any of the messages in the troubleshooting
> > > >> guide.
> > > >> We had trouble using JMX to check the ISPNs because they were
> > > >> running in containers, but we've been using the CLI tool and the
> > > >> Infinispan management console to try to troubleshoot, but any key we
> > > >> pulled from the logs that we thought was a session ID was not in the caches
> > > >> and we could not find a way to simply list all keys in the caches.
> > > >>
> > > >> Below is a viewable link to a zip containing logs from the scenario
> > > >> described in the second paragraph, and our config files.
> > > >>
> > > >> https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4
> > > >>
> > > >> Thanks for your time and help!
> > > >>
> > > >> Best,
> > > >> Hayden
> > > >> _______________________________________________
> > > >> keycloak-user mailing list
> > > >> keycloak-user at lists.jboss.org
> > > >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >>
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

From gambol99 at gmail.com Tue Aug 21 06:25:38 2018
From: gambol99 at gmail.com (gambol)
Date: Tue, 21 Aug 2018 11:25:38 +0100
Subject: [keycloak-user] Custom SPI Deployment v4.3.0
Message-ID:

Hiya

I've checked the release document but nothing stands out .. Has anything changed in the way SPIs are deployed in keycloak 4.3.0 Final?

As part of the image build we'd copy a number of jars into the keycloak/providers/ directory (event logs, prometheus metrics, a custom authenticator etc) which in 4.2.1 is working fine, but in v4.3.0 it doesn't appear to find anything.

Rohith

From mposolda at redhat.com Tue Aug 21 06:43:47 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Aug 2018 12:43:47 +0200
Subject: [keycloak-user] Limitations of create_realm role or a bug?
In-Reply-To:
References:
Message-ID:

Did you try to look at fine-grain admin permissions and check if they can help you?
I am not 100% sure, but I think that with fine-grain admin permissions enabled, there will be a new "resource" created when the user creates the realm, and this resource will have the user as an owner. Hopefully this can help to achieve what you want (e.g. specify that the owner/creator of the realm can do anything in that realm).

Marek

On 21/08/18 09:37, Christian Neudert wrote:
> Hi,
>
> Has someone an opinion on this? Should I create a bug for it?
>
> Best regards,
> Christian Neudert
>
> On 16.08.18, 12:07, "keycloak-user-bounces at lists.jboss.org on behalf of Christian Neudert" wrote:
>
>     Hello,
>
>     I have a permission problem with realms created by a user in the master realm, who has the 'create_realm' role only. This user can create a realm and new users in it but can't assign the 'impersonation' role to them. From my understanding, it's because this user doesn't have the 'impersonation' role in the master realm and therefore can't assign it to another user in another realm. This is expected as of what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#realm-specific-roles.
>
>     My problem is that I can't configure the created realm completely with this user without that possibility. It also contradicts what's written in https://www.keycloak.org/docs/3.4/server_admin/index.html#global-roles: "Users with the create-realm role are allowed to create new realms. They will be granted full access to any new realm they create.".
>
>     Should a user with the 'create_realm' role be allowed to set the 'impersonation' role for users in realms created by her or is it a bug? If it's a wanted restriction I don't know how to solve that problem without giving this user the admin permission in the master realm, which is not so good.
>
>     FYI: I'm using Keycloak 3.4 with the Java Keycloak Admin CLI atm.
>
>     Best regards,
>     Christian Neudert
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Aug 21 06:56:48 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Aug 2018 12:56:48 +0200
Subject: [keycloak-user] accessing client JWT token in token mapper when using signed JWT authenticator.
In-Reply-To:
References:
Message-ID: <4f734606-03ce-f9a0-e028-76146fdbda88@redhat.com>

Hmm... I am not sure if this use-case is something generally useful. TBH it looks to me rather like something specific to your deployment.

You can create a new provider (likely a subclass of JWTClientAuthenticator) and override things according to your needs - likely add the note to clientSession or userSession (clientSession is more proper IMO as it's specific to a single client, but you will probably need to implement a new protocolMapper for clientSessions). Then create a new protocol mapper to propagate the info from clientSession/userSession to the token.

Hope this helps,
Marek

On 17/08/18 08:28, Billiet Tom wrote:
> Hi,
>
> I'm currently trying to create a Mapper for a client that uses "Signed JWT" as the client authenticator. In the mapper I would like to access some fields from the JWT token that's used to authenticate the client.
>
> I cannot figure out a way to do so. I've tried to create a custom mapper that extends AbstractOIDCProtocolMapper, but I don't seem to be able to access the client JWT token anywhere.
> When digging somewhat deeper, I think the JWTClientAuthenticator (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java) should expose this if I want to be able to use it later in a mapper. If the JsonWebToken would be stored on the userSession note object that would be possible.
> But that would require a feature request to have this exposed.
> Is there another way to make this possible?
>
> Thanks,
> Tom
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From gambol99 at gmail.com Tue Aug 21 06:58:22 2018
From: gambol99 at gmail.com (gambol)
Date: Tue, 21 Aug 2018 11:58:22 +0100
Subject: [keycloak-user] Custom SPI Deployment v4.3.0
In-Reply-To:
References:
Message-ID:

Please ignore this, I jumped the gun .. Holding my head in shame, the issue was related to an internal artifacts repository

Rohith

On Tue, Aug 21, 2018 at 11:25 AM gambol wrote:

> Hiya
>
> I've checked the release document but nothing stands out .. Has anything
> changed in the way SPIs are deployed in keycloak 4.3.0 Final?
>
> As part of the image build we'd copy a number of jars into the
> keycloak/providers/ directory (event logs, prometheus metrics, a custom
> authenticator etc) which in 4.2.1 is working fine, but in v4.3.0 it doesn't
> appear to find anything.
>
> Rohith
>

From mposolda at redhat.com Tue Aug 21 08:28:14 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Aug 2018 14:28:14 +0200
Subject: [keycloak-user] Multiple password policies
In-Reply-To: <1843434580.12659228.1534501961679@mail.yahoo.com>
References: <1356792787.9540666.1534168050614.ref@mail.yahoo.com> <1356792787.9540666.1534168050614@mail.yahoo.com> <504557615.12069269.1534429942790@mail.yahoo.com> <1843434580.12659228.1534501961679@mail.yahoo.com>
Message-ID: <5b9de4b1-d75e-25dc-9d23-af09dc4d2855@redhat.com>

No, neither of the things you mentioned is available OOTB.

I wonder whether we may need something like FilterPasswordPolicy, which will allow configuring a child/delegate password policy and the filter (for example with usage of the scripting engine like our ScriptBasedAuthenticator is using)?
The filter may allow you to specify for example that:
- User in role "admin" must have a password of at least 10 characters
- User who is not in the role "admin" must have a password of at least 7 characters
etc.

Fact is, that it's not available OOTB at this moment. You may either try to create some custom PasswordPolicyProvider(s) by yourself. Or you can try to contribute something generic (like the FilterPasswordPolicy provider I mentioned above) to Keycloak?

Marek

On 17/08/18 12:32, Jamie McDowell wrote:
> Hi,
> Further to my email below, can you have a password policy assigned to a realm role?
>
> Regards,
> Jamie
>
> On Thursday, 16 August 2018, 15:32:22 BST, Jamie McDowell wrote:
>
> Hi,
>
> Can you have multiple password policies on the same realm where you are using an LDAP instance (Federated)?
> We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OUs, 1 for users and the other for service accounts - both of these need to have different passwords such as length and complexity.
> We have the password policy defined on the OpenLDAP. Can Keycloak have multiple policies?
> Has anyone configured this before or can suggest alternatives?
> Regards,
> Jamie
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Aug 21 08:38:09 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Aug 2018 14:38:09 +0200
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro>
Message-ID:

We have opened a JIRA for this: https://issues.jboss.org/browse/KEYCLOAK-5179 . Hopefully it's fixed relatively soon in one of the next releases.

Marek

On 17/08/18 07:47, keycloak demo wrote:
> Update:
>
> Facing the same issue on keycloak 4.3.0.final.
> I have taken a fresh
> instance of keycloak 4.3.0 and created just 2 users, but still facing the
> same issue of the browser not maintaining the session.
>
> On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo wrote:
>
>> Can someone please help me on this issue?
>>
>> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo wrote:
>>
>>> Another update:
>>>
>>> Though the login form appears every time, if I login with a different
>>> user the second time, i.e. launch client app -> login with user1 -> relaunch
>>> client app (browser shows login form instead of already logged in message)
>>> -> now login with user2,
>>>
>>> I get the following message:
>>> " We're sorry...You are already authenticated as different user 'user1'
>>> in this session. Please logout first."
>>> If it's able to know another user is logged in, then why is the login form
>>> appearing?
>>>
>>>
>>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote:
>>>
>>>> An update on my findings: When I checked the developer console, I am getting
>>>> a KC_RESTART cookie in the cookies section.
>>>>
>>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
>>>>
>>>>> Yes sir,
>>>>> I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter.
>>>>> And am seeing the same behavior on chrome and firefox.
>>>>>
>>>>> Also regarding the manual mode, I see the same behavior i.e. I have to
>>>>> re-login for each re-run of the client app.
>>>>>
>>>>> But if I do this:
>>>>>
>>>>>     System.out.println("Login through manual mode");
>>>>>     keycloak.loginManual();
>>>>>     System.out.println("Login through browser");
>>>>>     keycloak.loginDesktop();
>>>>>
>>>>> i.e. if I call both modes in the same code or even the same mode twice in
>>>>> the same code, then I don't have to re-login for the second call (in the above
>>>>> example for loginDesktop). However when I re-run the application, I need to
>>>>> re-login. This might be a stupid guess but could these sessions be "java
>>>>> object specific"?
>>>>>
>>>>>
>>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Did you do everything in accordance with the docs?
>>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>>>>>>
>>>>>> Do you experience this in "manual" mode too?
>>>>>>
>>>>>> Cheers,
>>>>>> Dmitry Telegin
>>>>>> CTO, Acutus s.r.o.
>>>>>> Keycloak Consulting and Training
>>>>>>
>>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>>>>> +42 (022) 888-30-71
>>>>>> E-mail: info at acutus.pro
>>>>>>
>>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
>>>>>>> I am using openid-connect for authenticating users. After successful
>>>>>>> authentication, the browser window says:
>>>>>>> "Login Successful
>>>>>>>
>>>>>>> You may close this browser window and go back to your console
>>>>>>> application."
>>>>>>> However, even without closing the window, if I relaunch my application
>>>>>>> (using keycloak.loginDesktop();) even within 10 seconds, still the login
>>>>>>> page appears instead of: you are already logged in.
>>>>>>>
>>>>>>> Browser: Firefox.
>>>>>>> _______________________________________________
>>>>>>> keycloak-user mailing list
>>>>>>> keycloak-user at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Aug 21 08:45:49 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Aug 2018 14:45:49 +0200
Subject: [keycloak-user] Keycloak 3.4.3 - Importing Terms and Conditions Required Action
In-Reply-To: <865A51D9-261B-428A-AA02-4F86C0B9A31E@bearingpoint.com>
References: <865A51D9-261B-428A-AA02-4F86C0B9A31E@bearingpoint.com>
Message-ID: <727b7c87-8f41-38dc-c9c6-8ef2e8264f7e@redhat.com>

Not 100% sure, but it may be a bug. Feel free to create a JIRA for this.
Marek

On 15/08/18 13:04, McDonnell, John wrote:
> Hi,
>
> I'm working on an integration project against Keycloak 3.4.3-FINAL, and so am limited to what KeyCloak version is in use.
>
> At the moment I have spotted that when I import realm settings as JSON via rest, the terms and conditions required action's enabled/defaultAction settings are not being considered.
>
> I am using the API: HTTP PUT: "/auth/admin/realms/R6", where R6 is the realm I'm updating, and the content of the update I'm trying is:
>
> {
>   "realm": "R6",
>   "loginTheme": "btcms-default",
>   "accountTheme": "r6-default",
>   "emailTheme": "btcms-default",
>   "passwordPolicy": "regexPattern(^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$@$!?&])[A-Za-z\\d$@$!?&]{8,32}) and forceExpiredPasswordChange(90) and passwordHistory(3)",
>   "resetPasswordAllowed": true,
>   "requiredActions": [
>     {
>       "alias": "CONFIGURE_TOTP",
>       "name": "Configure OTP",
>       "providerId": "CONFIGURE_TOTP",
>       "enabled": true,
>       "defaultAction": false,
>       "config": {}
>     },
>     {
>       "alias": "UPDATE_PASSWORD",
>       "name": "Update Password",
>       "providerId": "UPDATE_PASSWORD",
>       "enabled": true,
>       "defaultAction": false,
>       "config": {}
>     },
>     {
>       "alias": "UPDATE_PROFILE",
>       "name": "Update Profile",
>       "providerId": "UPDATE_PROFILE",
>       "enabled": true,
>       "defaultAction": false,
>       "config": {}
>     },
>     {
>       "alias": "VERIFY_EMAIL",
>       "name": "Verify Email",
>       "providerId": "VERIFY_EMAIL",
>       "enabled": true,
>       "defaultAction": false,
>       "config": {}
>     },
>     {
>       "alias": "terms_and_conditions",
>       "name": "Terms and Conditions",
>       "providerId": "terms_and_conditions",
>       "enabled": true,
>       "defaultAction": true,
>       "config": {}
>     }
>   ]
> }
>
> The issue I'm seeing in the UI is that the terms and conditions required action is disabled. I can change this in the UI, and export, which exports this correctly, but I am unable to import this configuration. Is there something else needed to configure required actions?
>
> Regards
>
> John McDonnell
> Manager
>
> BearingPoint
> Montague House
> Adelaide Road
> Dublin
> D02 K039
> Ireland
>
> john.mcdonnell at bearingpoint.com
> www.bearingpoint.com
>
> ________________________________
> BearingPoint Ireland uc
> registered in Dublin, Ireland No. 489298.
> Registered office: Montague House, Adelaide Road, Dublin 2.
>
> The information in this email is confidential and may be legally privileged. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system.
>

From mposolda at redhat.com Tue Aug 21 08:50:31 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 21 Aug 2018 14:50:31 +0200
Subject: [keycloak-user] How an end-user can delete his account
In-Reply-To:
References:
Message-ID:

We don't have this OOTB. I agree that it can be useful in some systems. Feel free to create a feature-request JIRA (if one does not already exist for the same feature request).

Marek

On 16/08/18 12:01, Olivier Guilloux wrote:
> Hello,
>
> How can an end-user delete his account using the account page
> (auth/realms/<...>/account/)?
>
> I have found the API "DELETE /{realm}/users/{id}" but the account page
> doesn't have any delete account button?
>
> Regards,
>

From hfuss at bandwidth.com Tue Aug 21 09:12:27 2018
From: hfuss at bandwidth.com (Hayden Fuss)
Date: Tue, 21 Aug 2018 09:12:27 -0400
Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache
In-Reply-To: <15c67762-c1a3-5d9e-1be8-c52c4314c672@redhat.com>
References: <346b6795-ed86-287b-7ed5-cc7668044b35@redhat.com> <15c67762-c1a3-5d9e-1be8-c52c4314c672@redhat.com>
Message-ID:

Hey guys,

Thank you for the updates! We'll stick to Infinispan 8.2.8 so that there are no surprises.

We upgraded JGroups 3 and added KUBE_PING to Infinispan 8.2.8, as well as for Keycloak, and so we've gotten cross-DC working with two Keycloaks and two ISPNs in each DC.

In our first round of HA testing, Keycloak's OIDC endpoints have been fairly resilient when unable to connect to LDAP, MariaDB, and the whole ISPN cluster (we just destroy the OpenShift Services and wait 5 minutes while testing the endpoints). However, we've noticed that if we delete an ISPN pod forcefully, we'll experience some timeouts with the /token?username&password grant as the *new* pod comes up. We believe it's due to our liveness/readiness probes being too optimistic, since ISPN 8.2.8 does not have a health check like ISPN 9.X. I've been unable to find a prescribed way of health checking ISPN 8.2.8. For now I'm waiting for the 9990 socket to open as the liveness probe, and reusing the is_running.sh from ISPN 9.X for the readiness probe (attached), and ISPN pods are considered "Ready" to receive traffic from the OpenShift Service much sooner than they were when we used the probes that came with ISPN 9.X.

Aside from setting the delay on the probes to be longer, do either of you know a more accurate way to health check ISPN 8.2.8?

Thanks again for the time and info. We greatly appreciate it as it's been very helpful!
Best,
Hayden

On Tue, Aug 21, 2018 at 5:26 AM Marek Posolda wrote:
> On 11/08/18 14:26, Sebastian Laskawiec wrote:
>
> On Fri, 10.08.2018, 21:59 user Hayden Fuss wrote:
>
>> Hello Sebastian and Marek,
>>
>> Thank you very much for the suggestions. We had confirmed replication across the ISPN clusters was working with the CLI, so we tried attaching the remote debugger but didn't find anything useful to tell us why Keycloak couldn't remotely store the sessions in the ISPN cluster.
>>
>
> Thanks for letting us know.
>
>
>> Based on what Marek described, we decided to downgrade our ISPN cluster to 8.2.8 rather than use 9.3.1 and incorporate the demo code. It was our understanding that the demo code would provide an SPI that enabled the ISPN cluster for persistent user storage (but not realms, clients, keys), which is not desirable for us as of now.
>>
>
> Hmmm, that's pretty interesting. For the Summit demo we used a fresh master build. So ISPN 9.x should work without any problems. Perhaps Marek can shed some light on this issue.
>
> The current Keycloak master supports cross-DC integration with infinispan server 8.2.8.Final and JDG 7.1. That's what we are testing and what is officially described as the recommended infinispan-server version in our documentation:
> https://www.keycloak.org/docs/latest/server_installation/index.html#crossdc-mode
>
> In the recent PR for upgrading Keycloak to Wildfly 13, there will be the upgrade to JDG 7.2 and infinispan server 9.2.4.Final (this is the same as the infinispan version in Wildfly 13).
>
> The summit demo used infinispan server 9.3 AFAIR, but this required some updates in the Keycloak code, which was done by overriding the default userSessions to the "updated-infinispan" provider.
> The code of this updated-infinispan is in the rh-sso project sources:
>
> https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681
>
> Even with this overridden provider, I've tested just the Keycloak parts which were needed for the demo itself. I did not try to run our cross-DC automated tests. So no guarantee that everything works as expected.
>
> In other words, if you have a choice for the infinispan-server version and you don't need infinispan-server 9.X, it's recommended to stay with infinispan-server 8.2.8.
>
> Marek
>
>
> BTW, do you have a demo pushed into some repo, so that we could check it out?
>
>
>> Downgrading to 8.2.8 (had to create our own image https://github.com/brix4dayz/infinispan/tree/8.2.x) fixed our sessions replication issue; the only thing is KUBE_PING/DNS_PING isn't available with the JGroups version that comes with 8.2.8. Based on what I'm seeing from this PR https://github.com/jboss-dockerfiles/keycloak/pull/96/files it's possible to add a newer version of JGroups to Keycloak, so I'll attempt to do that for ISPN so we can have local clustering for ISPN and Keycloak in OpenShift.
>>
>
> Kube ping has basically two versions: 1.x, which requires JGroups 4, and 0.9.x, which works with JGroups 3 and 4. Let me know if you hit any problems incorporating kube ping into your project. I might be able to help you.
>
>
>> If there's a better way to go about the JGroups version issue let us know. Thanks again!
>>
>
> TBH I'm really interested why keycloak doesn't store sessions in ISPN. In my opinion, we should find out how to fix this problem and stay with ISPN 9. I would recommend downgrading ISPN as the last resort approach.
>
>
>> Best,
>> Hayd
>>
>> On Thu, Aug 9, 2018 at 3:27 AM Marek Posolda wrote:
>>
>>> Hi,
>>>
>>> I didn't check everything, but one thing I noted is that in your keycloak-standalone-ha.xml, you don't have "alternative" providers configured.
>>>
>>> For Keycloak to work with the infinispan 9.2.X server or newer, it was needed to configure providers like this:
>>>
>>> https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681
>>>
>>> There is also a need to add the userStorage to your realm, which can be done through the admin console or by importing the realm. See:
>>> https://github.com/rhdemo/rh-sso/blob/master/realm-summit.json#L1051
>>>
>>> Marek
>>>
>>>
>>> On 08/08/18 15:07, Sebastian Laskawiec wrote:
>>> > On Tue, Aug 7, 2018 at 3:28 PM Hayden Fuss wrote:
>>> >
>>> >> Hello,
>>> >>
>>> >> We are attempting to run Keycloak on two OpenShift clusters using remote ISPNs and a single MariaDB instance. We're hacking together the Keycloak on Openshift blogpost, the JDG-as-a-service demo from Summit, the RH SSO demo from Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC replication. The hope is to do an initial evaluation of Keycloak's availability.
>>> >>
>>> >> We were able to create a new user on master (site1), disable the user on master2 (site2), and see the user was disabled on master. So ISPN replication seems to be working, because the work cache was replicated to invalidate the local caches. However, the sessions cache does not seem to be replicated, because when logged in as the same user on the two different Keycloaks (in Incognito mode) there is only one active session shown on both UIs and the timestamp/IP/etc is different for the listed session.
>>> >>
>>> > So at this point the Infinispan cluster within a single DC works correctly [1] (the one that is formed by KUBE_PING). The Cross-DC cluster (also known as the Global Cluster) also works correctly [2]. The users cache replicates fine but sessions don't.
>>> >
>>> > If I understood everything correctly, there might be two issues there.
>>> >
>>> > The first one is Infinispan misconfiguration (I briefly looked through the configuration and can not spot any mistake, but there might be some typo or anything like that). That one is easy to verify: just put an entry on one node (e.g. using REST [3]) and see if it's available on the other one (again, using REST for example [4]).
>>> >
>>> > If this test works fine, you can check if Keycloak forwards traffic to the Infinispan cluster. The easiest way is to set a breakpoint somewhere in
>>> > org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveClientSessionToRemoteCache
>>> > and
>>> > org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveUserSessionToRemoteCache.
>>> >
>>> > [1] can be verified by calling `oc logs infinispan-app | grep view`
>>> > [2] can be verified by calling `oc logs infinispan-app | grep "x-site"`
>>> > [3] curl -d test ISPN_IP:8080/rest/sessions/test
>>> > [4] curl ISPN_IP2:8080/rest/sessions/test
>>> >
>>> >
>>> >> We are using the latest stable Keycloak image, version 4.1.0.Final, and the latest stable Infinispan image to act as our data grid, version 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for its local caches.
>>> >>
>>> >> We were trying one Keycloak node and two ISPN nodes in each cluster, but for simplicity we've attached logs where we only ran one Keycloak and one ISPN in each cluster.
>>> >> We were connecting to the two different Keycloaks via two different OpenShift Routes without a load balancer, to fake sticky sessions for now. Keycloak connects to ISPN via a "HotRod" Service. ISPN connects to other nodes within the same cluster via KUBE_PING, and discovers the other cluster via TCPPING hitting a particular OpenShift app node from that cluster that exposes the "discovery" Service with a NodePort. The Keycloaks share the single MariaDB through a NodePort Service in one of the clusters as well.
>>> >>
>>> >> The logs didn't seem to contain any of the messages in the troubleshooting guide. We had trouble using JMX to check the ISPNs because they were running in containers, but we've been using the CLI tool and the Infinispan management console to try to troubleshoot; any key we pulled from the logs that we thought was a session ID was not in the caches, and we could not find a way to simply list all keys in the caches.
>>> >>
>>> >> Below is a viewable link to a zip containing logs from the scenario described in the second paragraph, and our config files.
>>> >>
>>> >> https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4
>>> >>
>>> >> Thanks for your time and help!
>>> >>
>>> >> Best,
>>> >> Hayden
>>> >>
>>>
>>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: is_running.sh
Type: text/x-sh
Size: 218 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180821/f4dcecc7/attachment-0001.bin

From thierry.delbart at ext.soprasteria.com Tue Aug 21 10:46:30 2018
From: thierry.delbart at ext.soprasteria.com (DELBART Thierry)
Date: Tue, 21 Aug 2018 14:46:30 +0000
Subject: [keycloak-user] Is Keycloak with a large number of clients or groups viable?
Message-ID:

Hi all,

I'm contacting you to try to enlighten our conception worries. We'll be using the latest Keycloak version.

Our users are linked to firms with different roles in each firm, basically founders and members. Potentially, there would be up to 100.000 firms registered (we hope so! :) ).

We envisioned two solutions:
- using groups: each firm is a group that includes a group for each role; one of the groups would be able to add users to the other groups (possible?)
- using clients: each firm is a client that has its specific roles; only users with role "founder" can grant the client's roles to other users (possible?)

At first we wanted to use Keycloak SPIs to manage that, but we'll probably have to build our own back-office and use REST requests.

Which option would suit our case best? Is there a limit for groups or clients in Keycloak?

And how would you handle application based roles? Or is it better for each application to handle them internally?

Thanks,
Thierry.

From sthorger at redhat.com Tue Aug 21 14:13:26 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 21 Aug 2018 20:13:26 +0200
Subject: [keycloak-user] Keycloak Proxy Rename
In-Reply-To: <1A3C52DFCD06494D8528644858247BF01C180537@EX10MBOX03.pnnl.gov>
References: <20180625154229.GA17717@abstractj.org> <153479905785.6959.1361851594171681280@tyrfing> <1A3C52DFCD06494D8528644858247BF01C180537@EX10MBOX03.pnnl.gov>
Message-ID:

Sure, proxy is the obvious name, but for reasons already mentioned by Bruno it's not really an option for us.
It comes from the Keycloak team, so it should have the Keycloak name in it. I agree that doesn't automatically state it's a generic OIDC adapter, but I'd like to keep our name in there.

From the suggestions so far there are two I like:

* Keycloak Gatekeeper - suggested by Thomas on the poll. I really like this and it fits nicely with Keycloak. It's also so much cooler than proxy/standalone/etc.
* Keycloak Standalone Adapter

On Tue, 21 Aug 2018 at 04:27, Fox, Kevin M wrote:
> Coming from the outside world, I mostly searched for oidc and proxy as that's what I needed. I found oauth2_proxy after a little searching, but have been disappointed in how slow its releases are. Bugs aren't getting fixed quickly. When I looked at keycloak-proxy initially, I didn't look closer for a while as I thought it was keycloak specific.
>
> So, something like oidc-proxy might get you more successful hits.
>
> Thanks,
> Kevin
> ________________________________________
> From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Alex Szczuczko [aszczucz at redhat.com]
> Sent: Monday, August 20, 2018 2:04 PM
> To: Bruno Oliveira; Hynek Mlnarik
> Cc: keycloak-dev; keycloak-user
> Subject: Re: [keycloak-user] Keycloak Proxy Rename
>
> In thinking of a new name, I tried to look hard at these things:
>
> 1. what this software actually does.
>
> 2. what makes this software desirable to a user.
>
> 3. what "adapter" has meant for keycloak in the past.
>
> I'm not the best person to answer these questions, but here's what I've dug up:
>
> 1. Accepts HTTP requests and talks with Keycloak via OIDC to see if the client it serves should treat the requests as authenticated and/or authorized.
>
> 2. It avoids the need to install a bit of Keycloak software into the users' applications.
>
> 3. According to the docs[1]: Keycloak client adapters are libraries that makes it very easy to secure applications and services with Keycloak ...
> our adapters easy to use and they require less boilerplate code than what is typically required by a library.
>
> #1 is what we've been focusing on with names like "proxy". The reason such names are dissatisfying is that there is nothing unique about sitting in between two endpoints and doing stuff. So, we need to look at what that "stuff" means for Keycloak.
>
> #3 in combination with #2 tells us what this "stuff" means for Keycloak. This new software is clearly not an adapter. Actually, this new software accomplishes the mission of an adapter better than adapters themselves!
>
> Following that logic, Superadapter is my main proposal for a new name. Maybe throw in OIDC (oidc-superadapter) if there's ever going to be a saml-superadapter.
>
> Alternatively, we could focus on the lack of an adapter, with names based on terms like Adapterless:
>
> - AKI: Adapterless Keycloak Integrator
> - KOSA: Keycloak OIDC Sans-Adapter
> - AKOS: Adapterless Keycloak OIDC Server
> - KOAF: Keycloak OIDC Adapter-Free
> - etc...
>
> Alex
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-client-adapters
>
> Quoting Bruno Oliveira (2018-08-20 09:54:42)
> > Only to give a brief context for people not aware of it. Keycloak Generic Adapter was not well accepted, because the naming is too vague. So we have to reopen this discussion and think about a better naming.
> >
> > During our team call today I suggested just "keycloak-adapter", which would cover the apps which don't have their own specific adapter solution.
> >
> > That said, maybe we should open a new poll?
> > I just created a new one where people can vote/suggest:
> >
> > https://poll.ly/#/Lbww4ebG
>

From ryans at jlab.org Tue Aug 21 14:43:49 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 21 Aug 2018 14:43:49 -0400 (EDT)
Subject: [keycloak-user] prompt=login does not override Kerberos
Message-ID: <315207004.24042567.1534877029403.JavaMail.zimbra@jlab.org>

My understanding is that sending the parameter prompt=login to the Keycloak authentication URL should force the login form and re-authentication. However, if Kerberos SPNEGO is available it ignores this parameter and logs the user in without showing a login form. Is this a bug? I guess currently prompt=login is only honored by the cookie execution in the browser flow?

Another possible bug: if you create a copy of the browser flow and swap the order of the Kerberos execution with the Identity Provider Redirector execution, then Kerberos SPNEGO authentication won't work (fails with a checksum error).

Combine both issues and it means you cannot selectively force some users to use a particular identity broker while sending others to another. With the normal browser flow, if a user has Kerberos SPNEGO credentials then they will ignore the kc_idp_hint parameter, as the Kerberos execution comes before the IDP redirect. If you configure an alternative browser flow where the IDP redirect execution comes before the Kerberos execution, then users without the kc_idp_hint who legitimately should log in automatically via Kerberos SPNEGO will fail to do so, because it appears having the IDP redirect execution first breaks the SPNEGO process.

Anyone else run into this?
From katariakhyati11 at gmail.com Tue Aug 21 15:33:40 2018
From: katariakhyati11 at gmail.com (Khyati Kataria)
Date: Tue, 21 Aug 2018 15:33:40 -0400
Subject: [keycloak-user] Trying to use offline captcha on forgot password page
Message-ID:

Hi,

I am new to keycloak. As per one of our requirements we need to have something like an offline captcha (having no internet access) on the forgot password page. I am planning to add an external jar file for the captcha. Is it possible or not? Is anyone having the same kind of thing? Apart from an external jar, is there any better way to add a captcha without internet?

Thanks,
Khyati

From slaskawi at redhat.com Tue Aug 21 21:52:26 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 22 Aug 2018 03:52:26 +0200
Subject: [keycloak-user] Keycloak Proxy Rename
In-Reply-To:
References: <20180625154229.GA17717@abstractj.org> <153479905785.6959.1361851594171681280@tyrfing> <1A3C52DFCD06494D8528644858247BF01C180537@EX10MBOX03.pnnl.gov>
Message-ID:

So if Keycloak Proxy is not an option (nor anything similar to that), I would also stay away from anything close to the "adapter".

Therefore, +1 to Keycloak Gatekeeper (@Bruno, I changed my vote in the Polly).

On Tue, Aug 21, 2018 at 11:58 PM Stian Thorgersen wrote:
> Sure, proxy is the obvious name, but for reasons already mentioned by Bruno it's not really an option for us.
>
> It comes from the Keycloak team, so it should have the Keycloak name in it. I agree that doesn't automatically state it's a generic OIDC adapter, but I'd like to keep our name in there.
>
> From the suggestions so far there are two I like:
>
> * Keycloak Gatekeeper - suggested by Thomas on the poll. I really like this and it fits nicely with Keycloak. It's also so much cooler than proxy/standalone/etc.
> * Keycloak Standalone Adapter
>
> On Tue, 21 Aug 2018 at 04:27, Fox, Kevin M wrote:
>
> > Coming from the outside world, I mostly searched for oidc and proxy as that's what I needed.
> > I found oauth2_proxy after a little searching, but have been disappointed in how slow its releases are. Bugs aren't getting fixed quickly. When I looked at keycloak-proxy initially, I didn't look closer for a while as I thought it was keycloak specific.
> >
> > So, something like oidc-proxy might get you more successful hits.
> >
> > Thanks,
> > Kevin
> > ________________________________________
> > From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Alex Szczuczko [aszczucz at redhat.com]
> > Sent: Monday, August 20, 2018 2:04 PM
> > To: Bruno Oliveira; Hynek Mlnarik
> > Cc: keycloak-dev; keycloak-user
> > Subject: Re: [keycloak-user] Keycloak Proxy Rename
> >
> > In thinking of a new name, I tried to look hard at these things:
> >
> > 1. what this software actually does.
> >
> > 2. what makes this software desirable to a user.
> >
> > 3. what "adapter" has meant for keycloak in the past.
> >
> > I'm not the best person to answer these questions, but here's what I've dug up:
> >
> > 1. Accepts HTTP requests and talks with Keycloak via OIDC to see if the client it serves should treat the requests as authenticated and/or authorized.
> >
> > 2. It avoids the need to install a bit of Keycloak software into the users' applications.
> >
> > 3. According to the docs[1]: Keycloak client adapters are libraries that makes it very easy to secure applications and services with Keycloak ... our adapters easy to use and they require less boilerplate code than what is typically required by a library.
> >
> > #1 is what we've been focusing on with names like "proxy". The reason such names are dissatisfying is that there is nothing unique about sitting in between two endpoints and doing stuff. So, we need to look at what that "stuff" means for Keycloak.
> >
> > #3 in combination with #2 tells us what this "stuff" means for Keycloak.
> > This new software is clearly not an adapter. Actually, this new software accomplishes the mission of an adapter better than adapters themselves!
> >
> > Following that logic, Superadapter is my main proposal for a new name. Maybe throw in OIDC (oidc-superadapter) if there's ever going to be a saml-superadapter.
> >
> > Alternatively, we could focus on the lack of an adapter, with names based on terms like Adapterless:
> >
> > - AKI: Adapterless Keycloak Integrator
> > - KOSA: Keycloak OIDC Sans-Adapter
> > - AKOS: Adapterless Keycloak OIDC Server
> > - KOAF: Keycloak OIDC Adapter-Free
> > - etc...
> >
> > Alex
> >
> > [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-client-adapters
> >
> > Quoting Bruno Oliveira (2018-08-20 09:54:42)
> > > Only to give a brief context for people not aware of it. Keycloak Generic Adapter was not well accepted, because the naming is too vague. So we have to reopen this discussion and think about a better naming.
> > >
> > > During our team call today I suggested just "keycloak-adapter", which would cover the apps which don't have their own specific adapter solution.
> > >
> > > That said, maybe we should open a new poll?
> > > I just created a new one where people can vote/suggest:
> > >
> > > https://poll.ly/#/Lbww4ebG
> >
>

From mposolda at redhat.com Wed Aug 22 02:35:01 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 22 Aug 2018 08:35:01 +0200
Subject: [keycloak-user] Trying to use offline captcha on forgot password page
In-Reply-To:
References:
Message-ID: <76e5a578-ba39-1ac0-94ac-88e9bb1ad685@redhat.com>

I think it should be possible to do it somehow as you mentioned. Maybe you will need to tweak the code of the Registration Forms (see the "Server Development Guide" for the details).

Marek

On 21/08/18 21:33, Khyati Kataria wrote:
> Hi,
>
> I am new to keycloak. As per one of our requirements we need to have something like an offline captcha (having no internet access) on the forgot password page. I am planning to add an external jar file for the captcha. Is it possible or not? Is anyone having the same kind of thing? Apart from an external jar, is there any better way to add a captcha without internet?
>
>
> Thanks,
> Khyati

From mposolda at redhat.com Wed Aug 22 02:52:28 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 22 Aug 2018 08:52:28 +0200
Subject: [keycloak-user] prompt=login does not override Kerberos
In-Reply-To: <315207004.24042567.1534877029403.JavaMail.zimbra@jlab.org>
References: <315207004.24042567.1534877029403.JavaMail.zimbra@jlab.org>
Message-ID: <756c011f-926d-cc1d-eb41-a0df315861eb@redhat.com>

On 21/08/18 20:43, Ryan Slominski wrote:
> My understanding is that sending the parameter prompt=login to the Keycloak authentication URL should force the login form and re-authentication. However, if Kerberos SPNEGO is available it ignores this parameter and logs the user in without showing a login form. Is this a bug? I guess currently prompt=login is only honored by the cookie execution in the browser flow?

Per the OIDC specification, when using prompt=login, the server should re-authenticate the user. IMO re-authentication doesn't strictly mean that a login form must be shown and that all the authenticators which don't have any HTML form to display must be ignored. So we just ignore the cookie authenticator at this moment.

In the future, we plan to use "Authentication levels" and I think this will allow us to address your usecase better. For example, you will create 2 authentication flows and, based on the value of the "amr" parameter sent from the adapter, Keycloak will show the correct authentication flow. So for example you can have one flow with the Kerberos Authenticator and one flow with the IdentityProviderRedirector etc.

For now, maybe you will need to customize the source code of SpnegoAuthenticator (create your own provider subclass) to deal with prompt=login according to your needs.
>
> Another possible bug: if you create a copy of the browser flow and swap the order of the Kerberos execution with the Identity Provider Redirector execution, then Kerberos SPNEGO authentication won't work (fails with a checksum error).

Sounds strange. Maybe this is a bug. Does it happen even if no "kc_idp_hint" parameter is sent, so the IdentityProvider Redirector doesn't do any redirection HTTP requests? If yes, it looks like a bug to me. Feel free to create JIRA.

Marek

>
> Combine both issues and it means you cannot selectively force some users to use a particular identity broker while sending others to another. With the normal browser flow, if a user has Kerberos SPNEGO credentials then they will ignore the kc_idp_hint parameter, as the Kerberos execution comes before the IDP redirect. If you configure an alternative browser flow where the IDP redirect execution comes before the Kerberos execution, then users without the kc_idp_hint who legitimately should log in automatically via Kerberos SPNEGO will fail to do so, because it appears having the IDP redirect execution first breaks the SPNEGO process.
>
> Anyone else run into this?

From mkanis at redhat.com Wed Aug 22 03:42:35 2018
From: mkanis at redhat.com (Martin Kanis)
Date: Wed, 22 Aug 2018 09:42:35 +0200
Subject: [keycloak-user] How an end-user can delete his account
In-Reply-To:
References:
Message-ID:

We have the JIRA for that: https://issues.jboss.org/browse/KEYCLOAK-953

Martin

On Tue, Aug 21, 2018 at 2:56 PM Marek Posolda wrote:
> We don't have this OOTB. I agree that it can be useful in some systems. Feel free to create a feature-request JIRA (if one does not already exist for the same feature request).
>
> Marek
>
> On 16/08/18 12:01, Olivier Guilloux wrote:
> > Hello,
> >
> > How can an end-user delete his account using the account page
> > (auth/realms/<...>/account/)?
> >
> > I have found the API "DELETE /{realm}/users/{id}" but the account page
> > doesn't have any delete account button?
> >
> > Regards,
> >
> >
>

From max.bruchmann at hotmail.com Wed Aug 22 04:35:36 2018
From: max.bruchmann at hotmail.com (Max Bruchmann)
Date: Wed, 22 Aug 2018 08:35:36 +0000
Subject: [keycloak-user] attributes are not persisted
In-Reply-To:
References:
Message-ID:

Ok, do you think the "extending registration form" will work if users register via google, facebook etc...?

With the LOGIN directly after REGISTER you mean I could try something like this:

    onLogin:
        // look up the attribute written during REGISTER; null means it was never persisted
        String externalID = userModel.getFirstAttribute("foo");
        if (externalID == null) {
            // re-create it here; assign to the existing variable rather than redeclaring it
            externalID = createSomethingWithUserEmail(userModel.getEmail());
            userModel.setSingleAttribute("foo", externalID);
        }

You think the transaction state is different, which then really persists the data, or is runJobInTransaction working better and will find the user?

Max

On 20.08.18 at 19:08, Marek Posolda wrote:

Maybe it's better to rather extend the registration form as described here:
https://www.keycloak.org/docs/latest/server_development/index.html#modifying-extending-the-registration-form

An alternative is to update the user directly in the LOGIN event after the REGISTER event, but I'm not 100% sure this one will work. Also, even if it works, it's more of a workaround.

Marek

On 10/08/18 19:32, Max Bruchmann wrote:

Hmm, unfortunately if I use

    KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (session) -> {
        UserModel user = getUserModel(session, userId, realmId);
        ...
The user is null :/ Max Am 10.08.18 um 09:03 schrieb Marek Posolda: I am not 100% sure, but it's possible that updating users in the events don't currently work. Reason is, that transaction might be already commited. The possible solution long term is to use pre/post events for this (which we don't yet support). For the short term, it may be possible to manually trigger your own temporarily transaction (You can take a look at KeycloakModelUtils.runJobInTransaction method). Note that in the new transaction, you need to ensure to not use Hibernate entities from the "outer" transaction (EG. all the things like RealmModel, UserModel need to be look-up again through the Model API in the new transaction). Marek On 09/08/18 21:39, Max Bruchmann wrote: Hi, I have a custom EventListenerProvider that consumes Register and Login events. On register it creates some external resource ...//on register String externalID = createSomethingWithUserEmail(userModel.getEmail()) userModel.setSingleAttribute("foo", externalID) ... On login I need to todo some additional calls with the already created id. ...// on login String externalID = userModel.getFirstAttribute("foo"); doSomeUpdate(externalID, userModel.getFirstName(), userModel.getLastName()) ... Unfortunatelly the retrieved id via getFirstAttribute seems to be null. Is there anything I need todo when modifying attributes so they are persisted? 
Kind Regards,
Max

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From jlieskov at redhat.com Wed Aug 22 04:51:44 2018
From: jlieskov at redhat.com (Jan Lieskovsky)
Date: Wed, 22 Aug 2018 10:51:44 +0200
Subject: [keycloak-user] [keycloak-dev] Keycloak Proxy Rename
References: <20180625154229.GA17717@abstractj.org> <153479905785.6959.1361851594171681280@tyrfing> <1A3C52DFCD06494D8528644858247BF01C180537@EX10MBOX03.pnnl.gov>

Added keycloak-envoy, keycloak-intermediary, and keycloak-mediator for consideration there as well (unsure, though, whether having keycloak-envoy wouldn't induce the same feature expectations [load balancing, fault injection etc.] as istio-envoy for those familiar with Istio).

On Wed, Aug 22, 2018 at 3:52 AM, Sebastian Laskawiec wrote:
> So if Keycloak Proxy is not an option (nor anything similar to that), I would also stay away from anything close to the "adapter".
>
> Therefore, +1 to Keycloak Gatekeeper (@Bruno, I changed my vote in the Polly).
>
> On Tue, Aug 21, 2018 at 11:58 PM Stian Thorgersen wrote:
> > Sure, proxy is the obvious name, but for reasons already mentioned by Bruno it's not really an option for us.
> >
> > It comes from the Keycloak team, so it should have the Keycloak name in it. I agree that doesn't automatically state it's a generic OIDC adapter, but I'd like to keep our name in there.
> >
> > From the suggestions so far there are two I like:
> >
> > * Keycloak Gatekeeper - suggested by Thomas on the poll. I really like this and it fits nicely with Keycloak. It's also so much cooler than proxy/standalone/etc.
> > * Keycloak Standalone Adapter
> >
> > On Tue, 21 Aug 2018 at 04:27, Fox, Kevin M wrote:
> > > Coming from the outside world, I mostly searched for oidc and proxy as that's what I needed. I found oauth2_proxy after a little searching, but have been disappointed in how slow its releases are. Bugs aren't getting fixed quickly. When I looked at keycloak-proxy initially, I didn't look closer for a while as I thought it was keycloak specific.
> > >
> > > So, something like oidc-proxy might get you more successful hits.
> > >
> > > Thanks,
> > > Kevin
> > > ________________________________________
> > > From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Alex Szczuczko [aszczucz at redhat.com]
> > > Sent: Monday, August 20, 2018 2:04 PM
> > > To: Bruno Oliveira; Hynek Mlnarik
> > > Cc: keycloak-dev; keycloak-user
> > > Subject: Re: [keycloak-user] Keycloak Proxy Rename
> > >
> > > In thinking of a new name, I tried to look hard at these things:
> > >
> > > 1. what this software actually does.
> > >
> > > 2. what makes this software desirable to a user.
> > >
> > > 3. what "adapter" has meant for keycloak in the past.
> > >
> > > I'm not the best person to answer these questions, but here's what I've dug up:
> > >
> > > 1. Accepts HTTP requests and talks with Keycloak via OIDC to see if the client it serves should treat the requests as authenticated and/or authorized.
> > >
> > > 2. It avoids the need to install a bit of Keycloak software into the users' applications.
> > >
> > > 3. According to the docs[1]: Keycloak client adapters are libraries that make it very easy to secure applications and services with Keycloak ... our adapters are easy to use and they require less boilerplate code than what is typically required by a library.
> > >
> > > #1 is what we've been focusing on with names like "proxy". The reason such names are dissatisfying is that there is nothing unique about sitting in between two endpoints and doing stuff. So, we need to look at what that "stuff" means for Keycloak.
> > >
> > > #3 in combination with #2 tells us what this "stuff" means for Keycloak. This new software is clearly not an adapter. Actually, this new software accomplishes the mission of an adapter better than adapters themselves!
> > >
> > > Following that logic, Superadapter is my main proposal for a new name. Maybe throw in OIDC (oidc-superadapter) if there's ever going to be a saml-superadapter.
> > >
> > > Alternatively, we could focus on the lack of an adapter, with names based on terms like Adapterless:
> > >
> > > - AKI: Adapterless Keycloak Integrator
> > > - KOSA: Keycloak OIDC Sans-Adapter
> > > - AKOS: Adapterless Keycloak OIDC Server
> > > - KOAF: Keycloak OIDC Adapter-Free
> > > - etc...
> > >
> > > Alex
> > >
> > > [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-client-adapters
> > >
> > > Quoting Bruno Oliveira (2018-08-20 09:54:42)
> > > > Only to give a brief context for people not aware of it. Keycloak Generic Adapter was not well accepted, because the naming is too vague. So we have to reopen this discussion and think about a better naming.
> > > >
> > > > During our team call today I suggested just "keycloak-adapter", which would cover the apps which don't have their own specific adapter solution.
> > > >
> > > > That said, maybe we should open a new poll?
> > > > I just created a new one where people can vote/suggest:
> > > >
> > > > https://poll.ly/#/Lbww4ebG
> > >
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From pskopek at redhat.com Wed Aug 22 04:52:26 2018
From: pskopek at redhat.com (Peter Skopek)
Date: Wed, 22 Aug 2018 10:52:26 +0200
Subject: [keycloak-user] Keycloak Proxy Rename
References: <20180625154229.GA17717@abstractj.org> <153479905785.6959.1361851594171681280@tyrfing> <1A3C52DFCD06494D8528644858247BF01C180537@EX10MBOX03.pnnl.gov>

+1 I like Keycloak Gatekeeper too.

Peter

On Wed, Aug 22, 2018 at 6:15 AM Sebastian Laskawiec wrote:
> So if Keycloak Proxy is not an option (nor anything similar to that), I would also stay away from anything close to the "adapter".
>
> Therefore, +1 to Keycloak Gatekeeper (@Bruno, I changed my vote in the Polly).
>
> On Tue, Aug 21, 2018 at 11:58 PM Stian Thorgersen wrote:
> > Sure, proxy is the obvious name, but for reasons already mentioned by Bruno it's not really an option for us.
> >
> > It comes from the Keycloak team, so it should have the Keycloak name in it. I agree that doesn't automatically state it's a generic OIDC adapter, but I'd like to keep our name in there.
> >
> > From the suggestions so far there are two I like:
> >
> > * Keycloak Gatekeeper - suggested by Thomas on the poll. I really like this and it fits nicely with Keycloak. It's also so much cooler than proxy/standalone/etc.
> > * Keycloak Standalone Adapter
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at amdocs.com Wed Aug 22 07:38:44 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Wed, 22 Aug 2018 11:38:44 +0000
Subject: [keycloak-user] Authorization services performance

Hi,

We are using the Policy Enforcer in a Java client (JBoss Fuse) to send the permission ticket to the Keycloak PDP for evaluating a pre-configured JavaScript policy rule.
We are using Keycloak version 2.5.5.

Does that evaluation in the Keycloak PDP occur in-memory, or does it perform a DB access each time?

Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)

"Amdocs' email platform is based on a third-party, worldwide, cloud-based system. Any emails sent to Amdocs will be processed and stored using such system and are accessible by third party providers of such system on a limited basis. Your sending of emails to Amdocs evidences your consent to the use of such system and such processing, storing and access."
From psilva at redhat.com Wed Aug 22 08:11:15 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 22 Aug 2018 09:11:15 -0300
Subject: [keycloak-user] Authorization services performance

On Wed, Aug 22, 2018 at 8:38 AM, Ori Doolman wrote:
> Hi,
>
> We are using the Policy Enforcer in a Java client (JBoss Fuse) to send the permission ticket to the Keycloak PDP for evaluating a pre-configured JavaScript policy rule.
> We are using Keycloak version 2.5.5.
>
> Does that evaluation in the Keycloak PDP occur in-memory, or does it perform a DB access each time?

If the cache is warm, there should not be any database hits. We cache not only entities (resources, policies, etc.) but also specific queries that are executed during evaluation.

In the latest version, 4.3.0.Final, we delivered quite a few performance improvements to the evaluation engine, like removal of redundant code and refactoring to optimize execution and decision cache on a per-authorization-request basis. We are still working on some other improvements, as this is one of our main goals for future releases.

I would recommend you try the latest version. There are other improvements too that I think you may benefit from. Things like being able to define the response format (just a decision, a list of granted permissions, or a standard OAuth2 response), limit the number of permissions that the server should process, pushed claims (with or without permission tickets), additional methods in the evaluation API, etc.

> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> +972 9 778 6914 (office)
> +972 50 9111442 (mobile)
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Wed Aug 22 08:48:16 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 22 Aug 2018 14:48:16 +0200
Subject: [keycloak-user] jboss/keycloak-postgres docker hub page not found

I guess this is the image you're looking for: https://hub.docker.com/r/jboss/keycloak-ha-postgres/

On Tue, Aug 21, 2018 at 4:21 AM Joy Kent wrote:
> It looks like there are some issues with the jboss/keycloak-postgres docker hub page? When I went to https://hub.docker.com/r/jboss/keycloak-postgres/, I got this Not Found (404) error, see the attachment. Did anyone else see the same issue?
>
> Thanks,
> Joy
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at amdocs.com Wed Aug 22 09:23:39 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Wed, 22 Aug 2018 13:23:39 +0000
Subject: [keycloak-user] Authorization services performance

Thanks Pedro for the quick response.

I am not sure the high DB CPU load is only because of authorization requests. We need to do further analysis.

We are using the Red Hat SSO version, hence it would be difficult to try the latest Keycloak version now. Will we see any improvement when trying RHSSO version 7.2 (currently the latest)?

Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)

From psilva at redhat.com Wed Aug 22 09:27:55 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 22 Aug 2018 10:27:55 -0300
Subject: [keycloak-user] Authorization services performance

Hi Ori,

AFAIK, only 7.3. It would be nice if you could give the community version a try before checking 7.3.

Regards.
Pedro Igor

On Wed, Aug 22, 2018 at 10:23 AM, Ori Doolman wrote:
> Thanks Pedro for the quick response.
>
> I am not sure the high DB CPU load is only because of authorization requests. We need to do further analysis.
>
> We are using the Red Hat SSO version, hence it would be difficult to try the latest Keycloak version now. Will we see any improvement when trying RHSSO version 7.2 (currently the latest)?
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
> +972 9 778 6914 (office)
> +972 50 9111442 (mobile)
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Wed Aug 22 09:32:28 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 22 Aug 2018 09:32:28 -0400 (EDT)
Subject: [keycloak-user] prompt=login does not override Kerberos
In-Reply-To: <977212273.71650.1534944743810.JavaMail.zimbra@jlab.org>
References: <315207004.24042567.1534877029403.JavaMail.zimbra@jlab.org> <756c011f-926d-cc1d-eb41-a0df315861eb@redhat.com>
Message-ID: <744934762.71702.1534944748763.JavaMail.zimbra@jlab.org>

Hi Marek,

Reordering the Identity Provider Redirector execution such that it comes before the Kerberos SPNEGO execution actually does work, on second look. I was running into caching and cross-site scripting issues. So the workaround for prompt=login being ignored by the SPNEGO authenticator is to just reorder authenticator priority.
Ryan

----- Original Message -----
From: "Marek Posolda"
To: "Ryan Slominski", "keycloak-user"
Sent: Wednesday, August 22, 2018 2:52:28 AM
Subject: Re: [keycloak-user] prompt=login does not override Kerberos

On 21/08/18 20:43, Ryan Slominski wrote:
> My understanding is that sending the parameter prompt=login to the Keycloak authentication URL should force the login form and re-authentication. However, if Kerberos SPNEGO is available it ignores this parameter and logs the user in without showing a login form. Is this a bug?

I guess currently prompt=login is only honored by the cookie execution in the browser flow? Per the OIDC specification, when using prompt=login, the server should re-authenticate the user. IMO re-authentication doesn't strictly mean that a login form must be shown and that all the authenticators which don't have any HTML form to display must be ignored. So we just ignore the cookie authenticator at this moment.

In the future, we plan to use "Authentication levels" and I think this will allow us to address your use case better. For example, you will create 2 authentication flows and, based on the value of the "amr" parameter sent from the adapter, Keycloak will show the correct authentication flow. So for example you can have one flow with the Kerberos Authenticator and one flow with the IdentityProviderRedirector, etc.

For now, maybe you will need to customize the source code of SpnegoAuthenticator (create your own provider subclass) to deal with prompt=login according to your needs.

> Another possible bug: if you create a copy of the browser flow and swap the order of the Kerberos execution with the Identity Provider Redirector execution, then Kerberos SPNEGO authentication won't work (fails with a checksum error).

Sounds strange. Maybe this is a bug. Does it happen even if no "kc_idp_hint" parameter is sent, so the Identity Provider Redirector doesn't do any redirection HTTP requests? If yes, it looks like a bug to me. Feel free to create a JIRA.

Marek

> Combine both issues and it means you cannot selectively force some users to use a particular identity broker while sending others to another. With the normal browser flow, if a user has Kerberos SPNEGO credentials then they will ignore the kc_idp_hint parameter, as the Kerberos execution comes before the IDP redirect. If you configure an alternative browser flow where the IDP redirect execution comes before the Kerberos execution, then users without the kc_idp_hint who legitimately should log in automatically via Kerberos SPNEGO will fail to do so, because it appears that having the IDP redirect execution first breaks the SPNEGO process. Anyone else run into this?

From sthorger at redhat.com Wed Aug 22 09:35:35 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 22 Aug 2018 15:35:35 +0200
Subject: [keycloak-user] Keycloak master Docker image

If you ever wanted to try something in Keycloak master without building it yourself, you can now use the jboss/keycloak:master tag. It is automatically rebuilt every time there is a merge to master.

From nikola.malenic at netsetglobal.rs Wed Aug 22 09:43:31 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Wed, 22 Aug 2018 15:43:31 +0200
Subject: [keycloak-user] Choosing authentication method on login page
Message-ID: <002c01d43a1e$1d5e0d80$581a2880$@netsetglobal.rs>

I would like to let my users have a choice of which authentication method to use. For example, they could be presented with a menu to pick an option (username/pass, username/pass+OTP, etc.).
Then, Keycloak should, based on their choice, assign specific scope to the token. Is this possible to do with Keycloak (probably by somehow utilizing auth methods chaining) and how? I couldn't find this in documentation but it seems reasonable use-case to me. Thanks in advance, Nikola From Tom.Billiet at technicolor.com Wed Aug 22 09:54:14 2018 From: Tom.Billiet at technicolor.com (Billiet Tom) Date: Wed, 22 Aug 2018 13:54:14 +0000 Subject: [keycloak-user] accessing client JWT token in token mapper when using signed JWT authenticator. In-Reply-To: <4f734606-03ce-f9a0-e028-76146fdbda88@redhat.com> References: <4f734606-03ce-f9a0-e028-76146fdbda88@redhat.com> Message-ID: I partially agree with you. I'm fully aware this is probably rather specific for our deployment. That's also why I don't mind to create a custom protocolMapper. But I don't think it would hurt to add the token to the userSession/clientSession (I leave that open) so that protocol mapper _can_ use it if they would want to. I think it just adds an extra possibility. I did look at overriding the JWTClientAuthenticator, but I did not see a clean way to extract the token even from a subclass without copy/pasting code (which is error-prone during upgrades), so I'm not a big fan here. Obviously if there would be another possibility I missed to get to the token in a protocolMapper, that would also be great. Thanks, Tom -----Original Message----- From: Marek Posolda Sent: Tuesday, August 21, 2018 12:57 PM To: Billiet Tom ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] accessing client JWT token in token mapper when using signed JWT authenticator. ** WARNING: This mail is from an external source ** Hmm... I am not sure if this use-case is something generally useful. TBH looks to me rather like something specific to your deployment. 
You can create new provider (likely subclass of JWTClientAuthenticator) and override things according to your needs - likely add the note to clientSession or userSession (clientSession is more proper IMO as it's specific to single client, but you will probably need to implement new protocolMapper for clientSessions). Then create new protocol mapper for propagate the info from clientSession/userSession to the token. Hope this helps, Marek On 17/08/18 08:28, Billiet Tom wrote: > Hi, > > I'm currently trying to create a Mapper for a client that uses "Signed JWT" as the client authenticator. In the mapper I would like to access some fields from the JWT token that's used to authenticate the client. > > I cannot figure out a way to do so. I've tried to create a custom mapper that extends AbstractOIDCProtocolMapper, but I don't seem to be able to access the client JWT token anywhere. > When digging somewhat deeper, I think the JWTClientAuthenticator (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/client/JWTClientAuthenticator.java) should expose this if I want to be able to use it later in a mapper. If the JsonWebToken would be stored on the userSession note object that would be possible. > But that would require a feature request to have this exposed. Is there another way to make this possible? 
> > Thanks, > Tom > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Kevin.Fox at pnnl.gov Wed Aug 22 12:09:32 2018 From: Kevin.Fox at pnnl.gov (Fox, Kevin M) Date: Wed, 22 Aug 2018 16:09:32 +0000 Subject: [keycloak-user] [keycloak-dev] Keycloak Proxy Rename In-Reply-To: References: <20180625154229.GA17717@abstractj.org> <153479905785.6959.1361851594171681280@tyrfing> <1A3C52DFCD06494D8528644858247BF01C180537@EX10MBOX03.pnnl.gov> , Message-ID: <1A3C52DFCD06494D8528644858247BF01C1830A3@EX10MBOX03.pnnl.gov> Yeah, keycloak-envoy implies istio/envoy to me. Still thinking proxy and oidc in the title is important. Maybe not keycloak if its goal is to be not keycloak only. Thanks, Kevin ________________________________ From: Jan Lieskovsky [jlieskov at redhat.com] Sent: Wednesday, August 22, 2018 1:51 AM To: Sebastian Laskawiec Cc: Stian Thorgersen; keycloak-dev; keycloak-user; Fox, Kevin M Subject: Re: [keycloak-dev] [keycloak-user] Keycloak Proxy Rename Added keycloak-envoy, keycloak-intermediary, and keycloak-mediator for the considerations there yet (unsure though whether having keycloak-envoy wouldn't induce the same feature expectations [thus load balancing, fault injection etc.] as istio-envoy for those familiar with istio). On Wed, Aug 22, 2018 at 3:52 AM, Sebastian Laskawiec wrote: So if Keycloak Proxy is not an option (nor anything similar to that), I would also stay away from anything close to the "adapter". Therefore, +1 to Keycloak Gatekeeper (@Bruno, I changed my vote in the Polly). On Tue, Aug 21, 2018 at 11:58 PM Stian Thorgersen wrote: > Sure, proxy is the obvious name, but for reasons already mentioned by Bruno > it's not really an option for us. > > It comes from the Keycloak team, so it should have the Keycloak name in it.
> I agree that doesn't automatically state it's a generic OIDC adapter, but > I'd like to keep our name in there. > > > From the suggestions so far there are two I like: > > * Keycloak Gatekeeper - suggested by Thomas on the poll. I really like this > and it fits nicely with Keycloak. It's also so much cooler than > proxy/standalone/etc. > * Keycloak Standalone Adapter > > On Tue, 21 Aug 2018 at 04:27, Fox, Kevin M wrote: > > > Coming from the outside world, I mostly searched for oidc and proxy as > > that's what I needed. I found oauth2_proxy after a little searching, but > > have been disappointed in how slow its releases are. Bugs aren't getting > > fixed quickly. When I looked at keycloak-proxy initially, I didn't look > > closer for a while as I thought it was Keycloak-specific. > > > > So, something like oidc-proxy might get you more successful hits. > > > > Thanks, > > Kevin > > ________________________________________ > > From: keycloak-user-bounces at lists.jboss.org [ > > keycloak-user-bounces at lists.jboss.org] on behalf of Alex Szczuczko [ > > aszczucz at redhat.com] > > Sent: Monday, August 20, 2018 2:04 PM > > To: Bruno Oliveira; Hynek Mlnarik > > Cc: keycloak-dev; keycloak-user > > Subject: Re: [keycloak-user] Keycloak Proxy Rename > > > > In thinking of a new name, I tried to look hard at these things: > > > > 1. what this software actually does. > > > > 2. what makes this software desirable to a user. > > > > 3. what "adapter" has meant for keycloak in the past. > > > > I'm not the best person to answer these questions, but here's what I've > > dug up: > > > > 1. Accepts HTTP requests and talks with Keycloak via OIDC to see if > > the client it serves should treat the requests as authenticated > > and/or authorized. > > > > 2. It avoids the need to install a bit of Keycloak software into the > > users' applications. > > > > 3. 
According to the docs[1]: Keycloak client adapters are libraries > > that makes it very easy to secure applications and services with > > Keycloak ... our adapters easy to use and they require less > > boilerplate code than what is typically required by a library. > > > > #1 is what we've been focusing on with names like "proxy". The reason > > such names are dissatisfying is that there is nothing unique about sitting in > > between two endpoints and doing stuff. So, we need to look at what that > > "stuff" means for Keycloak. > > > > #3 in combination with #2 tells us what this "stuff" means for Keycloak. > > This new software is clearly not an adapter. Actually, this new software > > accomplishes the mission of an adapter better than adapters themselves! > > > > Following that logic, Superadapter is my main proposal for a new name. > > Maybe throw in OIDC (oidc-superadapter) if there's ever going to be a > > saml-superadapter. > > > > Alternatively, we could focus on the lack of an adapter, with names > > based on terms like Adapterless: > > > > - AKI: Adapterless Keycloak Integrator > > - KOSA: Keycloak OIDC Sans-Adapter > > - AKOS: Adapterless Keycloak OIDC Server > > - KOAF: Keycloak OIDC Adapter-Free > > - etc... > > > > Alex > > > > [1] > > > https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-client-adapters > > > > Quoting Bruno Oliveira (2018-08-20 09:54:42) > > > Only to give a brief context for people not aware of it. Keycloak > > > Generic Adapter was not well accepted, because the naming is too > > > vague. So we have to reopen this discussion and think about a better > > > naming. > > > > > > During our team call today I suggested just "keycloak-adapter", which > > > would cover the apps which don't have their own specific adapter > > > solution. > > > > > > That said, maybe we should open a new poll?
I just created a new one > > > where people can vote/suggest: > > > > > > https://poll.ly/#/Lbww4ebG > > > _______________________________________________ keycloak-dev mailing list keycloak-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev From damien.douteaux at gmail.com Wed Aug 22 12:17:46 2018 From: damien.douteaux at gmail.com (Damien Douteaux) Date: Wed, 22 Aug 2018 18:17:46 +0200 Subject: [keycloak-user] Replication timeout and retransmission table issues when using Keycloak on 5 nodes Message-ID: *SUMMARY* I am currently trying to build an authentication app using Keycloak deployed as a Docker service. My infrastructure is as follows:
- Server: CentOS 7
- Docker: 17.06.2-ce, with weaveworks net plugin
- Keycloak: 3.3.0-Final
- PostgreSQL: 9.4
- 5 Keycloak instances deployed as a cluster in a Docker swarm
I encounter an issue with the cache when building up the cluster. I do not have any error while building a 2-node cluster, but when scaling to 5 nodes, many warnings like this one appear:
WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-3) JGRP000041: bd3eeb23695b: message d8896fbba960::14 not found in retransmission table
When these messages begin to appear, the containers stop responding correctly and eventually some of them stop their instance of Keycloak. This kind of error has occurred on various occasions:
- When starting the services, hence the app does not even succeed in starting.
- A few hours after a correct start of Keycloak, even with little activity on the nodes.
*SYMPTOMS* When the app crashes I see:
1) Numerous logs based on the one shown above that seem to iterate (i.e. the same messages coming from a node that are not found "forever"):
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::15 not found in retransmission table
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::16 not found in retransmission table
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::17 not found in retransmission table
2018-08-22 09:59:33,346 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::18 not found in retransmission table
...
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::15 not found in retransmission table
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::16 not found in retransmission table
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::17 not found in retransmission table
2018-08-22 09:59:33,040 WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) JGRP000041: bd3eeb23695b: message d8896fbba960::18 not found in retransmission table
...
2) The node from which the messages should come displays various cache errors:
2018-08-22 09:58:37,130 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (ServerService Thread Pool -- 61) ISPN000136: Error executing command PutKeyValueCommand, writing keys [cluster-start-time]: org.infinispan.util.concurrent.TimeoutException: Replication timeout
2018-08-22 09:58:37,149 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 61) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
2018-08-22 09:58:37,178 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth" => "java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) Caused by: org.infinispan.util.concurrent.TimeoutException: Replication timeout"}}
2018-08-22 09:58:37,409 WARN [org.infinispan.topology.CacheTopologyControlCommand] (ServerService Thread Pool -- 60) ISPN000071: Caught exception when handling command CacheTopologyControlCommand{cache=actionTokens, type=LEAVE, sender=d8896fbba960, joinInfo=null, topologyId=0, rebalanceId=0, currentCH=null, pendingCH=null, availabilityMode=null, actualMembers=null, throwable=null, viewId=3}: java.lang.IllegalArgumentException: A cache topology's pending consistent hash must contain all the current consistent hash's members
Then, this node usually stops all caches and Keycloak.
*CONFIG AND SOLUTION ATTEMPTED* I have unsuccessfully tried to:
- Change timeout params on the various caches of Keycloak (in order to give more time to stabilize the cluster)
- Change some default values for protocol NAKACK2 in the Keycloak configuration file. The aim of this was to limit traffic between nodes and increase the number of elements in the retransmission table so that messages are not lost before all nodes have received them. However, my issues are not lessened by those changes.
The configuration I am currently using is the following: ... ... false 200
Hence do you have any idea why this is happening and how to update my configuration to solve this issue? -- *Damien Douteaux* From joy at autonomic.ai Wed Aug 22 12:21:21 2018 From: joy at autonomic.ai (Joy Kent) Date: Wed, 22 Aug 2018 09:21:21 -0700 Subject: [keycloak-user] jboss/keycloak-postgres docker hub page not found In-Reply-To: References: Message-ID: Thanks Sebastian! We found that the image was removed by this change: https://github.com/jboss-dockerfiles/keycloak/commit/760c1a8247c2a4c5d8f4e5008f0fa28d1609b7e7. The image you posted is also deprecated. We switched to use jboss/keycloak instead. Thanks, Joy On Wed, Aug 22, 2018 at 5:48 AM, Sebastian Laskawiec wrote: > I guess this is the image you're looking for: https://hub.docker.com/r/jboss/keycloak-ha-postgres/ > > On Tue, Aug 21, 2018 at 4:21 AM Joy Kent wrote: > >> It looks like there are some issues with jboss/keycloak-postgres docker >> hub >> page? When I went to https://hub.docker.com/r/jboss/keycloak-postgres/, I >> got this Not Found (404) error, see the attachment. Did anyone else see >> the >> same issue?
>> >> Thanks, >> Joy > > From ryans at jlab.org Wed Aug 22 12:26:43 2018 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 22 Aug 2018 12:26:43 -0400 (EDT) Subject: [keycloak-user] @SecurityDomain("keycloak") in EJB Message-ID: <1038719157.118690.1534955203816.JavaMail.zimbra@jlab.org> Using the Wildfly adapter I've noticed that the security context is propagated to EJBs without the SecurityDomain annotation in some cases, but not others. Does anyone know in what case it is needed? My only clue so far is Windows vs Linux, as I thought I configured both test boxes identically, but maybe I missed something. My application currently does not use the annotation and on my Windows test box authentication is propagated fine. However, on my Linux test box with the same war file I see an unauthorized exception in the EJB layer even though the servlet reports I'm authenticated with proper roles. Does it have to do with Wildfly client adapter online vs offline install or adapter vs adapter-elytron install? If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain that would break platform independence, which container managed security is supposed to support. From ceri.coburn at gmail.com Wed Aug 22 12:55:38 2018 From: ceri.coburn at gmail.com (Ceri Coburn) Date: Wed, 22 Aug 2018 17:55:38 +0100 Subject: [keycloak-user] Mixing Identity Broker with Federated provider Message-ID: Hi, Is it possible to use Federated LDAP/AD for importing accounts but use the OAuth broker for authenticating those users? I am importing users from a local AD server which sets up the users' UPN as the login name and email address.
I have then set up Azure AD using the OIDC identity broker and set up a "Username Template Importer" to use the same UPN attribute from the OAuth claims so that the username and email match those of the imported LDAP accounts. But when I log in using Azure AD, keycloak complains of an existing username already present. Is there a way I can have Azure AD and Federated LDAP imports work together so that it assumes the same identity? Thanks. From ryans at jlab.org Wed Aug 22 14:05:26 2018 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 22 Aug 2018 14:05:26 -0400 (EDT) Subject: [keycloak-user] @SecurityDomain("keycloak") in EJB In-Reply-To: <690603174.146607.1534961103915.JavaMail.zimbra@jlab.org> References: <1038719157.118690.1534955203816.JavaMail.zimbra@jlab.org> Message-ID: <57643206.146676.1534961126834.JavaMail.zimbra@jlab.org> Looks like @SecurityRealm("keycloak") is needed only if you have the elytron configuration in your wildfly standalone.xml file. I noticed that one test server had a bunch of extra keycloak elytron configuration while the other didn't. I deleted the extra configuration and now my application works as expected (authentication and authorization info is propagated to EJBs without any extra annotations). I guess this is the difference between legacy configuration and new elytron configuration. Seems like the new elytron client adapter is not as good as the legacy adapter / integration. Any reason not to stick with the legacy adapter? ----- Original Message ----- From: "Ryan Slominski" To: "keycloak-user" Sent: Wednesday, August 22, 2018 12:26:43 PM Subject: @SecurityDomain("keycloak") in EJB Using the Wildfly adapter I've noticed that the security context is propagated to EJBs without the SecurityDomain annotation in some cases, but not others. Does anyone know in what case it is needed? My only clue so far is Windows vs Linux, as I thought I configured both test boxes identically, but maybe I missed something.
My application currently does not use the annotation and on my Windows test box authentication is propagated fine. However, on my Linux test box with the same war file I see an unauthorized exception in the EJB layer even though the servlet reports I'm authenticated with proper roles. Does it have to do with Wildfly client adapter online vs offline install or adapter vs adapter-elytron install? If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain that would break platform independence, which container managed security is supposed to support. From rafaelweingartner at gmail.com Wed Aug 22 15:22:05 2018 From: rafaelweingartner at gmail.com (Rafael Weingärtner) Date: Wed, 22 Aug 2018 16:22:05 -0300 Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer? Message-ID: Hello Keycloakers, I have some doubts regarding Keycloak and load balancers. I set up two keycloak replicas to provide HA. To start them I am using "./standalone.sh --server-config=standalone-ha.xml". I am assuming that they will use multicast to replicate information between nodes, right? Then, I set up a load balancer layer using Apache HTTPD and the AJP connector via port 8009. To make everything work I needed to use sticky sessions; otherwise, the login would never happen. I am fine with the sticky session, however, if I stop one of the replicas where the user is logged in, when the user accesses Keycloak again, he/she is asked to present the credentials as if he/she was not logged in to the other Keycloak replica. Is that the expected behavior? Is there some troubleshooting or test that I can perform to check if replication is being executed?
-- Rafael Weingärtner From ntle at castortech.com Wed Aug 22 16:03:50 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Wed, 22 Aug 2018 16:03:50 -0400 Subject: [keycloak-user] servlet filter (KeycloakOIDCFilter) not working 4.0.0 Message-ID: Hello, I compiled the oidc servlet-filter then wrapped both the servlet-filter and the servlet-adapter-spi jar in an osgi bundle (attached) in order to use them in our osgi env. Here is the code:

    import java.util.Dictionary;
    import java.util.Hashtable;
    import javax.servlet.Filter;
    import org.keycloak.adapters.servlet.KeycloakOIDCFilter;
    import org.osgi.service.http.whiteboard.HttpWhiteboardConstants;

    // Service properties for registering the Keycloak filter via the HTTP whiteboard
    Dictionary<String, Object> filterProps = new Hashtable<>();
    String[] urls = { "/*" };
    // String[] servlets = {"My Servlet", "Faces Servlet"};
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME, "keycloakFilter"); //$NON-NLS-1$
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN, urls);
    // Adapter configuration handed to the filter as init params
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_INIT_PARAM_PREFIX + "realm", "realm1");
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_INIT_PARAM_PREFIX + "resource", "tenant1");
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_INIT_PARAM_PREFIX + "auth-server-url", "https://testa.com:8543/auth");
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_INIT_PARAM_PREFIX + "ssl-required", "all");
    Dictionary<String, Object> creds = new Hashtable<>();
    creds.put("secret", "this is not a secret");
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_INIT_PARAM_PREFIX + "credentials", creds);
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_INIT_PARAM_PREFIX + "use-resource-role-mappings", "true");
    filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_SERVLET_INIT_PARAM_PREFIX + "disable-trust-manager", "true");
    // filterProps.put("servletNames", servlets);
    // context is the bundle's BundleContext; keycloakFilter holds the ServiceRegistration<Filter>
    keycloakFilter = context.registerService(Filter.class, new KeycloakOIDCFilter(), filterProps);

When I start Equinox, I see the bundle get activated, but going to the protected URL (here it is /) I got a 403 instead of a redirect to the Keycloak login page.
The code above is inspired by the KC documentation "The Keycloak filter has the same configuration parameters as the other adapters except you must define them as filter init params instead of context params" ( https://www.keycloak.org/docs/latest/securing_apps/index.html#_servlet_filter_adapter ), and the example of registering a servlet filter using the whiteboard pattern on pax-web ( https://github.com/ops4j/org.ops4j.pax.web/blob/master/samples/whiteboard/src/main/java/org/ops4j/pax/web/extender/samples/whiteboard/internal/Activator.java). Therefore I'm not sure whether the problem is in Keycloak (bad bundle, wrong configuration supplied to the filter) or in pax-web (wrong registration syntax). Hope to get some insight here. Thai From psilva at redhat.com Wed Aug 22 16:11:26 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 22 Aug 2018 17:11:26 -0300 Subject: [keycloak-user] @SecurityDomain("keycloak") in EJB In-Reply-To: <57643206.146676.1534961126834.JavaMail.zimbra@jlab.org> References: <1038719157.118690.1534955203816.JavaMail.zimbra@jlab.org> <690603174.146607.1534961103915.JavaMail.zimbra@jlab.org> <57643206.146676.1534961126834.JavaMail.zimbra@jlab.org> Message-ID: Hi Ryan, Elytron is the new security framework in Wildfly. It is indeed different from legacy (although compliant with legacy config using JAAS) but with a lot of capabilities we lack in legacy. One of the main features you have with elytron is the possibility to propagate the security context to remote EJBs/servers. Ideally, you should start using the elytron subsystem given that legacy is deprecated. Please, take a look at some quickstarts [1] about how to protect EJBs using the elytron subsystem. I know it's new stuff, but it is worth giving it some time and learning how it works. [1] https://github.com/wildfly/quickstart On Wed, Aug 22, 2018 at 3:05 PM, Ryan Slominski wrote: > Looks like @SecurityRealm("keycloak") is needed only if you have the > elytron configuration in your wildfly standalone.xml file.
I noticed that > one test server had a bunch of extra keycloak elytron configuration while > the other didn't. I deleted the extra configuration and now my application > works as expected (authentication and authorization info is propagated to > EJBs without any extra annotations). I guess this is the difference > between legacy configuration and new elytron configuration. Seems like > the new elytron client adapter is not as good as the legacy adapter / > integration. Any reason not to stick with the legacy adapter? > > > > > ----- Original Message ----- > From: "Ryan Slominski" > To: "keycloak-user" > Sent: Wednesday, August 22, 2018 12:26:43 PM > Subject: @SecurityDomain("keycloak") in EJB > > Using the Wildfly adapter I've noticed that the security context is > propagated to EJBs without the SecurityDomain annotation in some cases, but > not others. Does anyone know in what case it is needed? My only clue so > far is Windows vs Linux, as I thought I configured both test boxes > identically, but maybe I missed something. My application currently does > not use the annotation and on my Windows test box authentication is > propagated fine. However, on my Linux test box with the same war file I > see unauthorized exception in the EJB layer even though the servlet reports > I'm authenticated with proper roles. Does it have to do with Wildfly > client adapter online vs offline install or adapter vs adapter-elytron > install? > > If I end up having to import the org.jboss.ejb3.annotation.SecurityDomain > that would break platform independence, which container managed security is > supposed to support. 
From max.bruchmann at hotmail.com Wed Aug 22 18:54:41 2018 From: max.bruchmann at hotmail.com (Max Bruchmann) Date: Wed, 22 Aug 2018 22:54:41 +0000 Subject: [keycloak-user] attributes are not persisted In-Reply-To: References: Message-ID: So I tried the "do everything on login" approach, which works. But still I think it would be way cleaner to have a synchronous callback for processing/onboarding new users (including their name), no matter if they registered via the form or an identity provider. Kind Regards, Max On 22.08.18 at 10:35, Max Bruchmann wrote: > Ok, do you think the "extending registration form" will work if users register via Google, Facebook etc...? > > With the LOGIN directly after REGISTER > > you mean I could try something like this: > > onLogin:
>
> String externalID = userModel.getFirstAttribute("foo");
> if (externalID == null) {
>     externalID = createSomethingWithUserEmail(userModel.getEmail());
>     userModel.setSingleAttribute("foo", externalID);
> }
>
> Do you think the transaction state is different, which then really persists the data, or does runJobInTransaction work better and will find the user? > > Max > > On 20.08.18 at 19:08, Marek Posolda wrote: > Maybe it's better to rather extend the registration form as described here: https://www.keycloak.org/docs/latest/server_development/index.html#modifying-extending-the-registration-form > > An alternative is to update the user directly in the LOGIN event after the REGISTER event, but I'm not 100% sure this one will work. Also, even if it works, it's more of a workaround. > > Marek > > On 10/08/18 19:32, Max Bruchmann wrote: > > Hmm, unfortunately if I use
> >
> > KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(), (session) -> {
> >     UserModel user = getUserModel(session, userId, realmId);
> >     ...
> > The user is null :/ > > > Max > > On 10.08.18 at 09:03, Marek Posolda wrote: > I am not 100% sure, but it's possible that updating users in the events doesn't currently work. The reason is that the transaction might already be committed. The possible long-term solution is to use pre/post events for this (which we don't yet support). > > For the short term, it may be possible to manually trigger your own temporary transaction (you can take a look at the KeycloakModelUtils.runJobInTransaction method). Note that in the new transaction, you need to ensure you do not use Hibernate entities from the "outer" transaction (e.g. all the things like RealmModel, UserModel need to be looked up again through the Model API in the new transaction). > > > Marek > > > > On 09/08/18 21:39, Max Bruchmann wrote: > Hi, > > I have a custom EventListenerProvider that consumes Register and Login events. > > On register it creates some external resource:
>
> ... // on register
> String externalID = createSomethingWithUserEmail(userModel.getEmail());
> userModel.setSingleAttribute("foo", externalID);
> ...
>
> On login I need to do some additional calls with the already created id:
>
> ... // on login
> String externalID = userModel.getFirstAttribute("foo");
> doSomeUpdate(externalID, userModel.getFirstName(), userModel.getLastName());
> ...
>
> Unfortunately the id retrieved via getFirstAttribute seems to be null. > > Is there anything I need to do when modifying attributes so they are persisted?
> > > Kind Regards, > > Max From testoauth55 at gmail.com Thu Aug 23 01:25:24 2018 From: testoauth55 at gmail.com (keycloak demo) Date: Thu, 23 Aug 2018 10:55:24 +0530 Subject: [keycloak-user] Browser not maintaining session for keycloak users In-Reply-To: References: <1532997860.5207.8.camel@acutus.pro> Message-ID: Thanks Marek for the update, I understand that https://issues.jboss.org/browse/KEYCLOAK-5179 mentions the issue pertaining to the message: "You are already logged in". But will the second issue that I reported also be fixed in this bug? *Issue summary:* When a user logs in he is shown the message: "You may close this browser window and go back to your console application.". Now if I open a new tab, the user should be logged in, right? But he is shown the login form again. This issue did not occur in Keycloak 3.4.3 and the session was maintained by the browser. But I found this issue on 4.1.0 and also on 4.3.0. In the 4.x version I see a *KC_RESTART* cookie instead of a *KC_SESSION* cookie in the cookies section, which might be the reason. *Here's the post containing complete details of the above issue with screenshots:* https://stackoverflow.com/questions/51592647/keycloak-is-not-maintaining-session-in-browser On Tue, Aug 21, 2018 at 6:08 PM Marek Posolda wrote: > We have opened JIRA for this: > https://issues.jboss.org/browse/KEYCLOAK-5179 . Hopefully it's fixed > relatively soon in one of the next releases. > > Marek > > On 17/08/18 07:47, keycloak demo wrote: > > Update: > > > > Facing the same issue on keycloak 4.3.0.final.
I have taken a fresh > > instance of keycloak 4.3.0 and created just 2 users, but still facing the > > same issue of browser not maintaining session. > > > > On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo > > wrote: > > > >> Can someone please help me on this issue? > >> > >> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo > >> wrote: > >> > >>> Another update: > >>> > >>> Though the login form appears every time, if I log in with a > different > >>> user the second time, i.e. launch client app -> login with user1 -> > relaunch > >>> client app (browser shows login form instead of already logged in > message) > >>> -> now login with user2, > >>> > >>> I get the following message: > >>> " We're sorry...You are already authenticated as different user 'user1' > >>> in this session. Please logout first." > >>> If it's able to know another user is logged in, then why is the login form > >>> appearing? > >>> > >>> > >>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth > >>> wrote: > >>> > >>>> An update on my findings: When I checked the developer console: I am > getting > >>>> a KC_RESTART cookie in the cookies section. > >>>> > >>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth > >>>> wrote: > >>>> > >>>>> Yes sir, > >>>>> I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter. And am seeing the > >>>>> same behavior on Chrome and Firefox. > >>>>> > >>>>> Also regarding the manual mode, I see the same behavior, i.e. I have to > >>>>> re-login for each re-run of the client app. > >>>>> > >>>>> But if I do this: > >>>>> > >>>>> System.out.println("Login through manual mode"); > >>>>> keycloak.loginManual(); > >>>>> System.out.println("Login through browser"); > >>>>> keycloak.loginDesktop(); > >>>>> > >>>>> i.e. if I call both modes in the same code or even the same mode twice in > >>>>> the same code, then I don't have to re-login for the second call (in the > above > >>>>> example for loginDesktop).
However when I re-run the application, I > need to > >>>>> re-login. This might be a stupid guess but could these sessions be > "java > >>>>> object specific"? > >>>>> > >>>>> > >>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin
> wrote: > >>>>> > >>>>>> Hi, > >>>>>> > >>>>>> Did you do everything in accordance with the docs? > >>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter > >>>>>> > >>>>>> Do you experience this in "manual" mode too? > >>>>>> > >>>>>> Cheers, > >>>>>> Dmitry Telegin > >>>>>> CTO, Acutus s.r.o. > >>>>>> Keycloak Consulting and Training > >>>>>> > >>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > >>>>>> +42 (022) 888-30-71 > >>>>>> E-mail: info at acutus.pro > >>>>>> > >>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote: > >>>>>>> I am using openid-connect for authenticating users. After > successful > >>>>>>> authentication, the browser window says: > >>>>>>> "Login Successful > >>>>>>> > >>>>>>> You may close this browser window and go back to your console > >>>>>> application." > >>>>>>> However, even without closing the window, if I relaunch my > application > >>>>>>> (using keycloak.loginDesktop();) even within 10 seconds, still the > >>>>>> login > >>>>>>> page appears instead of: you are already logged in. > >>>>>>> > >>>>>>> Browser: Firefox. > >>>>> > > > From sthorger at redhat.com Thu Aug 23 02:41:59 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 23 Aug 2018 06:41:59 +0000 Subject: [keycloak-user] jboss/keycloak-postgres docker hub page not found In-Reply-To: References: Message-ID: A long time ago we moved Postgres support directly into jboss/keycloak. jboss/keycloak-postgres has been listed as deprecated for a long time and now was the time to make some cleanup of old stuff.
So, yes, jboss/keycloak is what you want. For the record, jboss/keycloak will soon have HA/clustering support as well. Hopefully this will be ready for Keycloak 4.5.

On Wed, 22 Aug 2018 at 16:49, Joy Kent wrote:
> Thanks Sebastian! We found that the image was removed by this change:
> https://github.com/jboss-dockerfiles/keycloak/commit/760c1a8247c2a4c5d8f4e5008f0fa28d1609b7e7
> The image you posted is also deprecated. We switched to use jboss/keycloak
> instead.
>
> Thanks,
> Joy
>
> On Wed, Aug 22, 2018 at 5:48 AM, Sebastian Laskawiec wrote:
> > I guess this is the image you're looking for:
> > https://hub.docker.com/r/jboss/keycloak-ha-postgres/
> >
> > On Tue, Aug 21, 2018 at 4:21 AM Joy Kent wrote:
> >> It looks like there are some issues with the jboss/keycloak-postgres docker
> >> hub page? When I went to https://hub.docker.com/r/jboss/keycloak-postgres/,
> >> I got this Not Found (404) error, see the attachment. Did anyone else see
> >> the same issue?
> >>
> >> Thanks,
> >> Joy

From mposolda at redhat.com Thu Aug 23 03:34:22 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 23 Aug 2018 09:34:22 +0200
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro>
Message-ID: <3830aba6-3b46-7dc3-b56a-3c1318cd36d6@redhat.com>

Hmm... in your post, I see that the cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION are not present in Keycloak 4.X. Those are the cookies which are important for the automatic SSO re-authentication.
Those cookies should be added by Keycloak after the successful first authentication. So at the moment when you first authenticate and see the page "You may close this browser window and go back to your console application.", the cookies should be there. BTW, do you have Keycloak behind some proxy/loadbalancer or are you accessing it directly? If you're behind a proxy/LB, could you try to access the Keycloak host directly without any proxy/LB involved in between?

Marek

On 23/08/18 07:25, keycloak demo wrote:
> Thanks Marek for the update,
>
> I understand that https://issues.jboss.org/browse/KEYCLOAK-5179
> mentions the issue pertaining to the message: "You are already logged in".
> But will the second issue that I reported also be fixed in this bug?
>
> *Issue summary:* When a user logs in he is shown the message: "You
> may close this browser window and go back to your console
> application.". Now if I open a new tab, the user should be logged in,
> right? But he is shown the login form again.
>
> This issue was not coming in Keycloak 3.4.3 and the session was being
> maintained by the browser. But I found this issue on 4.1.0 and also on
> 4.3.0. In the 4.x version I see a *KC_RESTART* cookie instead
> of a *KC_SESSION* cookie in the cookies section, which might be the reason.
>
> *Here's the post containing complete details of the above issue with
> screenshots:*
> https://stackoverflow.com/questions/51592647/keycloak-is-not-maintaining-session-in-browser
>
> On Tue, Aug 21, 2018 at 6:08 PM Marek Posolda wrote:
> We have opened a JIRA for this:
> https://issues.jboss.org/browse/KEYCLOAK-5179 . Hopefully it's fixed
> relatively soon in one of the next releases.
>
> Marek
>
> On 17/08/18 07:47, keycloak demo wrote:
> > Update:
> >
> > Facing the same issue on keycloak 4.3.0.final. I have taken a fresh
> > instance of keycloak 4.3.0 and created just 2 users, but still facing the
> > same issue of the browser not maintaining the session.
> >
> > On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo wrote:
> >
> >> Can someone please help me on this issue?
> >>
> >> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo wrote:
> >>
> >>> Another update:
> >>>
> >>> Though the login form appears every time, if I login with a different
> >>> user the second time, i.e. launch client app -> login with user1 -> relaunch
> >>> client app (browser shows login form instead of already logged in message)
> >>> -> now login with user2,
> >>>
> >>> I get the following message:
> >>> "We're sorry...You are already authenticated as different user 'user1'
> >>> in this session. Please logout first."
> >>> If it's able to know another user is logged in, then why is the login form
> >>> appearing?
> >>>
> >>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote:
> >>>
> >>>> An update on my findings: When I checked the developer console, I am getting
> >>>> a KC_RESTART cookie in the cookies section.
> >>>>
> >>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
> >>>>
> >>>>> Yes sir,
> >>>>> I followed the doc
> >>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
> >>>>> and am seeing the same behavior on chrome and firefox.
> >>>>>
> >>>>> Also regarding the manual mode, I see the same behavior, i.e. I have to
> >>>>> re-login for each re-run of the client app.
> >>>>>
> >>>>> But if I do this:
> >>>>>
> >>>>>     System.out.println("Login through manual mode");
> >>>>>     keycloak.loginManual();
> >>>>>     System.out.println("Login through browser");
> >>>>>     keycloak.loginDesktop();
> >>>>>
> >>>>> i.e. if I call both modes in the same code, or even the same mode twice in
> >>>>> the same code, then I don't have to re-login for the second call (in the above
> >>>>> example for loginDesktop). However when I re-run the application, I need to
> >>>>> re-login. This might be a stupid guess but could these sessions be "java
> >>>>> object specific"?
> >>>>>
> >>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> Did you do everything in accordance with the docs?
> >>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
> >>>>>>
> >>>>>> Do you experience this in "manual" mode too?
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Dmitry Telegin
> >>>>>> CTO, Acutus s.r.o.
> >>>>>> Keycloak Consulting and Training
> >>>>>>
> >>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> >>>>>> +42 (022) 888-30-71
> >>>>>> E-mail: info at acutus.pro
> >>>>>>
> >>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
> >>>>>>> I am using openid-connect for authenticating users. After successful
> >>>>>>> authentication, the browser window says:
> >>>>>>> "Login Successful
> >>>>>>>
> >>>>>>> You may close this browser window and go back to your console
> >>>>>>> application."
> >>>>>>> However, even without closing the window, if I relaunch my application
> >>>>>>> (using keycloak.loginDesktop();) even within 10 seconds, the login
> >>>>>>> page still appears instead of: you are already logged in.
> >>>>>>>
> >>>>>>> Browser: Firefox.

From mposolda at redhat.com Thu Aug 23 03:51:12 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 23 Aug 2018 09:51:12 +0200
Subject: [keycloak-user] attributes are not persisted
In-Reply-To: References:
Message-ID: <6f0329f7-f201-6bad-20cd-81557faad659@redhat.com>

On 22/08/18 10:35, Max Bruchmann wrote:
>
> Ok, do you think the "extending registration form" will work if users
> register via google, facebook etc...?
>
No, it won't.
For broker login, it will need to be something else (e.g. an IdentityBroker mapper, or create a new authenticator and somehow enhance the firstBrokerLogin flow...). Or maybe just stick with the "event" option, which may work for both "broker" registration and "classic" registration.

> With the LOGIN directly after REGISTER
>
> you mean I could try something like this:
>
> onLogin:
>
> // look up the id stored at registration; create it on first login if missing
> String externalID = userModel.getFirstAttribute("foo");
>
> if (externalID == null) {
>     externalID = createSomethingWithUserEmail(userModel.getEmail());
>     userModel.setSingleAttribute("foo", externalID);
> }
>
> You think the transaction state is different, which then really
> persists the data, or does runJobInTransaction work better and will
> find the user?
>
Yes, something along those lines. I am not 100% sure about the transaction state and whether login is always executed in a new transaction after the "registration" transaction is committed. You may need to double-check...

Marek

> Max
>
> On 20.08.18 at 19:08, Marek Posolda wrote:
>> Maybe it's better to rather extend the registration form as described
>> here:
>> https://www.keycloak.org/docs/latest/server_development/index.html#modifying-extending-the-registration-form
>>
>> An alternative is to update the user directly in the LOGIN event after the
>> REGISTER event, but I'm not 100% sure this one will work. Also, even if it
>> works, it's more of a workaround.
>>
>> Marek
>>
>> On 10/08/18 19:32, Max Bruchmann wrote:
>>> Hmm, unfortunately if I use
>>>
>>> KeycloakModelUtils.runJobInTransaction(session.getKeycloakSessionFactory(),
>>>     (session) -> {
>>>         UserModel user = getUserModel(session, userId, realmId);
>>>         ...
>>>
>>> the user is null :/
>>>
>>> Max
>>>
>>> On 10.08.18 at 09:03, Marek Posolda wrote:
>>>> I am not 100% sure, but it's possible that updating users in the
>>>> events doesn't currently work. The reason is that the transaction might be
>>>> already committed.
>>>> The possible long-term solution is to use
>>>> pre/post events for this (which we don't yet support).
>>>>
>>>> For the short term, it may be possible to manually trigger your own
>>>> temporary transaction (you can take a look at the
>>>> KeycloakModelUtils.runJobInTransaction method). Note that in the
>>>> new transaction, you need to ensure not to use Hibernate entities
>>>> from the "outer" transaction (e.g. all the things like RealmModel and
>>>> UserModel need to be looked up again through the Model API in the new
>>>> transaction).
>>>>
>>>> Marek
>>>>
>>>> On 09/08/18 21:39, Max Bruchmann wrote:
>>>>> Hi,
>>>>>
>>>>> I have a custom EventListenerProvider that consumes Register and
>>>>> Login events.
>>>>>
>>>>> On register it creates some external resource
>>>>>
>>>>> ... // on register
>>>>>
>>>>> String externalID = createSomethingWithUserEmail(userModel.getEmail());
>>>>>
>>>>> userModel.setSingleAttribute("foo", externalID);
>>>>>
>>>>> ...
>>>>>
>>>>> On login I need to do some additional calls with the already
>>>>> created id.
>>>>>
>>>>> ... // on login
>>>>>
>>>>> String externalID = userModel.getFirstAttribute("foo");
>>>>>
>>>>> doSomeUpdate(externalID, userModel.getFirstName(), userModel.getLastName());
>>>>>
>>>>> ...
>>>>>
>>>>> Unfortunately the id retrieved via getFirstAttribute seems to be
>>>>> null.
>>>>>
>>>>> Is there anything I need to do when modifying attributes so they
>>>>> are persisted?
>>>>>
>>>>> Kind Regards,
>>>>>
>>>>> Max

From slaskawi at redhat.com Thu Aug 23 04:24:49 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 23 Aug 2018 10:24:49 +0200
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To: References: Message-ID:

On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> Hello Keycloakers,
>
> I have some doubts regarding Keycloak and load balancers. I set up two
> keycloak replicas to provide HA. To start them I am using "./standalone.sh
> --server-config=standalone-ha.xml". I am assuming that they will use
> multicast to replicate information between nodes, right?
>
That is correct. It uses the PING protocol, which in turn uses IP Multicasting for discovery.

Note that IP Multicasting is disabled in many data centers (I have never found out why they do it, but I've seen it many, many times). So make sure your cluster forms correctly (just grep the logs and look for "view").

> Then, I set up a load balancer layer using Apache HTTPD and the AJP connector
> via port 8009. To make everything work I needed to use sticky sessions;
> otherwise, the login would never happen. I am fine with the sticky session,
> however, if I stop one of the replicas where the user is logged in, when
> the user accesses Keycloak again, he/she is asked to present the credentials
> as if he/she was not logged in on the other Keycloak replica. Is that the
> expected behavior?
>
My intuition tells me that your cluster didn't form correctly (as I mentioned before, grep the logs and look for "view" generated by JGroups). Therefore, if you enable sticky sessions, all your requests get to the same Keycloak instance, which has everything in the local cache. That's why it works fine.

> Is there some troubleshooting or test that I can perform to check if
> replication is being executed?
>
Let's start with investigating the logs. Later on we can check JMX.
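The "grep the logs and look for view" check above can be made mechanical. The following shell helper is an added example, not code from this thread or from Keycloak: it parses Infinispan's ISPN000094 "Received new cluster view" lines (the same format Rafael posts later in the thread) and reports the member count of the latest view, so a node that only ever sees itself stands out even when sticky sessions mask the problem. The log lines embedded below are constructed to mirror that format; keycloak01 and keycloak02 are placeholder node names, and the /token, port and path values of a real deployment are not assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keycloak: check whether a
# JGroups/Infinispan cluster actually formed by parsing the ISPN000094
# "Received new cluster view" lines in server.log. Node names keycloak01 and
# keycloak02 are placeholders; the log lines are constructed to mirror the
# format Keycloak (WildFly/Infinispan) prints.

# Constructed sample: a node that only ever sees itself. Sticky sessions hide
# this, because every request lands on the one node holding the session.
SAMPLE_ALONE='11:16:57,896 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
11:16:57,962 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]'

# Constructed sample: the same node after keycloak02 joins. The view id
# increments and the member list grows to two.
SAMPLE_JOINED='11:16:57,896 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
11:17:35,120 INFO  [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (Incoming-1,ejb,keycloak01) ISPN000094: Received new cluster view for channel ejb: [keycloak01|1] (2) [keycloak01, keycloak02]'

# Print one line per view event: "channel coordinator view_id size members".
# The leading .* tolerates timestamps and the ^[[0m colour prefixes that
# pasted standalone-ha logs often carry.
parse_views() {
    sed -n 's/.*Received new cluster view for channel \([^:]*\): \[\([^|]*\)|\([0-9]*\)\] (\([0-9]*\)) \[\(.*\)\].*/\1 \2 \3 \4 \5/p'
}

# Member count of the most recent view on stdin; 0 if no view line exists.
last_view_size() {
    n=$(parse_views | tail -n 1 | awk '{print $4}')
    printf '%s\n' "${n:-0}"
}

# Return 0 when the latest view has the expected number of members, 1 otherwise.
# Usage: check_cluster 2 < standalone/log/server.log
check_cluster() {
    expected=$1
    actual=$(last_view_size)
    if [ "$actual" -eq "$expected" ]; then
        echo "ok: latest view has $actual member(s)"
        return 0
    fi
    echo "warning: latest view has $actual member(s), expected $expected; the cluster did not form" >&2
    return 1
}

# Demo on the constructed samples: the first call warns, the second passes.
printf '%s\n' "$SAMPLE_ALONE" | check_cluster 2 || true
printf '%s\n' "$SAMPLE_JOINED" | check_cluster 2
```

Run it against each node's log with the number of nodes you expect; every node should report the same member count and, once the cluster has formed, the same coordinator. A node that keeps reporting a one-member view while tcpdump shows its multicast packets leaving the interface points at discovery (multicast routing or filtering) rather than at cache configuration such as owners.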
From ceri.coburn at gmail.com Thu Aug 23 05:14:18 2018
From: ceri.coburn at gmail.com (Ceri Coburn)
Date: Thu, 23 Aug 2018 10:14:18 +0100
Subject: [keycloak-user] Mixing Identity Broker with Federated provider
In-Reply-To: References: Message-ID:

On Wed, Aug 22, 2018 at 5:55 PM Ceri Coburn wrote:
> Is it possible to use Federated LDAP/AD for importing accounts but use
> an OAuth broker for authenticating the users?

Found the answer to my own question. I came across a custom Authenticator on GitHub that does just that.

https://github.com/ohioit/keycloak-link-idp-with-user

From testoauth55 at gmail.com Thu Aug 23 06:04:09 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Thu, 23 Aug 2018 15:34:09 +0530
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To: <3830aba6-3b46-7dc3-b56a-3c1318cd36d6@redhat.com>
References: <1532997860.5207.8.camel@acutus.pro> <3830aba6-3b46-7dc3-b56a-3c1318cd36d6@redhat.com>
Message-ID:

Marek,

Proxy/Load balancer are not being used and I am accessing keycloak directly. In fact both the 3.4.3 version and the 4.X version are running on the same machine and are accessed through the same browser locally via http://localhost:/auth by the apps. So the only difference the 2 instances (3.x and 4.x) have are different port numbers (which won't make any difference anyway), and yet they show different behavior in terms of setting cookies. I assume the absence of the KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookies would be the reason for the session not getting maintained.

On Thu, Aug 23, 2018 at 1:04 PM Marek Posolda wrote:
> Hmm... in your post, I see that the cookies KEYCLOAK_IDENTITY and
> KEYCLOAK_SESSION are not present in Keycloak 4.X. Those are the cookies
> which are important for the automatic SSO re-authentication.
>
> Those cookies should be added by Keycloak after the successful first
> authentication. So at the moment when you first authenticate and see the page
> "You may close this browser window and go back to your console
> application.", the cookies should be there. BTW, do you have Keycloak
> behind some proxy/loadbalancer or are you accessing it directly? If you're
> behind a proxy/LB, could you try to access the Keycloak host directly without any
> proxy/LB involved in between?
>
> Marek
>
> On 23/08/18 07:25, keycloak demo wrote:
> > Thanks Marek for the update,
> >
> > I understand that https://issues.jboss.org/browse/KEYCLOAK-5179
> > mentions the issue pertaining to the message: "You are already logged in". But
> > will the second issue that I reported also be fixed in this bug?
> >
> > *Issue summary:* When a user logs in he is shown the message: "You may
> > close this browser window and go back to your console application.". Now if
> > I open a new tab, the user should be logged in, right? But he is shown the
> > login form again.
> >
> > This issue was not coming in Keycloak 3.4.3 and the session was being
> > maintained by the browser. But I found this issue on 4.1.0 and also on 4.3.0.
> > In the 4.x version I see a *KC_RESTART* cookie instead of a
> > *KC_SESSION* cookie in the cookies section, which might be the reason.
> >
> > *Here's the post containing complete details of the above issue with
> > screenshots:*
> > https://stackoverflow.com/questions/51592647/keycloak-is-not-maintaining-session-in-browser
> >
> > On Tue, Aug 21, 2018 at 6:08 PM Marek Posolda wrote:
> >> We have opened a JIRA for this:
> >> https://issues.jboss.org/browse/KEYCLOAK-5179 . Hopefully it's fixed
> >> relatively soon in one of the next releases.
> >>
> >> Marek
> >>
> >> On 17/08/18 07:47, keycloak demo wrote:
> >> > Update:
> >> >
> >> > Facing the same issue on keycloak 4.3.0.final. I have taken a fresh
> >> > instance of keycloak 4.3.0 and created just 2 users, but still facing the
> >> > same issue of the browser not maintaining the session.
> >> >
> >> > On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo wrote:
> >> >
> >> >> Can someone please help me on this issue?
> >> >>
> >> >> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo wrote:
> >> >>
> >> >>> Another update:
> >> >>>
> >> >>> Though the login form appears every time, if I login with a different
> >> >>> user the second time, i.e. launch client app -> login with user1 -> relaunch
> >> >>> client app (browser shows login form instead of already logged in message)
> >> >>> -> now login with user2,
> >> >>>
> >> >>> I get the following message:
> >> >>> "We're sorry...You are already authenticated as different user 'user1'
> >> >>> in this session. Please logout first."
> >> >>> If it's able to know another user is logged in, then why is the login form
> >> >>> appearing?
> >> >>>
> >> >>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote:
> >> >>>
> >> >>>> An update on my findings: When I checked the developer console, I am getting
> >> >>>> a KC_RESTART cookie in the cookies section.
> >> >>>>
> >> >>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
> >> >>>>
> >> >>>>> Yes sir,
> >> >>>>> I followed the doc
> >> >>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
> >> >>>>> and am seeing the same behavior on chrome and firefox.
> >> >>>>>
> >> >>>>> Also regarding the manual mode, I see the same behavior, i.e. I have to
> >> >>>>> re-login for each re-run of the client app.
> >> >>>>>
> >> >>>>> But if I do this:
> >> >>>>>
> >> >>>>>     System.out.println("Login through manual mode");
> >> >>>>>     keycloak.loginManual();
> >> >>>>>     System.out.println("Login through browser");
> >> >>>>>     keycloak.loginDesktop();
> >> >>>>>
> >> >>>>> i.e. if I call both modes in the same code, or even the same mode twice in
> >> >>>>> the same code, then I don't have to re-login for the second call (in the above
> >> >>>>> example for loginDesktop). However when I re-run the application, I need to
> >> >>>>> re-login. This might be a stupid guess but could these sessions be "java
> >> >>>>> object specific"?
> >> >>>>>
> >> >>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin wrote:
> >> >>>>>
> >> >>>>>> Hi,
> >> >>>>>>
> >> >>>>>> Did you do everything in accordance with the docs?
> >> >>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
> >> >>>>>>
> >> >>>>>> Do you experience this in "manual" mode too?
> >> >>>>>>
> >> >>>>>> Cheers,
> >> >>>>>> Dmitry Telegin
> >> >>>>>> CTO, Acutus s.r.o.
> >> >>>>>> Keycloak Consulting and Training
> >> >>>>>>
> >> >>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> >> >>>>>> +42 (022) 888-30-71
> >> >>>>>> E-mail: info at acutus.pro
> >> >>>>>>
> >> >>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
> >> >>>>>>> I am using openid-connect for authenticating users. After successful
> >> >>>>>>> authentication, the browser window says:
> >> >>>>>>> "Login Successful
> >> >>>>>>>
> >> >>>>>>> You may close this browser window and go back to your console
> >> >>>>>>> application."
> >> >>>>>>> However, even without closing the window, if I relaunch my application
> >> >>>>>>> (using keycloak.loginDesktop();) even within 10 seconds, the login
> >> >>>>>>> page still appears instead of: you are already logged in.
> >> >>>>>>>
> >> >>>>>>> Browser: Firefox.

From rafaelweingartner at gmail.com Thu Aug 23 07:25:20 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 23 Aug 2018 08:25:20 -0300
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To: References: Message-ID:

Thanks for the reply Sebastian!
> Note that IP Multicasting is disabled in many data centers (I have never
> found out why they do it, but I've seen it many, many times). So make sure
> your cluster forms correctly (just grep the logs and look for "view").
>
I thought about that. Then, I used tcpdump, and I can see the multicast packets from both Keycloak replicas. However, it seems that these packets are being ignored.

> root at Keycloak01:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 11:13:36.540080 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
> 11:13:41.288449 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
> 11:13:46.342606 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
>
> root at keycloak02:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 11:12:14.218317 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
> 11:12:23.146798 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
> 11:12:27.201888 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83

Here go the log entries. I filtered by "view". This is from Keycloak01.
> ^[[0m^[[0m11:16:57,896 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> ^[[0m^[[0m11:16:57,896 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> ^[[0m^[[0m11:16:57,897 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> ^[[0m^[[0m11:16:57,898 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> ^[[0m^[[0m11:16:57,962 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]

I expected it to be only one. I mean, I first started Keycloak01, and just then Keycloak02. Next, we have the logs from Keycloak02.
> ^[[0m^[[0m11:17:34,950 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> ^[[0m^[[0m11:17:34,952 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> ^[[0m^[[0m11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> ^[[0m^[[0m11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> ^[[0m^[[0m11:17:35,052 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02

They are similar. It seems that both applications are not seeing each other. At first, I thought that the problem was caused by the "owners=1" configuration (the lack of data synchronization between replicas). I then changed it to "owners=2", but still, if I log in to Keycloak01 and then force my request to go to Keycloak02, my session is not there, and I am requested to log in again.

Do you need some other log entries or configuration files?

Again, thanks for your reply and help!

On Thu, Aug 23, 2018 at 5:24 AM, Sebastian Laskawiec wrote:
>
> On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>> Hello Keycloakers,
>>
>> I have some doubts regarding Keycloak and load balancers. I set up two
>> keycloak replicas to provide HA. To start them I am using "./standalone.sh
>> --server-config=standalone-ha.xml". I am assuming that they will use
>> multicast to replicate information between nodes, right?
>>
> That is correct. It uses the PING protocol, which in turn uses IP Multicasting
> for discovery.
>
> Note that IP Multicasting is disabled in many data centers (I have never
> found out why they do it, but I've seen it many, many times). So make sure
> your cluster forms correctly (just grep the logs and look for "view").
>
>> Then, I set up a load balancer layer using Apache HTTPD and the AJP connector
>> via port 8009. To make everything work I needed to use sticky sessions;
>> otherwise, the login would never happen. I am fine with the sticky session,
>> however, if I stop one of the replicas where the user is logged in, when
>> the user accesses Keycloak again, he/she is asked to present the credentials
>> as if he/she was not logged in on the other Keycloak replica. Is that the
>> expected behavior?
>>
> My intuition tells me that your cluster didn't form correctly (as I
> mentioned before, grep the logs and look for "view" generated by JGroups).
> Therefore, if you enable sticky sessions, all your requests get to the same
> Keycloak instance, which has everything in the local cache. That's why it
> works fine.
>
>> Is there some troubleshooting or test that I can perform to check if
>> replication is being executed?
>>
> Let's start with investigating the logs. Later on we can check JMX.

--
Rafael Weingärtner

From slaskawi at redhat.com Thu Aug 23 07:53:23 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 23 Aug 2018 13:53:23 +0200
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To: References: Message-ID:

+Bela Ban

As I expected, the cluster doesn't form. I'm not sure where and why those UDP discovery packets are rejected. I just stumbled upon this thread [1], which you may find useful.
Maybe Bela will also have an idea what's going on there. If you won't manage to get UDP working, you can always fall back into TCP (and MPING). [1] https://serverfault.com/questions/211482/tools-to-test-multicast-routing On Thu, Aug 23, 2018 at 1:26 PM Rafael Weing?rtner < rafaelweingartner at gmail.com> wrote: > Thanks for the reply Sebastian! > > > Note, that IP Multicasting is disabled in many data centers (I have never >> found out why they do it, but I've seen it many, many times). So make sure >> your cluster forms correctly (just grep logs and look for "view"). >> > > I thought about that. Then, I used tcpdump, and I can see the multicast > packets from both Keycloak replicas. However, it seems that these packets > are being ignored. > > root at Keycloak01:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 >> or port 45688 or port 23364 or port 4712 or port 4713 >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode >> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes >> 11:13:36.540080 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length >> 83 >> 11:13:41.288449 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length >> 83 >> 11:13:46.342606 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length >> 83 >> > > >> root at keycloak02:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 >> or port 45688 or port 23364 or port 4712 or port 4713 >> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode >> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes >> 11:12:14.218317 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length >> 83 >> 11:12:23.146798 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length >> 83 >> 11:12:27.201888 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length >> 83 >> > > > Here go the log entries. I filtered by ?view?. This is from Keycloak01. 
> >> ^[[0m^[[0m11:16:57,896 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-4) ISPN000094: Received new cluster view for channel ejb: >> [keycloak01|0] (1) [keycloak01] >> ^[[0m^[[0m11:16:57,896 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-2) ISPN000094: Received new cluster view for channel ejb: >> [keycloak01|0] (1) [keycloak01] >> ^[[0m^[[0m11:16:57,897 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-1) ISPN000094: Received new cluster view for channel ejb: >> [keycloak01|0] (1) [keycloak01] >> ^[[0m^[[0m11:16:57,898 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-3) ISPN000094: Received new cluster view for channel ejb: >> [keycloak01|0] (1) [keycloak01] >> ^[[0m^[[0m11:16:57,962 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-1) ISPN000094: Received new cluster view for channel ejb: >> [keycloak01|0] (1) [keycloak01] >> > > I expected it to be only one. I mean, I first started Keycloak01, and > just then Keycloak02. Next, we have the logs from Keycloak02. 
> > ^[[0m^[[0m11:17:34,950 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-3) ISPN000094: Received new cluster view for channel ejb: >> [keycloak02|0] (1) [keycloak02] >> ^[[0m^[[0m11:17:34,952 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-4) ISPN000094: Received new cluster view for channel ejb: >> [keycloak02|0] (1) [keycloak02] >> ^[[0m^[[0m11:17:34,957 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-1) ISPN000094: Received new cluster view for channel ejb: >> [keycloak02|0] (1) [keycloak02] >> ^[[0m^[[0m11:17:34,957 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-2) ISPN000094: Received new cluster view for channel ejb: >> [keycloak02|0] (1) [keycloak02] >> ^[[0m^[[0m11:17:35,052 INFO >> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service >> thread 1-1) ISPN000094: Received new cluster view for channel ejb: >> [keycloak02|0] (1) [keycloak02 >> > > They are similar. It seems that both applications are not seeing each > other. At first, I thought that the problem was caused by ?owners=1? > configuration (the lack of data synchronization between replicas). I then > changed it to ?owners=2?, but still, if I log in the Keycloak01 and then > force my request to go two Keycloak02, my session is not there, and I am > requested to log in again. > > Do you need some other log entries or configuration files? > > Again, thanks for your reply and help! > > On Thu, Aug 23, 2018 at 5:24 AM, Sebastian Laskawiec > wrote: > >> >> >> On Wed, Aug 22, 2018 at 10:24 PM Rafael Weing?rtner < >> rafaelweingartner at gmail.com> wrote: >> >>> Hello Keycloakers, >>> >>> I have some doubts regarding Keycloak and load balancers. I set up two >>> keycloak replicas to provide HA. To start them I am using >>> ?./standalone.sh >>> --server-config=standalone-ha.xml?. 
>>> I am assuming that they will use multicast to replicate information between nodes, right?
>>>
>>
>> That is correct. It uses PING protocol, which in turn uses IP Multicasting for discovery.
>>
>> Note that IP Multicasting is disabled in many data centers (I have never found out why they do it, but I've seen it many, many times). So make sure your cluster forms correctly (just grep logs and look for "view").
>>
>>> Then, I set up a load balancer layer using Apache HTTPD and AJP connector via 8009 port. To make everything work I needed to use sticky session; otherwise, the login would never happen. I am fine with the sticky session, however, if I stop one of the replicas where the user is logged in, when the user accesses Keycloak again, he/she is asked to present the credentials as if he/she was not logged in the other Keycloak replica. Is that the expected behavior?
>>>
>>
>> My intuition tells me that your cluster didn't form correctly (as I mentioned before, grep the logs and look for "view" generated by JGroups). Therefore, if you enable sticky session, all your requests get to the same Keycloak instance, which has everything in the local cache. That's why it works fine.
>>
>>> Is there some troubleshooting or test that I can perform to check if replication is being executed?
>>>
>>
>> Let's start with investigating the logs. Later on we can check JMX.
>>
>>> --
>>> Rafael Weingärtner
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
> --
> Rafael Weingärtner

From slaskawi at redhat.com Thu Aug 23 08:11:29 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 23 Aug 2018 14:11:29 +0200
Subject: [keycloak-user] Cross-DC Replication not working for `sessions` cache
In-Reply-To:
References: <346b6795-ed86-287b-7ed5-cc7668044b35@redhat.com> <15c67762-c1a3-5d9e-1be8-c52c4314c672@redhat.com>
Message-ID:

On Tue, Aug 21, 2018 at 3:12 PM Hayden Fuss wrote:
> Hey guys,
>
> Thank you for the updates! We'll stick to Infinispan 8.2.8 so that there are no surprises.
>
> We upgraded JGroups 3 and added KUBE_PING to Infinispan 8.2.8, as well as for Keycloak, and so we've gotten cross-DC working with two Keycloaks and two ISPN's in each DC.
>
> In our first round of HA testing, Keycloak's OIDC endpoints have been fairly resilient when unable to connect to LDAP, MariaDB, and the whole ISPN cluster (we just destroy the OpenShift Services and wait 5 minutes while testing the endpoints). However, we've noticed if we delete an ISPN pod forcefully, we'll experience some timeouts with the /token?username&password grant as the *new* pod comes up.
>

If I remember correctly, during the summit we used Sync Replicated caches. So each request needs to be committed by all the nodes before Infinispan's put method returns. So if you're not doing a graceful leave (e.g. kill pods with a very short termination time), a killed node won't be able to say "goodbye" to the cluster. The cluster will need to detect that a node died. That's why you observe that kind of behavior.

> We believe it's due to our liveness/readiness probes being too optimistic since ISPN 8.2.8 does not have a health check like ISPN 9.X.
> I've been unable to find a prescribed way of health checking ISPN 8.2.8.
>

It's tricky for 8.2.8. In general you will need to use a similar approach to is_running.sh but query different fields. Maybe try something similar to this (of course you may adjust cache container and cache names):

/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:read-attribute(name=cache-status)

>
> For now I'm waiting for the 9990 socket to open as the liveness probe, and reusing the is_running.sh from ISPN 9.X for the readiness probe (attached), and ISPN pods are considered "Ready" to receive traffic from the OpenShift Service much sooner than they were when we used the probes that came with ISPN 9.X. Aside from setting the delay on the probes to be longer, do either of you know a more accurate way to health check ISPN 8.2.8?
>

You may try to use the cli and extract some values out of it. However I usually advise to be conservative and give Infinispan some time to become ready.

>
> Thanks again for the time and info. We greatly appreciate it as it's been very helpful!
>
> Best,
> Hayden
>
> On Tue, Aug 21, 2018 at 5:26 AM Marek Posolda wrote:
>
>> On 11/08/18 14:26, Sebastian Laskawiec wrote:
>>
>> Fri, 10.08.2018, 21:59 user Hayden Fuss wrote:
>>
>>> Hello Sebastian and Marek,
>>>
>>> Thank you very much for suggestions. We had confirmed replication across the ISPN clusters was working with the CLI, so we tried attaching the remote debugger but didn't find anything useful to tell us why Keycloak couldn't remotely store the sessions in the ISPN cluster.
>>>
>>
>> Thanks for letting us know.
>>
>>> Based on what Marek described, we decided to downgrade our ISPN cluster to 8.2.8 rather than use 9.3.1 and incorporate the demo code.
>>> It was our understanding that demo code would provide an SPI that enabled the ISPN cluster for persistent user storage (but not realms, clients, keys) which is not desirable for us as of now.
>>>
>>
>> Hmmm that's pretty interesting. For the Summit demo we used a fresh master build. So ISPN 9.x should work without any problems. Perhaps Marek can shed some light on this issue.
>>
>> The current Keycloak master supports cross-dc integration with infinispan server 8.2.8.Final and JDG 7.1. That's what we are testing and what is officially described as the recommended infinispan-server version in our documentation: https://www.keycloak.org/docs/latest/server_installation/index.html#crossdc-mode
>>
>> In the recent PR for upgrading Keycloak to Wildfly 13, there will be the upgrade to JDG 7.2 and infinispan server to 9.2.4.Final (this is the same as the infinispan version in Wildfly 13).
>>
>> The summit demo used the infinispan server 9.3 AFAIR, but this required some updates in the Keycloak code, which was done by overriding default userSessions to the "updated-infinispan" provider. The code of this updated-infinispan is in the rh-sso project sources:
>>
>> https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681
>>
>> Even with this overridden provider, I've tested just the Keycloak parts, which were needed for the demo itself. I did not try to run our cross-dc automated tests. So no guarantee that everything works as expected.
>>
>> In other words, if you have a choice for the infinispan-server version and you don't need infinispan-server 9.X, it's recommended to stay with infinispan-server 8.2.8.
>>
>> Marek
>>
>> BTW, do you have a demo pushed into some repo, so that we could check it out?
>>
>>> Downgrading to 8.2.8 (had to create our own image https://github.com/brix4dayz/infinispan/tree/8.2.x) fixed our sessions replication issue, the only thing is KUBE_PING/DNS_PING isn't available with the JGroups version that comes with 8.2.8. Based on what I'm seeing from this PR https://github.com/jboss-dockerfiles/keycloak/pull/96/files it's possible to add a newer version of JGroups to Keycloak so I'll attempt to do that for ISPN so we can have local clustering for ISPN and Keycloak in OpenShift.
>>>
>>
>> Kube ping has basically two versions, 1.x which requires JGroups 4 and 0.9.x, which works with JGroups 3 and 4. Let me know if you hit any problems incorporating kube ping into your project. I might be able to help you.
>>
>>> If there's a better way to go about the JGroups version issue let us know. Thanks again!
>>>
>>
>> TBH I'm really interested why keycloak doesn't store sessions in ISPN. In my opinion, we should find out how to fix this problem and stay with ISPN 9. I would recommend downgrading ISPN as the last resort approach.
>>
>>> Best,
>>> Hayd
>>>
>>> On Thu, Aug 9, 2018 at 3:27 AM Marek Posolda wrote:
>>>
>>>> Hi,
>>>>
>>>> I didn't check everything, but one thing I noted is that in your keycloak-standalone-ha.xml, you don't have "alternative" providers configured.
>>>>
>>>> For Keycloak to work with the infinispan 9.2.X server or newer, it was needed to configure providers like this:
>>>>
>>>> https://github.com/rhdemo/rh-sso/blob/master/standalone-openshift-cfg/configuration/standalone-openshift-jdg.xml#L676-L681
>>>>
>>>> There is also a need to add the userStorage to your realm, which can be done through the admin console or by importing the realm.
>>>> See: https://github.com/rhdemo/rh-sso/blob/master/realm-summit.json#L1051
>>>>
>>>> Marek
>>>>
>>>> On 08/08/18 15:07, Sebastian Laskawiec wrote:
>>>> > On Tue, Aug 7, 2018 at 3:28 PM Hayden Fuss wrote:
>>>> >
>>>> >> Hello,
>>>> >>
>>>> >> We are attempting to run Keycloak on two OpenShift clusters using remote ISPNs and a single MariaDB instance. We're hacking together the Keycloak on Openshift blogpost, the JDG-as-a-service demo from Summit, RH SSO demo from Summit, and following the Keycloak/RH SSO basic setup guide to Cross-DC replication. The hope is to do an initial evaluation of Keycloak's availability.
>>>> >>
>>>> >> We were able to create a new user on master (site1), disable the user on master2 (site2), and see the user was disabled on master. So ISPN replication seems to be working because the work cache was replicated to invalidate the local caches. However, the sessions cache does not seem to be replicated because when logged in as the same user on the two different Keycloaks (in Incognito mode) there is only one active session shown on both UIs and the timestamp/IP/etc is different for the listed session.
>>>> >>
>>>> > So at this point the Infinispan cluster within a single DC works correctly [1] (the one that is formed by KUBE_PING). The Cross-DC cluster (also known as the Global Cluster) also works correctly [2]. Users cache replicates fine but sessions don't.
>>>> >
>>>> > If I understood everything correctly, there might be two issues there.
>>>> >
>>>> > The first one is Infinispan misconfiguration (I briefly looked through the configuration and cannot spot any mistake but there might be some typo or anything like that). That one is easy to verify: just put an entry on one node (e.g.
>>>> > using REST [3]) and see if it's available on the other one (again, using REST for example [4]).
>>>> >
>>>> > If this test works fine, you can check if Keycloak forwards traffic to the Infinispan cluster. The easiest way is to set a breakpoint somewhere in org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveClientSessionToRemoteCache and org.keycloak.models.sessions.infinispan.changes.sessions.LastSessionRefreshChecker#shouldSaveUserSessionToRemoteCache.
>>>> >
>>>> > [1] can be verified by calling `oc logs infinispan-app | grep view`
>>>> > [2] can be verified by calling `oc logs infinispan-app | grep "x-site"`
>>>> > [3] curl -d test ISPN_IP:8080/rest/sessions/test
>>>> > [4] curl ISPN_IP2:8080/rest/sessions/test
>>>> >
>>>> >
>>>> >> We are using the latest, stable Keycloak image, version 4.1.0.Final, and the latest, stable Infinispan image to act as our data grid, version 9.3.1.Final, which we know differs from the 8.2.8 version Keycloak uses for its local caches.
>>>> >>
>>>> >> We were trying one Keycloak node and two ISPN nodes in each cluster, but for simplicity we've attached logs where we only ran one Keycloak and one ISPN in each cluster.
>>>> >> We were connecting to the two different Keycloaks via two different OpenShift Routes without a load balancer to fake sticky sessions for now. Keycloak connects to ISPN via a "HotRod" Service. ISPN connects to other nodes within the same cluster via KUBE_PING, and discovers the other cluster via TCPPING hitting a particular OpenShift app node from that cluster that exposes the "discovery" Service with a NodePort. The Keycloaks share the single MariaDB through a NodePort Service in one of the clusters as well.
>>>> >>
>>>> >> The logs didn't seem to contain any of the messages in the troubleshooting guide. We had trouble using JMX to check the ISPNs because they were running in containers, but we've been using the CLI tool and the Infinispan management console to try to troubleshoot, but any key we pulled from the logs that we thought was a session ID was not in the caches and we could not find a way to simply list all keys in the caches.
>>>> >>
>>>> >> Below is a viewable link to a zip containing logs from the scenario described in the second paragraph, and our config files.
>>>> >>
>>>> >> https://drive.google.com/open?id=0B_OCdNCEtoCYOU12T3dEUFplS193VFNFbEFYclB4Tm5WR0o4
>>>> >>
>>>> >> Thanks for your time and help!
>>>> >>
>>>> >> Best,
>>>> >> Hayden
>>>> >> _______________________________________________
>>>> >> keycloak-user mailing list
>>>> >> keycloak-user at lists.jboss.org
>>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >>
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>

From sthorger at redhat.com Thu Aug 23 13:35:01 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 23 Aug 2018 19:35:01 +0200
Subject: [keycloak-user] Removal of adapters for older containers
Message-ID:

We are going to remove support for the following containers soon:

* WildFly 8
* JBoss AS 7.1
* Jetty 8.1 and 9.1
* Tomcat 6

We've also started discussing if we can remove support for more WildFly versions. Is anyone still using our adapters on WildFly 9, 10 or 11?

Any general comments around when we should remove support for old and no longer maintained versions of containers would also be welcome.

From Dustin.Teel at leidos.com Thu Aug 23 14:10:02 2018
From: Dustin.Teel at leidos.com (Teel, Dustin L.)
Date: Thu, 23 Aug 2018 18:10:02 +0000
Subject: [keycloak-user] FW: Keycloak fails to parse SAML Response
In-Reply-To: <401BAF24-A334-4F82-8F34-3AB6C167BEE5@leidos.com>
References: <401BAF24-A334-4F82-8F34-3AB6C167BEE5@leidos.com>
Message-ID: <4981EE06-23A7-48DF-8DE4-E9BB13103F74@leidos.com>

Hi all,

I am having trouble with Keycloak parsing a SAML Response. I am getting an error that the ds namespace is not bound. If I write a sample class that uses DocumentBuilder, then it correctly parses the SAML. The SAML being parsed is:

http://sample.com digesthere sighere certhere KeyNameHere cipherhere cipherhere

Any idea on why it would be complaining about the "ds" prefix and how to fix it without asking the identity provider sending this response to change the way their SAML is formed, as it is valid SAML according to every validator I have tried.

Thanks,
Dustin

From testoauth55 at gmail.com Fri Aug 24 03:04:31 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Fri, 24 Aug 2018 12:34:31 +0530
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro> <3830aba6-3b46-7dc3-b56a-3c1318cd36d6@redhat.com>
Message-ID:

Marek,

I tried one more thing today. Exported entire realm from Keycloak 3.4 server and imported it in 4.3 server *and I still see the same behavior i.e. even with same realm, session is being maintained in keycloak 3.4, whereas with same realm/config the keycloak 4.3 installation is not maintaining session* (due to absence of KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie in case of 4.x)

(Again, both the keycloak 3.4.3 and 4.3.0 are on same machine. Client app is also on same machine. Accessed from same browser. Realm + client is also same in above test and yet the 2 installations show different behavior)

On Thu, Aug 23, 2018 at 3:34 PM keycloak demo wrote:
> Marek,
>
> Proxy/Load balancer are not being used and I am accessing keycloak directly.
> In fact both 3.4.3 version and 4.X version are running on same machine and are accessed through same browser locally via http://localhost:/auth by apps.
>
> So the only difference the 2 instances (3.x and 4.x) have are different port numbers (which won't make any difference anyway) and yet they show different behavior in terms of setting cookies.
>
> I assume the absence of KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie would be the reason for session not getting maintained.
>
>
> On Thu, Aug 23, 2018 at 1:04 PM Marek Posolda wrote:
>
>> Hmm... in your post, I see that cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION are not present in Keycloak 4.X. Those are the cookies which are important for the automatic SSO re-authentication.
>>
>> Those cookies should be added by Keycloak after successful first authentication. So at the moment when you first authenticate and see the page "You may close this browser window and go back to your console application.", the cookies should be there. BTW, do you have Keycloak behind some proxy/loadbalancer or are you accessing it directly? If you're behind proxy/LB, could you try to access the Keycloak host directly without any proxy/LB involved in between?
>>
>> Marek
>>
>> On 23/08/18 07:25, keycloak demo wrote:
>>
>> Thanks Marek for the update,
>>
>> I understand that https://issues.jboss.org/browse/KEYCLOAK-5179 mentions the issue pertaining to message: "You are already logged in". But will the second issue that I reported also be fixed in this bug?
>>
>> *Issue summary:* When a user logs in he is shown the message: "You may close this browser window and go back to your console application.". Now if I open a new tab, the user should be logged in right? But he is shown the login form again.
>>
>> This issue was not coming in Keycloak 3.4.3 and session was being maintained by browser. But I found this issue on 4.1.0 and also on 4.3.0.
>> In the 4.x version I see a *KC_RESTART* cookie instead of a *KC_SESSION* cookie in the cookies section, which might be the reason.
>>
>> *Here's the post containing complete details of the above issue with screenshots:*
>> https://stackoverflow.com/questions/51592647/keycloak-is-not-maintaining-session-in-browser
>>
>>
>> On Tue, Aug 21, 2018 at 6:08 PM Marek Posolda wrote:
>>
>>> We have opened JIRA for this: https://issues.jboss.org/browse/KEYCLOAK-5179 . Hopefully it's fixed relatively soon in one of the next releases.
>>>
>>> Marek
>>>
>>> On 17/08/18 07:47, keycloak demo wrote:
>>> > Update:
>>> >
>>> > Facing the same issue on keycloak 4.3.0.final. I have taken a fresh instance of keycloak 4.3.0 and created just 2 users, but still facing the same issue of browser not maintaining session.
>>> >
>>> > On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo wrote:
>>> >
>>> >> Can someone please help me on this issue?
>>> >>
>>> >> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo wrote:
>>> >>
>>> >>> Another update:
>>> >>>
>>> >>> Though the login form appears every time, if I log in with a different user the second time, i.e. launch client app -> login with user1 -> relaunch client app (browser shows login form instead of already logged in message) -> now login with user2,
>>> >>>
>>> >>> I get the following message:
>>> >>> "We're sorry...You are already authenticated as different user 'user1' in this session. Please logout first."
>>> >>> If it's able to know another user is logged in, then why is the login form appearing?
>>> >>>
>>> >>>
>>> >>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote:
>>> >>>
>>> >>>> An update on my findings: When I checked developer console: I am getting KC_RESTART cookie in cookies section.
>>> >>>>
>>> >>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
>>> >>>>
>>> >>>>> Yes sir,
>>> >>>>> I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter. And am seeing the same behavior on chrome and firefox.
>>> >>>>>
>>> >>>>> Also regarding the manual mode, I see the same behavior i.e. I have to re-login for each re-run of the client app.
>>> >>>>>
>>> >>>>> But if I do this:
>>> >>>>>
>>> >>>>> System.out.println("Login through manual mode");
>>> >>>>> keycloak.loginManual();
>>> >>>>> System.out.println("Login through browser");
>>> >>>>> keycloak.loginDesktop();
>>> >>>>>
>>> >>>>> i.e. if I call both modes in the same code or even the same mode twice in the same code, then I don't have to re-login for the second call (in the above example for loginDesktop). However when I re-run the application, I need to re-login. This might be a stupid guess but could these sessions be "java object specific"?
>>> >>>>>
>>> >>>>>
>>> >>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin
>>> >>>>> wrote:
>>> >>>>>
>>> >>>>>> Hi,
>>> >>>>>>
>>> >>>>>> Did you do everything in accordance with the docs?
>>> >>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>>> >>>>>>
>>> >>>>>> Do you experience this in "manual" mode too?
>>> >>>>>>
>>> >>>>>> Cheers,
>>> >>>>>> Dmitry Telegin
>>> >>>>>> CTO, Acutus s.r.o.
>>> >>>>>> Keycloak Consulting and Training
>>> >>>>>>
>>> >>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>> >>>>>> +42 (022) 888-30-71
>>> >>>>>> E-mail: info at acutus.pro
>>> >>>>>>
>>> >>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
>>> >>>>>>> I am using openid-connect for authenticating users. After successful authentication, browser window says:
>>> >>>>>>> "Login Successful
>>> >>>>>>>
>>> >>>>>>> You may close this browser window and go back to your console application."
>>> >>>>>>> However, even without closing the window if I relaunch my application (using keycloak.loginDesktop();) even within 10 seconds, still the login page appears instead of: you are already logged in.
>>> >>>>>>>
>>> >>>>>>> Browser: Firefox.
>>> >>>>>>> _______________________________________________
>>> >>>>>>> keycloak-user mailing list
>>> >>>>>>> keycloak-user at lists.jboss.org
>>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >>>>>
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From mposolda at redhat.com Fri Aug 24 03:23:29 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 24 Aug 2018 09:23:29 +0200
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro> <3830aba6-3b46-7dc3-b56a-3c1318cd36d6@redhat.com>
Message-ID:

Hi,

it seems this may be a bug.
Please create JIRA, ideally with reliable steps to reproduce and your application attached.

Marek

On 24/08/18 09:04, keycloak demo wrote:
> Marek,
>
> I tried one more thing today. Exported entire realm from Keycloak 3.4 server and imported it in 4.3 server *and I still see the same behavior i.e. even with same realm, session is being maintained in keycloak 3.4, whereas with same realm/config the keycloak 4.3 installation is not maintaining session* (due to absence of KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie in case of 4.x)
>
> (Again, both the keycloak 3.4.3 and 4.3.0 are on same machine. Client app is also on same machine. Accessed from same browser. Realm + client is also same in above test and yet the 2 installations show different behavior)
>
> On Thu, Aug 23, 2018 at 3:34 PM keycloak demo wrote:
>
> Marek,
>
> Proxy/Load balancer are not being used and I am accessing keycloak directly. In fact both 3.4.3 version and 4.X version are running on same machine and are accessed through same browser locally via http://localhost:/auth by apps.
>
> So the only difference the 2 instances (3.x and 4.x) have are different port numbers (which won't make any difference anyway) and yet they show different behavior in terms of setting cookies.
>
> I assume the absence of KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie would be the reason for session not getting maintained.
>
>
> On Thu, Aug 23, 2018 at 1:04 PM Marek Posolda wrote:
>
> Hmm... in your post, I see that cookies KEYCLOAK_IDENTITY and KEYCLOAK_SESSION are not present in Keycloak 4.X. Those are the cookies which are important for the automatic SSO re-authentication.
>
> Those cookies should be added by Keycloak after successful first authentication. So at the moment when you first authenticate and see the page "You may close this browser window and go back to your console application.", the cookies should be there. BTW.
>> >>>>>>> _______________________________________________
>> >>>>>>> keycloak-user mailing list
>> >>>>>>> keycloak-user at lists.jboss.org
>> >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>>>
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From testoauth55 at gmail.com Fri Aug 24 04:05:54 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Fri, 24 Aug 2018 13:35:54 +0530
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro> <3830aba6-3b46-7dc3-b56a-3c1318cd36d6@redhat.com>
Message-ID:

Thanks Marek,

Raised the following issue: https://issues.jboss.org/browse/KEYCLOAK-8137

On Fri, Aug 24, 2018 at 12:53 PM Marek Posolda wrote:
> Hi,
>
> it seems this may be a bug. Please create JIRA, ideally with reliable steps to reproduce and your application attached.
>
> Marek
>
> On 24/08/18 09:04, keycloak demo wrote:
>
> Marek,
>
> I tried one more thing today. Exported entire realm from Keycloak 3.4 server and imported it in 4.3 server *and I still see the same behavior i.e. even with same realm, session is being maintained in keycloak 3.4, whereas with same realm/config the keycloak 4.3 installation is not maintaining session* (due to absence of KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookie in case of 4.x)
>
> (Again, both the keycloak 3.4.3 and 4.3.0 are on same machine. Client app is also on same machine. Accessed from same browser. Realm + client is also same in above test and yet the 2 installations show different behavior)
>
> On Thu, Aug 23, 2018 at 3:34 PM keycloak demo wrote:
>
>> Marek,
>>
>> Proxy/Load balancer are not being used and I am accessing keycloak directly.
>> In fact both the 3.4.3 version and the 4.X version are running on the same
>> machine and are accessed through the same browser locally via
>> http://localhost:/auth by apps.
>>
>> So the only difference the 2 instances (3.x and 4.x) have are different
>> port numbers (which won't make any difference anyway) and yet they show
>> different behavior in terms of setting cookies.
>>
>> I assume the absence of the KEYCLOAK_IDENTITY and KEYCLOAK_SESSION cookies
>> would be the reason for the session not getting maintained.
>>
>>
>> On Thu, Aug 23, 2018 at 1:04 PM Marek Posolda wrote:
>>
>>> Hmm... in your post, I see that cookies KEYCLOAK_IDENTITY and
>>> KEYCLOAK_SESSION are not present in Keycloak 4.X. Those are the cookies
>>> which are important for the automatic SSO re-authentication.
>>>
>>> Those cookies should be added by Keycloak after successful first
>>> authentication. So at the moment when you first authenticate and see the page
>>> "You may close this browser window and go back to your console
>>> application.", the cookies should be there. BTW, do you have Keycloak
>>> behind some proxy/loadbalancer or are you accessing it directly? If you're
>>> behind a proxy/LB, could you try to access the Keycloak host directly without any
>>> proxy/LB involved in between?
>>>
>>> Marek
>>>
>>> On 23/08/18 07:25, keycloak demo wrote:
>>>
>>> Thanks Marek for the update,
>>>
>>> I understand that https://issues.jboss.org/browse/KEYCLOAK-5179
>>> mentions the issue pertaining to the message: "You are already logged in". But
>>> will the second issue that I reported also be fixed in this bug?
>>>
>>> *Issue summary:* When a user logs in he is shown the message: "You may
>>> close this browser window and go back to your console application.". Now if
>>> I open a new tab, the user should be logged in, right? But he is shown the
>>> login form again.
>>>
>>> This issue was not occurring in Keycloak 3.4.3 and the session was being
>>> maintained by the browser. But I found this issue on 4.1.0 and also on 4.3.0.
>>> In the 4.x version I see a *KC_RESTART* cookie instead of a
>>> *KC_SESSION* cookie in the cookies section, which might be the reason.
>>>
>>> *Here's the post containing complete details of the above issue with
>>> screenshots:*
>>> https://stackoverflow.com/questions/51592647/keycloak-is-not-maintaining-session-in-browser
>>>
>>>
>>> On Tue, Aug 21, 2018 at 6:08 PM Marek Posolda wrote:
>>>
>>>> We have opened a JIRA for this:
>>>> https://issues.jboss.org/browse/KEYCLOAK-5179 . Hopefully it's fixed
>>>> relatively soon in one of the next releases.
>>>>
>>>> Marek
>>>>
>>>> On 17/08/18 07:47, keycloak demo wrote:
>>>> > Update:
>>>> >
>>>> > Facing the same issue on Keycloak 4.3.0.final. I have taken a fresh
>>>> > instance of Keycloak 4.3.0 and created just 2 users, but am still facing the
>>>> > same issue of the browser not maintaining the session.
>>>> >
>>>> > On Mon, Aug 13, 2018 at 12:10 PM, keycloak demo <testoauth55 at gmail.com> wrote:
>>>> >
>>>> >> Can someone please help me on this issue?
>>>> >>
>>>> >> On Thu, Aug 9, 2018 at 9:51 AM, keycloak demo wrote:
>>>> >>
>>>> >>> Another update:
>>>> >>>
>>>> >>> Though the login form appears every time, if I log in with a different
>>>> >>> user the second time, i.e. launch client app -> login with user1 ->
>>>> >>> relaunch client app (browser shows the login form instead of the already-logged-in
>>>> >>> message) -> now login with user2,
>>>> >>>
>>>> >>> I get the following message:
>>>> >>> "We're sorry... You are already authenticated as different user 'user1'
>>>> >>> in this session. Please logout first."
>>>> >>> If it's able to know another user is logged in, then why is the login
>>>> >>> form appearing?
>>>> >>>
>>>> >>>
>>>> >>> On Tue, Jul 31, 2018 at 4:58 PM, Test Oauth wrote:
>>>> >>>
>>>> >>>> An update on my findings: When I checked the developer console, I am
>>>> >>>> getting a KC_RESTART cookie in the cookies section.
>>>> >>>>
>>>> >>>> On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
>>>> >>>>
>>>> >>>>> Yes sir,
>>>> >>>>> I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>>>> >>>>> and am seeing the same behavior on Chrome and Firefox.
>>>> >>>>>
>>>> >>>>> Also regarding the manual mode, I see the same behavior, i.e. I have to
>>>> >>>>> re-login for each re-run of the client app.
>>>> >>>>>
>>>> >>>>> But if I do this:
>>>> >>>>>
>>>> >>>>> System.out.println("Login through manual mode");
>>>> >>>>> keycloak.loginManual();
>>>> >>>>> System.out.println("Login through browser");
>>>> >>>>> keycloak.loginDesktop();
>>>> >>>>>
>>>> >>>>> i.e. if I call both modes in the same code, or even the same mode twice in
>>>> >>>>> the same code, then I don't have to re-login for the second call (in the above
>>>> >>>>> example for loginDesktop). However, when I re-run the application, I need to
>>>> >>>>> re-login. This might be a stupid guess, but could these sessions be "java
>>>> >>>>> object specific"?
>>>> >>>>>
>>>> >>>>>
>>>> >>>>> On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin wrote:
>>>> >>>>>
>>>> >>>>>> Hi,
>>>> >>>>>>
>>>> >>>>>> Did you do everything in accordance with the docs?
>>>> >>>>>> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>>>> >>>>>>
>>>> >>>>>> Do you experience this in "manual" mode too?
>>>> >>>>>>
>>>> >>>>>> Cheers,
>>>> >>>>>> Dmitry Telegin
>>>> >>>>>> CTO, Acutus s.r.o.
>>>> >>>>>> Keycloak Consulting and Training
>>>> >>>>>>
>>>> >>>>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>>> >>>>>> +42 (022) 888-30-71
>>>> >>>>>> E-mail: info at acutus.pro
>>>> >>>>>>
>>>> >>>>>> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
>>>> >>>>>>> I am using openid-connect for authenticating users. After successful
>>>> >>>>>>> authentication, the browser window says:
>>>> >>>>>>> "Login Successful
>>>> >>>>>>>
>>>> >>>>>>> You may close this browser window and go back to your console
>>>> >>>>>>> application."
>>>> >>>>>>> However, even without closing the window, if I relaunch my application
>>>> >>>>>>> (using keycloak.loginDesktop();) even within 10 seconds, still the login
>>>> >>>>>>> page appears instead of: you are already logged in.
>>>> >>>>>>>
>>>> >>>>>>> Browser: Firefox.
>>>> >>>>>
>>>> >
>>>>
>>>>
>>>
>

From jambo_mcd at yahoo.co.uk Fri Aug 24 05:32:05 2018
From: jambo_mcd at yahoo.co.uk (Jamie McDowell)
Date: Fri, 24 Aug 2018 09:32:05 +0000 (UTC)
Subject: [keycloak-user] Multiple password policies
In-Reply-To: <5b9de4b1-d75e-25dc-9d23-af09dc4d2855@redhat.com>
References: <1356792787.9540666.1534168050614.ref@mail.yahoo.com> <1356792787.9540666.1534168050614@mail.yahoo.com> <504557615.12069269.1534429942790@mail.yahoo.com> <1843434580.12659228.1534501961679@mail.yahoo.com> <5b9de4b1-d75e-25dc-9d23-af09dc4d2855@redhat.com>
Message-ID: <2047198188.2850809.1535103125503@mail.yahoo.com>

Thanks for your reply.

What I have tried to do is get Keycloak to use the password policy which has been defined on my OpenLDAP server; however, this does not seem to work either. See my email below which I have sent to keycloak-dev.

From: Jamie McDowell
To: Keycloak-dev
Sent: Friday, 24 August 2018, 10:15:08 BST
Subject: Keycloak to OpenLDAP - Password Policies

Hi Devs,

Appreciate it if you can help me with an issue I have with password policies federating from Keycloak (v3.4.3) to OpenLDAP. I have created 2 password policies on the OpenLDAP server, where I require one for end users and one for service accounts - these are defined in the specific OUs where the accounts are held.

I have set the password policies for both users and service accounts (policy module, schema, overlay etc.)
and can confirm that the policy is being picked up on the OpenLDAP host when I run the command ldappasswd for the user and enter fewer characters than the required password length (for example).

The issue I have is that within Keycloak I haven't set any password policies, as I would like it to use the one I have created within the OpenLDAP server. Can Keycloak be configured so that it must check against the OpenLDAP password policy? I have one realm set up along with a client.

I have been trying to get this working now for the last 10 days and am not getting very far.

Within my LDAP Mapper I have tried creating an msad-user-account-control-mapper; however, this does not work. I get provided with an error when resetting my user password: "Failed to update password in Active Directory. Exception message: [LDAP: error code 17 - pwdLastSet: attribute type undefined"

I would have expected something like this considering I am not using AD.

Any suggestions would be appreciated?

Regards,
Jamie

On Tuesday, 21 August 2018, 13:28:19 BST, Marek Posolda wrote:

No, neither of the things you mentioned is available OOTB.

I wonder whether we may need something like FilterPasswordPolicy, which will allow configuring a child/delegate password policy and the filter (for example with usage of the scripting engine like our ScriptBasedAuthenticator is using)? The filter may allow you to specify for example that:
- User in role "admin" must have a password of at least 10 characters
- User who is not in the role "admin" must have a password of at least 7 characters
etc.

Fact is that it's not available OOTB at this moment. You may either try to create some custom PasswordPolicyProvider(s) by yourself, or you can try to contribute something generic (like the FilterPasswordPolicy provider I mentioned above) to Keycloak?

Marek

On 17/08/18 12:32, Jamie McDowell wrote:
> Hi,
> Further to my email below, can you have a password policy assigned to a realm role?
>
> Regards,
> Jamie
>
> On Thursday, 16 August 2018, 15:32:22 BST, Jamie McDowell wrote:
>
> Hi,
>
> Can you have multiple password policies on the same realm where you are using an LDAP instance (Federated)?
> We have Keycloak set up federating to an OpenLDAP server. On the LDAP server we have 2 OUs, 1 for users and the other for service accounts - both of these need to have different passwords such as length and complexity.
> We have the password policy defined on the OpenLDAP. Can Keycloak have multiple policies?
> Has anyone configured this before or can suggest alternatives?
> Regards,
> Jamie

From slaskawi at redhat.com Fri Aug 24 06:28:06 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Fri, 24 Aug 2018 12:28:06 +0200
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To: <5bcdc1f7-1a56-6db7-d905-3b621dc50f71@redhat.com>
References: <5bcdc1f7-1a56-6db7-d905-3b621dc50f71@redhat.com>
Message-ID:

Great write-up! Bookmarked!

On Thu, Aug 23, 2018 at 4:36 PM Bela Ban wrote:
> Have you checked
> https://github.com/belaban/workshop/blob/master/slides/admin.adoc#problem-1-members-don-t-find-each-other
> ?
>
> On 23/08/18 13:53, Sebastian Laskawiec wrote:
> > +Bela Ban
> >
> > As I expected, the cluster doesn't form.
> >
> > I'm not sure where and why those UDP discovery packets are rejected. I
> > just stumbled upon this thread [1], which you may find useful. Maybe
> > Bela will also have an idea what's going on there.
> >
> > If you don't manage to get UDP working, you can always fall back to
> > TCP (and MPING).
> >
> > [1] https://serverfault.com/questions/211482/tools-to-test-multicast-routing
> >
> > On Thu, Aug 23, 2018 at 1:26 PM Rafael Weingärtner wrote:
> >
> >     Thanks for the reply Sebastian!
> >
> >         Note that IP Multicasting is disabled in many data centers (I
> >         have never found out why they do it, but I've seen it many, many
> >         times). So make sure your cluster forms correctly (just grep
> >         logs and look for "view").
> >
> >     I thought about that. Then, I used tcpdump, and I can see the
> >     multicast packets from both Keycloak replicas. However, it seems
> >     that these packets are being ignored.
> >
> >     root at Keycloak01:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
> >     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> >     listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> >     11:13:36.540080 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
> >     11:13:41.288449 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
> >     11:13:46.342606 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
> >
> >     root at keycloak02:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
> >     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> >     listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> >     11:12:14.218317 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
> >     11:12:23.146798 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
> >     11:12:27.201888 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
> >
> >     Here go the log entries. I filtered by “view”. This is from Keycloak01.
> >
> >     11:16:57,896 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> >     11:16:57,896 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> >     11:16:57,897 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> >     11:16:57,898 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> >     11:16:57,962 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
> >
> >     I expected it to be only one. I mean, I first started Keycloak01,
> >     and only then Keycloak02. Next, we have the logs from Keycloak02.
> >
> >     11:17:34,950 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> >     11:17:34,952 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> >     11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> >     11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
> >     11:17:35,052 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02
> >
> >     They are similar. It seems that both applications are not seeing
> >     each other. At first, I thought that the problem was caused by the
> >     “owners=1” configuration (the lack of data synchronization between
> >     replicas). I then changed it to “owners=2”, but still, if I log in
> >     to Keycloak01 and then force my request to go to Keycloak02, my
> >     session is not there, and I am requested to log in again.
> >
> >     Do you need some other log entries or configuration files?
> >
> >     Again, thanks for your reply and help!
> >
> >     On Thu, Aug 23, 2018 at 5:24 AM, Sebastian Laskawiec wrote:
> >
> >         On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner wrote:
> >
> >             Hello Keycloakers,
> >
> >             I have some doubts regarding Keycloak and load balancers. I set up two
> >             Keycloak replicas to provide HA.
> >             To start them I am using “./standalone.sh --server-config=standalone-ha.xml”. I am assuming that they will use
> >             multicast to replicate information between nodes, right?
> >
> >         That is correct. It uses the PING protocol, which in turn uses IP
> >         Multicasting for discovery.
> >
> >         Note that IP Multicasting is disabled in many data centers (I
> >         have never found out why they do it, but I've seen it many, many
> >         times). So make sure your cluster forms correctly (just grep
> >         logs and look for "view").
> >
> >             Then, I set up a load balancer layer using Apache HTTPD and an AJP connector
> >             via port 8009. To make everything work I needed to use sticky sessions;
> >             otherwise, the login would never happen. I am fine with the sticky session;
> >             however, if I stop one of the replicas where the user is logged in, when
> >             the user accesses Keycloak again, he/she is asked to present the credentials
> >             as if he/she was not logged in on the other Keycloak replica. Is that the
> >             expected behavior?
> >
> >         My intuition tells me that your cluster didn't form correctly
> >         (as I mentioned before, grep the logs and look for "view"
> >         generated by JGroups). Therefore, if you enable sticky sessions,
> >         all your requests get to the same Keycloak instance, which has
> >         everything in the local cache. That's why it works fine.
> >
> >             Is there some troubleshooting or test that I can perform to check if
> >             replication is being executed?
> >
> >         Let's start with investigating the logs. Later on we can check JMX.
> >
> >             --
> >             Rafael Weingärtner
> >
> >     --
> >     Rafael Weingärtner
>
> --
> Bela Ban | http://www.jgroups.org

From andreas.lau at outlook.com Fri Aug 24 07:22:00 2018
From: andreas.lau at outlook.com (Andreas Lau)
Date: Fri, 24 Aug 2018 11:22:00 +0000
Subject: [keycloak-user] Validation before account registration
Message-ID:

Hello,

I'd like to use Keycloak to secure my web application. But I have a requirement to check a number, like a contract number, for validity before the registration process. If it's valid, the registration is allowed and an account can be created; if not, nothing should happen. Is it possible to do that with Keycloak? I suppose that I cannot use the regular registration link in the log-in form, right?

Regards
Andreas

---
This e-mail was checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

From robert.smol at stereoit.com Fri Aug 24 07:29:15 2018
From: robert.smol at stereoit.com (Robert Smol)
Date: Fri, 24 Aug 2018 13:29:15 +0200
Subject: [keycloak-user] User import strategy
Message-ID:

Hello,

we are migrating from an old system to Keycloak, and I've implemented several interfaces: UserStorageProvider, UserLookupProvider, CredentialInputValidator, CredentialInputUpdater, UserQueryProvider.

When I now go to the Users tab and do View All Users, I do see some users twice: once for those that logged in via Keycloak and got a local account created (section 11.9.1 on server_development) and once because they are listed due to UserQueryProvider - but I do not see any way to distinguish between those entries. Both have Federation Link set to our custom provider.

I ideally would love to see which user is local and which one is remote so I know which users we still should migrate. What is your strategy on this?
Shall I tweak the `getUsers` method to check userLocalStorage() for already imported users and skip those?

Robert

From nikola.malenic at netsetglobal.rs Fri Aug 24 08:39:30 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Fri, 24 Aug 2018 14:39:30 +0200
Subject: [keycloak-user] Token with information about login method
Message-ID: <002201d43ba7$80c63e80$8252bb80$@netsetglobal.rs>

Suppose we have multiple login methods (multiple authenticators) a user can be logged in with. Is there a way to place this information (which authenticator did the authentication) in the access token? It would be even better to assign different scopes to the access token based on the authentication method.

Many thanks,
Nikola

From ddevaal at rovecom.nl Fri Aug 24 08:47:05 2018
From: ddevaal at rovecom.nl (Dennis de Vaal | Rovecom)
Date: Fri, 24 Aug 2018 12:47:05 +0000
Subject: [keycloak-user] Enabling login events causes ERROR: value too long for type character varying(2550)
Message-ID: <7f4b3b75-f606-444b-9e5d-1a5d7304c6cf@Spark>

When a user logs in via our custom SAML-based identity provider (which in turn is based on the one provided with Keycloak), Keycloak will throw the following exception: org.postgresql.util.PSQLException: ERROR: value too long for type character varying(2550). This happens when the user is redirected back to Keycloak from the external IdP.

I have traced this back to the details_json column in the event_entity table. This column has a varchar data type of length 2550. Can this limit be increased or removed?

For now we decided to disable this feature (Save Events: OFF) under Events > Config > Login Events Settings.

We are running Keycloak 3.4.3 Final (from the official jboss docker image).

See attached log for a full stacktrace.
Regards,

Dennis de Vaal

Dennis de Vaal
web developer
elbe 2, 7908 hb hoogeveen
0528 22 35 35
postbus 2126, 7900 bc hoogeveen
rovecom.nl

Constantly innovating to stimulate movement and realise growth. We are Rovecom.

Disclaimer: https://www.rovecom.nl/maildisclaimer. If the link does not work, paste it into your internet browser.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloak-postgres-stacktrace-2.log
Type: application/octet-stream
Size: 47836 bytes
Desc: keycloak-postgres-stacktrace-2.log
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180824/5c2c5f02/attachment-0001.obj

From piper.ryan235 at gmail.com Fri Aug 24 10:13:14 2018
From: piper.ryan235 at gmail.com (Ryan Piper)
Date: Fri, 24 Aug 2018 08:13:14 -0600
Subject: [keycloak-user] Load denied by X-Frame-Options
Message-ID:

Hello,

I am receiving the error message on the `auth/admin/master/console/#/` page. I am running Keycloak in a docker container which has an nginx instance in front of it. The precise error I get is:

```
Load denied by X-Frame-Options: https://keycloak.fqdn.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html?version=4.3.0.final does not permit framing.
```

I configured the xml files so proxy-address-forwarding is set to true. Not sure how to correct this issue in the context of Keycloak. Any help would be appreciated! Thanks.

From jernej.porenta at 3fs.si Fri Aug 24 10:15:29 2018
From: jernej.porenta at 3fs.si (Jernej Porenta)
Date: Fri, 24 Aug 2018 16:15:29 +0200
Subject: [keycloak-user] admin/api interface ip restrictions
Message-ID: <6A89E2BC-1A1D-457C-BF59-52D99958AB46@3fs.si>

Hey,

based on the documentation for IP restrictions (https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction), I've tried to set up a filter which would allow accessing administrative interfaces only from specific IPs.

We have used the following commands:

/subsystem=undertow/configuration=filter/expression-filter=ipAccess:add(,expression="path-prefix[/auth/admin] -> ip-access-control(acl={‘193.189.160.11/32 allow’})")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=ipAccess:add()

But unfortunately, this has totally blocked our access to administrative interfaces.

We are running this setup in k8s behind Azure Application Gateway and k8s ingress nginx controller.
Both proxies have been configured to add `X-Forwarded-For` headers, while we are still receiving a 403 error.

We have dug into the issue a bit more and we got a bit more information:

- as it seems Keycloak sees the right IP when we try to log in to a fake realm:

12:29:41,069 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=193.189.160.11, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://taurus1.siol.net/auth/realms/master/account/login-redirect, code_id=13e0eb84-852a-47b0-94e8-d469fb66219d, username=asdfasd

- but when we try to access the admin console, we get 403. The requestDumper gives us this:

==============================================================
14:13:36,876 INFO [io.undertow.request.dump] (default I/O-6)
----------------------------REQUEST---------------------------
URI=/auth/admin/
characterEncoding=null
contentLength=-1
contentType=null
cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
header=X-Real-IP=193.189.160.11
header=Cache-Control=max-age=0
header=Accept-Encoding=gzip, deflate, br
header=X-Request-ID=2eb23a96b4fba4324505c7c5df424c64
header=X-Original-Forwarded-For=193.189.160.11:58359
header=X-Scheme=https
header=Connection=close
header=X-Forwarded-Port=443
header=X-ORIGINAL-HOST=taurus1.siol.net
header=X-Forwarded-For=193.189.160.11
header=X-ARR-SSL=3072|256|C=FI, S=Jorvas, L=Jorvas, O=Ericsson, OU=IoT, CN=IoT, E=spam at ericsson.com|CN=dev.example.com, S=Stockholm, C=SE, O=Ericsson, OU=Development
header=Cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564
header=Host=taurus1.siol.net
header=X-Forwarded-Host=taurus1.siol.net
header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
header=Accept-Language=en-US,en;q=0.9
header=Max-Forwards=10
header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
header=SEC-WEBSOCKET-EXTENSIONS=
header=X-ARR-LOG-ID=5394f13f-d8a8-490b-9853-efd8e115e3a6
header=X-Forwarded-Proto=https
header=X-Original-URI=/auth/admin/
header=X-Original-URL=/auth/admin/
header=Upgrade-Insecure-Requests=1
locale=[en_US, en]
method=GET
protocol=HTTP/1.1
queryString=
remoteAddr=193.189.160.11:0
remoteHost=193.189.160.11
scheme=https
host=taurus1.siol.net
serverPort=443
--------------------------RESPONSE--------------------------
contentLength=74
contentType=text/html
header=Connection=close
header=Content-Length=74
header=Content-Type=text/html
header=Date=Fri, 24 Aug 2018 14:13:36 GMT
status=403
==============================================================

Any clues what we are doing wrong?

Thank you in advance,
br, Jernej

From vandana0242 at gmail.com Fri Aug 24 11:53:12 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 24 Aug 2018 10:53:12 -0500
Subject: [keycloak-user] Removal of adapters for older containers| Please don't remove for wildfly 11
Message-ID:

Hello

We are using Wildfly 11 and Keycloak 4.0.0 onwards for our SAML configuration, and it includes the Keycloak 4.0.0 SAML adapters also at our client project. Please don't remove the support for them; yesterday I have seen some email thread regarding this from Stian Thorgersen.

Thanks,
Vandana

From vandana0242 at gmail.com Fri Aug 24 11:54:37 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 24 Aug 2018 10:54:37 -0500
Subject: [keycloak-user] Removal of adapters for older containers| Please don't remove for wildfly 11
Message-ID:

Hello

We are using Wildfly 11 and Keycloak 4.0.0 onwards for our SAML configuration, and it includes the Keycloak 4.0.0 SAML adapters also at our client project. Please don't remove the support for them. If it's removed, what is the alternate option for us for SAML configuration (like for single sign-on for our application)?
Yesterday I have seen some email thread regarding this from Stian Thorgersen.

Thanks,
Vandana

From jernej.porenta at 3fs.si Sat Aug 25 05:13:57 2018
From: jernej.porenta at 3fs.si (Jernej Porenta)
Date: Sat, 25 Aug 2018 11:13:57 +0200
Subject: [keycloak-user] admin/api interface ip restrictions
In-Reply-To: <6A89E2BC-1A1D-457C-BF59-52D99958AB46@3fs.si>
References: <6A89E2BC-1A1D-457C-BF59-52D99958AB46@3fs.si>
Message-ID: <741EC106-1484-4EF5-AF41-851CB021C1CA@3fs.si>

Hey,

maybe to add a bit more info:

- keycloak installed with the jboss/keycloak:4.0.0.Final image onto k8s using the helm chart
- proxy mode engaged:

/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)

I am really running out of ideas what to change to get this running. I've tried without success:

- changing the format of the undertow acl specification
- adding the proxy-peer-filter:

/subsystem=undertow/configuration=filter/expression-filter=my-proxy-peer-address:add(expression="proxy-peer-address")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=my-proxy-peer-address:add()

- tried without the ingress controller, using `X-Forwarded-For` directly to the keycloak pod

Any clues?

Thank you in advance,
br, Jernej

> On 24 Aug 2018, at 16:15, Jernej Porenta wrote:
>
> Hey,
>
> based on the documentation for IP restrictions (https://www.keycloak.org/docs/latest/server_admin/index.html#ip-restriction), I've tried to set up a filter which would allow accessing administrative interfaces only from specific IPs.
>
> We have used the following commands:
> /subsystem=undertow/configuration=filter/expression-filter=ipAccess:add(,expression="path-prefix[/auth/admin] -> ip-access-control(acl={‘193.189.160.11/32 allow’})")
> /subsystem=undertow/server=default-server/host=default-host/filter-ref=ipAccess:add()
>
> But unfortunately, this has totally blocked our access to administrative interfaces.
>
> We are running this setup in k8s behind Azure Application Gateway and k8s ingress nginx controller. Both proxies have been configured to add `X-Forwarded-For` headers, while we are still receiving a 403 error.
>
> We have dug into the issue a bit more and we got a bit more information:
> - as it seems Keycloak sees the right IP when we try to log in to a fake realm:
> 12:29:41,069 WARN [org.keycloak.events] (default task-40) type=LOGIN_ERROR, realmId=master, clientId=account, userId=null, ipAddress=193.189.160.11, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=https://taurus1.siol.net/auth/realms/master/account/login-redirect, code_id=13e0eb84-852a-47b0-94e8-d469fb66219d, username=asdfasd
>
> - but when we try to access the admin console, we get 403.
The requestDumper gives us this: > ============================================================== > 14:13:36,876 INFO [io.undertow.request.dump] (default I/O-6) > ----------------------------REQUEST--------------------------- > URI=/auth/admin/ > characterEncoding=null > contentLength=-1 > contentType=null > cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564 > header=X-Real-IP=193.189.160.11 > header=Cache-Control=max-age=0 > header=Accept-Encoding=gzip, deflate, br > header=X-Request-ID=2eb23a96b4fba4324505c7c5df424c64 > header=X-Original-Forwarded-For=193.189.160.11:58359 > header=X-Scheme=https > header=Connection=close > header=X-Forwarded-Port=443 > header=X-ORIGINAL-HOST=taurus1.siol.net > header=X-Forwarded-For=193.189.160.11 > header=X-ARR-SSL=3072|256|C=FI, S=Jorvas, L=Jorvas, O=Ericsson, OU=IoT, CN=IoT, E=spam at ericsson.com|CN=dev.example.com, S=Stockholm, C=SE, O=Ericsson, OU=Development > header=Cookie=ApplicationGatewayAffinity=4c57a5c596cc59c780c4045e602aa3becd7ca9409ebf4db2800ca163681d2564 > header=Host=taurus1.siol.net > header=X-Forwarded-Host=taurus1.siol.net > header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 > header=Accept-Language=en-US,en;q=0.9 > header=Max-Forwards=10 > header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 > header=SEC-WEBSOCKET-EXTENSIONS= > header=X-ARR-LOG-ID=5394f13f-d8a8-490b-9853-efd8e115e3a6 > header=X-Forwarded-Proto=https > header=X-Original-URI=/auth/admin/ > header=X-Original-URL=/auth/admin/ > header=Upgrade-Insecure-Requests=1 > locale=[en_US, en] > method=GET > protocol=HTTP/1.1 > queryString= > remoteAddr=193.189.160.11:0 > remoteHost=193.189.160.11 > scheme=https > host=taurus1.siol.net > serverPort=443 > --------------------------RESPONSE-------------------------- > contentLength=74 > contentType=text/html > 
> header=Connection=close
> header=Content-Length=74
> header=Content-Type=text/html
> header=Date=Fri, 24 Aug 2018 14:13:36 GMT
> status=403
> ==============================================================
>
> Any clues, what are we doing wrong?
>
> Thank you in advance, br, Jernej

From eirilwan at gmail.com Sat Aug 25 05:59:49 2018
From: eirilwan at gmail.com (Eirik L. Wang)
Date: Sat, 25 Aug 2018 11:59:49 +0200
Subject: [keycloak-user] Managing resource access
Message-ID:

Hi,

We have a customer support portal where we are trying to use Keycloak for managing resources. As part of our portal we want to be able to show admins who has access to a given resource. Is it possible to get this information from the authorization APIs? I'm mostly using RBAC, so our backup plan is just showing this information based on role membership. But it would be nice to be able to show calculated access, as there might be some special rules for some resources.

Also, are you able to explain some curious behavior to me? It might be that I'm not fully aware of how the evaluation of permissions is happening. This is what I have drilled it down to:

Say I have 2 resources
area_1
area_2
each with scopes
area_1:read
area_2:read
area_1:write
area_2:write

I have two policies:
IsAdmin - policy that checks for a client admin role
IsAreaAdmin - a generic JS policy which tries to check for a role corresponding with the scope accessed, e.g. check if the user is a member of the area_1:write client role

JS code:
var context = $evaluation.getContext();
var id = $evaluation.permission.resourceServer.id;
var client = $evaluation.authorizationProvider.realm.getClientById(id).clientId;
var scope = $evaluation.permission.scopes[0].name;
var identity = context.getIdentity();
logger.warn("evaluating " + scope);
logger.warn("evaluating " + identity.hasClientRole(client, scope));
if (identity.hasClientRole(client, scope)) {
    $evaluation.grant();
}

Then I have scope based permissions (one for each scope), Affirmative with both scopes.
So either you are admin, or you have a role corresponding with the scope.

Testing this:
User1 is a member of the area1:read client role
When evaluating the user with only the area1:read scope - access is granted
When evaluating the user with any resource, any scope - access is denied

Debugging, it seems like only one of the scopes is tested through the policy for each resource. Is this expected behavior? Or is there a caching bug somewhere?

Regards
Eirik Wang

From it.vidhyadharan at gmail.com Sun Aug 26 06:40:47 2018
From: it.vidhyadharan at gmail.com (vidhyadharan D)
Date: Sun, 26 Aug 2018 16:10:47 +0530
Subject: [keycloak-user] Regarding resourcePath in email html template
Message-ID:

Hi,

I am customizing the email template for password-reset. I wish to access the logo from the *email* resources directory, i.e. \themes\\email\resources\img\marketing.jpg. This is possible for the *login* module via ${url.resourcesPath}. Could someone please point out to me how to access the email resource path?

Regards,
vidhya

From esteiner at inventage.com Sun Aug 26 10:19:59 2018
From: esteiner at inventage.com (Edwin Steiner)
Date: Sun, 26 Aug 2018 16:19:59 +0200
Subject: [keycloak-user] Access to EntityManager/KeycloakSession from a MessageDrivenBean inside Keycloak
Message-ID:

Hello All

We would like to extend our Keycloak instance with a MessageDrivenBean for user synchronization. Inside the MessageDrivenBean we need access to the EntityManager for storing the imported users in the database.
import javax.ejb.ActivationConfigProperty;
import javax.ejb.MessageDriven;
import javax.enterprise.context.ApplicationScoped;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

@MessageDriven(name = "ImportUserMessageHandler", activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "ImportQueue"),
    @ActivationConfigProperty(propertyName = "acknowledgeMode", propertyValue = "Auto-acknowledge") })
@ApplicationScoped
public class ImportUserMessageHandler extends AbstractMessageDrivenBean {

    // Injection of the Keycloak persistence unit; this is the line the deployer rejects below.
    @PersistenceContext(unitName = "keycloak-default")
    private EntityManager entityManager;
}

But the above code results in the following error message:

Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYEE0041: Component class com.inventage.iam.import.ImportUserMessageHandler for component ImportUserMessageHandler has errors:
WFLYJPA0033: Can't find a persistence unit named keycloak-default in deployment "keycloak-spi.jar"
    at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor$1.handle(ModuleJndiBindingProcessor.java:157)
    at org.jboss.as.ee.component.ClassDescriptionTraversal.run(ClassDescriptionTraversal.java:54)
    at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor.processClassConfigurations(ModuleJndiBindingProcessor.java:186)
    at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor.deploy(ModuleJndiBindingProcessor.java:143)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:165)
    ... 5 more

Normally the EntityManager is gotten via keycloakSession.getProvider(JpaConnectionProvider.class).getEntityManager(), but in the MessageDrivenBean we have no access to a KeycloakSession instance. Is there another way to get the EntityManager? Or can we somehow get a KeycloakSession instance inside the MessageDrivenBean?
Thanks
Edwin

From Murad.Almomani at progressoft.com Mon Aug 27 03:26:48 2018
From: Murad.Almomani at progressoft.com (Murad Almomani)
Date: Mon, 27 Aug 2018 07:26:48 +0000
Subject: [keycloak-user] Adding Customized Message after successful Login
Message-ID:

Dears,

I would like to add a customized success message after a user successfully logs in to Keycloak. How can I do this? And is there a way to make this message configurable from the Keycloak admin console?

Thanks,
Murad Momani.

From nils.wild at sinnovate.de Mon Aug 27 03:34:21 2018
From: nils.wild at sinnovate.de (Nils Wild)
Date: Mon, 27 Aug 2018 09:34:21 +0200
Subject: [keycloak-user] configure redirect url after impersonification
Message-ID: <33dc9260-a9a1-c4c0-ec86-d519c1b82aa2@sinnovate.de>

Hi,

is it possible to define the redirect URL for impersonation? I want to redirect to the application, not to the Keycloak user page.

Nils Wild

From slaskawi at redhat.com Mon Aug 27 04:06:03 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 27 Aug 2018 10:06:03 +0200
Subject: [keycloak-user] Replication timeout and retransmission table issues when using Keycloak on 5 nodes
In-Reply-To:
References:
Message-ID:

Let me add +Bela Ban to this thread. Maybe he has an idea what happened.

From another email thread, I saw the suggestion was to try increasing the FD_ALL timeout. Have you tried that?

On Wed, Aug 22, 2018 at 6:41 PM Damien Douteaux wrote:
> *SUMMARY*
>
> I am currently trying to build an authentication app using Keycloak deployed as a Docker service. My infrastructure is as follows:
>
> - Server : CentOS 7
> - Docker : 17.06.2-ce, with weaveworks net plugin
> - Keycloak : 3.3.0-Final
> - Postgre : 9.4
> - 5 Keycloak deployed as a cluster in a Docker swarm
>
> I encounter an issue with the cache when building up the cluster.
I do not > have any error while building a 2 nodes cluster, but when scaling to 5 > node, many warning like this one appear : > > WARN [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-3) > JGRP000041: bd3eeb23695b: message d8896fbba960::14 not found in > retransmission table > > When these messages begin to appear, the containers stop responding > correctly and eventualy some of them stop their instance of Keycloak. This > kind of errors has occured on various occasions: > > - When starting the services, hence the app does not even success to > start. > - A few ours after a correct start of Keycloak, even with few activity > on the nodes. > > *SYMPTOMS* > > When the app crashes I see : > > 1) Numerous logs based on the one shown above that seem to iterate (ie. the > same messages coming from a node that are not found "for ever") : > > 2018-08-22 09:59:33,346 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::15 not found in > retransmission table > 2018-08-22 09:59:33,346 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::16 not found in > retransmission table > 2018-08-22 09:59:33,346 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::17 not found in > retransmission table > 2018-08-22 09:59:33,346 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::18 not found in > retransmission table > ... 
> 2018-08-22 09:59:33,040 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::15 not found in > retransmission table > 2018-08-22 09:59:33,040 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::16 not found in > retransmission table > 2018-08-22 09:59:33,040 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::17 not found in > retransmission table > 2018-08-22 09:59:33,040 WARN > [org.jboss.as.clustering.jgroups.protocol.NAKACK2] (thread-2) > JGRP000041: bd3eeb23695b: message d8896fbba960::18 not found in > retransmission table > ... > > 2) The node from which the messaged should come that display various cache > errors : > > 2018-08-22 09:58:37,130 ERROR > [org.infinispan.interceptors.InvocationContextInterceptor] > (ServerService Thread Pool -- 61) ISPN000136: Error executing command > PutKeyValueCommand, writing keys [cluster-start-time]: > org.infinispan.util.concurrent.TimeoutException: Replication timeout > > 2018-08-22 09:58:37,149 ERROR [org.jboss.msc.service.fail] > (ServerService Thread Pool -- 61) MSC000001: Failed to start service > > jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth: > org.jboss.msc.service.StartException in service > > jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth: > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > > 2018-08-22 09:58:37,178 ERROR > [org.jboss.as.controller.management-operation] (Controller Boot > Thread) WFLYCTL0013: Operation ("add") failed - address: > ([("deployment" => "keycloak-server.war")]) - failure description: > {"WFLYCTL0080: Failed services" => > > 
{"jboss.undertow.deployment.default-server.default-host./odino-stif-keycloak-int/auth" > => "java.lang.RuntimeException: RESTEASY003325: Failed to construct > public > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to > construct public > > org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > Caused by: org.infinispan.util.concurrent.TimeoutException: > Replication timeout"}} > > 2018-08-22 09:58:37,409 WARN > [org.infinispan.topology.CacheTopologyControlCommand] (ServerService > Thread Pool -- 60) ISPN000071: Caught exception when handling command > CacheTopologyControlCommand{cache=actionTokens, type=LEAVE, > sender=d8896fbba960, joinInfo=null, topologyId=0, rebalanceId=0, > currentCH=null, pendingCH=null, availabilityMode=null, > actualMembers=null, throwable=null, viewId=3}: > java.lang.IllegalArgumentException: A cache topology's pending > consistent hash must contain all the current consistent hash's members > > Then, this node usually stops all caches and Keycloak. > > *CONFIG AND SOLUTION ATTEMPTED* > > I have unsuccessfully tried to : > > - Change timeout params on the various cache of Keycloak (in order to > give more time to stabilize the cluster) > - Change some default values for protocol NAKACK2 in Keycloak > configuration file. The aim of this was to limit trafic between nodes > and > increase number of elements in retransmission table so that messages are > not lost before all nodes received them. However, my issues are not > lessen > by those changes. > > The configuration I am currently using is the following : > > > > > > > > > > > > owners="3"/> > > > > > > > > > > > > > > > > ... > module="org.wildfly.clustering.ejb.infinispan"> > > > > > > > > > ... 
> > false > 200 > > > Hence do you have any idea why this is happing and how to update my > configuration to solve this issue? > > > -- > *Damien Douteaux* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Murad.Almomani at progressoft.com Mon Aug 27 05:03:37 2018 From: Murad.Almomani at progressoft.com (Murad Almomani) Date: Mon, 27 Aug 2018 09:03:37 +0000 Subject: [keycloak-user] Disable and Enable Super User in keycloak Message-ID: Dears, I would like to ask if i can disable or enable the super user of keycloak, if i can then i need the full steps please. Thanks. From sinsn_619 at abv.bg Mon Aug 27 06:03:38 2018 From: sinsn_619 at abv.bg (Pedro Pedro) Date: Mon, 27 Aug 2018 13:03:38 +0300 (EEST) Subject: [keycloak-user] Keycloak JS adapter iframe origin Message-ID: <2128295674.143910.1535364218574@nm82.abv.bg> We have angular app and we use nginx in a docker image to deploy it. I'm trying to pass the keycloak url to the js adapter by using a constant like this: new Keycloak(url: '/idp'); and in nginx's config I try to proxy that constant to the passed args to the docker image: location /idp { proxy_pass ${IDP_PROTOCOL}://${IDP_ADDR}/${IDP_CONTEXT_PATH}; } When the logic in checkLoginIframe tries to send cross-origin request it fails because the adapter uses our app's origin. Is there any way to be able to proxy that via nginx? If I disable checkLoginIframe can the session be tracked when expired and etc? From ravishanker1284 at gmail.com Mon Aug 27 07:01:30 2018 From: ravishanker1284 at gmail.com (MyMail1284) Date: Mon, 27 Aug 2018 16:31:30 +0530 Subject: [keycloak-user] Keycloak Auth error message Message-ID: Hi, Currently on Authentication failure of the credentials we are observing the same error message it received when the user profile status is marked as disabled and when there is no user profile exists in Key Cloak. 
Pls let me know if there is any way I can correct this with any sort of customisation? Regards, Ravi Shanker From gareth at garethwestern.com Mon Aug 27 07:13:07 2018 From: gareth at garethwestern.com (gareth at garethwestern.com) Date: Mon, 27 Aug 2018 13:13:07 +0200 Subject: [keycloak-user] User Organization / Subset of group roles Message-ID: <000001d43df6$ef5f5b00$ce1e1100$@garethwestern.com> Hi, We have a requirement that the users of our application can be associated with an Organization (one of our application's business entities). The customer would like each Organization to have one or more "roles" associated with it, so that when a user is created and associated with that organization then the user will inherit those roles. One complication is that the customer may want the user to only have a subset of the Organization roles. The current thinking is that each organization could be a group, so that users and roles can be assigned to the group, but I'm not sure how to handle the 'subset of group roles' issue. Is this something that can be accomplished with Keycloak? Kind regards, Gareth From testoauth55 at gmail.com Mon Aug 27 07:22:58 2018 From: testoauth55 at gmail.com (keycloak demo) Date: Mon, 27 Aug 2018 16:52:58 +0530 Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit In-Reply-To: References: Message-ID: I have tried 1 more thing: I have imported realm from one of the keycloak quickstarts https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet and only replaced the URLs with my application URLs. But I get the same error *if* I remove the resource containing URI as */** (resource name is : *Protected Resource*). Furthermore, if i keep this resource (/*), I am able to authorize a user but putting a debugger in client app showed that authContext Permission list contains only 1 resource i.e. Protected Resource. 
Although the user which authenticated was assigned the role contained in resource name: Premium Resource. So ideally the Permission list must have contained this resource as well. (I am mentioning the names - Protected, Premium as mentioned in the keycloak quick start). I put in /* URI in my original app and 403 stopped. But the permission array contained only this resource (with URI /*) java.util.List perms = authzContext.getPermissions(); ********To summarize the above test:********* *I get 403 error if a resource containing URI /* is not present. If a URI containing /* is present, then I get only this resource in the Permissions Array / List in the java client app even if the resource with specific URI like /app/secure contains valid role/policy/permission. Also the evaluate API available under Authorization option shows result as permit.* *Screenshots present here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api * On Mon, Aug 20, 2018 at 12:07 PM keycloak demo wrote: > Pedro, > > Yes default permissions grant access to any resource in my application > (uri == /*). But problem starts when I specify a resource with specific URI > (as described in configuration in my previous email and also here: *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api > * > ). > > Just to summarize the real problem: > > Apart from default resource having `/*`, I have a second resource having > URI: /secure/role/* and this resource also has a role based policy to > allow access to only users having role "special", the expected behavior is > the users who don't have role "special" should not be able to access this > resource, right? > > But I am able to access this resource with any user, any role. 
So I > thought that may be default resource URI with '/*' is overriding behavior > of second resource, so I changed default resource URI to '/test/*', and > then I started receiving 403 error for accessing both '/test' as well as > second resource ' /secure/role/* ' for all users including user with > "special" role assigned. > > I looked into realm resource configuration in one of the quick starts and > the only difference I found was that quick start resources specify scope in > each of resources whereas I have kept it blank. Could this be an issue. > > I understand you already spent time in trying to resolve this but problem > still persists. > > On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva > wrote: > >> >> >> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo >> wrote: >> >>> Pedro, >>> >>> After further debugging I found out that following line in keycloak json >>> is causing the issue: "policy-enforcer": {}. If I remove this line, >>> then 403 error is removed but I guess doing this disables authorization >>> altogether. 2 questions on this: >>> 1. When I have configured policies on the Admin console under the >>> authorization tab, why is this empty? >>> >> >> I'm not sure. When you enable authorization services to a client default >> resource/permissions are created. Where these permissions grant access to >> any resource in your application (uri == /*). >> >> >>> 2. Is there a way to put some default values (not manually) in here to >>> make authorization work? >>> >> >> Like I said, when you just enable the authorization services switch, >> default settings are created automatically. >> >> Did you try to run any of our quickstarts ? >> >> >> >>> >>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva >>> wrote: >>> >>>> Yeah, it should be relative. I was wondering if the correct URI >>>> would be '/keycloak/secure/role' instead. >>>> >>>> In any case, I would ask you to try the same deployment using tomcat or >>>> wildfly to see how it goes. 
We have a few quickstarts running on these two. >>>> Maybe you could also try to enable DEBUG log level to see how the policy >>>> enforcer is matching URIs to your resources. >>>> >>>> If none of them work, I can give a try and run jetty. >>>> >>>> Regards. >>>> Pedro Igor >>>> >>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo >>>> wrote: >>>> >>>>> Pedro, thanks for replying. I tried putting the absolute URI,but it >>>>> does not work either. The documentation anyway states that the URI in >>>>> resource can be relative to client root URL which I have configured to be >>>>> http://localhost:7200/{app}/keycloak , therefore putting relateve >>>>> URI '/secure/role' in resource should be equivalent to putting >>>>> absolute URI : http://localhost:7200/{app}/keycloak/secure/role'. >>>>> Do you think, there is something else I can try? >>>>> >>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> Your configuration looks correct. But I noticed that in the postman >>>>>> request you are sending requests to ` >>>>>> http://localhost:7200/{app}/keycloak/secure/role` >>>>>> . However in >>>>>> your resource definition the URI is configured to `/secure/role`. Both URIs >>>>>> should match otherwise the adapter won't be able to map the URI in your >>>>>> application to a resource in Keycloak (and related permissions). >>>>>> >>>>>> Regards. 
>>>>>> Pedro Igor >>>>>> >>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo >>>>>> wrote: >>>>>> >>>>>>> With all the configuration(shared below), when I test using the >>>>>>> evaluate >>>>>>> option under authorization tab, result is permit: >>>>>>> >>>>>>> *But when I make a request to this resource through postman, I get >>>>>>> 403.* >>>>>>> >>>>>>> *Which part of configuration is wrong which is leading to 403 error?* >>>>>>> >>>>>>> CONFIGURATION: >>>>>>> >>>>>>> >>>>>>> *Detailed configuration with images shown here:* >>>>>>> >>>>>>> * >>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>>>>>> < >>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>>>>>> >* >>>>>>> >>>>>>> *1.* Following the >>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I >>>>>>> created a >>>>>>> realm role : *role_special_user* and created a user : *user_special* >>>>>>> with >>>>>>> this role and role *user*. >>>>>>> >>>>>>> *2.* Next, my resource server / client is with *full scope enabled*: >>>>>>> *3.* Under authorization tab, I created a resource with the role >>>>>>> based >>>>>>> policy is. 
>>>>>>> >>>>>>> *4.* Now, keycloak json is: >>>>>>> >>>>>>> { >>>>>>> "realm": "demo12", >>>>>>> "auth-server-url": "http://localhost:8180/auth", >>>>>>> "ssl-required": "none", >>>>>>> "resource": "server12", >>>>>>> "credentials": { >>>>>>> "secret": "XXXXXXX" >>>>>>> }, >>>>>>> "confidential-port": 0, >>>>>>> "policy-enforcer": {}} >>>>>>> >>>>>>> *5.* And Keycloak Jetty adapter configuration is: >>>>>>> >>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH; >>>>>>> InputStream is = >>>>>>> >>>>>>> Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);AdapterConfig >>>>>>> keyCloakConfig;ObjectMapper mapper = new ObjectMapper(new >>>>>>> SystemPropertiesJsonParserFactory()); >>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT); >>>>>>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class); >>>>>>> KeycloakJettyAuthenticator kcAuthenticator = >>>>>>> KeyCloakConfig;if(kcAuthenticator != null) { >>>>>>> ConstraintSecurityHandler securityHandler = new >>>>>>> ConstraintSecurityHandler(); >>>>>>> ConstraintMapping constraintMapping = new ConstraintMapping(); >>>>>>> constraintMapping.setPathSpec("/*"); >>>>>>> Constraint constraint = new Constraint(); >>>>>>> constraint.setAuthenticate(true); >>>>>>> constraint.setRoles(new String[]{"**"}); >>>>>>> constraintMapping.setConstraint(constraint); >>>>>>> securityHandler.addConstraintMapping(constraintMapping); >>>>>>> securityHandler.setAuthenticator(kcAuthenticator); >>>>>>> context.setSecurityHandler(securityHandler);} >>>>>>> >>>>>>> *6.* Also, the decoded jwt token sample is: >>>>>>> >>>>>>> { >>>>>>> "jti": "XXXXXXX", >>>>>>> "exp": 1533798704, >>>>>>> "nbf": 0, >>>>>>> "iat": 1533798404, >>>>>>> "iss": "http://localhost:8180/auth/realms/demo12", >>>>>>> "aud": "server12", >>>>>>> "sub": "XXXXXXX", >>>>>>> "typ": "Bearer", >>>>>>> "azp": "server12", >>>>>>> "auth_time": 1533798404, >>>>>>> "session_state": "XXXXXX", >>>>>>> "acr": "1", >>>>>>> 
"allowed-origins": [], >>>>>>> "realm_access": { >>>>>>> "roles": [ >>>>>>> "role_special_user", >>>>>>> "offline_access", >>>>>>> "uma_authorization", >>>>>>> "user" >>>>>>> ] >>>>>>> }, >>>>>>> "resource_access": { >>>>>>> "server12": { >>>>>>> "roles": [ >>>>>>> "uma_protection" >>>>>>> ] >>>>>>> }, >>>>>>> "account": { >>>>>>> "roles": [ >>>>>>> "manage-account", >>>>>>> "manage-account-links", >>>>>>> "view-profile" >>>>>>> ] >>>>>>> } >>>>>>> }, >>>>>>> "scope": "openid email profile", >>>>>>> "email_verified": false, >>>>>>> "preferred_username": "user_special"} >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> > From andreas.lau at outlook.com Mon Aug 27 09:00:58 2018 From: andreas.lau at outlook.com (Andreas Lau) Date: Mon, 27 Aug 2018 13:00:58 +0000 Subject: [keycloak-user] Extend account registration In-Reply-To: References: Message-ID: How can I extend the user registration to do some validation in first place - run custom code - so that if validation can not be detected, registration is canceled? Is it possible with the standard registration formular or should I use the API instead? From Murad.Almomani at progressoft.com Mon Aug 27 09:39:31 2018 From: Murad.Almomani at progressoft.com (Murad Almomani) Date: Mon, 27 Aug 2018 13:39:31 +0000 Subject: [keycloak-user] Maker checker on creating or users Message-ID: Dears, I would like to implement Maker checker on creation of users on the keycloak, how to make admin with role of creation and other admin with permession of approval for the creation request, Thanks. 
From psilva at redhat.com Mon Aug 27 09:52:33 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 27 Aug 2018 10:52:33 -0300
Subject: [keycloak-user] Managing resource access
In-Reply-To:
References:
Message-ID:

Hi Eirik,

We did have an issue on caching which is fixed in upstream master and will be there in the next release.

However, there is something in your "IsAreaAdmin" policy that might not work as expected. When evaluating a policy, Keycloak is actually running the evaluation for the resource and all requested scopes. That is why you may see a different result when checking permissions for a specific scope. If you don't specify a scope, the evaluation will be based on any scope associated with the resource.

Your JS policy should have something like this to be able to be reused to evaluate multiple scopes regardless of resources:

```js
var context = $evaluation.getContext();
var client = $evaluation.authorizationProvider.realm.getClientById($evaluation.permission.resourceServer.id).clientId;
var permission = $evaluation.permission;
var granted = new Array();
var identity = context.getIdentity();

for (var i = 0; i < permission.scopes.length; i++) {
    var scope = permission.scopes[i];
    if (identity.hasClientRole(client, scope.name)) {
        granted.push(scope);
    }
}

if (granted.length > 0) {
    $evaluation.grant();
    permission.scopes.clear();
    permission.scopes.addAll(granted);
}
```

Note that from JS policies you are free to process requested permissions (permission.scopes); the code above is basically removing any scope that shouldn't be granted.

On Sat, Aug 25, 2018 at 6:59 AM, Eirik L. Wang wrote:
> Hi,
>
> We have a customer support portal where we are trying to use Keycloak for managing resources.
>
> As part of our portal we want to be able to show admins who has access to a given resource. Is it possible to get this information from the authorization api's?
> I'm mostly using RBAC, so our backup plan is just showing this information > based on role membership. But it would be nice to be able to show > calculated access, as there might be some special rules for some resources. > > Also, area you able to explain some curious behavior to me? It might be > that I'm not fully aware on how the evaluation of permissions is happening: > > This is what I have drilled it down to: > Say I have 2 resorces > area_1 > area_2 > each with scopes > area_1:read > area_2:read > area_1:write > area_2:write > > I have two policies: > IsAdmin policy that checks for a client admin role > IsAreaAdmin - a generic js policy which tries to check for a role > corresponding with the scope accessed > eg: check if user is member of area_1:write client role > > Js-code: > var context = $evaluation.getContext(); > var id = $evaluation.permission.resourceServer.id; > var client = > $evaluation.authorizationProvider.realm.getClientById(id).clientId; > var scope = $evaluation.permission.scopes[0].name; > var identity = context.getIdentity(); > logger.warn("evaluating " + scope) > logger.warn("evaluating " + identity.hasClientRole(client, scope)) > if(identity.hasClientRole(client, scope)){ > $evaluation.grant(); > } > > > Then I have scope based permissions (one for each scope) Affirmate with > both scopes. > So either you are admin, or you have a role corresponding with the scope. > > Testing this: > > User1 is member of area1:read client role > > When evaluating user with only area1:read scope - access is granted > When evaluating user with any resource, any scope - access is denied > > Debugging, it seems like only one of the scopes are tested through the > policy for each resource. > Is this expected behavior? Or is there a caching bug somewhere? 
>
>
> Regards
> Eirik Wang
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From r.goyard at groupeonepoint.com Mon Aug 27 09:56:01 2018
From: r.goyard at groupeonepoint.com (Rémi GOYARD)
Date: Mon, 27 Aug 2018 13:56:01 +0000
Subject: [keycloak-user] How To Configure SAML2 for Workplace By Facebook
Message-ID:

Hi everyone,

I'm trying to configure a SAML client for my Realm to enable SSO authentication in Workplace By Facebook.

Facebook asks for the following:
URL SAML -> I use the URL of the client auth

Rémi Goyard
Communauté Sud-Ouest
M +33 6 46 69 15 76
28 avenue Léonard de Vinci 33600 Pessac. France
T +335 57 26 37 37
www.groupeonepoint.com
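Pedro's reply to Eirik above turns on one detail: Keycloak runs a JS policy once per resource with every requested scope, so a policy that only looks at scopes[0] gives a different answer than one that walks all scopes. The following is an added example, not code from the thread or from Keycloak. It models only the pieces of $evaluation that the two policy bodies touch (the permission with its scopes, the identity's client roles and grant()), with a constructed identity holding just the area_1:read client role, and runs both policies against the same request. The object shapes, the client id "support-portal" and the scope order are assumptions for the demo; the real client id would come from authorizationProvider.realm.getClientById(...).clientId, and real policies run inside Keycloak's script engine against Java objects.

```javascript
'use strict';

// Added example, not code from the thread or from Keycloak. It models only the pieces of
// $evaluation that the two policies touch, so both can be run offline on the same request.
// Object shapes, the client id and the scope order are assumptions for the demo.

// Constructed identity: client roles keyed by client id, e.g. { "support-portal": ["area_1:read"] }.
function makeIdentity(clientRoles) {
  return {
    hasClientRole(clientId, roleName) {
      return (clientRoles[clientId] || []).includes(roleName);
    },
  };
}

// Constructed $evaluation stand-in: one resource plus every scope Keycloak is asking about.
// In a real policy the client id comes from
// $evaluation.authorizationProvider.realm.getClientById(permission.resourceServer.id).clientId;
// here it is passed in directly.
function makeEvaluation(identity, clientId, resourceName, scopeNames) {
  const evaluation = {
    granted: false,
    clientId,
    permission: {
      resource: { name: resourceName },
      // Keycloak hands the policy a Java List of Scope objects; a plain array stands in for it.
      scopes: scopeNames.map((name) => ({ name })),
    },
    getContext() {
      return { getIdentity: () => identity };
    },
    grant() {
      evaluation.granted = true;
    },
  };
  return evaluation;
}

// Port of the original IsAreaAdmin policy from the thread: only the first requested scope is
// tested, so the decision depends on which scope happens to come first.
function firstScopeOnlyPolicy($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  const scope = $evaluation.permission.scopes[0].name;
  if (identity.hasClientRole($evaluation.clientId, scope)) {
    $evaluation.grant();
  }
}

// Port of the per-scope policy from the reply: grant if any scope matches a client role of the
// same name, then trim the permission down to the scopes that actually matched.
function perScopePolicy($evaluation) {
  const identity = $evaluation.getContext().getIdentity();
  const permission = $evaluation.permission;
  const granted = permission.scopes.filter((scope) =>
    identity.hasClientRole($evaluation.clientId, scope.name));
  if (granted.length > 0) {
    $evaluation.grant();
    // Same effect as permission.scopes.clear(); permission.scopes.addAll(granted) on the Java list.
    permission.scopes.splice(0, permission.scopes.length, ...granted);
  }
}

// Run one policy the way Keycloak does: once per resource, with all requested scopes at once.
// Returns the decision and the scopes left on the permission afterwards.
function evaluate(policy, identity, clientId, resourceName, scopeNames) {
  const $evaluation = makeEvaluation(identity, clientId, resourceName, scopeNames);
  policy($evaluation);
  return {
    granted: $evaluation.granted,
    scopes: $evaluation.permission.scopes.map((s) => s.name),
  };
}

// Constructed scenario from the thread: user1 holds only the area_1:read client role.
const CLIENT = 'support-portal';
const user1 = makeIdentity({ [CLIENT]: ['area_1:read'] });

function demo() {
  return {
    // "only area_1:read scope": the first scope is the one the user holds, so it is granted
    readOnlyFirst: evaluate(firstScopeOnlyPolicy, user1, CLIENT, 'area_1', ['area_1:read']),
    // "any scope": every scope of area_1 is requested; if :write comes first, scopes[0] misses
    anyScopeFirst: evaluate(firstScopeOnlyPolicy, user1, CLIENT, 'area_1', ['area_1:write', 'area_1:read']),
    // same request through the per-scope policy: granted, with only area_1:read kept
    anyScopePerScope: evaluate(perScopePolicy, user1, CLIENT, 'area_1', ['area_1:write', 'area_1:read']),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node. The first result matches what Eirik saw when evaluating only area_1:read. The second and third show the difference Pedro describes: with both scopes of area_1 requested at once, the scopes[0] policy denies whenever area_1:write is first in the list, while the per-scope policy grants and leaves only area_1:read on the permission, which is the part the "any scope" evaluation then reports.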
From psilva at redhat.com Mon Aug 27 10:00:49 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 27 Aug 2018 11:00:49 -0300
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To: References: Message-ID:

Hi,

Thanks for continuing looking at this. Let's do this, I'll do the same steps using Jetty to reproduce the issue, will let you know during this week once I have something to share.

Another weird thing is that the example actually should return all permissions and make them available after the login. Will check how this is working with Jetty too. The tests we have in the quickstarts are wildfly based ....

On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo wrote:
> I have tried 1 more thing: I have imported realm from one of the keycloak
> quickstarts https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet
> and only replaced the URLs with my application URLs.
>
> But I get the same error *if* I remove the resource containing URI as */**
> (resource name is : *Protected Resource*). Furthermore, if I keep this
> resource (/*), I am able to authorize a user but putting a debugger in
> client app showed that authContext Permission list contains only 1 resource
> i.e. Protected Resource. Although the user which authenticated was assigned
> the role contained in resource name: Premium Resource. So ideally the
> Permission list must have contained this resource as well. (I am
> mentioning the names - Protected, Premium as mentioned in the keycloak
> quick start). I put in /* URI in my original app and 403 stopped.
But the > permission array contained only this resource (with URI /*) > > java.util.List perms = authzContext.getPermissions(); > > ********To summarize the above test:********* > *I get 403 error if a resource containing URI /* is not present. If a URI > containing /* is present, then I get only this resource in the Permissions > Array / List in the java client app even if the resource with specific URI > like /app/secure contains valid role/policy/permission. Also the evaluate > API available under Authorization option shows result as permit.* > > *Screenshots present > here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api > * > > > On Mon, Aug 20, 2018 at 12:07 PM keycloak demo > wrote: > >> Pedro, >> >> Yes default permissions grant access to any resource in my application >> (uri == /*). But problem starts when I specify a resource with specific URI >> (as described in configuration in my previous email and also here: *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >> * >> ). >> >> Just to summarize the real problem: >> >> Apart from default resource having `/*`, I have a second resource having >> URI: /secure/role/* and this resource also has a role based policy to >> allow access to only users having role "special", the expected behavior is >> the users who don't have role "special" should not be able to access this >> resource, right? >> >> But I am able to access this resource with any user, any role. So I >> thought that may be default resource URI with '/*' is overriding behavior >> of second resource, so I changed default resource URI to '/test/*', and >> then I started receiving 403 error for accessing both '/test' as well as >> second resource ' /secure/role/* ' for all users including user with >> "special" role assigned. 
>> >> I looked into realm resource configuration in one of the quick starts and >> the only difference I found was that quick start resources specify scope in >> each of resources whereas I have kept it blank. Could this be an issue. >> >> I understand you already spent time in trying to resolve this but problem >> still persists. >> >> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva >> wrote: >> >>> >>> >>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo >>> wrote: >>> >>>> Pedro, >>>> >>>> After further debugging I found out that following line in keycloak >>>> json is causing the issue: "policy-enforcer": {}. If I remove this >>>> line, then 403 error is removed but I guess doing this disables >>>> authorization altogether. 2 questions on this: >>>> 1. When I have configured policies on the Admin console under the >>>> authorization tab, why is this empty? >>>> >>> >>> I'm not sure. When you enable authorization services to a client default >>> resource/permissions are created. Where these permissions grant access to >>> any resource in your application (uri == /*). >>> >>> >>>> 2. Is there a way to put some default values (not manually) in here to >>>> make authorization work? >>>> >>> >>> Like I said, when you just enable the authorization services switch, >>> default settings are created automatically. >>> >>> Did you try to run any of our quickstarts ? >>> >>> >>> >>>> >>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> Yeah, it should be relative. I was wondering if the correct URI >>>>> would be '/keycloak/secure/role' instead. >>>>> >>>>> In any case, I would ask you to try the same deployment using tomcat >>>>> or wildfly to see how it goes. We have a few quickstarts running on these >>>>> two. Maybe you could also try to enable DEBUG log level to see how the >>>>> policy enforcer is matching URIs to your resources. >>>>> >>>>> If none of them work, I can give a try and run jetty. >>>>> >>>>> Regards. 
>>>>> Pedro Igor >>>>> >>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo >>>> > wrote: >>>>> >>>>>> Pedro, thanks for replying. I tried putting the absolute URI,but it >>>>>> does not work either. The documentation anyway states that the URI in >>>>>> resource can be relative to client root URL which I have configured to be >>>>>> http://localhost:7200/{app}/keycloak , therefore putting relateve >>>>>> URI '/secure/role' in resource should be equivalent to putting >>>>>> absolute URI : http://localhost:7200/{app}/keycloak/secure/role'. >>>>>> Do you think, there is something else I can try? >>>>>> >>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva >>>>>> wrote: >>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> Your configuration looks correct. But I noticed that in the postman >>>>>>> request you are sending requests to `http://localhost:7200/{app}/ >>>>>>> keycloak/secure/role` >>>>>>> . However in >>>>>>> your resource definition the URI is configured to `/secure/role`. Both URIs >>>>>>> should match otherwise the adapter won't be able to map the URI in your >>>>>>> application to a resource in Keycloak (and related permissions). >>>>>>> >>>>>>> Regards. 
>>>>>>> Pedro Igor >>>>>>> >>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo >>>>>> > wrote: >>>>>>> >>>>>>>> With all the configuration(shared below), when I test using the >>>>>>>> evaluate >>>>>>>> option under authorization tab, result is permit: >>>>>>>> >>>>>>>> *But when I make a request to this resource through postman, I get >>>>>>>> 403.* >>>>>>>> >>>>>>>> *Which part of configuration is wrong which is leading to 403 >>>>>>>> error?* >>>>>>>> >>>>>>>> CONFIGURATION: >>>>>>>> >>>>>>>> >>>>>>>> *Detailed configuration with images shown here:* >>>>>>>> >>>>>>>> *https://stackoverflow.com/questions/51761779/keycloak- >>>>>>>> 403-forbidden-error-while-accessing-rest-resource-where- >>>>>>>> as-evaluate-api >>>>>>>> >>>>>>> 403-forbidden-error-while-accessing-rest-resource-where- >>>>>>>> as-evaluate-api>* >>>>>>>> >>>>>>>> *1.* Following the >>>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I >>>>>>>> created a >>>>>>>> realm role : *role_special_user* and created a user : >>>>>>>> *user_special* with >>>>>>>> this role and role *user*. >>>>>>>> >>>>>>>> *2.* Next, my resource server / client is with *full scope enabled*: >>>>>>>> *3.* Under authorization tab, I created a resource with the role >>>>>>>> based >>>>>>>> policy is. >>>>>>>> >>>>>>>> *4.* Now, keycloak json is: >>>>>>>> >>>>>>>> { >>>>>>>> "realm": "demo12", >>>>>>>> "auth-server-url": "http://localhost:8180/auth", >>>>>>>> "ssl-required": "none", >>>>>>>> "resource": "server12", >>>>>>>> "credentials": { >>>>>>>> "secret": "XXXXXXX" >>>>>>>> }, >>>>>>>> "confidential-port": 0, >>>>>>>> "policy-enforcer": {}} >>>>>>>> >>>>>>>> *5.* And Keycloak Jetty adapter configuration is: >>>>>>>> >>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH; >>>>>>>> InputStream is = >>>>>>>> Thread.currentThread().getContextClassLoader(). 
>>>>>>>> getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>> AdapterConfig keyCloakConfig;
>>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = KeyCloakConfig;
>>>>>>>> if(kcAuthenticator != null) {
>>>>>>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>     constraintMapping.setPathSpec("/*");
>>>>>>>>     Constraint constraint = new Constraint();
>>>>>>>>     constraint.setAuthenticate(true);
>>>>>>>>     constraint.setRoles(new String[]{"**"});
>>>>>>>>     constraintMapping.setConstraint(constraint);
>>>>>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>     context.setSecurityHandler(securityHandler);
>>>>>>>> }
>>>>>>>>
>>>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>>>
>>>>>>>> {
>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>   "exp": 1533798704,
>>>>>>>>   "nbf": 0,
>>>>>>>>   "iat": 1533798404,
>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>   "aud": "server12",
>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>   "typ": "Bearer",
>>>>>>>>   "azp": "server12",
>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>   "acr": "1",
>>>>>>>>   "allowed-origins": [],
>>>>>>>>   "realm_access": {
>>>>>>>>     "roles": [
>>>>>>>>       "role_special_user",
>>>>>>>>       "offline_access",
>>>>>>>>       "uma_authorization",
>>>>>>>>       "user"
>>>>>>>>     ]
>>>>>>>>   },
>>>>>>>>   "resource_access": {
>>>>>>>>     "server12": {
>>>>>>>>       "roles": [
>>>>>>>>         "uma_protection"
>>>>>>>>       ]
>>>>>>>>     },
>>>>>>>>     "account": {
>>>>>>>>       "roles": [
>>>>>>>>         "manage-account",
>>>>>>>>         "manage-account-links",
>>>>>>>>         "view-profile"
>>>>>>>>       ]
>>>>>>>>     }
>>>>>>>>   },
>>>>>>>>   "scope": "openid email profile",
>>>>>>>>   "email_verified": false,
>>>>>>>>   "preferred_username": "user_special"
>>>>>>>> }
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From r.goyard at groupeonepoint.com Mon Aug 27 10:04:45 2018
From: r.goyard at groupeonepoint.com (Rémi GOYARD)
Date: Mon, 27 Aug 2018 14:04:45 +0000
Subject: [keycloak-user] Keycloak & SAML & Workplace By Facebook
Message-ID:

Hi everyone,

I'm trying to configure a SAML client for my Realm to enable SSO authentication in Workplace By Facebook.

Facebook asks for the following:
URL SAML -> I use the URL of the client auth
URI SAML emitter => I use the same as above
Certificate : I get the certificate from client / SAML Keys

Facebook gives me:
Audience URL (I don't know where to use it)
URL SAML : This is the web root (Master SAML Processing URL)
URL ACS : (Assertion Consumer Service POST Binding URL)

When, in Workplace, I click on Test SSO, it opens a popup, asks me to login, then redirects to an error "SSO Unauthenticated" (SAML response is not valid). I don't know why and do not have more information.

Has anyone had the same problem? Any ideas? Or even tried to configure Workplace and Keycloak working together?

Regards
Rémi

From r.goyard at groupeonepoint.com Mon Aug 27 10:09:31 2018
From: r.goyard at groupeonepoint.com (Rémi GOYARD)
Date: Mon, 27 Aug 2018 14:09:31 +0000
Subject: [keycloak-user] How To Configure SAML2 for Workplace By Facebook
In-Reply-To: References: Message-ID:

Sorry, the message was sent before it was finished. I'll write another one ...

From ntle at castortech.com Mon Aug 27 14:52:20 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 27 Aug 2018 14:52:20 -0400
Subject: [keycloak-user] cxf filter
Message-ID:

Hello,

I have a web app and a REST API running inside an OSGI environment.
The web app has some servlets registered with the web container (jetty) as OSGI whiteboard services. All of these servlets are configured to be protected (authentication required) by the keycloak servlet filter.

Dictionary<String, Object> props = new Hashtable<>();
props.put("alias", "/whiteboard");
servletReg = context.registerService(Servlet.class, new WhiteboardServlet("/test"), props);

Dictionary<String, Object> filterProps = new Hashtable<>();
String[] urls = { "/*" }; //$NON-NLS-1$
filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME, "keycloakFilter");
filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN, urls);
keycloakFilter = context.registerService(Filter.class, new KeycloakOIDCFilter(), filterProps);

The REST api is hosted by aries-jax-rs-whiteboard.

@Component(
    immediate = true,
    property = JAX_RS_APPLICATION_BASE + "=/rest",
    service = Application.class
)
@Path("/common")
public final class RestAPI extends Application {
    public static final Response EMPTY_RESPONSE = Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();

    @Override
    public Set<Object> getSingletons() {
        return Collections.singleton(this);
    }

    @GET
    @Path("/getObject")
    @Produces(MediaType.APPLICATION_JSON)
    public String getObject() {
        return "Rest call"; //$NON-NLS-1$
    }
}

The web app has some JS code executed in the user's browser that makes an ajax call to the REST service above. Since this call happens after the user has been authenticated with keycloak and originates from the same browser session, I assume the ajax request also contains KeycloakSecurityContext. Thus this call should be allowed to reach the REST service. What I want is to register a filter (ContainerRequestFilter) to deny access to the REST service if the user has not been authenticated.

Is there an existing implementation of ContainerRequestFilter by keycloak that can do this?
Thai

From dt at acutus.pro Mon Aug 27 17:59:35 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 28 Aug 2018 00:59:35 +0300
Subject: [keycloak-user] cxf filter
In-Reply-To: References: Message-ID: <1535407175.4014.3.camel@acutus.pro>

Hello Thai,

Seems like you've been watching the OSGification PR attentively :) I'm sorry we didn't make it for Keycloak 4.3.0. Should get included in 4.4.0, hopefully.

Just in case anyone else is interested:

PR for Keycloak OIDC servlet filter adapter OSGification
https://github.com/keycloak/keycloak/pull/5383

PR for the docs
https://github.com/keycloak/keycloak-documentation/pull/453

Built docs:
https://keycloak-docs.github.io/deploy-docs-pullrequest/PR/453/securing_apps/index.html#using-on-osgi

As for your question, could you please elaborate? What are you trying to achieve?

For REST services, you should normally use bearer token authorization. In this mode, the adapter would expect a valid token in the "Authorization: Bearer XXX" HTTP header, otherwise it would return HTTP 401. Is this what you're after?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-08-27 at 14:52 -0400, Nhut Thai Le wrote:
> Hello,
>
> I have a web app and a REST API running inside an OSGI environment.
>
> The web app has some servlets registered with the web container (jetty) as
> OSGI whiteboard services. All of these servlets are configured to be
> protected (authentication required) by keycloak servlet filter.
>
> Dictionary props;
> props = new Hashtable<>();
> props.put("alias", "/whiteboard");
> servletReg = context.registerService(Servlet.class, new
> WhiteboardServlet("/test"), props);
>
> Dictionary filterProps = new Hashtable();
> String[] urls = { "/*" }; //$NON-NLS-1$
> filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME,
> "keycloakFilter");
> filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN,
> urls);
> keycloakFilter = context.registerService(Filter.class, new
> KeycloakOIDCFilter(), filterProps);
>
> The REST api is hosted by aries-jax-rs-whiteboard.
> @Component(
>     immediate = true,
>     property = JAX_RS_APPLICATION_BASE + "=/rest",
>     service = Application.class
> )
> @Path("/common")
> public final class RestAPI extends Application {
>     public static final Response EMPTY_RESPONSE =
>         Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();
>     @Override
>     public Set getSingletons() {
>         return Collections.singleton(this);
>     }
>
>     @GET
>     @Path("/getObject")
>     @Produces(MediaType.APPLICATION_JSON)
>     public String getObject() {
>         return "Rest call"; //$NON-NLS-1$
>     }
> }
>
> The web app has some JS code executed on user browser that make an ajax
> call to the REST service above. Since this call happen after user has been
> authenticated with keycloak and originate from the same browser session, I
> assume the ajax request also contains KeycloakSecurityContext. Thus this
> call should be allowed to reach the REST service. What I want is to
> register a filter (ContainerRequestFilter) to deny access to the REST
> service if user has not been authenticated.
> Is there an existing implementation of ContainerRequestFilter by keycloak
> that can do this?
>
>
> Thai
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Aug 27 19:20:39 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 28 Aug 2018 02:20:39 +0300
Subject: [keycloak-user] Access to EntityManager/KeycloakSession from a MessageDrivenBean inside Keycloak
In-Reply-To: References: Message-ID: <1535412039.4014.5.camel@acutus.pro>

Hello Edwin,

Keycloak does support stateful EJBs as extensions:
https://www.keycloak.org/docs/latest/server_development/index.html#leveraging-java-ee

These EJBs are able to obtain an EntityManager as follows, without specifying unitName:

@PersistenceContext
protected EntityManager em;

Could you try the same in your MDB? If that doesn't work, I think you could create a dummy stateful EJB whose sole purpose would be to propagate EntityManager, KeycloakSession etc. to your MDB (via e.g. JNDI).

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sun, 2018-08-26 at 16:19 +0200, Edwin Steiner wrote:
> Hello All
>
> We would like to extend our Keycloak instance with a MessageDrivenBean for user synchronization. Inside the MessageDrivenBean we need access to the EntityManager for storing the imported users in the database.
>
> @MessageDriven(name = "ImportUserMessageHandler", activationConfig = {
>         @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
>         @ActivationConfigProperty(propertyName = "destination", propertyValue = "ImportQueue"),
>         @ActivationConfigProperty(propertyName = "acknowledgeMode", propertyValue = "Auto-acknowledge") })
> @ApplicationScoped
> public class ImportUserMessageHandler extends AbstractMessageDrivenBean {
>
>     @PersistenceContext(unitName="keycloak-default")
>     private EntityManager entityManager;
>
> }
>
> But the above code results in the following error message:
>
> Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: WFLYEE0041: Component class com.inventage.iam.import.ImportUserMessageHandler for component ImportUserMessageHandler has errors:
> WFLYJPA0033: Can't find a persistence unit named keycloak-default in deployment "keycloak-spi.jar"
> at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor$1.handle(ModuleJndiBindingProcessor.java:157)
> at org.jboss.as.ee.component.ClassDescriptionTraversal.run(ClassDescriptionTraversal.java:54)
> at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor.processClassConfigurations(ModuleJndiBindingProcessor.java:186)
> at org.jboss.as.ee.component.deployers.ModuleJndiBindingProcessor.deploy(ModuleJndiBindingProcessor.java:143)
> at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:165)
> ... 5 more
>
> Normally the EntityManager is gotten via keycloakSession.getProvider(JpaConnectionProvider.class).getEntityManager(), but in the MessageDrivenBean we have no access to a KeycloakSession instance.
>
> Is there another way to get the EntityManager? Or can we somehow get a KeycloakSession instance inside the MessageDrivenBean?
>
> Thanks
> Edwin
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hcsgzh at gmail.com Mon Aug 27 21:14:29 2018
From: hcsgzh at gmail.com (hugh shangguan)
Date: Tue, 28 Aug 2018 13:14:29 +1200
Subject: [keycloak-user] Mutual SSL between keycloak and Postgresql
Message-ID:

Hi there,

I was interested in Keycloak work on SSL client certs for JDBC to connect PostgreSQL. I hope someone can give me some help, because I've been banging my head against this all day.

First of all, I should mention that my client cert authentication is working fine with psql in both 1-way and 2-way (mutual ssl authentication) ssl authentication. So I am satisfied with the certs and keys.

There are two servers, one is the keycloak server, another is the postgresql server.

postgresql.crt
postgresql.key / postgresql.pk8
root.crt

Those files are located in ${user.home}/.postgresql/ in my postgresql server.

In my PostgreSQL server, if I configure like this:

hostssl all all 0.0.0.0/0 md5

It is fine. My keycloak server will connect with my postgresql server very well.

However when I configure like this:

hostssl all all 0.0.0.0/0 md5 clientcert=1

The connection will fail. The log is below.

Caused by: java.lang.RuntimeException: Failed to connect to database
Caused by: java.sql.SQLException: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/KeycloakDS
Caused by: javax.resource.ResourceException: IJ031084: Unable to create connection
Caused by: org.postgresql.util.PSQLException: FATAL: connection requires a valid client certificate"}}

*"connection requires a valid client certificate".*

I don't know how to config the client certificate in keycloak (standalone.xml).
In the meantime, I still can use 'psql' to connect to my postgresql server from my keycloak server.

Questions:
1. Does keycloak support mutual authentication in ssl, when I try to connect postgresql by 2-way authentication? (I guess so. This should be JDBC's problem. But I am not sure. And I tried the instructions from the Postgresql JDBC Driver Doc, https://jdbc.postgresql.org/documentation/head/ssl-client.html. It still doesn't work.)
2. Could someone help me out, please?

Thank you for your time!
Cheers!
--
Hugh Zhaohui Shangguan

From testoauth55 at gmail.com Tue Aug 28 01:37:58 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Tue, 28 Aug 2018 11:07:58 +0530
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To: References: Message-ID:

Thanks Pedro for the update. Just to add details to my previous mail:

From the sample app / quickstart app-authz-jee-servlet: I use the *jdoe* user to login which has premium permissions, but when I debug, I get only the Protected resource in the permission list:

*Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]}*

The only change I have done in the realm imported from the sample is replacing the root & base URL in the client: http://localhost:8080/authz-servlet with http://localhost:7200/myapp, and the premium resource URI: /protected/premium/* with /secure/role/*

(The URL I am accessing with the above config and user jdoe on my client app is: http://localhost:7200/myapp/secure/role)

Could this be an issue, that in my case my client app is running on a different port (as it is outside the wildfly server that is running keycloak)?

On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva wrote:
> Hi,
>
> Thanks for continuing looking at this. Let's do this, I'll do the same
> steps using Jetty to reproduce the issue, will let you know during this
> week once I have something to share.
> > Another weird thing is that the example actually should return all > permissions and make them available after the login. Will check how this is > working with Jetty too. The tests we have in the quickstarts are > wildfly based .... > > On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo > wrote: > >> I have tried 1 more thing: I have imported realm from one of the keycloak >> quickstarts >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet and >> only replaced the URLs with my application URLs. >> >> But I get the same error *if* I remove the resource containing URI as >> */** (resource name is : *Protected Resource*). Furthermore, if i keep >> this resource (/*), I am able to authorize a user but putting a debugger in >> client app showed that authContext Permission list contains only 1 resource >> i.e. Protected Resource. Although the user which authenticated was assigned >> the role contained in resource name: Premium Resource. So ideally the >> Permission list must have contained this resource as well. (I am >> mentioning the names - Protected, Premium as mentioned in the keycloak >> quick start). I put in /* URI in my original app and 403 stopped. But the >> permission array contained only this resource (with URI /*) >> >> java.util.List perms = authzContext.getPermissions(); >> >> ********To summarize the above test:********* >> *I get 403 error if a resource containing URI /* is not present. If a URI >> containing /* is present, then I get only this resource in the Permissions >> Array / List in the java client app even if the resource with specific URI >> like /app/secure contains valid role/policy/permission. 
Also the evaluate >> API available under Authorization option shows result as permit.* >> >> *Screenshots present >> here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >> * >> >> >> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo >> wrote: >> >>> Pedro, >>> >>> Yes default permissions grant access to any resource in my application >>> (uri == /*). But problem starts when I specify a resource with specific URI >>> (as described in configuration in my previous email and also here: *https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>> * >>> ). >>> >>> Just to summarize the real problem: >>> >>> Apart from default resource having `/*`, I have a second resource having >>> URI: /secure/role/* and this resource also has a role based policy >>> to allow access to only users having role "special", the expected behavior >>> is the users who don't have role "special" should not be able to access >>> this resource, right? >>> >>> But I am able to access this resource with any user, any role. So I >>> thought that may be default resource URI with '/*' is overriding behavior >>> of second resource, so I changed default resource URI to '/test/*', and >>> then I started receiving 403 error for accessing both '/test' as well as >>> second resource ' /secure/role/* ' for all users including user with >>> "special" role assigned. >>> >>> I looked into realm resource configuration in one of the quick starts >>> and the only difference I found was that quick start resources specify >>> scope in each of resources whereas I have kept it blank. Could this be an >>> issue. >>> >>> I understand you already spent time in trying to resolve this but >>> problem still persists. 
>>> >>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva >>> wrote: >>> >>>> >>>> >>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo >>>> wrote: >>>> >>>>> Pedro, >>>>> >>>>> After further debugging I found out that following line in keycloak >>>>> json is causing the issue: "policy-enforcer": {}. If I remove this >>>>> line, then 403 error is removed but I guess doing this disables >>>>> authorization altogether. 2 questions on this: >>>>> 1. When I have configured policies on the Admin console under the >>>>> authorization tab, why is this empty? >>>>> >>>> >>>> I'm not sure. When you enable authorization services to a client >>>> default resource/permissions are created. Where these permissions grant >>>> access to any resource in your application (uri == /*). >>>> >>>> >>>>> 2. Is there a way to put some default values (not manually) in here to >>>>> make authorization work? >>>>> >>>> >>>> Like I said, when you just enable the authorization services switch, >>>> default settings are created automatically. >>>> >>>> Did you try to run any of our quickstarts ? >>>> >>>> >>>> >>>>> >>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> Yeah, it should be relative. I was wondering if the correct URI >>>>>> would be '/keycloak/secure/role' instead. >>>>>> >>>>>> In any case, I would ask you to try the same deployment using tomcat >>>>>> or wildfly to see how it goes. We have a few quickstarts running on these >>>>>> two. Maybe you could also try to enable DEBUG log level to see how the >>>>>> policy enforcer is matching URIs to your resources. >>>>>> >>>>>> If none of them work, I can give a try and run jetty. >>>>>> >>>>>> Regards. >>>>>> Pedro Igor >>>>>> >>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo < >>>>>> testoauth55 at gmail.com> wrote: >>>>>> >>>>>>> Pedro, thanks for replying. I tried putting the absolute URI,but it >>>>>>> does not work either. 
The documentation anyway states that the URI in >>>>>>> resource can be relative to client root URL which I have configured to be >>>>>>> http://localhost:7200/{app}/keycloak , therefore putting relateve >>>>>>> URI '/secure/role' in resource should be equivalent to putting >>>>>>> absolute URI : http://localhost:7200/{app}/keycloak/secure/role'. >>>>>>> Do you think, there is something else I can try? >>>>>>> >>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva >>>>>>> wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> Your configuration looks correct. But I noticed that in the postman >>>>>>>> request you are sending requests to ` >>>>>>>> http://localhost:7200/{app}/keycloak/secure/role` >>>>>>>> . However in >>>>>>>> your resource definition the URI is configured to `/secure/role`. Both URIs >>>>>>>> should match otherwise the adapter won't be able to map the URI in your >>>>>>>> application to a resource in Keycloak (and related permissions). >>>>>>>> >>>>>>>> Regards. >>>>>>>> Pedro Igor >>>>>>>> >>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo < >>>>>>>> testoauth55 at gmail.com> wrote: >>>>>>>> >>>>>>>>> With all the configuration(shared below), when I test using the >>>>>>>>> evaluate >>>>>>>>> option under authorization tab, result is permit: >>>>>>>>> >>>>>>>>> *But when I make a request to this resource through postman, I get >>>>>>>>> 403.* >>>>>>>>> >>>>>>>>> *Which part of configuration is wrong which is leading to 403 >>>>>>>>> error?* >>>>>>>>> >>>>>>>>> CONFIGURATION: >>>>>>>>> >>>>>>>>> >>>>>>>>> *Detailed configuration with images shown here:* >>>>>>>>> >>>>>>>>> * >>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>>>>>>>> < >>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>>>>>>>> >* >>>>>>>>> >>>>>>>>> *1.* Following the >>>>>>>>> 
https://www.keycloak.org/docs/4.2/authorization_services/ , I >>>>>>>>> created a >>>>>>>>> realm role : *role_special_user* and created a user : >>>>>>>>> *user_special* with >>>>>>>>> this role and role *user*. >>>>>>>>> >>>>>>>>> *2.* Next, my resource server / client is with *full scope >>>>>>>>> enabled*: >>>>>>>>> *3.* Under authorization tab, I created a resource with the role >>>>>>>>> based >>>>>>>>> policy is. >>>>>>>>> >>>>>>>>> *4.* Now, keycloak json is: >>>>>>>>> >>>>>>>>> { >>>>>>>>> "realm": "demo12", >>>>>>>>> "auth-server-url": "http://localhost:8180/auth", >>>>>>>>> "ssl-required": "none", >>>>>>>>> "resource": "server12", >>>>>>>>> "credentials": { >>>>>>>>> "secret": "XXXXXXX" >>>>>>>>> }, >>>>>>>>> "confidential-port": 0, >>>>>>>>> "policy-enforcer": {}} >>>>>>>>> >>>>>>>>> *5.* And Keycloak Jetty adapter configuration is: >>>>>>>>> >>>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH; >>>>>>>>> InputStream is = >>>>>>>>> >>>>>>>>> Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);AdapterConfig >>>>>>>>> keyCloakConfig;ObjectMapper mapper = new ObjectMapper(new >>>>>>>>> SystemPropertiesJsonParserFactory()); >>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT); >>>>>>>>> keyCloakConfig = mapper.readValue(is, AdapterConfig.class); >>>>>>>>> KeycloakJettyAuthenticator kcAuthenticator = >>>>>>>>> KeyCloakConfig;if(kcAuthenticator != null) { >>>>>>>>> ConstraintSecurityHandler securityHandler = new >>>>>>>>> ConstraintSecurityHandler(); >>>>>>>>> ConstraintMapping constraintMapping = new ConstraintMapping(); >>>>>>>>> constraintMapping.setPathSpec("/*"); >>>>>>>>> Constraint constraint = new Constraint(); >>>>>>>>> constraint.setAuthenticate(true); >>>>>>>>> constraint.setRoles(new String[]{"**"}); >>>>>>>>> constraintMapping.setConstraint(constraint); >>>>>>>>> securityHandler.addConstraintMapping(constraintMapping); >>>>>>>>> securityHandler.setAuthenticator(kcAuthenticator); 
>>>>>>>>> context.setSecurityHandler(securityHandler);}
>>>>>>>>>
>>>>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>>>>
>>>>>>>>> {
>>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>>   "exp": 1533798704,
>>>>>>>>>   "nbf": 0,
>>>>>>>>>   "iat": 1533798404,
>>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>   "aud": "server12",
>>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>>   "typ": "Bearer",
>>>>>>>>>   "azp": "server12",
>>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>>   "acr": "1",
>>>>>>>>>   "allowed-origins": [],
>>>>>>>>>   "realm_access": {
>>>>>>>>>     "roles": [
>>>>>>>>>       "role_special_user",
>>>>>>>>>       "offline_access",
>>>>>>>>>       "uma_authorization",
>>>>>>>>>       "user"
>>>>>>>>>     ]
>>>>>>>>>   },
>>>>>>>>>   "resource_access": {
>>>>>>>>>     "server12": {
>>>>>>>>>       "roles": [
>>>>>>>>>         "uma_protection"
>>>>>>>>>       ]
>>>>>>>>>     },
>>>>>>>>>     "account": {
>>>>>>>>>       "roles": [
>>>>>>>>>         "manage-account",
>>>>>>>>>         "manage-account-links",
>>>>>>>>>         "view-profile"
>>>>>>>>>       ]
>>>>>>>>>     }
>>>>>>>>>   },
>>>>>>>>>   "scope": "openid email profile",
>>>>>>>>>   "email_verified": false,
>>>>>>>>>   "preferred_username": "user_special"
>>>>>>>>> }
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From r.goyard at groupeonepoint.com Tue Aug 28 03:17:46 2018
From: r.goyard at groupeonepoint.com (Rémi GOYARD)
Date: Tue, 28 Aug 2018 07:17:46 +0000
Subject: [keycloak-user] Keycloak & SAMLInvalid Response
In-Reply-To:
References:
Message-ID:

Hi All,

I just tried to use the Auth0 service and it worked with Workplace by facebook (following this documentation: https://scontent-cdt1-1.xx.fbcdn.net/v/t39.2365-6/33246377_951880651638808_7491240743177027584_n.pdf?_nc_cat=0&oh=266ec47aacfd6aad53e67d33b4b5a502&oe=5C2DC62A)

It seems that Keycloak does not produce a
valid response for the email mapping. The above documentation specifies the following configuration steps, but I really don't know how to map them in Keycloak:

{
  "audience": "https://www.facebook.com/company/ID",
  "recipient": "https://workplace.facebook.com/work/saml.php",
  "mappings": {
    "email": "Email"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

I think that I need to specify the information:

"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
"nameIdentifierProbes": [
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]

Does anyone have ideas?

Regards
Rémi

From r.goyard at groupeonepoint.com Tue Aug 28 05:14:19 2018
From: r.goyard at groupeonepoint.com (Rémi GOYARD)
Date: Tue, 28 Aug 2018 09:14:19 +0000
Subject: [keycloak-user] Keycloak SAML Invalid response
Message-ID:

Hi All,

I just tried to use the Auth0 service and it worked with Workplace by facebook (following this documentation: https://scontent-cdt1-1.xx.fbcdn.net/v/t39.2365-6/33246377_951880651638808_7491240743177027584_n.pdf?_nc_cat=0&oh=266ec47aacfd6aad53e67d33b4b5a502&oe=5C2DC62A)

It seems that Keycloak does not produce a valid response for the email mapping. The above documentation specifies the following configuration steps, but I really don't know how to map them in Keycloak:

{
  "audience": "https://www.facebook.com/company/ID",
  "recipient": "https://workplace.facebook.com/work/saml.php",
  "mappings": {
    "email": "Email"
  },
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

I think that I need to specify the information:

"nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
"nameIdentifierProbes": [
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
]
Does anyone have ideas?

Regards
Rémi

From psilva at redhat.com Tue Aug 28 09:50:46 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 28 Aug 2018 10:50:46 -0300
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To:
References:
Message-ID:

Hi,

Could you please check changes I did in this branch https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?

Basically, I have modified the realm settings to:

* Include a new user granted with a "special" realm role
* Included a new "Special Resource" mapping to "/secure/role/*"
* Include permission for "Special Resource" granting access only for users with "special" role

It seems to be working fine, but maybe I'm still missing something. Would be nice if you could look at my changes, import the realm settings and check how it is working.

In addition to that, could you please try running Keycloak 4.3.0.Final ?

Regards.
Pedro Igor

On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo wrote:
> Thanks Pedro for the update.
>
> Just to add details to my previous mail: From the sample app / quickstart app-authz-jee-servlet:
> I use *jdoe *user to login which has premium permissions, but when I debug, I get only Protected resource in the permission list:
>
> *Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]} *
>
> Only change I have done in realm imported from sample is replace root & base url in client: http://localhost:8080/authz-servlet with http://localhost:7200/myapp and the premium resource URI : /protected/premium/* with /secure/role/*
>
> (The URL I am accessing with above config and user jdoe on my client app is : http://localhost:7200/myapp/secure/role)
>
> Could this be an issue that in my case my client app is running on a different port (as it is outside the wildfly server that is running keycloak)?
>
> On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva wrote:
>
>> Hi,
>>
>> Thanks for continuing looking at this. Let's do this, I'll do the same steps using Jetty to reproduce the issue, will let you know during this week once I have something to share.
>>
>> Another weird thing is that the example actually should return all permissions and make them available after the login. Will check how this is working with Jetty too. The tests we have in the quickstarts are wildfly based ....
>>
>> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo wrote:
>>
>>> I have tried 1 more thing: I have imported realm from one of the keycloak quickstarts https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet and only replaced the URLs with my application URLs.
>>>
>>> But I get the same error *if* I remove the resource containing URI as */** (resource name is : *Protected Resource*). Furthermore, if I keep this resource (/*), I am able to authorize a user but putting a debugger in client app showed that authContext Permission list contains only 1 resource i.e. Protected Resource. Although the user which authenticated was assigned the role contained in resource name: Premium Resource. So ideally the Permission list must have contained this resource as well. (I am mentioning the names - Protected, Premium as mentioned in the keycloak quick start). I put in /* URI in my original app and 403 stopped. But the permission array contained only this resource (with URI /*)
>>>
>>> java.util.List perms = authzContext.getPermissions();
>>>
>>> ********To summarize the above test:*********
>>> *I get 403 error if a resource containing URI /* is not present. If a URI containing /* is present, then I get only this resource in the Permissions Array / List in the java client app even if the resource with specific URI like /app/secure contains valid role/policy/permission.
>>> Also the evaluate API available under Authorization option shows result as permit.*
>>>
>>> *Screenshots present here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api *

From testoauth55 at gmail.com Tue Aug 28 11:27:20 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Tue, 28 Aug 2018 20:57:20 +0530
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To:
References:
Message-ID:

Thanks Pedro for quick turnaround.

I have taken keycloak 4.3 installation. I imported the new realm and ran the app. However, still facing the same issue.* I am able to login with special user. But I am also able to login with jdoe (premium user) and alice (normal user) when actually only special user should be allowed and other 2 denied.*

Also, in all 3 cases, I get only 1 item in permission list i.e.
Protected resource (resource having URI: */**):

[Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]}]

*ALSO, I had to make a couple of changes for realm to work:*

*1.* Just like I mentioned in my previous email, I changed port number in the client URLs to 7200 as my app is running on jetty on a different port outside keycloak. *(Could this be the reason that app is running on a different port and keycloak/wildfly is running on a different port? )*

*2.* Second change I did was make Valid redirect URI as * in Client settings. I was getting 400 on specifying: http://localhost:7200/myapp/* *(could this be an issue?) *

NOTE: 403 would start coming if I delete resource named Protected Resource.

On Tue, Aug 28, 2018 at 7:20 PM Pedro Igor Silva wrote:
> Hi,
>
> Could you please check changes I did in this branch
> https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?
>
> Basically, I have modified the realm settings to :
>
> * Include a new user granted with a "special" realm role
> * Included a new "Special Resource" mapping to "/secure/role/*"
> * Include permission for "Special Resource" granting access only for users with "special" role
>
> It seems to be working fine, but maybe I'm still missing something. Would be nice if you could look at my changes, import the realm settings and check how it is working.
>
> In addition to that, could you please try running Keycloak 4.3.0.Final ?
>
> Regards.
> Pedro Igor
>
> On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo wrote:
>
>> Thanks Pedro for the update.
From jp4work at gmail.com Tue Aug 28 13:07:46 2018
From: jp4work at gmail.com (JIA Pei)
Date: Tue, 28 Aug 2018 10:07:46 -0700
Subject: [keycloak-user] Build Failure
Message-ID:

I'm using OpenJDK 10.0.2 ... Can anybody help please?
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 03:48 min
[INFO] Finished at: 2018-08-28T10:01:37-07:00
[INFO] Final Memory: 140M/298M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project keycloak-saml-core: Compilation failure: Compilation failure:
[ERROR] ....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/api/util/KeyInfoTools.java:[51,70] incompatible types: java.util.List cannot be converted to java.lang.Iterable
[ERROR] ....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/api/util/KeyInfoTools.java:[55,70] incompatible types: java.util.List cannot be converted to java.lang.Iterable
[ERROR] ....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/api/util/KeyInfoTools.java:[60,58] incompatible types: java.util.List cannot be converted to java.lang.Iterable
[ERROR] ....../keycloak/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java:[757,42] incompatible types: java.util.List cannot be converted to java.util.List
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn -rf :keycloak-saml-core

--
Pei JIA, Ph.D.
Email: jp4work at gmail.com
cell in Canada: +1 778-863-5816
cell in China: +86 186-8244-3503
Welcome to Vision Open http://www.visionopen.com

From ntle at castortech.com Tue Aug 28 13:34:01 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 28 Aug 2018 13:34:01 -0400
Subject: [keycloak-user] cxf filter
In-Reply-To: <1535407175.4014.3.camel@acutus.pro>
References: <1535407175.4014.3.camel@acutus.pro>
Message-ID:

Hi Dmitri,

About the OIDC Servlet filter, I managed to build an OSGi version of it so I'm ok for now :D

Regarding the REST service, I think the bearer token is what I want, however, I'm not sure how the authentication flow works in this case. As I understand, to use bearer token, I need to create a client in keycloak server and set access type to bearer-only, then when making the rest call, I need to provide the valid "Authorization: Bearer XXX" header.

1. Where do I get this token?
2. If the bearer token is valid, does keycloak adapter also put the KeycloakSecurityContext with the username on the request so that I can extract it later?
3. Does keycloak have an OSGi jaxrs filter for REST service or do I have to implement my own? (https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#service.jaxrs.extension.services)

Hope to get some insight

Thai

On Mon, Aug 27, 2018 at 5:59 PM, Dmitry Telegin wrote:
> Hello Thai,
>
> Seems like you've been watching the OSGification PR attentively :)
> I'm sorry we didn't make it for Keycloak 4.3.0. Should get included in 4.4.0, hopefully.
>
> Just in case anyone else is interested:
> PR for Keycloak OIDC servlet filter adapter OSGification https://github.com/keycloak/keycloak/pull/5383
> PR for the docs https://github.com/keycloak/keycloak-documentation/pull/453
> Built docs: https://keycloak-docs.github.io/deploy-docs-pullrequest/PR/453/securing_apps/index.html#using-on-osgi
>
> As for your question, could you please elaborate? What are you trying to achieve? For REST services, you should normally use bearer token authorization. In this mode, the adapter would expect a valid token in "Authorization: Bearer XXX" HTTP header, otherwise it would return HTTP 401. Is this what you're after?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-08-27 at 14:52 -0400, Nhut Thai Le wrote:
> > Hello,
> >
> > I have a web app and a REST API running inside an OSGi environment.
> >
> > The web app has some servlets registered with the web container (jetty) as OSGi whiteboard services. All of these servlets are configured to be protected (authentication required) by keycloak servlet filter.
> >
> > Dictionary<String, Object> props = new Hashtable<>();
> > props.put("alias", "/whiteboard");
> > servletReg = context.registerService(Servlet.class, new WhiteboardServlet("/test"), props);
> >
> > Dictionary<String, Object> filterProps = new Hashtable<>();
> > String[] urls = { "/*" }; //$NON-NLS-1$
> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME, "keycloakFilter");
> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN, urls);
> > keycloakFilter = context.registerService(Filter.class, new KeycloakOIDCFilter(), filterProps);
> >
> > The REST api is hosted by aries-jax-rs-whiteboard.
> >
> > @Component(
> >     immediate = true,
> >     property = JAX_RS_APPLICATION_BASE + "=/rest",
> >     service = Application.class
> > )
> > @Path("/common")
> > public final class RestAPI extends Application {
> >     public static final Response EMPTY_RESPONSE = Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();
> >
> >     @Override
> >     public Set<Object> getSingletons() {
> >         return Collections.singleton(this);
> >     }
> >
> >     @GET
> >     @Path("/getObject")
> >     @Produces(MediaType.APPLICATION_JSON)
> >     public String getObject() {
> >         return "Rest call"; //$NON-NLS-1$
> >     }
> > }
> >
> > The web app has some JS code executed on user browser that makes an ajax call to the REST service above. Since this call happens after user has been authenticated with keycloak and originates from the same browser session, I assume the ajax request also contains KeycloakSecurityContext. Thus this call should be allowed to reach the REST service. What I want is to register a filter (ContainerRequestFilter) to deny access to the REST service if user has not been authenticated.
> > Is there an existing implementation of ContainerRequestFilter by keycloak that can do this?
> >
> > Thai
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

CONFIDENTIALITY NOTICE (translated from French): The information contained in this message is confidential, may be protected by professional privilege, and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From psilva at redhat.com Tue Aug 28 14:12:47 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 28 Aug 2018 15:12:47 -0300
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To:
References:
Message-ID:

Running the app in a separate server is not a problem.

If you delete the "Protected Resource" you will get 403 because there is no resource granting access to "/", "/index.jsp" or "/protected/*".
Maybe what you are trying to achieve is some way to update URIs in Keycloak and have those changes recognized by the policy enforcer in front of your app? If so, you can disable the cache of paths/URIs by adding the following config to your policy-enforcer in keycloak.json:

"path-cache": {
    "lifespan": 0,
    "max-entries": 0
}

This will make the PEP invoke the server all the time for resources and path mapping.

By default, resource/path mapping is enabled and that avoids hits to the server in order to fetch resources and their URIs.

On Tue, Aug 28, 2018 at 12:27 PM, keycloak demo wrote:
> Thanks Pedro for quick turnaround.
>
> I have taken keycloak 4.3 installation. I imported the new realm and ran the app. However, still facing the same issue. *I am able to login with special user. But I am also able to login with jdoe (premium user) and alice (normal user) when actually only special user should be allowed and other 2 denied.* Also, in all 3 cases, I get only 1 item in permission list i.e. Protected resource (resource having URI: */**):
>
> [Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]}]
>
> *ALSO, I had to make a couple of changes for realm to work:*
>
> *1.* Just like I mentioned in my previous email, I changed port number in the client URLs to 7200 as my app is running on jetty on a different port outside keycloak. *(Could this be the reason that app is running on a different port and keycloak/wildfly is running on a different port?)*
>
> *2.* Second change I did was make Valid redirect URI as * in Client settings. I was getting 400 on specifying: http://localhost:7200/myapp/* *(could this be an issue?)*
>
> NOTE: 403 would start coming if I delete resource named Protected Resource.
>
> On Tue, Aug 28, 2018 at 7:20 PM Pedro Igor Silva wrote:
>
>> Hi,
>>
>> Could you please check changes I did in this branch https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?
>>
>> Basically, I have modified the realm settings to:
>>
>> * Include a new user granted with a "special" realm role
>> * Included a new "Special Resource" mapping to "/secure/role/*"
>> * Include permission for "Special Resource" granting access only for users with "special" role
>>
>> It seems to be working fine, but maybe I'm still missing something. Would be nice if you could look at my changes, import the realm settings and check how it is working.
>>
>> In addition to that, could you please try running Keycloak 4.3.0.Final?
>>
>> Regards.
>> Pedro Igor
>>
>> On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo wrote:
>>
>>> Thanks Pedro for the update.
>>>
>>> Just to add details to my previous mail: From the sample app / quickstart app-authz-jee-servlet: I use *jdoe* user to login which has premium permissions, but when I debug, I get only Protected resource in the permission list:
>>>
>>> *Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]}*
>>>
>>> Only change I have done in realm imported from sample is replace root & base url in client: http://localhost:8080/authz-servlet with http://localhost:7200/myapp and the premium resource URI: /protected/premium/* with /secure/role/*
>>>
>>> (The URL I am accessing with above config and user jdoe on my client app is: http://localhost:7200/myapp/secure/role)
>>>
>>> Could this be an issue that in my case my client app is running on a different port (as it is outside the wildfly server that is running keycloak)?
>>>
>>> On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks for continuing to look at this. Let's do this, I'll do the same steps using Jetty to reproduce the issue, will let you know during this week once I have something to share.
>>>>
>>>> Another weird thing is that the example actually should return all permissions and make them available after the login. Will check how this is working with Jetty too. The tests we have in the quickstarts are wildfly based ....
>>>>
>>>> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo wrote:
>>>>
>>>>> I have tried 1 more thing: I have imported realm from one of the keycloak quickstarts https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet and only replaced the URLs with my application URLs.
>>>>>
>>>>> But I get the same error *if* I remove the resource containing URI as */** (resource name is: *Protected Resource*). Furthermore, if I keep this resource (/*), I am able to authorize a user but putting a debugger in client app showed that authContext Permission list contains only 1 resource i.e. Protected Resource. Although the user which authenticated was assigned the role contained in resource name: Premium Resource. So ideally the Permission list must have contained this resource as well. (I am mentioning the names - Protected, Premium as mentioned in the keycloak quick start). I put in /* URI in my original app and 403 stopped. But the permission array contained only this resource (with URI /*)
>>>>>
>>>>> java.util.List<Permission> perms = authzContext.getPermissions();
>>>>>
>>>>> ********To summarize the above test:*********
>>>>> *I get 403 error if a resource containing URI /* is not present. If a URI containing /* is present, then I get only this resource in the Permissions Array / List in the java client app even if the resource with specific URI like /app/secure contains valid role/policy/permission. Also the evaluate API available under Authorization option shows result as permit.*
>>>>>
>>>>> *Screenshots present here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
>>>>>
>>>>> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo wrote:
>>>>>
>>>>>> Pedro,
>>>>>>
>>>>>> Yes default permissions grant access to any resource in my application (uri == /*). But problem starts when I specify a resource with specific URI (as described in configuration in my previous email and also here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api).
>>>>>>
>>>>>> Just to summarize the real problem:
>>>>>>
>>>>>> Apart from default resource having `/*`, I have a second resource having URI: /secure/role/* and this resource also has a role based policy to allow access to only users having role "special", the expected behavior is the users who don't have role "special" should not be able to access this resource, right?
>>>>>>
>>>>>> But I am able to access this resource with any user, any role. So I thought that maybe default resource URI with '/*' is overriding behavior of second resource, so I changed default resource URI to '/test/*', and then I started receiving 403 error for accessing both '/test' as well as second resource '/secure/role/*' for all users including user with "special" role assigned.
>>>>>>
>>>>>> I looked into realm resource configuration in one of the quick starts and the only difference I found was that quick start resources specify scope in each of resources whereas I have kept it blank. Could this be an issue?
>>>>>>
>>>>>> I understand you already spent time in trying to resolve this but problem still persists.
>>>>>>
>>>>>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva wrote:
>>>>>>
>>>>>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo <testoauth55 at gmail.com> wrote:
>>>>>>>
>>>>>>>> Pedro,
>>>>>>>>
>>>>>>>> After further debugging I found out that the following line in keycloak json is causing the issue: "policy-enforcer": {}. If I remove this line, then 403 error is removed but I guess doing this disables authorization altogether. 2 questions on this:
>>>>>>>> 1. When I have configured policies on the Admin console under the authorization tab, why is this empty?
>>>>>>>
>>>>>>> I'm not sure. When you enable authorization services to a client default resource/permissions are created. Where these permissions grant access to any resource in your application (uri == /*).
>>>>>>>
>>>>>>>> 2. Is there a way to put some default values (not manually) in here to make authorization work?
>>>>>>>
>>>>>>> Like I said, when you just enable the authorization services switch, default settings are created automatically.
>>>>>>>
>>>>>>> Did you try to run any of our quickstarts?
>>>>>>>
>>>>>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> Yeah, it should be relative. I was wondering if the correct URI would be '/keycloak/secure/role' instead.
>>>>>>>>>
>>>>>>>>> In any case, I would ask you to try the same deployment using tomcat or wildfly to see how it goes. We have a few quickstarts running on these two. Maybe you could also try to enable DEBUG log level to see how the policy enforcer is matching URIs to your resources.
>>>>>>>>>
>>>>>>>>> If none of them work, I can give a try and run jetty.
>>>>>>>>>
>>>>>>>>> Regards.
>>>>>>>>> Pedro Igor
>>>>>>>>>
>>>>>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo <testoauth55 at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Pedro, thanks for replying. I tried putting the absolute URI, but it does not work either. The documentation anyway states that the URI in resource can be relative to client root URL which I have configured to be http://localhost:7200/{app}/keycloak , therefore putting relative URI '/secure/role' in resource should be equivalent to putting absolute URI: http://localhost:7200/{app}/keycloak/secure/role . Do you think there is something else I can try?
>>>>>>>>>>
>>>>>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva <psilva at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> Your configuration looks correct. But I noticed that in the postman request you are sending requests to `http://localhost:7200/{app}/keycloak/secure/role`. However in your resource definition the URI is configured to `/secure/role`. Both URIs should match otherwise the adapter won't be able to map the URI in your application to a resource in Keycloak (and related permissions).
>>>>>>>>>>>
>>>>>>>>>>> Regards.
>>>>>>>>>>> Pedro Igor
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo <testoauth55 at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> With all the configuration (shared below), when I test using the evaluate option under authorization tab, result is permit:
>>>>>>>>>>>>
>>>>>>>>>>>> *But when I make a request to this resource through postman, I get 403.*
>>>>>>>>>>>>
>>>>>>>>>>>> *Which part of configuration is wrong which is leading to 403 error?*
>>>>>>>>>>>>
>>>>>>>>>>>> CONFIGURATION:
>>>>>>>>>>>>
>>>>>>>>>>>> *Detailed configuration with images shown here:*
>>>>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api
>>>>>>>>>>>>
>>>>>>>>>>>> *1.* Following the https://www.keycloak.org/docs/4.2/authorization_services/ , I created a realm role: *role_special_user* and created a user: *user_special* with this role and role *user*.
>>>>>>>>>>>>
>>>>>>>>>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>>>>>>>>>>
>>>>>>>>>>>> *3.* Under authorization tab, I created a resource with the role based policy.
>>>>>>>>>>>>
>>>>>>>>>>>> *4.* Now, keycloak json is:
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>   "realm": "demo12",
>>>>>>>>>>>>   "auth-server-url": "http://localhost:8180/auth",
>>>>>>>>>>>>   "ssl-required": "none",
>>>>>>>>>>>>   "resource": "server12",
>>>>>>>>>>>>   "credentials": {
>>>>>>>>>>>>     "secret": "XXXXXXX"
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "confidential-port": 0,
>>>>>>>>>>>>   "policy-enforcer": {}
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>>>>>>>>>
>>>>>>>>>>>> final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>>>>>>> InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>>>>>> ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>>>>>> mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>>>>>> AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>>>>>> if (keyCloakConfig != null) {
>>>>>>>>>>>>     // build the Jetty authenticator from the parsed adapter config
>>>>>>>>>>>>     KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>>>>>>>     kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>>>>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>>>>>     constraintMapping.setPathSpec("/*");
>>>>>>>>>>>>     Constraint constraint = new Constraint();
>>>>>>>>>>>>     constraint.setAuthenticate(true);
>>>>>>>>>>>>     constraint.setRoles(new String[]{"**"}); // "**" = any authenticated user
>>>>>>>>>>>>     constraintMapping.setConstraint(constraint);
>>>>>>>>>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>>>>>     context.setSecurityHandler(securityHandler);
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>>>>>>>
>>>>>>>>>>>> {
>>>>>>>>>>>>   "jti": "XXXXXXX",
>>>>>>>>>>>>   "exp": 1533798704,
>>>>>>>>>>>>   "nbf": 0,
>>>>>>>>>>>>   "iat": 1533798404,
>>>>>>>>>>>>   "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>>>>   "aud": "server12",
>>>>>>>>>>>>   "sub": "XXXXXXX",
>>>>>>>>>>>>   "typ": "Bearer",
>>>>>>>>>>>>   "azp": "server12",
>>>>>>>>>>>>   "auth_time": 1533798404,
>>>>>>>>>>>>   "session_state": "XXXXXX",
>>>>>>>>>>>>   "acr": "1",
>>>>>>>>>>>>   "allowed-origins": [],
>>>>>>>>>>>>   "realm_access": { "roles": [ "role_special_user", "offline_access", "uma_authorization", "user" ] },
>>>>>>>>>>>>   "resource_access": {
>>>>>>>>>>>>     "server12": { "roles": [ "uma_protection" ] },
>>>>>>>>>>>>     "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] }
>>>>>>>>>>>>   },
>>>>>>>>>>>>   "scope": "openid email profile",
>>>>>>>>>>>>   "email_verified": false,
>>>>>>>>>>>>   "preferred_username": "user_special"
>>>>>>>>>>>> }
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From clehingue at gmail.com Tue Aug 28 14:54:48 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Tue, 28 Aug 2018 20:54:48 +0200
Subject: [keycloak-user] Keycloak with aerogear + xamarin
Message-ID:

Hello,

I use keycloak as an identity manager. I am developing mobile versions of my apps using xamarin and aerogear. In the aerogear documentation it is mentioned to install "OpenShift". Is it mandatory to use OpenShift? Can we only use aerogear directly with a keycloak instance? If so, how should you configure keycloak and what should the config.json file look like to make it work?

Thank you and have a good day.
====== IN FRENCH (translated) ======

Hello, I use keycloak as an identity manager. I am developing the mobile versions of my applications using xamarin and aerogear. The aerogear documentation mentions installing "OpenShift". Is it mandatory to use OpenShift? Can aerogear be used directly with a keycloak instance only? If so, how should keycloak be configured and what should the config.json file look like for this to work? Thank you and have a good day.

From ntle at castortech.com Tue Aug 28 19:15:51 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 28 Aug 2018 19:15:51 -0400
Subject: [keycloak-user] OIDC Servlet filter not redirecting to login screen after admin kicks user out by KC admin console
Message-ID:

Hello,

I'm using the OIDC Servlet filter to protect my app and it works when the user first comes to the site. However after the user successfully logs in and uses the app, if the admin uses the keycloak admin console to kick the user out (use the logout all button on the realm sessions tab) I expect the user will be redirected to the login page on his next request but he is still able to continue working as if the keycloak oidc servlet filter thinks the session is still valid. Is this behavior normal? If it is, what can be done to force user logout? If it is not, what would be the possible cause?

Thank you
Thai

From testoauth55 at gmail.com Tue Aug 28 20:57:28 2018
From: testoauth55 at gmail.com (keycloak demo)
Date: Wed, 29 Aug 2018 06:27:28 +0530
Subject: [keycloak-user] keycloak 403 forbidden error while accessing rest resource where as evaluate api shows permit
In-Reply-To:
References:
Message-ID:

Pedro,

*2 queries*

*1.* After importing your updated realm, and trying to access localhost:7200/myapp/secure/role, *according to the configuration, only specialuser should be allowed to access this URL but I was able to access this URL with other users as well (jdoe and alice). Also in all 3 users, I was getting only 1 item in permission list i.e. Protected resource*:

[Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]}]

At your end, was the behavior as expected i.e. only specialuser is able to access this URL and permission list contains Special Resource in the list?

*2.* I am not updating URIs except for the first time, where I had to change the port number in imported realm and I started my client app after making this change. No change in urls was done after starting the client app. Also, when I put:

"path-cache": {
    "lifespan": 0,
    "max-entries": 0
}

I start getting 403 for every URL and every user.

But more weird is point 1. If we can understand the behavior in point 1, we can resolve it.

On Tue, Aug 28, 2018 at 11:42 PM Pedro Igor Silva wrote:
> Running the app in a separate server is not a problem.
>
> If you delete the "Protected Resource" you will get 403 because there is no resource granting access to "/", "/index.jsp" or "/protected/*".
>
> Maybe what you are trying to achieve is some way to update URIs in Keycloak and have those changes recognized by the policy enforcer in front of your app? If so, you can disable the cache of paths/URIs by adding the following config to your policy-enforcer in keycloak.json:
>
> "path-cache": {
>     "lifespan": 0,
>     "max-entries": 0
> }
>
> This will make the PEP invoke the server all the time for resources and path mapping.
>
> By default, resource/path mapping is enabled and that avoids hits to the server in order to fetch resources and their URIs.
>
> On Tue, Aug 28, 2018 at 12:27 PM, keycloak demo wrote:
>
>> Thanks Pedro for quick turnaround.
>>
>> I have taken keycloak 4.3 installation. I imported the new realm and ran the app. However, still facing the same issue. *I am able to login with special user. But I am also able to login with jdoe (premium user) and alice (normal user) when actually only special user should be allowed and other 2 denied.* Also, in all 3 cases, I get only 1 item in permission list i.e. Protected resource (resource having URI: */**):
>>
>> [Permission {id=ce71e506-d2f5-4c8b-8c2b-00f282bfb7d5, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]}]
>>
>> *ALSO, I had to make a couple of changes for realm to work:*
>>
>> *1.* Just like I mentioned in my previous email, I changed port number in the client URLs to 7200 as my app is running on jetty on a different port outside keycloak. *(Could this be the reason that app is running on a different port and keycloak/wildfly is running on a different port?)*
>>
>> *2.* Second change I did was make Valid redirect URI as * in Client settings. I was getting 400 on specifying: http://localhost:7200/myapp/* *(could this be an issue?)*
>>
>> NOTE: 403 would start coming if I delete resource named Protected Resource.
>>
>> On Tue, Aug 28, 2018 at 7:20 PM Pedro Igor Silva wrote:
>>
>>> Hi,
>>>
>>> Could you please check changes I did in this branch https://github.com/pedroigor/keycloak-quickstarts/tree/tmp ?
>>>
>>> Basically, I have modified the realm settings to:
>>>
>>> * Include a new user granted with a "special" realm role
>>> * Included a new "Special Resource" mapping to "/secure/role/*"
>>> * Include permission for "Special Resource" granting access only for users with "special" role
>>>
>>> It seems to be working fine, but maybe I'm still missing something. Would be nice if you could look at my changes, import the realm settings and check how it is working.
>>>
>>> In addition to that, could you please try running Keycloak 4.3.0.Final?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Tue, Aug 28, 2018 at 2:37 AM, keycloak demo wrote:
>>>
>>>> Thanks Pedro for the update.
>>>>
>>>> Just to add details to my previous mail: From the sample app / quickstart app-authz-jee-servlet: I use *jdoe* user to login which has premium permissions, but when I debug, I get only Protected resource in the permission list:
>>>>
>>>> *Permission {id=1ace954c-3de5-4f33-83f7-2822ce2b35fe, name=Protected Resource, scopes=[urn:servlet-authz:protected:resource:access]}*
>>>>
>>>> Only change I have done in realm imported from sample is replace root & base url in client: http://localhost:8080/authz-servlet with http://localhost:7200/myapp and the premium resource URI: /protected/premium/* with /secure/role/*
>>>>
>>>> (The URL I am accessing with above config and user jdoe on my client app is: http://localhost:7200/myapp/secure/role)
>>>>
>>>> Could this be an issue that in my case my client app is running on a different port (as it is outside the wildfly server that is running keycloak)?
>>>>
>>>> On Mon, Aug 27, 2018 at 7:30 PM Pedro Igor Silva wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for continuing to look at this. Let's do this, I'll do the same steps using Jetty to reproduce the issue, will let you know during this week once I have something to share.
>>>>>
>>>>> Another weird thing is that the example actually should return all permissions and make them available after the login. Will check how this is working with Jetty too. The tests we have in the quickstarts are wildfly based ....
>>>>>
>>>>> On Mon, Aug 27, 2018 at 8:22 AM, keycloak demo wrote:
>>>>>
>>>>>> I have tried 1 more thing: I have imported realm from one of the keycloak quickstarts https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-servlet and only replaced the URLs with my application URLs.
>>>>>>
>>>>>> But I get the same error *if* I remove the resource containing URI as */** (resource name is: *Protected Resource*). Furthermore, if I keep this resource (/*), I am able to authorize a user but putting a debugger in client app showed that authContext Permission list contains only 1 resource i.e. Protected Resource. Although the user which authenticated was assigned the role contained in resource name: Premium Resource. So ideally the Permission list must have contained this resource as well. (I am mentioning the names - Protected, Premium as mentioned in the keycloak quick start). I put in /* URI in my original app and 403 stopped. But the permission array contained only this resource (with URI /*)
>>>>>>
>>>>>> java.util.List<Permission> perms = authzContext.getPermissions();
>>>>>>
>>>>>> ********To summarize the above test:*********
>>>>>> *I get 403 error if a resource containing URI /* is not present. If a URI containing /* is present, then I get only this resource in the Permissions Array / List in the java client app even if the resource with specific URI like /app/secure contains valid role/policy/permission. Also the evaluate API available under Authorization option shows result as permit.*
>>>>>>
>>>>>> *Screenshots present here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api*
>>>>>>
>>>>>> On Mon, Aug 20, 2018 at 12:07 PM keycloak demo wrote:
>>>>>>
>>>>>>> Pedro,
>>>>>>>
>>>>>>> Yes default permissions grant access to any resource in my application (uri == /*). But problem starts when I specify a resource with specific URI (as described in configuration in my previous email and also here: https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api).
>>>>>>> >>>>>>> Just to summarize the real problem: >>>>>>> >>>>>>> Apart from default resource having `/*`, I have a second resource >>>>>>> having URI: /secure/role/* and this resource also has a role >>>>>>> based policy to allow access to only users having role "special", the >>>>>>> expected behavior is the users who don't have role "special" should not be >>>>>>> able to access this resource, right? >>>>>>> >>>>>>> But I am able to access this resource with any user, any role. So I >>>>>>> thought that may be default resource URI with '/*' is overriding behavior >>>>>>> of second resource, so I changed default resource URI to '/test/*', and >>>>>>> then I started receiving 403 error for accessing both '/test' as well as >>>>>>> second resource ' /secure/role/* ' for all users including user >>>>>>> with "special" role assigned. >>>>>>> >>>>>>> I looked into realm resource configuration in one of the quick >>>>>>> starts and the only difference I found was that quick start resources >>>>>>> specify scope in each of resources whereas I have kept it blank. Could this >>>>>>> be an issue. >>>>>>> >>>>>>> I understand you already spent time in trying to resolve this but >>>>>>> problem still persists. >>>>>>> >>>>>>> On Fri, Aug 17, 2018 at 5:11 PM, Pedro Igor Silva >>>>>> > wrote: >>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Fri, Aug 17, 2018 at 4:40 AM, keycloak demo < >>>>>>>> testoauth55 at gmail.com> wrote: >>>>>>>> >>>>>>>>> Pedro, >>>>>>>>> >>>>>>>>> After further debugging I found out that following line in >>>>>>>>> keycloak json is causing the issue: "policy-enforcer": {}. If I >>>>>>>>> remove this line, then 403 error is removed but I guess doing this disables >>>>>>>>> authorization altogether. 2 questions on this: >>>>>>>>> 1. When I have configured policies on the Admin console under the >>>>>>>>> authorization tab, why is this empty? >>>>>>>>> >>>>>>>> >>>>>>>> I'm not sure. 
When you enable authorization services to a client >>>>>>>> default resource/permissions are created. Where these permissions grant >>>>>>>> access to any resource in your application (uri == /*). >>>>>>>> >>>>>>>> >>>>>>>>> 2. Is there a way to put some default values (not manually) in >>>>>>>>> here to make authorization work? >>>>>>>>> >>>>>>>> >>>>>>>> Like I said, when you just enable the authorization services >>>>>>>> switch, default settings are created automatically. >>>>>>>> >>>>>>>> Did you try to run any of our quickstarts ? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> >>>>>>>>> On Fri, Aug 10, 2018 at 5:17 PM, Pedro Igor Silva < >>>>>>>>> psilva at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Yeah, it should be relative. I was wondering if the correct URI >>>>>>>>>> would be '/keycloak/secure/role' instead. >>>>>>>>>> >>>>>>>>>> In any case, I would ask you to try the same deployment using >>>>>>>>>> tomcat or wildfly to see how it goes. We have a few quickstarts running on >>>>>>>>>> these two. Maybe you could also try to enable DEBUG log level to see how >>>>>>>>>> the policy enforcer is matching URIs to your resources. >>>>>>>>>> >>>>>>>>>> If none of them work, I can give a try and run jetty. >>>>>>>>>> >>>>>>>>>> Regards. >>>>>>>>>> Pedro Igor >>>>>>>>>> >>>>>>>>>> On Fri, Aug 10, 2018 at 12:31 AM, keycloak demo < >>>>>>>>>> testoauth55 at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Pedro, thanks for replying. I tried putting the absolute URI,but >>>>>>>>>>> it does not work either. The documentation anyway states that the URI in >>>>>>>>>>> resource can be relative to client root URL which I have configured to be >>>>>>>>>>> http://localhost:7200/{app}/keycloak , therefore >>>>>>>>>>> putting relateve URI '/secure/role' in resource should be >>>>>>>>>>> equivalent to putting absolute URI : >>>>>>>>>>> http://localhost:7200/{app}/keycloak/secure/role'. Do you >>>>>>>>>>> think, there is something else I can try? 
>>>>>>>>>>> >>>>>>>>>>> On Thu, Aug 9, 2018 at 6:01 PM, Pedro Igor Silva < >>>>>>>>>>> psilva at redhat.com> wrote: >>>>>>>>>>> >>>>>>>>>>>> Hi, >>>>>>>>>>>> >>>>>>>>>>>> Your configuration looks correct. But I noticed that in the >>>>>>>>>>>> postman request you are sending requests to ` >>>>>>>>>>>> http://localhost:7200/{app}/keycloak/secure/role` >>>>>>>>>>>> . >>>>>>>>>>>> However in your resource definition the URI is configured to >>>>>>>>>>>> `/secure/role`. Both URIs should match otherwise the adapter won't be able >>>>>>>>>>>> to map the URI in your application to a resource in Keycloak (and related >>>>>>>>>>>> permissions). >>>>>>>>>>>> >>>>>>>>>>>> Regards. >>>>>>>>>>>> Pedro Igor >>>>>>>>>>>> >>>>>>>>>>>> On Thu, Aug 9, 2018 at 5:56 AM, keycloak demo < >>>>>>>>>>>> testoauth55 at gmail.com> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> With all the configuration(shared below), when I test using >>>>>>>>>>>>> the evaluate >>>>>>>>>>>>> option under authorization tab, result is permit: >>>>>>>>>>>>> >>>>>>>>>>>>> *But when I make a request to this resource through postman, I >>>>>>>>>>>>> get 403.* >>>>>>>>>>>>> >>>>>>>>>>>>> *Which part of configuration is wrong which is leading to 403 >>>>>>>>>>>>> error?* >>>>>>>>>>>>> >>>>>>>>>>>>> CONFIGURATION: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> *Detailed configuration with images shown here:* >>>>>>>>>>>>> >>>>>>>>>>>>> * >>>>>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>>>>>>>>>>>> < >>>>>>>>>>>>> https://stackoverflow.com/questions/51761779/keycloak-403-forbidden-error-while-accessing-rest-resource-where-as-evaluate-api >>>>>>>>>>>>> >* >>>>>>>>>>>>> >>>>>>>>>>>>> *1.* Following the >>>>>>>>>>>>> https://www.keycloak.org/docs/4.2/authorization_services/ , I >>>>>>>>>>>>> created a >>>>>>>>>>>>> realm role : *role_special_user* and created a user : >>>>>>>>>>>>> *user_special* with >>>>>>>>>>>>> this role and role *user*. 
>>>>>>>>>>>>>
>>>>>>>>>>>>> *2.* Next, my resource server / client is with *full scope enabled*:
>>>>>>>>>>>>>
>>>>>>>>>>>>> *3.* Under the authorization tab, I created a resource with the
>>>>>>>>>>>>> role-based policy.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *4.* Now, keycloak json is:
>>>>>>>>>>>>>
>>>>>>>>>>>>>     {
>>>>>>>>>>>>>       "realm": "demo12",
>>>>>>>>>>>>>       "auth-server-url": "http://localhost:8180/auth",
>>>>>>>>>>>>>       "ssl-required": "none",
>>>>>>>>>>>>>       "resource": "server12",
>>>>>>>>>>>>>       "credentials": {
>>>>>>>>>>>>>         "secret": "XXXXXXX"
>>>>>>>>>>>>>       },
>>>>>>>>>>>>>       "confidential-port": 0,
>>>>>>>>>>>>>       "policy-enforcer": {}
>>>>>>>>>>>>>     }
>>>>>>>>>>>>>
>>>>>>>>>>>>> *5.* And Keycloak Jetty adapter configuration is:
>>>>>>>>>>>>>
>>>>>>>>>>>>>     import java.io.InputStream;
>>>>>>>>>>>>>     import com.fasterxml.jackson.annotation.JsonInclude;
>>>>>>>>>>>>>     import com.fasterxml.jackson.databind.ObjectMapper;
>>>>>>>>>>>>>     import org.eclipse.jetty.security.ConstraintMapping;
>>>>>>>>>>>>>     import org.eclipse.jetty.security.ConstraintSecurityHandler;
>>>>>>>>>>>>>     import org.eclipse.jetty.util.security.Constraint;
>>>>>>>>>>>>>     import org.keycloak.adapters.jetty.KeycloakJettyAuthenticator;
>>>>>>>>>>>>>     import org.keycloak.representations.adapters.config.AdapterConfig;
>>>>>>>>>>>>>     import org.keycloak.util.SystemPropertiesJsonParserFactory;
>>>>>>>>>>>>>
>>>>>>>>>>>>>     final String KEYCLOAK_JSON = Constants.KC_CONFIG_JSON_PATH;
>>>>>>>>>>>>>     InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON);
>>>>>>>>>>>>>     // Parse keycloak.json with the same settings the adapter itself uses
>>>>>>>>>>>>>     // (system-property substitution, non-default fields only)
>>>>>>>>>>>>>     ObjectMapper mapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
>>>>>>>>>>>>>     mapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
>>>>>>>>>>>>>     AdapterConfig keyCloakConfig = mapper.readValue(is, AdapterConfig.class);
>>>>>>>>>>>>>     // Hand the parsed config (including the "policy-enforcer" section) to the Jetty authenticator
>>>>>>>>>>>>>     KeycloakJettyAuthenticator kcAuthenticator = new KeycloakJettyAuthenticator();
>>>>>>>>>>>>>     kcAuthenticator.setAdapterConfig(keyCloakConfig);
>>>>>>>>>>>>>     // Every path requires an authenticated user; "**" accepts any role,
>>>>>>>>>>>>>     // so the per-resource decision is left to the policy enforcer
>>>>>>>>>>>>>     ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
>>>>>>>>>>>>>     ConstraintMapping constraintMapping = new ConstraintMapping();
>>>>>>>>>>>>>     constraintMapping.setPathSpec("/*");
>>>>>>>>>>>>>     Constraint constraint = new Constraint();
>>>>>>>>>>>>>     constraint.setAuthenticate(true);
>>>>>>>>>>>>>     constraint.setRoles(new String[]{"**"});
>>>>>>>>>>>>>     constraintMapping.setConstraint(constraint);
>>>>>>>>>>>>>     securityHandler.addConstraintMapping(constraintMapping);
>>>>>>>>>>>>>     securityHandler.setAuthenticator(kcAuthenticator);
>>>>>>>>>>>>>     context.setSecurityHandler(securityHandler);
>>>>>>>>>>>>>
>>>>>>>>>>>>> *6.* Also, the decoded jwt token sample is:
>>>>>>>>>>>>>
>>>>>>>>>>>>>     {
>>>>>>>>>>>>>       "jti": "XXXXXXX",
>>>>>>>>>>>>>       "exp": 1533798704,
>>>>>>>>>>>>>       "nbf": 0,
>>>>>>>>>>>>>       "iat": 1533798404,
>>>>>>>>>>>>>       "iss": "http://localhost:8180/auth/realms/demo12",
>>>>>>>>>>>>>       "aud": "server12",
>>>>>>>>>>>>>       "sub": "XXXXXXX",
>>>>>>>>>>>>>       "typ": "Bearer",
>>>>>>>>>>>>>       "azp": "server12",
>>>>>>>>>>>>>       "auth_time": 1533798404,
>>>>>>>>>>>>>       "session_state": "XXXXXX",
>>>>>>>>>>>>>       "acr": "1",
>>>>>>>>>>>>>       "allowed-origins": [],
>>>>>>>>>>>>>       "realm_access": {
>>>>>>>>>>>>>         "roles": [
>>>>>>>>>>>>>           "role_special_user",
>>>>>>>>>>>>>           "offline_access",
>>>>>>>>>>>>>           "uma_authorization",
>>>>>>>>>>>>>           "user"
>>>>>>>>>>>>>         ]
>>>>>>>>>>>>>       },
>>>>>>>>>>>>>       "resource_access": {
>>>>>>>>>>>>>         "server12": {
>>>>>>>>>>>>>           "roles": [
>>>>>>>>>>>>>             "uma_protection"
>>>>>>>>>>>>>           ]
>>>>>>>>>>>>>         },
>>>>>>>>>>>>>         "account": {
>>>>>>>>>>>>>           "roles": [
>>>>>>>>>>>>>             "manage-account",
>>>>>>>>>>>>>             "manage-account-links",
>>>>>>>>>>>>>             "view-profile"
>>>>>>>>>>>>>           ]
>>>>>>>>>>>>>         }
>>>>>>>>>>>>>       },
>>>>>>>>>>>>>       "scope": "openid email profile",
>>>>>>>>>>>>>       "email_verified": false,
>>>>>>>>>>>>>       "preferred_username": "user_special"
>>>>>>>>>>>>>     }
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>
>>>
>

From postmaster at lists.jboss.org Wed Aug 29 02:39:26 2018
From: postmaster at lists.jboss.org (Post Office)
Date: Wed, 29 Aug 2018 14:39:26 +0800
Subject: [keycloak-user] Message could not be delivered
Message-ID: <201808290641.w7T6fngp011567@lists01.dmz-a.mwc.hst.phx2.redhat.com>

The original message was received at Wed, 29 Aug 2018 14:39:26 +0800 from
113.215.213.214 ----- The following addresses had permanent fatal errors ----- keycloak-user at lists.jboss.org -------------- next part -------------- A non-text attachment was scrubbed... Name: text.zip Type: application/octet-stream Size: 28978 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180829/4cc8e954/attachment-0001.obj From triveni.chegireddy at tcs.com Wed Aug 29 03:24:23 2018 From: triveni.chegireddy at tcs.com (Triveni Chegireddy) Date: Wed, 29 Aug 2018 12:54:23 +0530 Subject: [keycloak-user] Fw: Single Logout not working with multiple applications Message-ID: Regards Triveni Chegireddy Tata Consultancy Services Limited Mailto: triveni.chegireddy at tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ ----- Forwarded by Triveni Chegireddy/LATAM/TCS on 08/29/2018 12:58 PM ----- From: Triveni Chegireddy/LATAM/TCS To: keycloak-user at lists.jboss.org Date: 08/29/2018 12:31 PM Subject: Single Logout not working with multiple applications Hi, I am securing many tools using Keycloak for Single sign on and Single Logout. We are securing tools like Jira, Confluence using Miniorange plugin. We have few Spring boot applications which are to be secured. They are secured using Spring Boot with KeycloakWebSecurityConfigurerAdapter. Single Sign on is working fine. The landing application is spring boot web application, which is accessed by giving LDAP credentials. From that application, we will be accessing the Jira, Confluence. They are opened without asking me for credentials. But Single Logout is not working. In Spring boot application, on click of Logout, I am calling HttpServletRequest.logout(), which is logging me out of Spring boot application successfully. But the sessions in Jira and Confluence are not killed. 
Similarly once I open the tools from Spring boot application, on logout of any tools both Jira and confluence are logging out using Single Logout but session in Spring boot application is not killed. Could you please help us resolving this issue. Regards Triveni Chegireddy =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you From rafaelweingartner at gmail.com Wed Aug 29 08:42:42 2018 From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=) Date: Wed, 29 Aug 2018 09:42:42 -0300 Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer? In-Reply-To: References: <5bcdc1f7-1a56-6db7-d905-3b621dc50f71@redhat.com> Message-ID: Thanks! The problem was caused by firewalld blocking Multicast traffic. On Fri, Aug 24, 2018 at 7:28 AM, Sebastian Laskawiec wrote: > Great write-up! Bookmarked! > > On Thu, Aug 23, 2018 at 4:36 PM Bela Ban wrote: > >> Have you checked >> https://github.com/belaban/workshop/blob/master/slides/ >> admin.adoc#problem-1-members-don-t-find-each-other? >> >> On 23/08/18 13:53, Sebastian Laskawiec wrote: >> > +Bela Ban >> > >> > As I expected, the cluster doesn't form. >> > >> > I'm not sure where and why those UDP discovery packets are rejected. I >> > just stumbled upon this thread [1], which you may find useful. Maybe >> > Bela will also have an idea what's going on there. >> > >> > If you won't manage to get UDP working, you can always fall back into >> > TCP (and MPING). 
>> >
>> > [1] https://serverfault.com/questions/211482/tools-to-test-multicast-routing
>> >
>> > On Thu, Aug 23, 2018 at 1:26 PM Rafael Weingärtner wrote:
>> >
>> >     Thanks for the reply Sebastian!
>> >
>> >         Note, that IP Multicasting is disabled in many data centers (I
>> >         have never found out why they do it, but I've seen it many, many
>> >         times). So make sure your cluster forms correctly (just grep
>> >         logs and look for "view").
>> >
>> >     I thought about that. Then, I used tcpdump, and I can see the
>> >     multicast packets from both Keycloak replicas. However, it seems
>> >     that these packets are being ignored.
>> >
>> >         root@Keycloak01:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
>> >         tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> >         listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> >         11:13:36.540080 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
>> >         11:13:41.288449 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
>> >         11:13:46.342606 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
>> >
>> >         root@keycloak02:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
>> >         tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> >         listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>> >         11:12:14.218317 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
>> >         11:12:23.146798 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
>> >         11:12:27.201888 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
>> >
>> >     Here go the log entries. I filtered by "view". This is from Keycloak01.
>> >
>> >         11:16:57,896 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
>> >         11:16:57,896 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
>> >         11:16:57,897 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
>> >         11:16:57,898 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
>> >         11:16:57,962 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak01|0] (1) [keycloak01]
>> >
>> >     I expected it to be only one. I mean, I first started Keycloak01,
>> >     and just then Keycloak02. Next, we have the logs from Keycloak02.
>> >
>> >         11:17:34,950 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>> >         11:17:34,952 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>> >         11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>> >         11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>> >         11:17:35,052 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>> >
>> >     They are similar. It seems that both applications are not seeing
>> >     each other. At first, I thought that the problem was caused by the
>> >     "owners=1" configuration (the lack of data synchronization between
>> >     replicas). I then changed it to "owners=2", but still, if I log in
>> >     on Keycloak01 and then force my request to go to Keycloak02, my
>> >     session is not there, and I am requested to log in again.
>> >
>> >     Do you need some other log entries or configuration files?
>> >
>> >     Again, thanks for your reply and help!
>> >
>> >     On Thu, Aug 23, 2018 at 5:24 AM, Sebastian Laskawiec wrote:
>> >
>> >         On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner wrote:
>> >
>> >             Hello Keycloakers,
>> >
>> >             I have some doubts regarding Keycloak and load balancers. I set up two
>> >             keycloak replicas to provide HA. To start them I am using "./standalone.sh
>> >             --server-config=standalone-ha.xml". I am assuming that they will use
>> >             multicast to replicate information between nodes, right?
>> >
>> >         That is correct. It uses PING protocol, which in turn uses IP
>> >         Multicasting for discovery.
>> >
>> >         Note, that IP Multicasting is disabled in many data centers (I
>> >         have never found out why they do it, but I've seen it many, many
>> >         times). So make sure your cluster forms correctly (just grep
>> >         logs and look for "view").
>> >
>> >             Then, I set up a load balancer layer using Apache HTTPD and AJP connector
>> >             via 8009 port. To make everything work I needed to use sticky session;
>> >             otherwise, the login would never happen. I am fine with the sticky session,
>> >             however, if I stop one of the replicas where the user is logged in, when
>> >             the user accesses Keycloak again, he/she is asked to present the credentials
>> >             as if he/she was not logged in the other Keycloak replica. Is that the
>> >             expected behavior?
>> >
>> >         My intuition tells me that your cluster didn't form correctly
>> >         (as I mentioned before, grep the logs and look for "view"
>> >         generated by JGroups). Therefore, if you enable sticky session,
>> >         all your requests get to the same Keycloak instance, which has
>> >         everything in the local cache. That's why it works fine.
>> >
>> >             Is there some troubleshooting or test that I can perform to check if
>> >             replication is being executed?
>> >
>> >         Let's start with investigating the logs. Later on we can check JMX.
>> >
>> >             --
>> >             Rafael Weingärtner
>> >             _______________________________________________
>> >             keycloak-user mailing list
>> >             keycloak-user at lists.jboss.org
>> >             https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >     --
>> >     Rafael Weingärtner
>> >
>>
>> --
>> Bela Ban | http://www.jgroups.org
>>

--
Rafael Weingärtner

From rafaelweingartner at gmail.com Wed Aug 29 09:26:46 2018
From: rafaelweingartner at gmail.com (=?UTF-8?Q?Rafael_Weing=C3=A4rtner?=)
Date: Wed, 29 Aug 2018 10:26:46 -0300
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To:
References: <5bcdc1f7-1a56-6db7-d905-3b621dc50f71@redhat.com>
Message-ID:

I think I will need a little bit of your wisdom again. I am now seeing the
cluster between my Keycloak replicas being created:

> 13:03:03,800 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak01, physical addresses are [192.168.1.58:55200]
> 13:03:03,801 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|1] (2) [keycloak02, keycloak01]

The problem is that when I shut down one of them, a logged-in user will
receive the following message:

> An internal server error has occurred

Then, in the log files I see the following:

> 13:18:04,149 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-24) ISPN000136: Error executing command GetKeyValueCommand, writing keys []: org.infinispan.util.concurrent.TimeoutException: Replication timeout
>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$1(JGroupsTransport.java:639)
> 13:18:15,262 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (expiration-thread--p22-t1) ISPN000136: Error executing command RemoveExpiredCommand, writing keys [468d1940-7293-4824-9e86-4aece6cd6744]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for keycloak02

I would say that this is expected as the node is down. However, it should
not be a problem for the whole system. My replication settings are the
following:

>
>
>
>
>
>
>

Do I need to change something else?

On Wed, Aug 29, 2018 at 9:51 AM, Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:

> Ah no problem. It was my fault. I forgot to start debugging from the
> ground up (connectivity, firewalls, applications and so on).
>
> On Wed, Aug 29, 2018 at 9:49 AM, Bela Ban wrote:
>
>> Excellent! Unfortunately, JGroups cannot detect this...
>>
>> On 29/08/18 14:42, Rafael Weingärtner wrote:
>>
>>> Thanks!
>>> The problem was caused by firewalld blocking Multicast traffic.
>>>
>>> On Fri, Aug 24, 2018 at 7:28 AM, Sebastian Laskawiec <slaskawi at redhat.com> wrote:
>>>
>>>     Great write-up! Bookmarked!
>>>
>>>     On Thu, Aug 23, 2018 at 4:36 PM Bela Ban wrote:
>>>
>>>         Have you checked
>>>         https://github.com/belaban/workshop/blob/master/slides/admin.adoc#problem-1-members-don-t-find-each-other ?
>>>
>>>         On 23/08/18 13:53, Sebastian Laskawiec wrote:
>>> > +Bela Ban
>>> >
>>> > As I expected, the cluster doesn't form.
>>> >
>>> > I'm not sure where and why those UDP discovery packets are rejected. I
>>> > just stumbled upon this thread [1], which you may find useful. Maybe
>>> > Bela will also have an idea what's going on there.
>>> >
>>> > If you won't manage to get UDP working, you can always fall back into
>>> > TCP (and MPING).
>>> >
>>> > [1] https://serverfault.com/questions/211482/tools-to-test-multicast-routing
>>> >
>>> > On Thu, Aug 23, 2018 at 1:26 PM Rafael Weingärtner wrote:
>>> >
>>> >     Thanks for the reply Sebastian!
>>> > >>> > >>> > Note, that IP Multicasting is disabled in many data >>> centers (I >>> > have never found out why they do it, but I've seen it >>> many, many >>> > times). So make sure your cluster forms correctly >>> (just grep >>> > logs and look for "view"). >>> > >>> > >>> > I thought about that. Then, I used tcpdump, and I can see >>> the >>> > multicast packets from both Keycloak replicas. However, >>> it seems >>> > that these packets are being ignored. >>> > >>> > root at Keycloak01:/# tcpdump -i eth0 port 7600 or port >>> 55200 or >>> > port 45700 or port 45688 or port 23364 or port 4712 >>> or port 4713 >>> > tcpdump: verbose output suppressed, use -v or -vv for >>> full >>> > protocol decode >>> > listening on eth0, link-type EN10MB (Ethernet), >>> capture size >>> > 262144 bytes >>> > 11:13:36.540080 IP keycloak02.local.55200 > >>> 230.0.0.4.45688: >>> > UDP, length 83 >>> > 11:13:41.288449 IP keycloak02.local.55200 > >>> 230.0.0.4.45688: >>> > UDP, length 83 >>> > 11:13:46.342606 IP keycloak02.local.55200 > >>> 230.0.0.4.45688: >>> > UDP, length 83 >>> > >>> > >>> > root at keycloak02:/# tcpdump -i eth0 port 7600 or port >>> 55200 or >>> > port 45700 or port 45688 or port 23364 or port 4712 >>> or port 4713 >>> > tcpdump: verbose output suppressed, use -v or -vv for >>> full >>> > protocol decode >>> > listening on eth0, link-type EN10MB (Ethernet), >>> capture size >>> > 262144 bytes >>> > 11:12:14.218317 IP Keycloak01.local.55200 > >>> 230.0.0.4.45688: >>> > UDP, length 83 >>> > 11:12:23.146798 IP Keycloak01.local.55200 > >>> 230.0.0.4.45688: >>> > UDP, length 83 >>> > 11:12:27.201888 IP Keycloak01.local.55200 > >>> 230.0.0.4.45688: >>> > UDP, length 83 >>> > >>> > >>> > >>> > Here go the log entries. I filtered by ?view?. This is >>> from Keycloak01. 
>>> > >>> > ^[[0m^[[0m11:16:57,896 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-4) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>> > ^[[0m^[[0m11:16:57,896 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-2) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>> > ^[[0m^[[0m11:16:57,897 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-1) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>> > ^[[0m^[[0m11:16:57,898 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-3) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>> > ^[[0m^[[0m11:16:57,962 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-1) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>> > >>> > >>> > I expected it to be only one. I mean, I first started >>> Keycloak01, >>> > and just then Keycloak02. Next, we have the logs from >>> Keycloak02. 
>>> > >>> > ^[[0m^[[0m11:17:34,950 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-3) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak02|0] (1) [keycloak02] >>> > ^[[0m^[[0m11:17:34,952 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-4) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak02|0] (1) [keycloak02] >>> > ^[[0m^[[0m11:17:34,957 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-1) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak02|0] (1) [keycloak02] >>> > ^[[0m^[[0m11:17:34,957 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-2) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak02|0] (1) [keycloak02] >>> > ^[[0m^[[0m11:17:35,052 INFO >>> > [org.infinispan.remoting.tran >>> sport.jgroups.JGroupsTransport] >>> > (MSC service thread 1-1) ISPN000094: Received new >>> cluster view >>> > for channel ejb: [keycloak02|0] (1) [keycloak02 >>> > >>> > >>> > They are similar. It seems that both applications are not >>> seeing >>> > each other. At first, I thought that the problem was >>> caused by >>> > ?owners=1? configuration (the lack of data >>> synchronization between >>> > replicas). I then changed it to ?owners=2?, but still, if >>> I log in >>> > the Keycloak01 and then force my request to go two >>> Keycloak02, my >>> > session is not there, and I am requested to log in again. >>> > >>> > Do you need some other log entries or configuration files? >>> > >>> > Again, thanks for your reply and help! 
>>> >
>>> > On Thu, Aug 23, 2018 at 5:24 AM, Sebastian Laskawiec wrote:
>>> >
>>> >     On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner wrote:
>>> >
>>> >         Hello Keycloakers,
>>> >
>>> >         I have some doubts regarding Keycloak and load balancers. I set up two keycloak replicas to provide HA. To start them I am using "./standalone.sh --server-config=standalone-ha.xml". I am assuming that they will use multicast to replicate information between nodes, right?
>>> >
>>> >     That is correct. It uses the PING protocol, which in turn uses IP Multicasting for discovery.
>>> >
>>> >     Note that IP Multicasting is disabled in many data centers (I have never found out why they do it, but I've seen it many, many times). So make sure your cluster forms correctly (just grep the logs and look for "view").
>>> >
>>> >         Then, I set up a load balancer layer using Apache HTTPD and the AJP connector via port 8009. To make everything work I needed to use sticky sessions; otherwise, the login would never happen. I am fine with the sticky session, however, if I stop one of the replicas where the user is logged in, when the user accesses Keycloak again, he/she is asked to present the credentials as if he/she was not logged in on the other Keycloak replica. Is that the expected behavior?
>>> >
>>> >     My intuition tells me that your cluster didn't form correctly (as I mentioned before, grep the logs and look for "view" generated by JGroups). Therefore, if you enable sticky sessions, all your requests get to the same Keycloak instance, which has everything in the local cache. That's why it works fine.
>>> >
>>> >         Is there some troubleshooting or test that I can perform to check if replication is being executed?
>>> >
>>> >     Let's start with investigating the logs. Later on we can check JMX.
>>> >
>>> >         --
>>> >         Rafael Weingärtner
>>> >         _______________________________________________
>>> >         keycloak-user mailing list
>>> >         keycloak-user at lists.jboss.org
>>> >         https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> > --
>>> > Rafael Weingärtner
>>>
>>> --
>>> Bela Ban | http://www.jgroups.org
>>>
>>> --
>>> Rafael Weingärtner
>>
>> --
>> Bela Ban | http://www.jgroups.org
>
> --
> Rafael Weingärtner

--
Rafael Weingärtner

From Andrew.Schaar at bluestembrands.com Wed Aug 29 10:37:04 2018
From: Andrew.Schaar at bluestembrands.com (Schaar, Andrew)
Date: Wed, 29 Aug 2018 14:37:04 +0000
Subject: [keycloak-user] Authenticator SPI dependencies NoClassDefFoundError
Message-ID:

Hello,

I have a custom Authenticator SPI where we are trying to extend AbstractIdpAuthenticator.java with our own authenticate implementations. I am putting the jar in /standalone/deployments as per https://www.keycloak.org/docs/latest/server_development/index.html#using-the-keycloak-deployer

When the provider is called, we get a NoClassDefFoundError for AbstractIdpAuthenticator. It seems classes from the keycloak-services dependency are not available to this jar. Why might that be the case?

13:58:16,447 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-13) Uncaught server error: java.lang.NoClassDefFoundError: Failed to link com/bsb/user/authenticator/BsbAuthenticator (Module "deployment.bsb-user-authenticator-spi-0.1.0-dev.10.uncommitted+bsb-user-authentication-spi.2a2cc9d.jar" from Service Module Loader): org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:77) at org.jboss.modules.Module.loadModuleClass(Module.java:713) at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116) at com.bsb.user.authenticator.BsbAuthenticatorFactory.create(BsbAuthenticatorFactory.java:27) at com.bsb.user.authenticator.BsbAuthenticatorFactory.create(BsbAuthenticatorFactory.java:16) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:164) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:127) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853) at 
org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:286) at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:753) at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:669) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at 
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

Thanks!
Andy

From David.Erie at datapath.com Wed Aug 29 11:47:03 2018
From: David.Erie at datapath.com (David Erie (US))
Date: Wed, 29 Aug 2018 15:47:03 +0000
Subject: [keycloak-user] Question about RPT requests for all permissions on multiple clients
Message-ID:

Hello,

We're excited to be integrating Keycloak into our application suite, and I have some authorization questions I haven't been able to answer myself.

We have an unusual Single Page Application (SPA) architecture where our web server and our "data" server are separate processes. Further, we don't own the web server source code. Consequently, the SPA code running in the browser will need to perform fine-grained permission enforcement on its own.
I believe we can do this by sending the following type of request to get an RPT with all allowed permissions on the given resource server (I tested this and it works as expected):

curl -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Bearer ${access_token}" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "client_id=${web_client_id}" \
  --data "audience=${resource_server_client_id}"

We would actually need to send two of these requests, one with the "web" resource server client ID, and the other with the "data" resource server client ID, because they would each own a set of resources that are accessed and whose permissions are enforced in the SPA.

Is this the recommended way to approach this problem?

Will this approach be supported in the long term (versus being deprecated for some reason related to the UMA 2.0 spec)?

Finally, what is the limit on the length of or number of permissions in an RPT?

Thank you,
Dave

From psilva at redhat.com Wed Aug 29 12:32:35 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 29 Aug 2018 13:32:35 -0300
Subject: [keycloak-user] Question about RPT requests for all permissions on multiple clients
In-Reply-To:
References:
Message-ID:

On Wed, Aug 29, 2018 at 12:47 PM, David Erie (US) wrote:

> Hello,
> We're excited to be integrating Keycloak into our application suite, and I have some authorization questions I haven't been able to answer myself.
>
> We have an unusual Single Page Application (SPA) architecture where our web server and our "data" server are separate processes. Further, we don't own the web server source code. Consequently, the SPA code running in the browser will need to perform fine-grained permission enforcement on its own.
>
> I believe we can do this by sending the following type of request to get an RPT with all allowed permissions on the given resource server (I tested this and it works as expected):
>
> curl -X POST \
>   http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
>   -H "Authorization: Bearer ${access_token}" \
>   --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
>   --data "client_id=${web_client_id}" \
>   --data "audience=${resource_server_client_id}"
>
> We would actually need to send two of these requests, one with the "web" resource server client ID, and the other with the "data" resource server client ID, because they would each own a set of resources that are accessed and whose permissions are enforced in the SPA.
>
> Is this the recommended way to approach this problem?

This approach is fine depending on how many resources you have managed by Keycloak. As you know, you are basically checking permissions for all resources ...

Another way to achieve this is asking for specific permissions and obtaining others on demand. For instance, if the SPA right after login requires A, B and C, you can send a request asking permissions for only these resources. Later, you can send the previous token with permissions for A, B and C and ask for additional permissions for D, E and F. This is what we call incremental authorization.

Would be nice if we could have a simple flag in the resource page to define the resources we want to return by default (instead of all of them).

> Will this approach be supported in the long term (versus being deprecated for some reason related to the UMA 2.0 spec)?

Yes.

> Finally, what is the limit on the length of or number of permissions in an RPT?

No limit. But your clients can send a response_permissions_limit [1] parameter to define how many permissions you expect in the token.
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

> Thank you,
> Dave
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From eric.wittmann at redhat.com Wed Aug 29 13:06:28 2018
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Wed, 29 Aug 2018 13:06:28 -0400
Subject: [keycloak-user] How to delete a federated identity?
Message-ID:

Apicurio uses Keycloak to support Account Linking with GitHub, GitLab, and Bitbucket. Creating a link works well, but deleting the link does not. It's been a while since I've checked for this functionality - but is there an API call in KC 4.x that Apicurio can use to delete the linked account for an authenticated user?

Previously I was trying to use this:

/auth/realms/apicurio/account/federated-identity-update?action=REMOVE&provider_id=gitlab

But I don't think this ever worked, and it's definitely returning a 404 now.

In a related followup question - in Keycloak 4.3.0 (most recent testing) if I delete the linked account record in Apicurio, I cannot re-create it. When I try, the result is a PK violation in the Keycloak database. I can work around this problem only by logging into Keycloak and deleting the "Identity Provider Link" in Manage->Users.
The URL Apicurio uses when initiating an account link is:

/auth/realms/apicurio/broker/gitlab/link?nonce=abc&hash=xyz&client_id=apicurio-studio&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fstudio%2Fsettings%2Faccounts%2FGitLab%2Fcreated

If the user already has an identity provider link for "gitlab" then the result is:

Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "PRIMARY_KEY_40 ON PUBLIC.FEDERATED_IDENTITY(IDENTITY_PROVIDER, USER_ID) VALUES ('gitlab', 'c0e35a37-ad19-49d1-a030-42ac1a1b1dae', 3)"; SQL statement:
insert into FEDERATED_IDENTITY (REALM_ID, TOKEN, FEDERATED_USER_ID, FEDERATED_USERNAME, IDENTITY_PROVIDER, USER_ID) values (?, ?, ?, ?, ?, ?) [23505-193]
	at org.h2.message.DbException.getJdbcSQLException(DbException.java:345)
	at org.h2.message.DbException.get(DbException.java:179)
	at org.h2.message.DbException.get(DbException.java:155)
	at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:103)
	at org.h2.mvstore.db.MVSecondaryIndex.checkUnique(MVSecondaryIndex.java:231)
	at org.h2.mvstore.db.MVSecondaryIndex.add(MVSecondaryIndex.java:190)
	at org.h2.mvstore.db.MVTable.addRow(MVTable.java:704)
	at org.h2.command.dml.Insert.insertRows(Insert.java:156)
	at org.h2.command.dml.Insert.update(Insert.java:114)
	at org.h2.command.CommandContainer.update(CommandContainer.java:98)
	at org.h2.command.Command.executeUpdate(Command.java:258)
	at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:160)
	at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:146)
	at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate(WrappedPreparedStatement.java:537)
	at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate(ResultSetReturnImpl.java:204)
	... 82 more

Seeking help on both issues. I'm likely just doing the wrong thing.
:)

From serialoverflow at gmail.com Wed Aug 29 17:13:15 2018
From: serialoverflow at gmail.com (Max Demian)
Date: Wed, 29 Aug 2018 23:13:15 +0200
Subject: [keycloak-user] Tracking/auditing login events for GDPR compliance with Keycloak APIs?
Message-ID:

Hey everyone,

we have been happily using Keycloak to secure our recently developed applications. One of those applications requires users to give an informed consent when first logging in by marking a checkbox on the Keycloak login page. To comply with the EU general data protection regulation, we need to track and archive those events. We are contemplating doing that from within Keycloak as the login event system and provider APIs seemingly give us everything we need. But before we commit to that, I would love the opinion of people better versed in the internal Keycloak APIs, databases and when to use them.

Here is what we need to do:
For every initial login event (i.e. when the user's identity is first linked via our custom User Storage Federation Provider), we would have to store the following information:
* The time of the event
* The username
* Ideally: custom information from the Keycloak login page, e.g. the url and/or hash of the consent document the user just read and accepted

Here is what we already have:
* a custom Keycloak login theme
* a custom User Storage Federation provider

We are currently using the federation provider to send the event to an external service but if we can cover this use case with Keycloak internal APIs and databases, we would happily do so because we are moving towards Keycloak as our central IDP. The reason we are using an external service right now is because there we have full control. For instance, a likely future functionality is querying the API if the user in question has already given his consent for a given document.

Thanks for your time!
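Returning to the RPT exchange between David Erie and Pedro Igor Silva above (the uma-ticket grant with an audience, then incremental authorization by sending the previous RPT back together with only the permissions still missing, with response_permissions_limit capping the result), the following is an added example that is not code from the thread or from Keycloak. It builds the two request bodies, decodes the authorization.permissions claim of the returned RPT into an index the SPA can gate its UI on, and computes which permissions to ask for in the next round. The endpoint path, the client id "spa", the resource names and ids and SAMPLE_RPT itself are constructed for the example. The RPT is deliberately not signature-checked here: a browser cannot protect anything by verifying its own token, so the index only decides what the SPA shows, and the web and data resource servers still have to validate the RPT on every call.

```javascript
// Added example, not code from the thread or from Keycloak: the two request
// shapes Pedro describes (all permissions for an audience, then incremental
// authorization with the previous RPT) and client-side evaluation of the RPT.
// Assumed/constructed: the endpoint path, client id "spa", resource names and
// ids, and SAMPLE_RPT itself.
const UMA_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket';

function tokenEndpoint(baseUrl, realm) {
  return `${baseUrl}/auth/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
}

// Form body for one RPT request. No `permissions` = "everything I hold on
// `audience`"; `rpt` = keep the grants already in that token and add to them
// (incremental authorization); `limit` maps to response_permissions_limit.
function buildRptRequest({ clientId, audience, permissions = [], rpt, limit }) {
  const body = new URLSearchParams();
  body.set('grant_type', UMA_GRANT);
  body.set('client_id', clientId);
  body.set('audience', audience);
  for (const p of permissions) body.append('permission', p); // "resource" or "resource#scope"
  if (rpt) body.set('rpt', rpt);
  if (limit !== undefined) body.set('response_permissions_limit', String(limit));
  return body;
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return typeof Buffer !== 'undefined' ? Buffer.from(b64, 'base64').toString('utf8') : atob(b64);
}

function base64UrlEncode(s) {
  const b64 = typeof Buffer !== 'undefined' ? Buffer.from(s, 'utf8').toString('base64') : btoa(s);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Turn the RPT's authorization.permissions claim into resource -> Set(scopes).
// Deliberately no signature check: a browser cannot protect anything by
// verifying its own token, so this index only drives what the SPA shows. The
// web and data resource servers must validate the RPT on every request.
function indexRptPermissions(rpt) {
  const parts = rpt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  const index = new Map();
  for (const p of (claims.authorization && claims.authorization.permissions) || []) {
    const name = p.rsname || p.rsid;
    if (!index.has(name)) index.set(name, new Set());
    for (const s of p.scopes || []) index.get(name).add(s);
  }
  return { claims, index };
}

function isExpired(claims, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof claims.exp !== 'number' || claims.exp <= nowSeconds;
}

// scope undefined = "any access to the resource at all".
function isGranted(index, resource, scope) {
  const scopes = index.get(resource);
  if (!scopes) return false;
  return scope === undefined || scopes.has(scope);
}

// Permissions ("resource" or "resource#scope") a screen needs that the current
// RPT lacks; pass the result as `permissions` of the next incremental request.
function missingPermissions(index, required) {
  return required.filter((req) => {
    const [resource, scope] = req.split('#');
    return !isGranted(index, resource, scope);
  });
}

// Constructed sample RPT with a placeholder signature so the example runs offline.
const SAMPLE_CLAIMS = {
  exp: 4102444800, // 2100-01-01, keeps the sample valid
  aud: 'data-server',
  authorization: {
    permissions: [
      { rsid: '0f1e2d3c-0000-4000-8000-000000000001', rsname: 'Report A', scopes: ['view', 'export'] },
      { rsid: '0f1e2d3c-0000-4000-8000-000000000002', rsname: 'Report B', scopes: ['view'] },
    ],
  },
};
const SAMPLE_RPT = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify(SAMPLE_CLAIMS)),
  'placeholder-signature',
].join('.');

// Round trip: decode the RPT, find what a screen still lacks, build the follow-up.
function demo() {
  const { claims, index } = indexRptPermissions(SAMPLE_RPT);
  if (isExpired(claims)) throw new Error('RPT expired, re-authorize first');
  const needed = ['Report A#view', 'Report B#export', 'Report C#view'];
  const followUp = buildRptRequest({
    clientId: 'spa', audience: 'data-server',
    permissions: missingPermissions(index, needed), rpt: SAMPLE_RPT, limit: 50,
  });
  return followUp.toString();
}
console.log(tokenEndpoint('https://sso.example.org', 'demo'), demo());
```

With two resource servers, as in David's setup, the SPA keeps one index per audience and sends the follow-up request to the token endpoint with that audience; the `rpt` parameter carries the previous token for that same audience, which is what makes the request incremental rather than a fresh "everything" evaluation.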
From oneal.kevin at gmail.com Wed Aug 29 21:07:08 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Wed, 29 Aug 2018 20:07:08 -0500
Subject: [keycloak-user] Strange Redirect Behavior When Upgrading to Version 2
Message-ID:

I've finally got around to upgrading my keycloak server. Everything seems to be working correctly until I try and view Users in the management portal. When I try and view a user, it opens the right page but then immediately redirects to a brute-force url. However, I do not have attack-detection turned on. Any idea what configurations I have incorrect?

Keycloak v 2.3.0.Final

http://localhost:8070/auth/admin/realms/External/attack-detection/brute-force/usernames/10052

23:33:44,681 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 52) WFLYUT0021: Registered web context: /auth
23:33:44,703 INFO [org.jboss.as.server] (ServerService Thread Pool -- 47) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war")
23:33:44,763 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://172.27.0.4:9990/management
23:33:44,763 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://172.27.0.4:9990
23:33:44,763 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 2.3.0.Final (WildFly Core 2.0.10.Final) started in 13304ms - Started 425 of 801 services (542 services are lazy, passive or on-demand)
23:34:24,425 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-29) RESTEASY002010: Failed to execute: javax.ws.rs.NotFoundException: RESTEASY003210: Could not find resource for full path: http://localhost:8070/auth/admin/realms/External/attack-detection/brute-force/usernames/10052
	at org.jboss.resteasy.core.registry.SegmentNode.match(SegmentNode.java:114)
	at org.jboss.resteasy.core.registry.RootNode.match(RootNode.java:43)
	at org.jboss.resteasy.core.LocatorRegistry.getResourceInvoker(LocatorRegistry.java:79)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:129)

From dt at acutus.pro Wed Aug 29 21:41:07 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 30 Aug 2018 04:41:07 +0300
Subject: [keycloak-user] Keycloak SAML Invalid response
In-Reply-To:
References:
Message-ID: <1535593267.2110.1.camel@acutus.pro>

Hello Rémi,

Could you please open your client settings in Keycloak and try the following:
- change Name ID format to email;
- under the Mappers tab, add the builtin X500 email mapper;
- under the same tab, create a user property mapper with Property = email, SAML Attribute Name = email and SAML Attribute NameFormat = basic.

Let me know if this helps. If it doesn't, we can examine SAML payloads from the Auth0 exchange and try to understand what's required by Workplace.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-08-28 at 09:14 +0000, Rémi GOYARD wrote:
> Hi All,
>
> I just tried to use the Auth0 service and it worked with Workplace by facebook (following this documentation : https://scontent-cdt1-1.xx.fbcdn.net/v/t39.2365-6/33246377_951880651638808_7491240743177027584_n.pdf?_nc_cat=0&oh=266ec47aacfd6aad53e67d33b4b5a502&oe=5C2DC62A)
>
> It seems that keycloak does not produce a valid response for the email mapping. The above documentation specifies the following configuration steps but I really don't know how to map it in Keycloak:
>
> {
>   "audience": "https://www.facebook.com/company/ID",
>   "recipient": "https://workplace.facebook.com/work/saml.php",
>   "mappings": { "email": "Email" },
>   "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
>   "nameIdentifierProbes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" ]
> }
>
> I think that I need to specify this information:
> "nameIdentifierFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:email",
> "nameIdentifierProbes": [ "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" ],
>
> Does anyone have ideas ?
>
> Regards
>
> Rémi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Thu Aug 30 04:02:34 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 30 Aug 2018 10:02:34 +0200
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To:
References: <5bcdc1f7-1a56-6db7-d905-3b621dc50f71@redhat.com>
Message-ID:

On Wed, Aug 29, 2018 at 3:27 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:

> I think I will need a little bit of your wisdom again.
>
> I am now seeing the cluster between my Keycloak replicas being created:
>
>> 13:03:03,800 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak01, physical addresses are [192.168.1.58:55200]
>> 13:03:03,801 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|1] (2) [keycloak02, keycloak01]
>
> The problem is that when I shut down one of them, a logged-in user will receive the following message:
>
>> An internal server error has occurred
>
> Then, in the log files I see the following:
>
>> 13:18:04,149 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-24) ISPN000136: Error executing command GetKeyValueCommand, writing keys []: org.infinispan.util.concurrent.TimeoutException: Replication timeout
>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$1(JGroupsTransport.java:639)
>> 13:18:15,262 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (expiration-thread--p22-t1) ISPN000136: Error executing command RemoveExpiredCommand, writing keys [468d1940-7293-4824-9e86-4aece6cd6744]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for keycloak02

I see you just killed the node (e.g. kill -9), so that it exited without saying "goodbye". In that case the JGroups FD_* protocols on the other node need to do their work and discover the failure. If you have any commands in flight, they might fail.

I highly encourage you to use a larger cluster (with an odd number of nodes if possible). Having only two nodes can be a bit dangerous. Imagine a partition split; after the split heals, which node is right? Hard to tell...

> I would say that this is expected as the node is down. However, it should not be a problem for the whole system.
>
> My replication settings are the following:
>
>>
>
> Do I need to change something else?

Here's exactly the same problem. With number of owners=2 and 2 nodes, this is essentially a replicated cache (despite some differences in logic). I'd advise using at least 3 nodes (or even better 5).

> On Wed, Aug 29, 2018 at 9:51 AM, Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>
>> Ah no problem. It was my fault. I forgot to start debugging from the ground up (connectivity, firewalls, applications and so on)
>>
>> On Wed, Aug 29, 2018 at 9:49 AM, Bela Ban wrote:
>>
>>> Excellent! Unfortunately, JGroups cannot detect this...
>>>
>>> On 29/08/18 14:42, Rafael Weingärtner wrote:
>>>
>>>> Thanks!
>>>> The problem was caused by firewalld blocking Multicast traffic.
>>>>
>>>> On Fri, Aug 24, 2018 at 7:28 AM, Sebastian Laskawiec <slaskawi at redhat.com> wrote:
>>>>
>>>>     Great write-up! Bookmarked!
>>>>
>>>>     On Thu, Aug 23, 2018 at 4:36 PM Bela Ban wrote:
>>>>
>>>>         Have you checked
>>>>         https://github.com/belaban/workshop/blob/master/slides/admin.adoc#problem-1-members-don-t-find-each-other ?
>>>>
>>>>         On 23/08/18 13:53, Sebastian Laskawiec wrote:
>>>>         > +Bela Ban
>>>>         >
>>>>         > As I expected, the cluster doesn't form.
>>>>         >
>>>>         > I'm not sure where and why those UDP discovery packets are rejected. I just stumbled upon this thread [1], which you may find useful. Maybe Bela will also have an idea what's going on there.
>>>>         >
>>>>         > If you won't manage to get UDP working, you can always fall back to TCP (and MPING).
>>>>         >
>>>>         > [1] https://serverfault.com/questions/211482/tools-to-test-multicast-routing
>>>>         >
>>>>         > On Thu, Aug 23, 2018 at 1:26 PM Rafael Weingärtner wrote:
>>>>         >
>>>>         >     Thanks for the reply Sebastian!
>>>>         >
>>>>         >         Note that IP Multicasting is disabled in many data centers (I have never found out why they do it, but I've seen it many, many times). So make sure your cluster forms correctly (just grep the logs and look for "view").
>>>>         >
>>>>         >     I thought about that. Then, I used tcpdump, and I can see the multicast packets from both Keycloak replicas. However, it seems that these packets are being ignored.
>>>>         >
>>>>         >     root at Keycloak01:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
>>>>         >     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>         >     listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>>         >     11:13:36.540080 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
>>>>         >     11:13:41.288449 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
>>>>         >     11:13:46.342606 IP keycloak02.local.55200 > 230.0.0.4.45688: UDP, length 83
>>>>         >
>>>>         >     root at keycloak02:/# tcpdump -i eth0 port 7600 or port 55200 or port 45700 or port 45688 or port 23364 or port 4712 or port 4713
>>>>         >     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>         >     listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
>>>>         >     11:12:14.218317 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
>>>>         >     11:12:23.146798 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
>>>>         >     11:12:27.201888 IP Keycloak01.local.55200 > 230.0.0.4.45688: UDP, length 83
>>>>         >
>>>>         >     Here go the log entries. I filtered by "view". This is from Keycloak01.
>>>> > >>>> > ^[[0m^[[0m11:16:57,896 INFO >>>> > >>>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >>>> > (MSC service thread 1-4) ISPN000094: Received new >>>> cluster view >>>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>>> > ^[[0m^[[0m11:16:57,896 INFO >>>> > >>>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >>>> > (MSC service thread 1-2) ISPN000094: Received new >>>> cluster view >>>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>>> > ^[[0m^[[0m11:16:57,897 INFO >>>> > >>>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >>>> > (MSC service thread 1-1) ISPN000094: Received new >>>> cluster view >>>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>>> > ^[[0m^[[0m11:16:57,898 INFO >>>> > >>>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >>>> > (MSC service thread 1-3) ISPN000094: Received new >>>> cluster view >>>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>>> > ^[[0m^[[0m11:16:57,962 INFO >>>> > >>>> [org.infinispan.remoting.transport.jgroups.JGroupsTransport] >>>> > (MSC service thread 1-1) ISPN000094: Received new >>>> cluster view >>>> > for channel ejb: [keycloak01|0] (1) [keycloak01] >>>> > >>>> > >>>> > I expected it to be only one. I mean, I first started >>>> Keycloak01, >>>> > and just then Keycloak02. Next, we have the logs from >>>> Keycloak02. 
>>>> >
>>>> > 11:17:34,950 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>>>> > 11:17:34,952 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>>>> > 11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>>>> > 11:17:34,957 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>>>> > 11:17:35,052 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|0] (1) [keycloak02]
>>>> >
>>>> > They are similar. It seems that both applications are not seeing each other. At first, I thought that the problem was caused by the "owners=1" configuration (the lack of data synchronization between replicas). I then changed it to "owners=2", but still, if I log in to Keycloak01 and then force my request to go to Keycloak02, my session is not there, and I am requested to log in again.
>>>> >
>>>> > Do you need some other log entries or configuration files?
>>>> >
>>>> > Again, thanks for your reply and help!
>>>> >
>>>> > On Thu, Aug 23, 2018 at 5:24 AM, Sebastian Laskawiec wrote:
>>>> > >
>>>> > > On Wed, Aug 22, 2018 at 10:24 PM Rafael Weingärtner wrote:
>>>> > >
>>>> > > > Hello Keycloakers,
>>>> > > >
>>>> > > > I have some doubts regarding Keycloak and load balancers. I set up two keycloak replicas to provide HA. To start them I am using "./standalone.sh --server-config=standalone-ha.xml". I am assuming that they will use multicast to replicate information between nodes, right?
>>>> > >
>>>> > > That is correct. It uses PING protocol, which in turn uses IP Multicasting for discovery.
>>>> > >
>>>> > > Note that IP Multicasting is disabled in many data centers (I have never found out why they do it, but I've seen it many, many times). So make sure your cluster forms correctly (just grep logs and look for "view").
>>>> > >
>>>> > > > Then, I set up a load balancer layer using Apache HTTPD and AJP connector via 8009 port. To make everything work I needed to use sticky session; otherwise, the login would never happen. I am fine with the sticky session, however, if I stop one of the replicas where the user is logged in, when the user accesses Keycloak again, he/she is asked to present the credentials as if he/she was not logged in the other Keycloak replica. Is that the expected behavior?
>>>> > >
>>>> > > My intuition tells me that your cluster didn't form correctly (as I mentioned before, grep the logs and look for "view" generated by JGroups). Therefore, if you enable sticky session, all your requests get to the same Keycloak instance, which has everything in the local cache. That's why it works fine.
>>>> > >
>>>> > > > Is there some troubleshooting or test that I can perform to check if replication is being executed?
>>>> > >
>>>> > > Let's start with investigating the logs. Later on we can check JMX.
>>>> > >
>>>> > > > --
>>>> > > > Rafael Weingärtner
>>>> > > > _______________________________________________
>>>> > > > keycloak-user mailing list
>>>> > > > keycloak-user at lists.jboss.org
>>>> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >
>>>> > --
>>>> > Rafael Weingärtner
>>>>
>>>> -- Bela Ban | http://www.jgroups.org
>>>>
>>>> --
>>>> Rafael Weingärtner
>>>
>>> --
>>> Bela Ban | http://www.jgroups.org
>>
>> --
>> Rafael Weingärtner
>
> --
> Rafael Weingärtner

From ronald.demneri at amdtia.com Thu Aug 30 05:27:19 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Thu, 30 Aug 2018 09:27:19 +0000
Subject: [keycloak-user] login via curl
Message-ID:

Greetings everyone,

I am testing the possibility to login via curl to the account client in my test realm and then use the tokens to access another client. I have tried this:

curl -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
-H "cache-control: no-cache" \
-d "grant_type=password&scope=openid&client_id=account&username=test1&password=1234t1" \
"http://keycloak:8080/auth/realms/test /protocol/openid-connect/token" \
-v

But it gives me:

* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 400 Bad Request
< Connection: keep-alive
< Content-Type: application/json
< Content-Length: 91

What am I doing wrong, and apologies if this question has been asked before.

Keycloak version is 4.1.0.Final

Ronald

From erik.g.haugen at gmail.com Thu Aug 30 06:40:24 2018
From: erik.g.haugen at gmail.com (Erik G. Haugen)
Date: Thu, 30 Aug 2018 12:40:24 +0200
Subject: [keycloak-user] authenticate users programmatically with Java
Message-ID:

I see there is an extensive Java API for use with Keycloak, but there is little documentation. How can I authenticate users programmatically with Java? In my Java program, I will have a userid and password. How do I authenticate the user and get a valid token with Java?

Also, is there any documentation for basic usage of the Java API?

Thank you,
Erik

From rafaelweingartner at gmail.com Thu Aug 30 07:02:45 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 30 Aug 2018 08:02:45 -0300
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To:
References: <5bcdc1f7-1a56-6db7-d905-3b621dc50f71@redhat.com>
Message-ID:

Awesome, thanks for the help, Sebastian. I have a question regarding these "owners" numbers. What happens if I set this number to (let's say) 10 and I only spin up 7 nodes? Is it a valid deployment? And, will everything work just fine? Or, would I start to get errors?

On Thu, Aug 30, 2018 at 5:02 AM, Sebastian Laskawiec wrote:

> On Wed, Aug 29, 2018 at 3:27 PM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>
>> I think I will need a little bit of your wisdom again.
>>
>> I am now seeing the cluster between my Keycloak replicas to be created:
>>
>>> 13:03:03,800 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is keycloak01, physical addresses are [192.168.1.58:55200]
>>> 13:03:03,801 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [keycloak02|1] (2) [keycloak02, keycloak01]
>>
>> The problem is that when I shut down one of them, a logged user will receive the following message:
>>
>>> An internal server error has occurred
>>
>> Then, in the log files I see the following:
>>
>>> 13:18:04,149 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-24) ISPN000136: Error executing command GetKeyValueCommand, writing keys []: org.infinispan.util.concurrent.TimeoutException: Replication timeout
>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$1(JGroupsTransport.java:639)
>>> 13:18:15,262 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (expiration-thread--p22-t1) ISPN000136: Error executing command RemoveExpiredCommand, writing keys [468d1940-7293-4824-9e86-4aece6cd6744]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for keycloak02
>>
> I see you just killed the node (e.g. kill -9), so that it exited without saying "goodbye". In that case JGroups FD_* protocols on the other node need to do their work and discover the failure. If you have any commands in flight, they might fail. I highly encourage you to use a larger cluster (with an odd number of nodes if possible). Having only two nodes can be a bit dangerous. Imagine a partition split: after the split heals, which node is right? Hard to tell...
>
>> I would say that this is expected as the node is down. However, it should not be a problem for the whole system.
>>
>> My replication settings are the following:
>>
>>> owners="2"/>
>>> owners="2"/>
>>> owners="2"/>
>>> owners="2"/>
>>> owners="2"/>
>>
>> Do I need to change something else?
>
> Here's exactly the same problem. With number of owners=2 and 2 nodes, this is essentially a replicated cache (despite some differences in logic). I'd advise using at least 3 nodes (or even better 5).
>
>> On Wed, Aug 29, 2018 at 9:51 AM, Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>
>>> Ah no problem. It was my fault. I forgot to start debugging from the ground up (connectivity, firewalls, applications and so on).
>>>
>>> On Wed, Aug 29, 2018 at 9:49 AM, Bela Ban wrote:
>>>
>>>> Excellent! Unfortunately, JGroups cannot detect this...
>>>>
>>>> On 29/08/18 14:42, Rafael Weingärtner wrote:
>>>>
>>>>> Thanks!
>>>>> The problem was caused by firewalld blocking Multicast traffic.
>>>>>
>>>>> On Fri, Aug 24, 2018 at 7:28 AM, Sebastian Laskawiec <slaskawi at redhat.com> wrote:
>>>>>
>>>>> Great write-up! Bookmarked!
>>>>>
>>>>> On Thu, Aug 23, 2018 at 4:36 PM Bela Ban wrote:
>>>>>
>>>>> Have you checked https://github.com/belaban/workshop/blob/master/slides/admin.adoc#problem-1-members-don-t-find-each-other ?
>>>>>
>>>>> On 23/08/18 13:53, Sebastian Laskawiec wrote:
>>>>> > +Bela Ban
>>>>> >
>>>>> > As I expected, the cluster doesn't form.
>>>>> >
>>>>> > I'm not sure where and why those UDP discovery packets are rejected. I just stumbled upon this thread [1], which you may find useful. Maybe Bela will also have an idea what's going on there.
>>>>> >
>>>>> > If you won't manage to get UDP working, you can always fall back into TCP (and MPING).
>>>>> >
>>>>> > [1] https://serverfault.com/questions/211482/tools-to-test-multicast-routing
>>>>> >
>>>>> > On Thu, Aug 23, 2018 at 1:26 PM Rafael Weingärtner wrote:
>>>>> >
>>>>> > Thanks for the reply Sebastian!
>>>>> >
>>>>> > > Note that IP Multicasting is disabled in many data centers (I have never found out why they do it, but I've seen it many, many times). So make sure your cluster forms correctly (just grep logs and look for "view").
>>>>> >
>>>>> > I thought about that. Then, I used tcpdump, and I can see the multicast packets from both Keycloak replicas. However, it seems that these packets are being ignored.
--
Rafael Weingärtner

From rafaelweingartner at gmail.com Thu Aug 30 07:23:25 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Thu, 30 Aug 2018 08:23:25 -0300
Subject: [keycloak-user] Does Keycloak need sticky session at the load balancer?
In-Reply-To: <6bf8a116-1827-d6a7-ef20-b39a64c17dd3@redhat.com>
References: <5bcdc1f7-1a56-6db7-d905-3b621dc50f71@redhat.com> <6bf8a116-1827-d6a7-ef20-b39a64c17dd3@redhat.com>
Message-ID:

Thanks! You guys helped me a lot!

On Thu, Aug 30, 2018 at 8:17 AM, Bela Ban wrote:

> On 30/08/18 13:02, Rafael Weingärtner wrote:
>
>> Awesome, thanks for the help, Sebastian. I have a question regarding these "owners" numbers. What happens if I set this number to (let's say) 10 and I only spin up 7 nodes? Is it a valid deployment? And, will everything work just fine? Or, would I start to get errors?
>
> If numOwners is bigger than the number of members in the cluster, you essentially end up with full replication, where every data item is replicated to all members.
>
> IIRC, Infinispan even checks for this condition and automatically switches to multicasting rather than unicasting as long as the condition holds.
>
> --
> Bela Ban | http://www.jgroups.org

--
Rafael Weingärtner

From oneal.kevin at gmail.com Thu Aug 30 11:26:10 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Thu, 30 Aug 2018 10:26:10 -0500
Subject: [keycloak-user] login via curl
In-Reply-To:
References:
Message-ID:

Try

curl -d "client_id=account" -d "username=test1" -d "password=1234t1" -d "grant_type=password" "http://localhost:8070/auth/realms/test/protocol/openid-connect/token"

On Thu, Aug 30, 2018 at 4:34 AM Ronald Demneri wrote:

> Greetings everyone,
>
> I am testing the possibility to login via curl to the account client in my test realm and then use the tokens to access another client.
> I have tried this:
> curl -X POST \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   -H "cache-control: no-cache" \
>   -d "grant_type=password&scope=openid&client_id=account&username=test1&password=1234t1" \
>   "http://keycloak:8080/auth/realms/test /protocol/openid-connect/token" \
>   -v
>
> But it gives me:
> * upload completely sent off: 81 out of 81 bytes
> < HTTP/1.1 400 Bad Request
> < Connection: keep-alive
> < Content-Type: application/json
> < Content-Length: 91
>
> What am I doing wrong and apologies if this question has been asked before.
>
> Keycloak version is 4.1.0.Final
>
> Ronald
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ronald.demneri at amdtia.com Thu Aug 30 11:35:19 2018 From: ronald.demneri at amdtia.com (Ronald Demneri) Date: Thu, 30 Aug 2018 15:35:19 +0000 Subject: [keycloak-user] login via curl In-Reply-To: References: , Message-ID: Yeah, tried that as well, same result. Any other ideas? Thanks in advance, Ronald Sent from my HTC ----- Reply message ----- From: "KevinO" To: "Ronald Demneri" Cc: "keycloak-user at lists.jboss.org" Subject: [keycloak-user] login via curl Date: Thu, Aug 30, 2018 17:26 Try curl -d "client_id=account" -d "username=test1" -d "password=1234t1" -d "grant_type=password" "http://localhost:8070/auth/realms/test/protocol/openid-connect/token" On Thu, Aug 30, 2018 at 4:34 AM Ronald Demneri > wrote: Greetings everyone, I am testing the possibility to login via curl to the account client in my test realm and then use the tokens to access another client.
I have tried this:
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "cache-control: no-cache" \
  -d "grant_type=password&scope=openid&client_id=account&username=test1&password=1234t1" \
  "http://keycloak:8080/auth/realms/test /protocol/openid-connect/token" \
  -v
But it gives me:
* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 400 Bad Request
< Connection: keep-alive
< Content-Type: application/json
< Content-Length: 91
What am I doing wrong and apologies if this question has been asked before. Keycloak version is 4.1.0.Final Ronald _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From patrick.bucher at peax.ch Thu Aug 30 11:35:25 2018 From: patrick.bucher at peax.ch (Patrick Bucher) Date: Thu, 30 Aug 2018 15:35:25 +0000 Subject: [keycloak-user] Differentiate Login Error for Disabled Account (Version 3.4.3 Final) Message-ID: When a disabled user tries to login, he gets an error 400 Bad Request (error: "invalid_grant", error_description: "Account disabled"). However, in my project, there are multiple reasons for a user to be disabled, which are distinguishable by certain attributes I set to the user. My goal is to create a Keycloak extension to customize the response based on those attributes, so that a different error message can be shown to the user. Providing a different value error_description would be a solution. My question is: Is it possible to intercept that error message before it is sent to the client, and if so, what kind of SPI do I need to write to handle that? I am using Keycloak version 3.4.3 Final.
Regards, Patrick Bucher From oneal.kevin at gmail.com Thu Aug 30 11:51:01 2018 From: oneal.kevin at gmail.com (KevinO) Date: Thu, 30 Aug 2018 10:51:01 -0500 Subject: [keycloak-user] login via curl In-Reply-To: References: Message-ID: Whenever I run curl -v -d "client_id=amin-cli" -d "username=admin" -d "password=keycloak" -d "grant_type=password" "http://localhost:8070/auth/realms/External/protocol/openid-connect/token" if something is incorrect, I get a message like {"error":"invalid_grant","error_description":"Invalid user credentials"} Are you getting any json response? What does the log say? On Thu, Aug 30, 2018 at 10:35 AM Ronald Demneri wrote: > Yeah, tried that as well, same result. Any other ideas? > > Thanks in advance, > Ronald > > Sent from my HTC > > ----- Reply message ----- > From: "KevinO" > To: "Ronald Demneri" > Cc: "keycloak-user at lists.jboss.org" > Subject: [keycloak-user] login via curl > Date: Thu, Aug 30, 2018 17:26 > > Try > > curl -d "client_id=account" -d "username=test1" -d "password=1234t1" -d > "grant_type=password" "http://localhost:8070/auth/realms/test/protocol/openid-connect/token" > > > On Thu, Aug 30, 2018 at 4:34 AM Ronald Demneri > wrote: > >> Greetings everyone, >> >> I am testing the possibility to login via curl to the account client in >> my test realm and then use the tokens to access another client. I have >> tried this: >> curl -X POST \ >> -H "Content-Type: application/x-www-form-urlencoded" \ >> -H "cache-control: no-cache" \ >> -d >> "grant_type=password&scope=openid&client_id=account&username=test1&password=1234t1" >> \ >> "http://keycloak:8080/auth/realms/test /protocol/openid-connect/token" \ >> -v >> >> But it gives me: >> * upload completely sent off: 81 out of 81 bytes >> < HTTP/1.1 400 Bad Request >> < Connection: keep-alive >> < Content-Type: application/json >> < Content-Length: 91 >> >> What am I doing wrong and apologies if this question has been asked >> before.
>> >> Keycloak version is 4.1.0.Final >> >> Ronald >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From max.allan+keycloak at surevine.com Thu Aug 30 12:25:35 2018 From: max.allan+keycloak at surevine.com (Max Allan) Date: Thu, 30 Aug 2018 17:25:35 +0100 Subject: [keycloak-user] Optional/Alternative in login flows Message-ID: Hi, I'd like to make a login flow : If the user has TOTP, use it. If the user has no TOTP but SMS, use it instead. If the user has neither use the TOTP normal enrolment to set it up. Setting the SMS execution to optional results in a "missing mobile number" error when I login, rather than skipping the step. Is this a fault in the SMS plugin? Or have I misunderstood the "optional" indicator? (https://github.com/gwallet/keycloak-sms-authenticator) Thanks, Max From sisyphus18 at protonmail.com Thu Aug 30 13:28:21 2018 From: sisyphus18 at protonmail.com (sisyphus18) Date: Thu, 30 Aug 2018 17:28:21 +0000 Subject: [keycloak-user] LOGIN_ERROR invalid_redirect_uri Message-ID: Hello Users, Apologies if this is not the right place to ask a question. I have an issue in configuring KeyCloak...I am getting an error "invalid redirect uri" Here's the log output from the service provider, a local application... 8-08-30 13:19:12.420 INFO --- [nio-8080-exec-2] o.s.security.saml.log.SAMLDefaultLogger : AuthNRequest;SUCCESS;127.0.0.1;[https://*/csi-gu](https://csichargingdev.atos-srv.net/csi-gu) hargedb/;http://localhost:8081/auth/realms/csi_realm_1;;; Here's the log from Keycloak 13:19:13,414 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=csi_realm_1, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri I do not know what value I have to put for redirect URI...I have tried many permutations and combinations. Attached are some screenshots from the Keycloak interface as well. 
Any help will be greatly appreciated. Thanking you. Sent with ProtonMail Secure Email. From clehingue at gmail.com Thu Aug 30 13:34:41 2018 From: clehingue at gmail.com (Christophe Lehingue) Date: Thu, 30 Aug 2018 19:34:41 +0200 Subject: [keycloak-user] Need help : How to configure keycloak client for android / IOS application Message-ID: Hello, How to configure the information for an android client application (as attachment, screenshots) in the keycloak administration environment? What should I put as information in the following areas: - Valid Redirect URIs - Web Origins Is there any other information to inform? Regards, Christophe From Chris.Phillips at canarie.ca Thu Aug 30 12:37:09 2018 From: Chris.Phillips at canarie.ca (Chris Phillips) Date: Thu, 30 Aug 2018 16:37:09 +0000 Subject: [keycloak-user] Can KeyCloak support Multi-lateral SAML federation? Message-ID: <0B5DA61A-359C-4517-89D1-99CE8D74B567@canarie.ca> Hi. I'm going through assessing KeyCloak as being able to be an Identity Provider in a multi-lateral SAML federation context and am seeking insight from the users and devs involved in KeyCloak. For an IdP to be considered interoperable in a multi-lateral SAML trust federation context, IdPs need to be able to do a base set of functions.
These are some of the critical (but not only) ones: * Retrieve, with a configurable frequency (usually hourly), an online metadata aggregate * validate the signature on the aggregate * when signature validity is verified, load all the entities (Identity Providers/Service Providers) to be trusted or used in trust decisions in the Identity Provider. I have not seen this capability in KeyCloak 4.3.0.Final (docker) but could be missing something. Is anyone using KeyCloak in this manner or are there plans for this functionality on KeyCloak's technical roadmap? Some additional items to decorate my ask for information.. To give an idea of scale, the aggregates I want to work with have ~4500 entities with 2800 IdPs and 2100 SPs and need to be refreshed hourly. The list of items important for interoperability can be seen here with the ones I called out above appearing in section 2.2.1: https://kantarainitiative.github.io/SAMLprofiles/fedinterop.html I've searched the keycloak-users list a bit and came across the reference to EntitiesDescriptor which lead me to this issue and code update in KeyCloak: https://issues.jboss.org/browse/KEYCLOAK-4399 which leads me to think that the support for reading in aggregates is not possible and maybe engineered out of the product itself. Am I right in thinking that? Thoughts and insights welcome.. Chris. ___________________________________________________________________________________________ Chris Phillips Technical Architect, Canadian Access Federation, CANARIE| chris.phillips at canarie.ca |GPG: 0x7F6245580380811D From p.wojcieszonek at bosmanager.com Thu Aug 30 16:06:18 2018 From: p.wojcieszonek at bosmanager.com (Piotr Wojcieszonek) Date: Thu, 30 Aug 2018 22:06:18 +0200 Subject: [keycloak-user] TimeoutException: Replication timeout Message-ID: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> Hi, I have problem with standalone cluster.
After cluster start working it begin to print that kind of information to log file: 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] (expiration-thread--p22-t1) ISPN000026: Caught exception purging data container!: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 2018-08-30 22:04:39,966 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) at 
org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) 2018-08-30 22:04:52,605 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1 at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602) at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) at 
org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) And in time it starts to work very slowly. What can be the reason for that? From ntle at castortech.com Thu Aug 30 16:45:24 2018 From: ntle at castortech.com (Nhut Thai Le) Date: Thu, 30 Aug 2018 16:45:24 -0400 Subject: [keycloak-user] cxf filter In-Reply-To: References: <1535407175.4014.3.camel@acutus.pro> Message-ID: Hello, I see the Keycloak client config supports autodetect-bearer-only so what I want is 1. a user tries to go to https://mysite.com/singlePageApp 2. the application is configured to be protected by keycloakOIDCServletFilter (with autodetect-bearer-only=true) so it will redirect user to keycloak login page 3. user enter credential and login 4. KC server authenticates and redirects the user to https://mysite.com/singlePageApp with the KeycloakSecurityContext in the response header 5. once user lands on the singlePageApp, a javascript code on the page send an ajax request to my REST endpoint at https://mysite.com/rest/items with Authorization: bearer $TOKEN (the $TOKEN is extracted form the KeycloakSecurityContext) 6.
the REST endpoint is configured to be protected by JaxrsBearerTokenFilter using the same keycloak.json file which validates the token and will return data if the token is good. What I am missing is how to get the access token out of the KeycloakSecurityContext in step 5 from my javascript. Hope it is clearer than my previous email Thai On Tue, Aug 28, 2018 at 1:34 PM, Nhut Thai Le wrote: > Hi Dmitri, > > About the OIDC Servlet filter, i managed to build an osgi version of it so > i'm ok for now :D > > Regarding the REST service, i think the bearer token is what I want, > however, i'm not sure how the authentication flow works in this case. As I > understand, to use bearer token, i need to create a client in keycloak > server and set access type to bearer-only then when making the rest call, I > need to provide the valid "Authorization: Bearer XXX" header. > > 1. Where do I get this token ? > 2. If the bearer token is valid, does keycloak adapter also put the > KeycloakSecurityContext with the username on the request so that i can > extract it later? > 3. does keycloak have an OSGI jaxrs filter for REST service or I have > to implement my own? (https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#service.jaxrs.extension.services) > > Hope to get some insight > > Thai > > > > On Mon, Aug 27, 2018 at 5:59 PM, Dmitry Telegin
wrote:
>
>> Hello Thai,
>>
>> Seems like you've been watching the OSGification PR attentively :)
>> I'm sorry we didn't make it for Keycloak 4.3.0. Should get included in 4.4.0, hopefully.
>>
>> Just in case anyone else is interested:
>> PR for Keycloak OIDC servlet filter adapter OSGification https://github.com/keycloak/keycloak/pull/5383
>> PR for the docs https://github.com/keycloak/keycloak-documentation/pull/453
>> Built docs: https://keycloak-docs.github.io/deploy-docs-pullrequest/PR/453/securing_apps/index.html#using-on-osgi
>>
>> As for your question, could you please elaborate? What are you trying to achieve? For REST services, you should normally use bearer token authorization. In this mode, the adapter would expect a valid token in "Authorization: Bearer XXX" HTTP header, otherwise it would return HTTP 401. Is this what you're after?
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info at acutus.pro
>>
>> On Mon, 2018-08-27 at 14:52 -0400, Nhut Thai Le wrote:
>> > Hello,
>> >
>> > I have a web app and a REST API running inside an OSGI environment.
>> >
>> > The web app has some servlets registered with the web container (jetty) as OSGI whiteboard services. All of these servlets are configured to be protected (authentication required) by keycloak servlet filter.
>> >
>> > Dictionary<String, Object> props = new Hashtable<>();
>> > props.put("alias", "/whiteboard");
>> > servletReg = context.registerService(Servlet.class, new WhiteboardServlet("/test"), props);
>> >
>> > Dictionary<String, Object> filterProps = new Hashtable<>();
>> > String[] urls = { "/*" }; //$NON-NLS-1$
>> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_NAME, "keycloakFilter");
>> > filterProps.put(HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_PATTERN, urls);
>> > keycloakFilter = context.registerService(Filter.class, new KeycloakOIDCFilter(), filterProps);
>> >
>> > The REST api is hosted by aries-jax-rs-whiteboard.
>> > @Component(
>> >     immediate = true,
>> >     property = JAX_RS_APPLICATION_BASE + "=/rest",
>> >     service = Application.class
>> > )
>> > @Path("/common")
>> > public final class RestAPI extends Application {
>> >     public static final Response EMPTY_RESPONSE =
>> >         Response.noContent().type(MediaType.TEXT_HTML_TYPE).build();
>> >     @Override
>> >     public Set<Object> getSingletons() {
>> >         return Collections.singleton(this);
>> >     }
>> >
>> >     @GET
>> >     @Path("/getObject")
>> >     @Produces(MediaType.APPLICATION_JSON)
>> >     public String getObject() {
>> >         return "Rest call"; //$NON-NLS-1$
>> >     }
>> > }
>> >
>> > The web app has some JS code executed on user browser that make an ajax call to the REST service above. Since this call happen after user has been authenticated with keycloak and originate from the same browser session, I assume the ajax request also contains KeycloakSecurityContext. Thus this call should be allowed to reach the REST service. What I want is to register a filter (ContainerRequestFilter) to deny access to the REST service if user has not been authenticated. Is there an existing implementation of ContainerRequestFilter by keycloak that can do this?
>> >
>> >
>> > Thai
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
> --
> Castor Technologies Inc
> 460 rue St-Catherine St Ouest, Suite 613
> Montréal, Québec H3B-1A7
> (514) 360-7208 o
> (514) 798-2044 f
> ntle at castortech.com
> www.castortech.com
>
> CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.
> CONFIDENTIALITY NOTICE (translated from French): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly prohibited to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

--
Castor Technologies Inc 460 rue St-Catherine St Ouest, Suite 613 Montréal, Québec H3B-1A7 (514) 360-7208 o (514) 798-2044 f ntle at castortech.com www.castortech.com CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed.
If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you. CONFIDENTIALITY NOTICE (translated from French): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly prohibited to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you. From jerry.saravia at virginpulse.com Thu Aug 30 17:01:28 2018 From: jerry.saravia at virginpulse.com (Jerry Saravia) Date: Thu, 30 Aug 2018 21:01:28 +0000 Subject: [keycloak-user] Differentiate Login Error for Disabled Account (Version 3.4.3 Final) In-Reply-To: References: Message-ID: <0A3B74C6-DDD9-4277-8157-9902AA82A9CF@virginpulse.com> Yes. We've done this to some extent. Look at the UsernamePasswordForm. You can create your own version of that class with its own Factory as well. Make sure to look at the `AbstractUsernameFormAuthenticator` class. Then you can override the `public boolean enabledUser` from the abstract class. In here you can do additional checks for the user and the conditions under which it was disabled. You'll probably have to override the disabledUser method and call setError with your own error string.
Jerry Jerry Saravia Software Engineer M516-603-6914 virginpulse.com |globalchallenge.virginpulse.com 492 Old Connecticut Path, Framingham, MA 01701, USA Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message. v2.10 On 8/30/18, 11:35, "Patrick Bucher" wrote: When a disabled user tries to login, he gets an error 400 Bad Request (error: "invalid_grant", error_description: "Account disabled"). However, in my project, there are multiple reasons for a user to be disabled, which are distinguishable by certain attributes I set to the user. My goal is to create a Keycloak extension to customize the response based on those attributes, so that a different error message can be shown to the user. Providing a different value error_description would be a solution. My question is: Is it possible to intercept that error message before it is sent to the client, and if so, what kind of SPI do I need to write to handle that? I am using Keycloak version 3.4.3 Final. Regards, Patrick Bucher
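Jerry's suggestion above, carried through as an added example (it is not code from the thread and not part of Keycloak): a subclass of `UsernamePasswordForm` whose `enabledUser` override picks the error message from a user attribute, plus a factory so the new authenticator can be selected in a copy of the browser flow. The attribute name `disabledReason`, the message-key prefix `accountDisabled.`, the list of known reasons, the provider id and the package name are all assumptions made for the example. Two caveats a practitioner would want. First, the 400 `invalid_grant` / "Account disabled" JSON that Patrick quotes is the shape the direct-grant (`grant_type=password`) flow returns, not the browser form; in that flow the check lives in the `direct-grant-validate-username` authenticator, which would need the same subclass-and-override treatment, returning an `errorResponse(...)` body instead of a rendered login form. Second, whichever flow it is, check in your version whether the enabled check runs before or after password validation: if it runs first, a detailed reason is disclosed to anyone who knows the username, so keep the per-reason messages as coarse as your policy allows (hence the whitelist of reasons below rather than echoing the attribute).

```java
package com.example.keycloak.auth;                      // assumed package name

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.core.Response;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordForm;
import org.keycloak.authentication.authenticators.browser.UsernamePasswordFormFactory;
import org.keycloak.events.Errors;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

/**
 * Browser-flow "Username Password Form" that tells a disabled user why the
 * account is disabled, based on a user attribute, instead of the generic
 * accountDisabledMessage. The attribute, prefix and ids are assumptions.
 */
public class DisabledReasonUsernamePasswordForm extends UsernamePasswordForm {

    /** Assumed user attribute, e.g. disabledReason=suspended. */
    static final String REASON_ATTRIBUTE = "disabledReason";
    /** Assumed message-key prefix; the keys live in the login theme's messages_*.properties. */
    static final String MESSAGE_PREFIX = "accountDisabled.";
    /** Only these values are mapped, so an attribute cannot select an arbitrary message key. */
    static final Set<String> KNOWN_REASONS =
            new HashSet<>(Arrays.asList("suspended", "expired", "pendingReview"));

    /** Maps the attribute value to a message key; unknown/missing reason keeps the default text. */
    static String messageKeyFor(String reason) {
        return (reason != null && KNOWN_REASONS.contains(reason))
                ? MESSAGE_PREFIX + reason
                : Messages.ACCOUNT_DISABLED;
    }

    @Override
    public boolean enabledUser(AuthenticationFlowContext context, UserModel user) {
        if (user.isEnabled()) {
            // Enabled user: let the base class apply the brute-force "temporarily disabled" check.
            return super.enabledUser(context, user);
        }
        // Emit the same audit event as the default implementation so event listeners see no change.
        context.getEvent().user(user);
        context.getEvent().error(Errors.USER_DISABLED);

        String key = messageKeyFor(user.getFirstAttribute(REASON_ATTRIBUTE));
        Response challenge = context.form().setError(key).createLogin();
        context.forceChallenge(challenge);
        return false;
    }

    /** Factory; registered through META-INF/services/org.keycloak.authentication.AuthenticatorFactory. */
    public static class Factory extends UsernamePasswordFormFactory {
        public static final String PROVIDER_ID = "auth-username-password-form-reason"; // assumed id
        private static final DisabledReasonUsernamePasswordForm SINGLETON =
                new DisabledReasonUsernamePasswordForm();

        @Override public String getId() { return PROVIDER_ID; }
        @Override public Authenticator create(KeycloakSession session) { return SINGLETON; }
        @Override public String getDisplayType() { return "Username Password Form (disabled reason)"; }
    }
}
```

To wire it in: put the fully qualified factory name (`com.example.keycloak.auth.DisabledReasonUsernamePasswordForm$Factory`) in `META-INF/services/org.keycloak.authentication.AuthenticatorFactory` inside the deployed jar, copy the built-in browser flow in the admin console, replace its "Username Password Form" execution with the new authenticator (requirement REQUIRED) and bind the copy as the realm's browser flow. The message keys (`accountDisabled.suspended=...` and so on) go into the login theme's `messages_en.properties`; the default `accountDisabledMessage` is what users see for any reason not in the whitelist.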
From rafaelweingartner at gmail.com Thu Aug 30 21:01:03 2018 From: rafaelweingartner at gmail.com (Rafael Weingärtner) Date: Thu, 30 Aug 2018 22:01:03 -0300 Subject: [keycloak-user] TimeoutException: Replication timeout In-Reply-To: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> Message-ID: Did you configure the "owners" parameter in the standalone-ha.xml with a value bigger than 1? On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek < p.wojcieszonek at bosmanager.com> wrote: > Hi, > I have problem with standalone cluster. After cluster start working it > begin to print that kind of information to log file: > > 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] > (expiration-thread--p22-t1) ISPN000026: Caught exception purging data > container!: org.infinispan.util.concurrent.TimeoutException: Replication > timeout for authservice1 > at org.infinispan.remoting.transport.jgroups.
> [...]
>
> And in time it starts to work very slow.
> What can be a reason for that?

-- 
Rafael Weingärtner

From oneal.kevin at gmail.com Thu Aug 30 21:17:33 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Thu, 30 Aug 2018 20:17:33 -0500
Subject: [keycloak-user] authenticate users programmatically with Java
In-Reply-To:
References:
Message-ID:

Can you use the Keycloak Java Client?

https://www.keycloak.org/docs/2.5/authorization_services/topics/service/client-api.html

On Thu, Aug 30, 2018 at 7:06 PM Erik G. Haugen wrote:
> I see there an extensive Java API for use with Keycloak, but there is
> little documentation.
>
> How can I authenticate users programmatically with Java?
>
> In my Java program, I will have a userid and password. How do I
> authenticate the user and get a valid token with Java?
>
> Also, is there any documentation for basic usage of the Java API?
>
> Thank you,
>
> Erik

From erik.g.haugen at gmail.com Thu Aug 30 22:32:07 2018
From: erik.g.haugen at gmail.com (Erik G. Haugen)
Date: Fri, 31 Aug 2018 04:32:07 +0200
Subject: [keycloak-user] authenticate users programmatically with Java
In-Reply-To:
References:
Message-ID:

Thanks for your reply! That's the issue. Perhaps I can use the client API. But, I don't see how yet.

Does anyone know the actual Java code used to do the authentication?

Kind regards,
Erik

On Fri, Aug 31, 2018 at 3:18 AM KevinO wrote:
> Can you use the Keycloak Java Client?
>
> https://www.keycloak.org/docs/2.5/authorization_services/topics/service/client-api.html
>
> On Thu, Aug 30, 2018 at 7:06 PM Erik G. Haugen wrote:
>
>> [...]

From p.wojcieszonek at bosmanager.com Fri Aug 31 02:16:06 2018
From: p.wojcieszonek at bosmanager.com (Piotr Wojcieszonek)
Date: Fri, 31 Aug 2018 08:16:06 +0200
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To:
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com>
Message-ID:

Yes I did:

> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek wrote:
> Hi,
> I have problem with standalone cluster.
> After the cluster starts working, it begins to print that kind of information to the log file:
>
> [...]
>
> And in time it starts to work very slow.
> What can be a reason for that?
>
> --
> Rafael Weingärtner

From nikola.malenic at netsetglobal.rs Fri Aug 31 03:58:04 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Fri, 31 Aug 2018 09:58:04 +0200
Subject: [keycloak-user] org.keycloak.keycloak-services
Message-ID: <001201d44100$590d3430$0b279c90$@netsetglobal.rs>

I developed an authentication provider and am trying to deploy it on the KC server. My project depends on the Keycloak-services:

    <dependency>
        <groupId>org.keycloak</groupId>
        <artifactId>keycloak-services</artifactId>
        <scope>provided</scope>
        <version>${keycloak.version}</version>
    </dependency>

My version is the same as the running Keycloak server.
I'm getting this error:

java.lang.NoClassDefFoundError: Failed to link rs/netset/aas/authenticator/user_pass/CustomUsernamePasswordForm (Module \"deployment.aas-1.0.DEBUG.jar\" from Service Module Loader): org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator"}}

And wildfly succeeds in finding other dependencies, like keycloak-server-spi etc.

Any clue why this is happening?

Many thanks,
Nikola

From ronald.demneri at amdtia.com Fri Aug 31 05:00:59 2018
From: ronald.demneri at amdtia.com (Ronald Demneri)
Date: Fri, 31 Aug 2018 09:00:59 +0000
Subject: [keycloak-user] login via curl
In-Reply-To:
References:
Message-ID:

Hello,

Yes I receive an error, I had not configured the account client to use Direct Access Grants, once I changed that I was able to receive the access and refresh tokens.

Let me explain a bit what I am trying to achieve: I have a Jenkins instance where I have installed and configured the OIDC plugin. Basically login works as it should, but the global log out does not. In chrome I can see that the logout URL that Jenkins sends is this one:

http://keycloak:8080/auth/realms/test/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fjenkins%3A8080/?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZVWJyelJBSUJZemE5bkRUMVZxVmhYWGN5M1VaQ0hNZ1A2S3ZoUXMtOUcwIn0.[...].LuwrieAEQ6eeAaMAir8H42SwwGDqsM8SqLdyDf6vZiHgEtG7Se9zu3iSISmjhzmi1a7t3Hmz4LrzigWNoTQJs7IEMG0xzF3U9OdwzQSK-Lb989IXt_xfYH2vBAZ-jYpFgoCYC-c4vfTf-74-iBP4IPQzeWl31LHarkcD4PemVsZCkUbLnODbCC6fZ2MnJnP_KAC5uVgCvXqfauf0HP8skbPp9tajUm4skuns3rfv2JeLJHIbwdmWSVkqpircWtYGx6j88NKAiudlRGL3vxBx6bC49BZpioK7Q0vXVmt1R24iykp-GyG5H10UiKidzhKS2WcGGmNFhRbGgOcLPEqWFA&state=N2M2MGQ5NDctOGM1OS00&post_logout_redirect_uri=

Sure enough, it displays an "Invalid redirect uri" in Keycloak.
So I was trying to mimic the situation with curl and to see whether the issue still remains and I have to check the configurations in Keycloak, or if the Jenkins plugin does not send Keycloak the uri as Keycloak expects it. Makes sense?

Regards,
Ronald

From: KevinO
Sent: Thursday, August 30, 2018 5:51 PM
To: Ronald Demneri
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] login via curl

Whenever I run

curl -v -d "client_id=admin-cli" -d "username=admin" -d "password=keycloak" -d "grant_type=password" "http://localhost:8070/auth/realms/External/protocol/openid-connect/token"

if something is incorrect, I get a message like

{"error":"invalid_grant","error_description":"Invalid user credentials"}

Are you getting any json response? What does the log say?

On Thu, Aug 30, 2018 at 10:35 AM Ronald Demneri wrote:

Yeah, tried that as well, same result. Any other ideas?

Thanks in advance,
Ronald

Sent from my HTC

----- Reply message -----
From: "KevinO"
To: "Ronald Demneri"
Cc: "keycloak-user at lists.jboss.org"
Subject: [keycloak-user] login via curl
Date: Thu, Aug 30, 2018 17:26

Try

curl -d "client_id=account" -d "username=test1" -d "password=1234t1" -d "grant_type=password" "http://localhost:8070/auth/realms/test/protocol/openid-connect/token"

On Thu, Aug 30, 2018 at 4:34 AM Ronald Demneri wrote:

Greetings everyone,

I am testing the possibility to login via curl to the account client in my test realm and then use the tokens to access another client.
I have tried this:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "cache-control: no-cache" \
  -d "grant_type=password&scope=openid&client_id=account&username=test1&password=1234t1" \
  "http://keycloak:8080/auth/realms/test/protocol/openid-connect/token" \
  -v

But it gives me:

* upload completely sent off: 81 out of 81 bytes
< HTTP/1.1 400 Bad Request
< Connection: keep-alive
< Content-Type: application/json
< Content-Length: 91

What am I doing wrong, and apologies if this question has been asked before. Keycloak version is 4.1.0.Final

Ronald

From rafaelweingartner at gmail.com Fri Aug 31 05:52:13 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 31 Aug 2018 06:52:13 -0300
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To:
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com>
Message-ID:

Can you check if your cluster is being formed? You can grep the word "view" in Keycloak's logs.

On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
> Yes I did:
>
> mode="SYNC" owners="2"/>
> owners="2"/>
> owners="2"/>
> mode="SYNC" owners="2"/>
> owners="2"/>
>
> I have two node cluster.
>
> Message written by Rafael Weingärtner on 31.08.2018, at 03:01:
>
> Did you configure the "owners" parameter in the standalone-ha.xml with a
> value bigger than 1?
>
> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>
>> Hi,
>> I have problem with standalone cluster.
>> After the cluster starts working, it begins to print that kind of information to the log file:
>>
>> [...]
>>
>> And in time it starts to work very slow.
>> What can be a reason for that?
>>
>
> --
> Rafael Weingärtner

-- 
Rafael Weingärtner

From p.wojcieszonek at bosmanager.com Fri Aug 31 05:56:59 2018
From: p.wojcieszonek at bosmanager.com (Piotr Wojcieszonek)
Date: Fri, 31 Aug 2018 11:56:59 +0200
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To:
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com>
Message-ID:

2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
2018-08-30 00:07:45,757 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
2018-08-30 00:07:45,758 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
2018-08-30 00:07:45,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
2018-08-30 00:07:45,779 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
2018-08-30 00:07:45,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 00:39:50,078 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 19:41:38,553 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
2018-08-30 19:41:43,562 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 21:16:23,261 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
2018-08-30 21:16:23,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
2018-08-30 21:16:23,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]

> Message written by Rafael Weingärtner on 31.08.2018, at 11:52:
>
> Can you check if your cluster is being formed? You can grep the word "view" in Keycloak's logs.
>
> On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek wrote:
> Yes I did:
>
>> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek wrote:
>> Hi,
>> I have problem with standalone cluster.
>> After the cluster starts working, it begins to print that kind of information to the log file:
>>
>> [...]
>>
>> And in time it starts to work very slow.
>> What can be a reason for that?
>>
>> --
>> Rafael Weingärtner
>
> --
> Rafael Weingärtner

From rafaelweingartner at gmail.com Fri Aug 31 06:00:40 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 31 Aug 2018 07:00:40 -0300
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To:
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com>
Message-ID:

Your cluster is being created. Everything seems fine there. I had a problem once when the cluster was not being formed due to firewall problems. Is your firewall activated?

On Fri, Aug 31, 2018 at 6:56 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:

>
> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> 2018-08-30 00:07:45,757 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> 2018-08-30 00:07:45,758 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> 2018-08-30 00:07:45,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> 2018-08-30 00:07:45,779 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> 2018-08-30 00:07:45,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 00:39:50,078 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 19:41:38,553 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> 2018-08-30 19:41:43,562 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 21:16:23,261 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> 2018-08-30 21:16:23,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> 2018-08-30 21:16:23,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>
>
> On 31.08.2018, at 11:52, Rafael Weingärtner wrote:
>
> Can you check if your cluster is being formed? You can grep the word "view" in Keycloak's logs.
>
> On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>
>> Yes I did:
>> owners="2"/>
>> mode="SYNC" owners="2"/>
>> owners="2"/>
>> owners="2"/>
>> mode="SYNC" owners="2"/>
>> owners="2"/>
>>
>> I have a two-node cluster.
>>
>>
>>
>> On 31.08.2018, at 03:01, Rafael Weingärtner wrote:
>>
>> Did you configure the "owners" parameter in the standalone-ha.xml with a value bigger than 1?
>>
>> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>>
>>> Hi,
>>> I have a problem with a standalone cluster. After the cluster starts working it begins to print that kind of information to the log file:
>>>
>>> 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] (expiration-thread--p22-t1) ISPN000026: Caught exception purging data container!: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>> at java.lang.Thread.run(Thread.java:748)
>>>
>>> 2018-08-30 22:04:39,966 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>> at java.lang.Thread.run(Thread.java:748)
>>>
>>> 2018-08-30 22:04:52,605 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>> at java.lang.Thread.run(Thread.java:748)
>>>
>>> And in time it starts to work very slowly.
>>> What can be a reason for that?
>>>
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>>
>> --
>> Rafael Weingärtner
>>
>>
>>
>
>
> --
> Rafael Weingärtner
>
>

--
Rafael Weingärtner

From p.wojcieszonek at bosmanager.com Fri Aug 31 06:08:55 2018
From: p.wojcieszonek at bosmanager.com (Piotr Wojcieszonek)
Date: Fri, 31 Aug 2018 12:08:55 +0200
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To:
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> <850CE24C-1191-4256-9B4D-950B30E14B12@bosmanager.com>
Message-ID: <8407AF85-AC88-4888-8710-B54C412ECAE2@bosmanager.com>

This is Ubuntu 16.04 without SELinux.

> On 31.08.2018, at 12:06, Rafael Weingärtner wrote:
>
> Then, there is only one thing left in my mind. Did you configure SELinux?
>
> On Fri, Aug 31, 2018 at 7:04 AM, Piotr Wojcieszonek wrote:
> No, there is no firewall on the host and both of them are in the same VLAN.
>
>
>> On 31.08.2018, at 12:00, Rafael Weingärtner wrote:
>>
>> Your cluster is being created. Everything seems fine there. I had a problem once when the cluster was not being formed due to firewall problems.
>> Is your firewall activated?
>> >> On Fri, Aug 31, 2018 at 6:56 AM, Piotr Wojcieszonek > wrote: >> >> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1] >> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1] >> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1] >> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1] >> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1] >> 2018-08-30 00:07:45,757 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2] >> 2018-08-30 00:07:45,758 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2] >> 2018-08-30 00:07:45,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2] >> 2018-08-30 00:07:45,779 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2] >> 2018-08-30 00:07:45,783 INFO 
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2] >> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 00:39:50,078 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 19:41:38,553 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1] >> 2018-08-30 19:41:43,562 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 19:41:43,563 INFO 
[org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 21:16:23,261 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1] >> 2018-08-30 21:16:23,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1] >> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1] >> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1] >> 2018-08-30 21:16:23,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1] >> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1] >> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for 
channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>
>>
>>> On 31.08.2018, at 11:52, Rafael Weingärtner wrote:
>>>
>>> Can you check if your cluster is being formed? You can grep the word "view" in Keycloak's logs.
>>>
>>> On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek wrote:
>>> Yes I did:
>>>
>>>
>>>
>>>> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek wrote:
>>>> Hi,
>>>> I have a problem with a standalone cluster. After the cluster starts working it begins to print that kind of information to the log file:
>>>>
>>>> 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] (expiration-thread--p22-t1) ISPN000026: Caught exception purging data container!: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>> at java.lang.Thread.run(Thread.java:748)
>>>>
>>>> 2018-08-30 22:04:39,966 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>> at java.lang.Thread.run(Thread.java:748)
>>>>
>>>> 2018-08-30 22:04:52,605 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>> at java.lang.Thread.run(Thread.java:748)
>>>>
>>>> And in time it starts to work very slowly.
>>>> What can be a reason for that?
>>>>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>>
>>>>
>>>> --
>>>> Rafael Weingärtner
>>>
>>>
>>>
>>>
>>> --
>>> Rafael Weingärtner
>>
>>
>>
>>
>> --
>> Rafael Weingärtner
>
>
>
>
> --
> Rafael Weingärtner

From rafaelweingartner at gmail.com Fri Aug 31 06:21:15 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 31 Aug 2018 07:21:15 -0300
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To: <8407AF85-AC88-4888-8710-B54C412ECAE2@bosmanager.com>
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> <850CE24C-1191-4256-9B4D-950B30E14B12@bosmanager.com> <8407AF85-AC88-4888-8710-B54C412ECAE2@bosmanager.com>
Message-ID:

hmmm... Besides the stacktrace, did you see any other warning or error?

On Fri, Aug 31, 2018 at 7:08 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:

> This is Ubuntu 16.04 without SELinux.
>
>
> On 31.08.2018, at 12:06, Rafael Weingärtner wrote:
>
> Then, there is only one thing left in my mind. Did you configure SELinux?
>
> On Fri, Aug 31, 2018 at 7:04 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>
>> No, there is no firewall on the host and both of them are in the same VLAN.
>>
>>
>> On 31.08.2018, at 12:00, Rafael Weingärtner wrote:
>>
>> Your cluster is being created. Everything seems fine there. I had a problem once when the cluster was not being formed due to firewall problems.
>> Is your firewall activated?
>>
>> On Fri, Aug 31, 2018 at 6:56 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>>
>>>
>>> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
>>> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
>>> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
>>> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
>>> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
>>> 2018-08-30 00:07:45,757 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
>>> 2018-08-30 00:07:45,758 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
>>> 2018-08-30 00:07:45,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
>>> 2018-08-30 00:07:45,779 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
>>> 2018-08-30 00:07:45,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
>>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 00:39:50,078 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 19:41:38,553 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
>>> 2018-08-30 19:41:43,562 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 21:16:23,261 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
>>> 2018-08-30 21:16:23,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
>>> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
>>> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
>>> 2018-08-30 21:16:23,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
>>> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
>>>
>>>
>>> On 31.08.2018, at 11:52, Rafael Weingärtner wrote:
>>>
>>> Can you check if your cluster is being formed? You can grep the word "view" in Keycloak's logs.
>>>
>>> On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>>>
>>>> Yes I did:
>>>> owners="2"/>
>>>> mode="SYNC" owners="2"/>
>>>> owners="2"/>
>>>> owners="2"/>
>>>> mode="SYNC" owners="2"/>
>>>> owners="2"/>
>>>>
>>>> I have a two-node cluster.
>>>>
>>>>
>>>>
>>>> On 31.08.2018, at 03:01, Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>>>
>>>> Did you configure the "owners" parameter in the standalone-ha.xml with a value bigger than 1?
>>>>
>>>> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>>>>
>>>>> Hi,
>>>>> I have a problem with a standalone cluster. After the cluster starts working it begins to print that kind of information to the log file:
>>>>>
>>>>> 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] (expiration-thread--p22-t1) ISPN000026: Caught exception purging data container!: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>
>>>>>
2018-08-30 22:04:39,966 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] >>>>> (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing >>>>> keys [task::ClearExpiredClientInitialAccessTokens]: >>>>> org.infinispan.util.concurrent.TimeoutException: Replication timeout >>>>> for authservice1 >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JG >>>>> roupsTransport.java:628) >>>>> at java.util.concurrent.Completab >>>>> leFuture.uniApply(CompletableFuture.java:602) >>>>> at java.util.concurrent.Completab >>>>> leFuture$UniApply.tryFire(CompletableFuture.java:577) >>>>> at java.util.concurrent.Completab >>>>> leFuture.postComplete(CompletableFuture.java:474) >>>>> at java.util.concurrent.Completab >>>>> leFuture.complete(CompletableFuture.java:1962) >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>> at java.util.concurrent.Scheduled >>>>> ThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledT >>>>> hreadPoolExecutor.java:180) >>>>> at java.util.concurrent.Scheduled >>>>> ThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPo >>>>> olExecutor.java:293) >>>>> at java.util.concurrent.ThreadPoo >>>>> lExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> at java.util.concurrent.ThreadPoo >>>>> lExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> at java.lang.Thread.run(Thread.java:748) >>>>> >>>>> 2018-08-30 22:04:52,605 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] >>>>> (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing >>>>> keys 
[task::ClearExpiredClientInitialAccessTokens]: >>>>> org.infinispan.util.concurrent.TimeoutException: Replication timeout >>>>> for authservice1 >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827) >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JG >>>>> roupsTransport.java:628) >>>>> at java.util.concurrent.Completab >>>>> leFuture.uniApply(CompletableFuture.java:602) >>>>> at java.util.concurrent.Completab >>>>> leFuture$UniApply.tryFire(CompletableFuture.java:577) >>>>> at java.util.concurrent.Completab >>>>> leFuture.postComplete(CompletableFuture.java:474) >>>>> at java.util.concurrent.Completab >>>>> leFuture.complete(CompletableFuture.java:1962) >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46) >>>>> at org.infinispan.remoting.transp >>>>> ort.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17) >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) >>>>> at java.util.concurrent.Scheduled >>>>> ThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledT >>>>> hreadPoolExecutor.java:180) >>>>> at java.util.concurrent.Scheduled >>>>> ThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPo >>>>> olExecutor.java:293) >>>>> at java.util.concurrent.ThreadPoo >>>>> lExecutor.runWorker(ThreadPoolExecutor.java:1149) >>>>> at java.util.concurrent.ThreadPoo >>>>> lExecutor$Worker.run(ThreadPoolExecutor.java:624) >>>>> at java.lang.Thread.run(Thread.java:748) >>>>> >>>>> And in time it start to work very slow. >>>>> What can by a reason for that? 
>>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>>> >>>> -- >>>> Rafael Weing?rtner >>>> >>>> >>>> >>> >>> >>> -- >>> Rafael Weing?rtner >>> >>> >>> >> >> >> -- >> Rafael Weing?rtner >> >> >> > > > -- > Rafael Weing?rtner > > > -- Rafael Weing?rtner From p.wojcieszonek at bosmanager.com Fri Aug 31 06:25:51 2018 From: p.wojcieszonek at bosmanager.com (Piotr Wojcieszonek) Date: Fri, 31 Aug 2018 12:25:51 +0200 Subject: [keycloak-user] TimeoutException: Replication timeout In-Reply-To: References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> <850CE24C-1191-4256-9B4D-950B30E14B12@bosmanager.com> <8407AF85-AC88-4888-8710-B54C412ECAE2@bosmanager.com> Message-ID: <2017C42D-9AC1-469D-ACFD-4D87A04C3B18@bosmanager.com> No, I don?t see any errors beside this mentioned earlier. Stack trace in log file, and it?s look that if cluster work for some time then it slow down dramatically in all operation that require write some data like creating realm. > Wiadomo?? napisana przez Rafael Weing?rtner w dniu 31.08.2018, o godz. 12:21: > > hmmm...Besides the stacktrace, did you see any other warning or error? > > On Fri, Aug 31, 2018 at 7:08 AM, Piotr Wojcieszonek > wrote: > This is Ubuntu 16.04 without SELinux. > > >> Wiadomo?? napisana przez Rafael Weing?rtner > w dniu 31.08.2018, o godz. 12:06: >> >> Then, there is only one things left in my mind. Did you configure SElinux? >> >> On Fri, Aug 31, 2018 at 7:04 AM, Piotr Wojcieszonek > wrote: >> No, there is no firewall on host and both of them are in the same vlan. >> >> >>> Wiadomo?? napisana przez Rafael Weing?rtner > w dniu 31.08.2018, o godz. 12:00: >>> >>> Your cluster is being created. Everything seems fine there. I had a problem once when the cluster was not being formed due to firewall problems. >>> Is your firewall activated? 
>>>
>>> On Fri, Aug 31, 2018 at 6:56 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>>>
>>>> Message written by Rafael Weingärtner <rafaelweingartner at gmail.com> on 31.08.2018, at 11:52:
>>>>
>>>> Can you check if your cluster is being formed? You can grep the word "view" in Keycloak's logs.
>>>>
>>>> On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>>>> Yes I did:
>>>>
>>>>> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
>>>>> Hi,
>>>>> I have a problem with a standalone cluster. After the cluster starts working it begins to print that kind of information to the log file:
>>>>>
>>>>> 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] (expiration-thread--p22-t1) ISPN000026: Caught exception purging data container!: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>>>>
>>>>> 2018-08-30 22:04:39,966 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>>>>
>>>>> 2018-08-30 22:04:52,605 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
>>>>>
>>>>> And in time it starts to work very slowly.
>>>>> What can be a reason for that?
>>>>>
>>>>> --
>>>>> Rafael Weingärtner
>>>>
>>>> --
>>>> Rafael Weingärtner
>>>
>>> --
>>> Rafael Weingärtner
>>
>> --
>> Rafael Weingärtner
>
> --
> Rafael Weingärtner

From slaskawi at redhat.com Fri Aug 31 07:45:29 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Fri, 31 Aug 2018 13:45:29 +0200
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To: <2017C42D-9AC1-469D-ACFD-4D87A04C3B18@bosmanager.com>
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> <850CE24C-1191-4256-9B4D-950B30E14B12@bosmanager.com> <8407AF85-AC88-4888-8710-B54C412ECAE2@bosmanager.com> <2017C42D-9AC1-469D-ACFD-4D87A04C3B18@bosmanager.com>
Message-ID:

Hey guys,

The replication timeout occurs when Infinispan replicates data to the other nodes (via so called commands) and the target node doesn't respond within a certain timeout. There might be different things that cause it, including:

- Long GC pauses (longer than replication timeout setting)
- Slow network
- High CPU constraints on the target node
- Wrong JGroups settings
- Target node crashes
- and even more

My suggestion is to try the following:

- increase remote timeout [1]
- Turn on GC logging and see if there's any correlation between the replication errors and GC pauses
- Make sure you're using default JGroups configuration. If anything needs adjusting, please adjust one thing at a time.

Please let me know how it went.
Thanks, Sebastian [1] here's a configuration example https://github.com/infinispan/infinispan/blob/master/server/integration/infinispan/src/test/resources/org/jboss/as/clustering/infinispan/subsystem/subsystem-infinispan_9_0.xml#L131 On Fri, Aug 31, 2018 at 12:30 PM Piotr Wojcieszonek < p.wojcieszonek at bosmanager.com> wrote: > No, I don?t see any errors beside this mentioned earlier. > Stack trace in log file, and it?s look that if cluster work for some time > then it slow down dramatically in all operation that require write some > data like creating realm. > > > > Wiadomo?? napisana przez Rafael Weing?rtner > w dniu 31.08.2018, o godz. 12:21: > > > > hmmm...Besides the stacktrace, did you see any other warning or error? > > > > On Fri, Aug 31, 2018 at 7:08 AM, Piotr Wojcieszonek < > p.wojcieszonek at bosmanager.com > > wrote: > > This is Ubuntu 16.04 without SELinux. > > > > > >> Wiadomo?? napisana przez Rafael Weing?rtner < > rafaelweingartner at gmail.com > w dniu > 31.08.2018, o godz. 12:06: > >> > >> Then, there is only one things left in my mind. Did you configure > SElinux? > >> > >> On Fri, Aug 31, 2018 at 7:04 AM, Piotr Wojcieszonek < > p.wojcieszonek at bosmanager.com > > wrote: > >> No, there is no firewall on host and both of them are in the same vlan. > >> > >> > >>> Wiadomo?? napisana przez Rafael Weing?rtner < > rafaelweingartner at gmail.com > w dniu > 31.08.2018, o godz. 12:00: > >>> > >>> Your cluster is being created. Everything seems fine there. I had a > problem once when the cluster was not being formed due to firewall problems. > >>> Is your firewall activated? 
> >>> > >>> On Fri, Aug 31, 2018 at 6:56 AM, Piotr Wojcieszonek < > p.wojcieszonek at bosmanager.com > > wrote: > >>> > >>> 2018-08-30 00:07:43,048 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-2) ISPN000094: Received new cluster view for channel ejb: > [authservice1|0] (1) [authservice1] > >>> 2018-08-30 00:07:43,049 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-5) ISPN000094: Received new cluster view for channel ejb: > [authservice1|0] (1) [authservice1] > >>> 2018-08-30 00:07:43,048 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-3) ISPN000094: Received new cluster view for channel ejb: > [authservice1|0] (1) [authservice1] > >>> 2018-08-30 00:07:43,049 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-7) ISPN000094: Received new cluster view for channel ejb: > [authservice1|0] (1) [authservice1] > >>> 2018-08-30 00:07:43,048 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-6) ISPN000094: Received new cluster view for channel ejb: > [authservice1|0] (1) [authservice1] > >>> 2018-08-30 00:07:45,757 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) > [authservice1, authservice2] > >>> 2018-08-30 00:07:45,758 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) > [authservice1, authservice2] > >>> 2018-08-30 00:07:45,763 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) > [authservice1, authservice2] > >>> 2018-08-30 00:07:45,779 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new 
cluster view for channel ejb: [authservice1|1] (2) > [authservice1, authservice2] > >>> 2018-08-30 00:07:45,783 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) > [authservice1, authservice2] > >>> 2018-08-30 00:39:50,071 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-4) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 00:39:50,071 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-2) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 00:39:50,071 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-1) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 00:39:50,071 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-6) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 00:39:50,078 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-5) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 19:41:38,553 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) > [authservice1] > >>> 2018-08-30 19:41:43,562 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-3) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 19:41:43,563 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC 
service > thread 1-5) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 19:41:43,563 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-7) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 19:41:43,563 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-2) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 19:41:43,563 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-1) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 21:16:23,261 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) > [authservice1] > >>> 2018-08-30 21:16:23,264 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) > [authservice1] > >>> 2018-08-30 21:16:23,330 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) > [authservice1] > >>> 2018-08-30 21:16:23,330 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) > [authservice1] > >>> 2018-08-30 21:16:23,344 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) > ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) > [authservice1] > >>> 2018-08-30 21:17:36,994 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-2) ISPN000094: Received new 
cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 21:17:36,995 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-4) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 21:17:36,994 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-1) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 21:17:36,995 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-6) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> 2018-08-30 21:17:36,995 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service > thread 1-3) ISPN000094: Received new cluster view for channel ejb: > [authservice2|1] (2) [authservice2, authservice1] > >>> > >>> > >>>> Wiadomo?? napisana przez Rafael Weing?rtner < > rafaelweingartner at gmail.com > w dniu > 31.08.2018, o godz. 11:52: > >>>> > >>>> Can you check if your cluster if being formed? You can grep the word > "view" in Keycloak's logs. > >>>> > >>>> On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek < > p.wojcieszonek at bosmanager.com > > wrote: > >>>> Yes I did: > >>>> owners="2"/> > >>>> mode="SYNC" owners="2"/> > >>>> owners="2"/> > >>>> owners="2"/> > >>>> mode="SYNC" owners="2"/> > >>>> owners="2?/> > >>>> > >>>> I have two node cluster. > >>>> > >>>> > >>>> > >>>>> Wiadomo?? napisana przez Rafael Weing?rtner < > rafaelweingartner at gmail.com > w dniu > 31.08.2018, o godz. 03:01: > >>>>> > >>>>> Did you configure the "owners" parameter in the standalone-ha.xml > with a value bigger than 1? 
> >>>>>
> >>>>> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek <p.wojcieszonek at bosmanager.com> wrote:
> >>>>> Hi,
> >>>>> I have a problem with a standalone cluster. After the cluster starts working it begins to print that kind of information to the log file:
> >>>>>
> >>>>> 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] (expiration-thread--p22-t1) ISPN000026: Caught exception purging data container!: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >>>>> at java.lang.Thread.run(Thread.java:748)
> >>>>>
> >>>>> 2018-08-30 22:04:39,966 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >>>>> at java.lang.Thread.run(Thread.java:748)
> >>>>>
> >>>>> 2018-08-30 22:04:52,605 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >>>>> at java.lang.Thread.run(Thread.java:748)
> >>>>>
> >>>>> And over time it starts to work very slowly.
> >>>>> What can be a reason for that?
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>
> >>>>> --
> >>>>> Rafael Weingärtner
> >>>>
> >>>> --
> >>>> Rafael Weingärtner
> >>>
> >>> --
> >>> Rafael Weingärtner
> >>
> >> --
> >> Rafael Weingärtner
> >
> > --
> > Rafael Weingärtner
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From p.wojcieszonek at bosmanager.com Fri Aug 31 07:52:33 2018
From: p.wojcieszonek at bosmanager.com (Piotr Wojcieszonek)
Date: Fri, 31 Aug 2018 13:52:33 +0200
Subject: [keycloak-user] TimeoutException: Replication timeout
In-Reply-To:
References: <8F8E45CD-FE72-4D60-A151-F6B87676DCB9@bosmanager.com> <850CE24C-1191-4256-9B4D-950B30E14B12@bosmanager.com> <8407AF85-AC88-4888-8710-B54C412ECAE2@bosmanager.com> <2017C42D-9AC1-469D-ACFD-4D87A04C3B18@bosmanager.com>
Message-ID: <35D27CA2-D52E-4FA7-9127-9D1419DE0F85@bosmanager.com>

Hi,
I will reject slow network and high CPU usage. Both nodes are on one switch and there is no problem with transfers. CPU utilisation is also low. Both nodes work and both have the same errors in the logfile.
How to turn on GC logging? How to check JGroups?

> Message written by Sebastian Laskawiec on 31.08.2018, at 13:45:
>
> Hey guys,
>
> The replication timeout occurs when Infinispan replicates data to the other nodes (via so called commands) and the target node doesn't respond within a certain timeout.
>
> There might be different things that cause it, including:
> - Long GC pauses (longer than replication timeout setting)
> - Slow network
> - High CPU constraints on the target node
> - Wrong JGroups settings
> - Target node crashes
> - and even more
>
> My suggestion is to try the following:
> - increase remote timeout [1]
> - Turn on GC logging and see if there's any correlation between the replication errors and GC pauses
> - Make sure you're using default JGroups configuration. If anything needs adjusting, please adjust one thing at a time.
>
> Please let me know how it went.
>
> Thanks,
> Sebastian
>
> [1] here's a configuration example https://github.com/infinispan/infinispan/blob/master/server/integration/infinispan/src/test/resources/org/jboss/as/clustering/infinispan/subsystem/subsystem-infinispan_9_0.xml#L131
>
> On Fri, Aug 31, 2018 at 12:30 PM Piotr Wojcieszonek wrote:
> No, I don't see any errors beside this mentioned earlier.
> Stack trace in log file, and it looks like if the cluster works for some time then it slows down dramatically in all operations that require writing some data, like creating a realm.
>
> > Message written by Rafael Weingärtner on 31.08.2018, at 12:21:
> >
> > hmmm...Besides the stacktrace, did you see any other warning or error?
> >
> > On Fri, Aug 31, 2018 at 7:08 AM, Piotr Wojcieszonek wrote:
> > This is Ubuntu 16.04 without SELinux.
> >
> >
> >> Message written by Rafael Weingärtner on 31.08.2018, at 12:06:
> >>
> >> Then, there is only one thing left in my mind. Did you configure SELinux?
> >>
> >> On Fri, Aug 31, 2018 at 7:04 AM, Piotr Wojcieszonek wrote:
> >> No, there is no firewall on the host and both of them are in the same vlan.
> >>
> >>
> >>> Message written by Rafael Weingärtner on 31.08.2018, at 12:00:
> >>>
> >>> Your cluster is being created. Everything seems fine there. I had a problem once when the cluster was not being formed due to firewall problems.
> >>> Is your firewall activated?
> >>>
> >>> On Fri, Aug 31, 2018 at 6:56 AM, Piotr Wojcieszonek wrote:
> >>>
> >>> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> >>> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> >>> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> >>> 2018-08-30 00:07:43,049 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> >>> 2018-08-30 00:07:43,048 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice1|0] (1) [authservice1]
> >>> 2018-08-30 00:07:45,757 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> >>> 2018-08-30 00:07:45,758 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> >>> 2018-08-30 00:07:45,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> >>> 2018-08-30 00:07:45,779 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> >>> 2018-08-30 00:07:45,783 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|1] (2) [authservice1, authservice2]
> >>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 00:39:50,071 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 00:39:50,078 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 19:41:38,553 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> >>> 2018-08-30 19:41:43,562 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-5) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 19:41:43,563 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 21:16:23,261 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> >>> 2018-08-30 21:16:23,264 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> >>> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> >>> 2018-08-30 21:16:23,330 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> >>> 2018-08-30 21:16:23,344 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [authservice1|2] (1) [authservice1]
> >>> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 21:17:36,994 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-6) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>> 2018-08-30 21:17:36,995 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel ejb: [authservice2|1] (2) [authservice2, authservice1]
> >>>
> >>>
> >>>> Message written by Rafael Weingärtner on 31.08.2018, at 11:52:
> >>>>
> >>>> Can you check if your cluster is being formed? You can grep the word "view" in Keycloak's logs.
> >>>>
> >>>> On Fri, Aug 31, 2018 at 3:16 AM, Piotr Wojcieszonek wrote:
> >>>> Yes I did:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
>>>>>
> >>>>> On Thu, Aug 30, 2018 at 5:06 PM, Piotr Wojcieszonek wrote:
> >>>>> Hi,
> >>>>> I have a problem with a standalone cluster.
> >>>>> After the cluster starts working it begins to print that kind of information to the log file:
> >>>>>
> >>>>> 2018-08-30 22:04:33,725 WARN [org.infinispan.expiration.impl.ClusterExpirationManager] (expiration-thread--p22-t1) ISPN000026: Caught exception purging data container!: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >>>>> at java.lang.Thread.run(Thread.java:748)
> >>>>>
> >>>>> 2018-08-30 22:04:39,966 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >>>>> at java.lang.Thread.run(Thread.java:748)
> >>>>>
> >>>>> 2018-08-30 22:04:52,605 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (Timer-2) ISPN000136: Error executing command PutKeyValueCommand, writing keys [task::ClearExpiredClientInitialAccessTokens]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for authservice1
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> >>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> >>>>> at java.lang.Thread.run(Thread.java:748)
> >>>>>
> >>>>> And over time it starts to work very slowly.
> >>>>> What can be a reason for that?
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> keycloak-user mailing list
> >>>>> keycloak-user at lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>>>
> >>>>> --
> >>>>> Rafael Weingärtner
> >>>>
> >>>> --
> >>>> Rafael Weingärtner
> >>>
> >>> --
> >>> Rafael Weingärtner
> >>
> >> --
> >> Rafael Weingärtner
> >
> > --
> > Rafael Weingärtner
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From oneal.kevin at gmail.com Fri Aug 31 11:35:11 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Fri, 31 Aug 2018 10:35:11 -0500
Subject: [keycloak-user] login via curl
In-Reply-To:
References:
Message-ID:

Yeah, makes sense. Glad you got the curl working!

On Fri, Aug 31, 2018 at 4:01 AM Ronald Demneri wrote:
> Hello,
>
> Yes I receive an error, I had not configured the account client to use Direct Access Grants, once I changed that I was able to receive the access and refresh tokens.
>
> Let me explain a bit what I am trying to achieve:
> I have a Jenkins instance where I have installed and configured the OIDC plugin. Basically login works as it should, but the global log out does not.
> In chrome I can see that the logout URL that Jenkins sends is this one:
>
> http://keycloak:8080/auth/realms/test/protocol/openid-connect/logout?redirect_uri=http%3A%2F%2Fjenkins%3A8080/?id_token_hint=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZVWJyelJBSUJZemE5bkRUMVZxVmhYWGN5M1VaQ0hNZ1A2S3ZoUXMtOUcwIn0.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.LuwrieAEQ6eeAaMAir8H42SwwGDqsM8SqLdyDf6vZiHgEtG7Se9zu3iSISmjhzmi1a7t3Hmz4LrzigWNoTQJs7IEMG0xzF3U9OdwzQSK-Lb989IXt_xfYH2vBAZ-jYpFgoCYC-c4vfTf-74-iBP4IPQzeWl31LHarkcD4PemVsZCkUbLnODbCC6fZ2MnJnP_KAC5uVgCvXqfauf0HP8skbPp9tajUm4skuns3rfv2JeLJHIbwdmWSVkqpircWtYGx6j88NKAiudlRGL3vxBx6bC49BZpioK7Q0vXVmt1R24iykp-GyG5H10UiKidzhKS2WcGGmNFhRbGgOcLPEqWFA&state=N2M2MGQ5NDctOGM1OS00&post_logout_redirect_uri=
>
> Sure enough, it displays an "Invalid redirect uri" in Keycloak. So I was trying to mimic the situation with curl and to see whether the issue still remains and I have to check the configurations in Keycloak, or if the Jenkins plugin does not send Keycloak the uri as Keycloak expects it.
>
> Makes sense?
>
> Regards,
> Ronald
>
> *From:* KevinO
> *Sent:* Thursday, August 30, 2018 5:51 PM
> *To:* Ronald Demneri
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] login via curl
>
> Whenever I run
>
> curl -v -d "client_id=admin-cli" -d "username=admin" -d "password=keycloak" -d "grant_type=password" "http://localhost:8070/auth/realms/External/protocol/openid-connect/token"
>
> if something is incorrect, I get a message like
> {"error":"invalid_grant","error_description":"Invalid user credentials"}
>
> Are you getting any json response?
>
> What does the log say?
>
> On Thu, Aug 30, 2018 at 10:35 AM Ronald Demneri wrote:
>
> Yeah, tried that as well, same result. Any other ideas?
>
> Thanks in advance,
> Ronald
>
> Sent from my HTC
>
> ----- Reply message -----
> From: "KevinO"
> To: "Ronald Demneri"
> Cc: "keycloak-user at lists.jboss.org"
> Subject: [keycloak-user] login via curl
> Date: Thu, Aug 30, 2018 17:26
>
> Try
>
> curl -d "client_id=account" -d "username=test1" -d "password=1234t1" -d "grant_type=password" "http://localhost:8070/auth/realms/test/protocol/openid-connect/token"
>
> On Thu, Aug 30, 2018 at 4:34 AM Ronald Demneri wrote:
> Greetings everyone,
>
> I am testing the possibility to login via curl to the account client in my test realm and then use the tokens to access another client. I have tried this:
> curl -X POST \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -H "cache-control: no-cache" \
> -d "grant_type=password&scope=openid&client_id=account&username=test1&password=1234t1" \
> "http://keycloak:8080/auth/realms/test/protocol/openid-connect/token" \
> -v
>
> But it gives me:
> * upload completely sent off: 81 out of 81 bytes
> < HTTP/1.1 400 Bad Request
> < Connection: keep-alive
> < Content-Type: application/json
> < Content-Length: 91
>
> What am I doing wrong, and apologies if this question has been asked before.
>
> Keycloak version is 4.1.0.Final
>
> Ronald
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From oneal.kevin at gmail.com Fri Aug 31 11:36:43 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Fri, 31 Aug 2018 10:36:43 -0500
Subject: [keycloak-user] org.keycloak.keycloak-services
In-Reply-To: <001201d44100$590d3430$0b279c90$@netsetglobal.rs>
References: <001201d44100$590d3430$0b279c90$@netsetglobal.rs>
Message-ID:

Are you deploying your jar into the `providers` folder?
On Fri, Aug 31, 2018 at 3:01 AM Nikola Malenic <nikola.malenic at netsetglobal.rs> wrote:
> I developed an authentication provider and am trying to deploy it on the KC server. My project depends on keycloak-services:
>
> <dependency>
>     <groupId>org.keycloak</groupId>
>     <artifactId>keycloak-services</artifactId>
>     <scope>provided</scope>
>     <version>${keycloak.version}</version>
> </dependency>
>
> My version is the same as the running Keycloak server.
> I'm getting error:
> java.lang.NoClassDefFoundError: Failed to link rs/netset/aas/authenticator/user_pass/CustomUsernamePasswordForm (Module \"deployment.aas-1.0.DEBUG.jar\" from Service Module Loader): org/keycloak/authentication/authenticators/browser/AbstractUsernameFormAuthenticator"}}
>
> And wildfly succeeds in finding other dependencies, like keycloak-server-spi etc.
> Any clue why this is happening?
>
> Many thanks,
> Nikola
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From shawn.firth at gmail.com Fri Aug 31 12:15:11 2018
From: shawn.firth at gmail.com (Shawn Firth)
Date: Fri, 31 Aug 2018 12:15:11 -0400
Subject: [keycloak-user] JBoss EAP 7.1 RH-SSO 7.2 Rest Service Keycloak Bearer Only AuthenticatedActionsValve.invoke Policy enforcement is disabled 403 Forbidden
Message-ID:

My configuration is:
JBoss EAP 7.1.4
RH-SSO 7.2.4
JDK 1.8.0u172

We have built a Rest/JSON web service based on the jboss-eap-quickstarts-7.1\contacts-jquerymobile example, without any of the JavaScript GUI components, which works fine. We then attempted to secure this Rest/JSON web service using the redhat-sso-quickstarts-7.2.x\service-jee-jaxrs example for guidance, after getting the service-jee-jaxrs example running locally. The Rest/JSON web service is secured using keycloak, and access is bearer only.
Here is the web.xml (the XML tags were lost in the archive; only the element values survive):
OurRestService All /* mobilerole KEYCLOAK mobilerole

Here is the keycloak.json
{
  "realm": "mobilerealm",
  "bearer-only": true,
  "auth-server-url": "blah blah localhost:8180/auth",
  "ssl-required": "external",
  "resource": "OurRestService",
  "confidential-port": 0
}

Below is the JBoss server log output from an attempted GET using PostMan. As you can see the bearer only token is successfully authenticated by SSO, but the web service never fires, and PostMan gets a 403 Forbidden. Please note the last 2 lines of the log with:
"*2018-08-31 11:42:57,025 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) AuthenticatedActionsValve.invoke http://localhost:8080/OurRestService/rest/contacts/ *
*2018-08-31 11:42:57,025 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) Policy enforcement is disabled.*"

What am I missing?

2018-08-31 11:42:56,917 DEBUG [io.undertow.request.security] (default task-4) Attempting to authenticate HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[cb7f2b96-ddb0-4490-8bdb-2ae110048b1c], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.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.jawXZlWhnKJCbCiqxk7jqNLPox8OAa2kD4upOaZdLEmkrMFMW1Gn193C1gJSdwwzQZtlmVLnWbIPhBLBUg_c_NCkeYhoAc2x5AffqOtPMDeHbcj06O_UOSzGIrsf86a1dOOMRP1B7fUtmve2xwbJqXC93j64t7uIU1ESnB8jr6qpwGnz2w_8wykkVqrKaeYaX2ZmlayLcz4dypxUgjSunmR2XLs2BJXURn1h2MTvQzSJLTTLDD0t7H1iVso_l6dYUgI27Pg1Ug-U2hLl8pu-iF82r4ARTgySIwucjWPNCiyWTNlkU2rclJ0tmcGU5LJ1PcOC3SYoiSZWsVXa0owHhA], Content-Type=[application/json], cookie=[JSESSIONID=rGEYK52-lB-f9KfOPcfAB9b6IXlKUIm8_9o1GkK6.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}}, authentication required: true
2018-08-31 11:42:56,917 DEBUG [io.undertow.request.security] (default task-4) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism at 75a0aa11 for HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[cb7f2b96-ddb0-4490-8bdb-2ae110048b1c], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.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.jawXZlWhnKJCbCiqxk7jqNLPox8OAa2kD4upOaZdLEmkrMFMW1Gn193C1gJSdwwzQZtlmVLnWbIPhBLBUg_c_NCkeYhoAc2x5AffqOtPMDeHbcj06O_UOSzGIrsf86a1dOOMRP1B7fUtmve2xwbJqXC93j64t7uIU1ESnB8jr6qpwGnz2w_8wykkVqrKaeYaX2ZmlayLcz4dypxUgjSunmR2XLs2BJXURn1h2MTvQzSJLTTLDD0t7H1iVso_l6dYUgI27Pg1Ug-U2hLl8pu-iF82r4ARTgySIwucjWPNCiyWTNlkU2rclJ0tmcGU5LJ1PcOC3SYoiSZWsVXa0owHhA], Content-Type=[application/json], cookie=[JSESSIONID=rGEYK52-lB-f9KfOPcfAB9b6IXlKUIm8_9o1GkK6.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}}
2018-08-31 11:42:56,917 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-4) Verifying access_token
2018-08-31 11:42:56,978 DEBUG [org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager] (default task-4) Get connection: {}->http://localhost:8180, timeout = 0
2018-08-31 11:42:56,979 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) [{}->http://localhost:8180] total kept alive: 0, total issued: 0, total allocated: 0 out of 20
2018-08-31 11:42:56,979 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) No free connections [{}->http://localhost:8180][null]
2018-08-31 11:42:56,979 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Available capacity: 20 out of 20 [{}->http://localhost:8180][null] 2018-08-31 11:42:56,979 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Creating new connection [{}->http://localhost:8180] 2018-08-31 11:42:56,984 DEBUG [org.apache.http.impl.conn.DefaultClientConnectionOperator] (default task-4) Connecting to localhost:8180 2018-08-31 11:42:56,995 DEBUG [org.apache.http.client.protocol.RequestAddCookies] (default task-4) CookieSpec selected: compatibility 2018-08-31 11:42:56,995 DEBUG [org.apache.http.client.protocol.RequestAuthCache] (default task-4) Auth cache not set in the context 2018-08-31 11:42:56,995 DEBUG [org.apache.http.client.protocol.RequestTargetAuthentication] (default task-4) Target auth state: UNCHALLENGED 2018-08-31 11:42:56,996 DEBUG [org.apache.http.client.protocol.RequestProxyAuthentication] (default task-4) Proxy auth state: UNCHALLENGED 2018-08-31 11:42:56,996 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-4) Attempt 1 to execute request 2018-08-31 11:42:56,996 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-4) Sending request: GET /auth/realms/mobilerealm/protocol/openid-connect/certs HTTP/1.1 2018-08-31 11:42:56,996 DEBUG [org.apache.http.wire] (default task-4) >> "GET /auth/realms/mobilerealm/protocol/openid-connect/certs HTTP/1.1[\r][\n]" 2018-08-31 11:42:56,997 DEBUG [org.apache.http.wire] (default task-4) >> "Host: localhost:8180[\r][\n]" 2018-08-31 11:42:56,997 DEBUG [org.apache.http.wire] (default task-4) >> "Connection: Keep-Alive[\r][\n]" 2018-08-31 11:42:56,997 DEBUG [org.apache.http.wire] (default task-4) >> "[\r][\n]" 2018-08-31 11:42:56,997 DEBUG [org.apache.http.headers] (default task-4) >> GET /auth/realms/mobilerealm/protocol/openid-connect/certs HTTP/1.1 2018-08-31 11:42:56,997 DEBUG [org.apache.http.headers] (default task-4) >> Host: localhost:8180 2018-08-31 
11:42:56,997 DEBUG [org.apache.http.headers] (default task-4) >> Connection: Keep-Alive 2018-08-31 11:42:57,000 DEBUG [org.apache.http.wire] (default task-4) << "HTTP/1.1 200 OK[\r][\n]" 2018-08-31 11:42:57,001 DEBUG [org.apache.http.wire] (default task-4) << "Connection: keep-alive[\r][\n]" 2018-08-31 11:42:57,001 DEBUG [org.apache.http.wire] (default task-4) << "Cache-Control: no-cache[\r][\n]" 2018-08-31 11:42:57,001 DEBUG [org.apache.http.wire] (default task-4) << "Content-Type: application/json[\r][\n]" 2018-08-31 11:42:57,001 DEBUG [org.apache.http.wire] (default task-4) << "Content-Length: 462[\r][\n]" 2018-08-31 11:42:57,002 DEBUG [org.apache.http.wire] (default task-4) << "Date: Fri, 31 Aug 2018 15:42:57 GMT[\r][\n]" 2018-08-31 11:42:57,002 DEBUG [org.apache.http.wire] (default task-4) << "[\r][\n]" 2018-08-31 11:42:57,002 DEBUG [org.apache.http.impl.conn.DefaultClientConnection] (default task-4) Receiving response: HTTP/1.1 200 OK 2018-08-31 11:42:57,002 DEBUG [org.apache.http.headers] (default task-4) << HTTP/1.1 200 OK 2018-08-31 11:42:57,002 DEBUG [org.apache.http.headers] (default task-4) << Connection: keep-alive 2018-08-31 11:42:57,002 DEBUG [org.apache.http.headers] (default task-4) << Cache-Control: no-cache 2018-08-31 11:42:57,002 DEBUG [org.apache.http.headers] (default task-4) << Content-Type: application/json 2018-08-31 11:42:57,002 DEBUG [org.apache.http.headers] (default task-4) << Content-Length: 462 2018-08-31 11:42:57,002 DEBUG [org.apache.http.headers] (default task-4) << Date: Fri, 31 Aug 2018 15:42:57 GMT 2018-08-31 11:42:57,004 DEBUG [org.apache.http.impl.client.DefaultHttpClient] (default task-4) Connection can be kept alive indefinitely 2018-08-31 11:42:57,008 DEBUG [org.apache.http.wire] (default task-4) << 
"{"keys":[{"kid":"qK2JZ52V1fSJJDo63HfdyIn62XDe_haIhE0eyevdBZ0","kty":"RSA","alg":"RS256","use":"sig","n":"5dKNlsMOu2W6WB0X1G27PcqUoBLPzPUDtfQmA7uf0BaPSkYu7CnbUPdShrs09RGQM6tWWL_6_qiacFi9jBgyEAhT9MhQ-rgkPe0YpdyQtVqznZH5CHkaAq9fTxwmEUXUZvRWuP4cAF7Pi5RfVgOIRflI-AgGyiH-ygdinRQx10nr-m7Us2seCM8QB5zjsKz3YLNdnk_bmvc6axhPpZAAlUCaAMM-j0Edc9CR7NDw09aUIKGED8wWdmxxdteqfPVjKiIlFjg1-QiroEH2PnNOqFTn2UKX6imOJmEc9XlJCsthlEHz-1Pqz23imiLkk-n2S3CJVyvnnI-OvUYaaOF6_w","e":"AQAB"}]}" 2018-08-31 11:42:57,010 DEBUG [org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager] (default task-4) Released connection is reusable. 2018-08-31 11:42:57,010 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Releasing connection [{}->http://localhost:8180][null] 2018-08-31 11:42:57,010 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Pooling connection [{}->http://localhost:8180][null]; keep alive indefinitely 2018-08-31 11:42:57,011 DEBUG [org.apache.http.impl.conn.tsccm.ConnPoolByRoute] (default task-4) Notifying no-one, there are no waiting threads 2018-08-31 11:42:57,012 DEBUG [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (default task-4) Realm public keys successfully retrieved for client OurRestService. 
New kids: [qK2JZ52V1fSJJDo63HfdyIn62XDe_haIhE0eyevdBZ0] 2018-08-31 11:42:57,013 DEBUG [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-4) successful authorized 2018-08-31 11:42:57,015 DEBUG [io.undertow.request.security] (default task-4) Authenticated as 218ea704-3a7a-4766-a251-69d9aa8e75ff, roles [] 2018-08-31 11:42:57,023 DEBUG [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-4) propagate security context to wildfly 2018-08-31 11:42:57,024 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-4) User '218ea704-3a7a-4766-a251-69d9aa8e75ff' invoking ' http://localhost:8080/OurRestService/rest/contacts/' on client 'OurRestService' 2018-08-31 11:42:57,024 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-4) Bearer AUTHENTICATED 2018-08-31 11:42:57,024 DEBUG [io.undertow.request.security] (default task-4) Authentication outcome was AUTHENTICATED with method org.keycloak.adapters.wildfly.WildflyAuthenticationMechanism at 63d7bad9 for HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[cb7f2b96-ddb0-4490-8bdb-2ae110048b1c], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.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.jawXZlWhnKJCbCiqxk7jqNLPox8OAa2kD4upOaZdLEmkrMFMW1Gn193C1gJSdwwzQZtlmVLnWbIPhBLBUg_c_NCkeYhoAc2x5AffqOtPMDeHbcj06O_UOSzGIrsf86a1dOOMRP1B7fUtmve2xwbJqXC93j64t7uIU1ESnB8jr6qpwGnz2w_8wykkVqrKaeYaX2ZmlayLcz4dypxUgjSunmR2XLs2BJXURn1h2MTvQzSJLTTLDD0t7H1iVso_l6dYUgI27Pg1Ug-U2hLl8pu-iF82r4ARTgySIwucjWPNCiyWTNlkU2rclJ0tmcGU5LJ1PcOC3SYoiSZWsVXa0owHhA], Content-Type=[application/json], cookie=[JSESSIONID=rGEYK52-lB-f9KfOPcfAB9b6IXlKUIm8_9o1GkK6.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, 
must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}} 2018-08-31 11:42:57,024 DEBUG [io.undertow.request.security] (default task-4) Authentication result was AUTHENTICATED for HttpServerExchange{ GET /OurRestService/rest/contacts/ request {Postman-Token=[cb7f2b96-ddb0-4490-8bdb-2ae110048b1c], Accept=[*/*], cache-control=[no-cache], accept-encoding=[gzip, deflate], User-Agent=[PostmanRuntime/7.2.0], Connection=[keep-alive], Authorization=[Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxSzJKWjUyVjFmU0pKRG82M0hmZHlJbjYyWERlX2hhSWhFMGV5ZXZkQlowIn0.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.jawXZlWhnKJCbCiqxk7jqNLPox8OAa2kD4upOaZdLEmkrMFMW1Gn193C1gJSdwwzQZtlmVLnWbIPhBLBUg_c_NCkeYhoAc2x5AffqOtPMDeHbcj06O_UOSzGIrsf86a1dOOMRP1B7fUtmve2xwbJqXC93j64t7uIU1ESnB8jr6qpwGnz2w_8wykkVqrKaeYaX2ZmlayLcz4dypxUgjSunmR2XLs2BJXURn1h2MTvQzSJLTTLDD0t7H1iVso_l6dYUgI27Pg1Ug-U2hLl8pu-iF82r4ARTgySIwucjWPNCiyWTNlkU2rclJ0tmcGU5LJ1PcOC3SYoiSZWsVXa0owHhA], Content-Type=[application/json], cookie=[JSESSIONID=rGEYK52-lB-f9KfOPcfAB9b6IXlKUIm8_9o1GkK6.sfirth], Host=[localhost:8080]} response {Expires=[0], Cache-Control=[no-cache, no-store, must-revalidate], X-Powered-By=[Undertow/1], Server=[JBoss-EAP/7], Pragma=[no-cache]}} *2018-08-31 11:42:57,025 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) AuthenticatedActionsValve.invoke http://localhost:8080/OurRestService/rest/contacts/ * *2018-08-31 11:42:57,025 DEBUG [org.keycloak.adapters.AuthenticatedActionsHandler] (default task-4) Policy enforcement is disabled.* From hfuss at bandwidth.com Fri Aug 31 17:11:48 2018 From: hfuss at bandwidth.com (Hayden Fuss) Date: Fri, 31 Aug 2018 17:11:48 -0400 Subject: [keycloak-user] Upgrade Documentation: Containers and Cross-Dc Message-ID: Hello, When going through the upgrade documentation, it was tailored towards very mutable deployments of Keycloak on VMs. Will the docs soon describe containerized deployments of Keycloak as well? 
Obviously, the config XML changes won't be the issue, more so just the deployment strategy.

The docs say

> For standalone-high availability (HA) mode, all instances must be upgraded
> at the same time.

Which to me is a little vague, it almost sounds like you *have* to stop all servers at the same time rather than in a rolling fashion. Does this mean you can't deploy Keycloak with zero-downtime? Even in a containerized environment which will more easily allow for rolling, blue/green, or canary deployments?

For the cross-DC scenario that's even scarier since Keycloak would have to be down in *all* DCs temporarily. Even if that's not the case, how does the manual DB migration work, especially in the cross-DC case:

> When you start the server with this configuration it checks if the database
> needs to be migrated. The required changes are written to an SQL file that
> you can review and manually run against the database

It sounds like you have to start the new version of the server to get the migrations. What will the new version of the server do while the migrations haven't been applied, will it still run or crash/return 5xxs since the schema updates I would think it _requires_ don't exist? Also this is in no way container feels friendly since you can get the migrations off a container easily. The automated migrations seem like they would require downtime too unless the changes are guaranteed to be backwards compatible, but that contradicts "all instances must be upgraded at the same time".

Also with the 4.4.0 release coming up, Infinispan will be upgraded a major version that will likely be a breaking release for those running the cross-DC setup, or will they have the option to keep using Infinispan 8.2.8? Can we expect lots of Infinispan upgrades in the future?

Sorry I know those are a lot of questions, thanks for any help clarifying or providing past experiences with Keycloak upgrades.

Best,
Hayden

From hfuss at bandwidth.com Fri Aug 31 17:14:19 2018
From: hfuss at bandwidth.com (Hayden Fuss)
Date: Fri, 31 Aug 2018 17:14:19 -0400
Subject: [keycloak-user] Upgrade Documentation: Containers and Cross-Dc
In-Reply-To:
References:
Message-ID:

> Also this is in no way container feels friendly since you can get the
> migrations off a container easily.

Sorry meant *can't*.

On Fri, Aug 31, 2018 at 5:11 PM Hayden Fuss wrote:

> Hello,
>
> When going through the upgrade documentation, it was tailored towards very
> mutable deployments of Keycloak on VMs. Will the docs soon describe
> containerized deployments of Keycloak as well? Obviously, the config XML
> changes won't be the issue, more so just the deployment strategy.
>
> The docs say
>
>> For standalone-high availability (HA) mode, all instances must be upgraded
>> at the same time.
>
> Which to me is a little vague, it almost sounds like you *have* to stop
> all servers at the same time rather than in a rolling fashion. Does this
> mean you can't deploy Keycloak with zero-downtime? Even in a containerized
> environment which will more easily allow for rolling, blue/green, or canary
> deployments?
>
> For the cross-DC scenario that's even scarier since Keycloak would have to
> be down in *all* DCs temporarily. Even if that's not the case, how does
> the manual DB migration work, especially in the cross-DC case:
>
>> When you start the server with this configuration it checks if the
>> database needs to be migrated. The required changes are written to an SQL
>> file that you can review and manually run against the database
>
> It sounds like you have to start the new version of the server to get the
> migrations. What will the new version of the server do while the migrations
> haven't been applied, will it still run or crash/return 5xxs since the
> schema updates I would think it _requires_ don't exist?
>
> Also this is in no way container feels friendly since you can get the
> migrations off a container easily. The automated migrations seem like they
> would require downtime too unless the changes are guaranteed to be
> backwards compatible, but that contradicts "all instances must be upgraded
> at the same time".
>
> Also with the 4.4.0 release coming up, Infinispan will be upgraded a major
> version that will likely be a breaking release for those running the cross-DC
> setup, or will they have the option to keep using Infinispan 8.2.8? Can we
> expect lots of Infinispan upgrades in the future?
>
> Sorry I know those are a lot of questions, thanks for any help clarifying
> or providing past experiences with Keycloak upgrades.
>
> Best,
> Hayden
>
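On the manual database migration Hayden quotes above: the setting the docs refer to is the migrationStrategy property of the connectionsJpa SPI in the server's standalone*.xml (together with migrationExport, the path of the SQL file). With the strategy set to manual, a newer Keycloak writes the pending schema changes to that file and then stops instead of serving traffic, and it is started again with the strategy back on update once the SQL has been applied; the other accepted value, validate, only checks the schema. The following is an added example written for this page, not Keycloak's own tooling: it rewrites that SPI block so the setting can be baked into an image or injected by an entrypoint script, which is the container-friendly way to collect the export before a rollout. The namespace urn:jboss:domain:keycloak-server:1.1, the sample XML fragment and the export path are constructed for the example.

```python
# Added example (not Keycloak's own code): set migrationStrategy/migrationExport
# on the connectionsJpa SPI of a WildFly standalone*.xml so that the next server
# start exports the schema changes as SQL instead of applying them.
# Assumptions: the subsystem namespace below is the one used by Keycloak 4.x
# standalone.xml; the sample fragment is constructed, not from a real server.
import xml.etree.ElementTree as ET

KC_NS = "urn:jboss:domain:keycloak-server:1.1"   # assumed for Keycloak 4.x
ET.register_namespace("", KC_NS)                # keep the default namespace on output

VALID_STRATEGIES = {"update", "manual", "validate"}

# Constructed minimal subsystem fragment for the example.
SAMPLE_SUBSYSTEM = f"""<subsystem xmlns="{KC_NS}">
    <web-context>auth</web-context>
    <spi name="connectionsJpa">
        <provider name="default" enabled="true">
            <properties>
                <property name="dataSource" value="java:jboss/datasources/KeycloakDS"/>
                <property name="initializeEmpty" value="true"/>
                <property name="migrationStrategy" value="update"/>
            </properties>
        </provider>
    </spi>
</subsystem>
"""


def _q(tag: str) -> str:
    """Namespace-qualify a tag name for ElementTree lookups."""
    return f"{{{KC_NS}}}{tag}"


def _jpa_properties(root: ET.Element, create: bool = False):
    """Locate <properties> of the connectionsJpa 'default' provider (create it on request)."""
    for spi in root.iter(_q("spi")):
        if spi.get("name") != "connectionsJpa":
            continue
        provider = next((p for p in spi.findall(_q("provider")) if p.get("name") == "default"), None)
        if provider is None:
            if not create:
                return None
            provider = ET.SubElement(spi, _q("provider"), {"name": "default", "enabled": "true"})
        props = provider.find(_q("properties"))
        if props is None and create:
            props = ET.SubElement(provider, _q("properties"))
        return props
    return None


def migration_settings(xml_text: str) -> dict:
    """Read the migration-related properties; None where a property is not set."""
    props = _jpa_properties(ET.fromstring(xml_text))
    found = {"migrationStrategy": None, "migrationExport": None}
    for p in (props.findall(_q("property")) if props is not None else []):
        if p.get("name") in found:
            found[p.get("name")] = p.get("value")
    return found


def configure_migration(xml_text: str, strategy: str, export_path: str = None) -> str:
    """Return the XML with migrationStrategy (and, if given, migrationExport) set."""
    if strategy not in VALID_STRATEGIES:
        raise ValueError(f"unknown migrationStrategy {strategy!r}")
    if strategy == "manual" and not export_path:
        raise ValueError("manual migration needs an export path for the SQL file")
    root = ET.fromstring(xml_text)
    props = _jpa_properties(root, create=True)
    if props is None:
        raise ValueError("no connectionsJpa spi found in this document")
    wanted = {"migrationStrategy": strategy}
    if export_path:
        wanted["migrationExport"] = export_path
    # Update properties that already exist, then append the missing ones.
    for p in props.findall(_q("property")):
        if p.get("name") in wanted:
            p.set("value", wanted.pop(p.get("name")))
    for name, value in wanted.items():
        ET.SubElement(props, _q("property"), {"name": name, "value": value})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Example export path; choose a volume-mounted location in a container.
    print(configure_migration(SAMPLE_SUBSYSTEM, "manual", "/opt/jboss/keycloak-migration.sql"))
```

Run the new image once with the rewritten configuration and a volume mounted at the export path, review and apply the SQL, then switch the strategy back to update for the real rollout; the helper applies the same edit to a full standalone.xml, since it searches the whole document for the connectionsJpa spi.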
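Returning to the bearer-only 403 post earlier in this digest: the log there shows the adapter fetching the realm keys, accepting the token ("Bearer AUTHENTICATED") and then reporting "Authenticated as 218ea704-..., roles []", while the web.xml auth-constraint demands the role mobilerole. A 403 after a successful bearer authentication is therefore the container's role check failing, not the token check; the "Policy enforcement is disabled" line only records that keycloak.json carries no policy-enforcer block. Which roles the Java adapter hands to the container depends on the keycloak.json switch use-resource-role-mappings: false (the default, and absent from the posted keycloak.json) takes realm_access.roles from the token, true takes resource_access.<client-id>.roles. The diagnostic below is an added example written for this page, not code from the post or from the Keycloak adapter; it decodes a token without verifying it (the adapter already did that) and applies that rule. The sample claims, client id mobileclient and kid are constructed for the example.

```python
# Added diagnostic (not Keycloak adapter code): decode a Keycloak access token
# WITHOUT signature verification and apply the adapter's role-selection rule:
#   use-resource-role-mappings=false (default) -> realm_access.roles
#   use-resource-role-mappings=true            -> resource_access.<client-id>.roles
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Return (header, claims) of a compact JWS. No signature check: diagnosis only."""
    header_b64, claims_b64, _signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(claims_b64)))


def realm_roles(claims: dict) -> set:
    return set(claims.get("realm_access", {}).get("roles", []))


def client_roles(claims: dict, client_id: str) -> set:
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def adapter_roles(claims: dict, client_id: str, use_resource_role_mappings: bool) -> set:
    """The role set the adapter exposes to the container for web.xml role checks."""
    if use_resource_role_mappings:
        return client_roles(claims, client_id)
    return realm_roles(claims)


def diagnose(token: str, client_id: str, required_role: str,
             use_resource_role_mappings: bool = False) -> dict:
    """Explain why a web.xml <role-name> constraint passes or fails for this token."""
    header, claims = decode_unverified(token)
    seen = adapter_roles(claims, client_id, use_resource_role_mappings)
    report = {
        "kid": header.get("kid"),
        "azp": claims.get("azp"),
        "adapter_roles": sorted(seen),
        "authorized": required_role in seen,
        "hint": None,
    }
    if report["authorized"]:
        return report
    if required_role in client_roles(claims, client_id) and not use_resource_role_mappings:
        report["hint"] = (f"'{required_role}' is a client role of {client_id}; set "
                          "use-resource-role-mappings=true in keycloak.json or grant "
                          "the realm role the constraint expects")
    elif required_role in realm_roles(claims) and use_resource_role_mappings:
        report["hint"] = (f"'{required_role}' is a realm role but the adapter is "
                          f"reading the client roles of {client_id}")
    else:
        report["hint"] = (f"'{required_role}' is in neither realm_access nor "
                          f"resource_access[{client_id}]; check the user's role "
                          "mappings and the client's scope/mappers")
    return report


def make_sample_token(claims: dict) -> str:
    """Structurally valid token with a placeholder signature, for local tests only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}  # constructed
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     "placeholder-signature"])


# Constructed claims: the user holds 'mobilerole' only as a client role of
# OurRestService, the case the default adapter setting does not see.
SAMPLE_CLAIMS = {
    "sub": "218ea704-3a7a-4766-a251-69d9aa8e75ff",
    "azp": "mobileclient",  # assumed public client id
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "resource_access": {"OurRestService": {"roles": ["mobilerole"]}},
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    for flag in (False, True):
        print(f"use-resource-role-mappings={flag}:",
              diagnose(SAMPLE_TOKEN, "OurRestService", "mobilerole", flag))
```

Paste the Bearer value from the Authorization header into diagnose() with the client id from keycloak.json and the role from web.xml; an empty adapter_roles list reproduces the "roles []" line, and the hint tells you whether the fix is the keycloak.json switch or the user's role mapping. Keep the decoder for diagnosis only: anything that makes an authorization decision must verify the RS256 signature against the realm's certs endpoint, as the adapter does.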