[keycloak-user] Kerberos & login, multiple environments with multiple users

Dominik Guhr pinguwien at gmail.com
Thu Mar 1 04:48:20 EST 2018


i'll try out the multi-realm-approach and give feedback later. Thanks 
for your answers!

Dominik

Am 28.02.18 um 22:05 schrieb Ryan Slominski:
> I think whether or not session cookies are shared between browser tabs is browser specific, but in Firefox I believe they are shared.  You can create separate Firefox "profiles" to get around it:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=117222
> 
> ----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Dominik Guhr" <pinguwien at gmail.com>, "keycloak-user" <keycloak-user at lists.jboss.org>
> Sent: Wednesday, February 28, 2018 3:21:06 PM
> Subject: Re: [keycloak-user] Kerberos & login, multiple environments with multiple users
> 
> I am not sure I understand correctly, but generally, Keycloak is browser
> SSO and being logged in 2 browser tabs in 2 clients as different user is
> something generally unsupported and can cause various kind of issues. If
> you want something like this just for development, you can maybe use
> different realms?
> 
> Marek
> 
> On 28/02/18 14:30, Dominik Guhr wrote:
>> Hi everyone,
>>
>> so I've built a custom kerberos authenticator which should, depending on
>> a querystring, not automatically login. So, when I add &login=manual to
>> the url, kerberos authenticator starts, checks, and stops.
>> Now everything is fine when I use this authenticator under normal
>> conditions, in one tab, but:
>>
>> - As a dev, I sometimes have different tabs with different environments
>> open. e.g. https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Dlocal&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rbVneQGyuD2_ohpMBk82h38bNjcYhXXSOhpS1LoAxSE&s=KsLgzw-uL3z8DjfqL3pUJmhZEt6c8Epy2NtsRa0v3Jk&e= , https://urldefense.proofpoint.com/v2/url?u=http-3A__myapp-2Ddev&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rbVneQGyuD2_ohpMBk82h38bNjcYhXXSOhpS1LoAxSE&s=LRaVXH7vIKAzcH2_9g3X42VYXB4A4GRwQE9TwEzMXgI&e=  - these apps are
>> different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev
>>
>> Now I get logged in via kerberos in myapp-local, logout in myapp-test
>> and try to login with different credentials manually in myapp-test.
>> Then, the AuthenticationProcessor raises the following exception when
>> doing this with kerberos login-enabled browsers (chrome, ie):
>>
>> =====================
>> 2018-02-28 09:57:12,236 WARN  [org.keycloak.events] (default task-2)
>> type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null,
>> ipAddress=10.242.50.137, error=different_user_authenticated,
>> auth_method=openid-connect, auth_type=code, response_type=code,
>> redirect_uri=https://urldefense.proofpoint.com/v2/url?u=https-3A__myurl_my-2Dwebapp-2Ddev_&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rbVneQGyuD2_ohpMBk82h38bNjcYhXXSOhpS1LoAxSE&s=bSQjZ3_zcDMsNK4ei84x5ttorM0vonfokR_P9kF0H8s&e= , consent=no_consent_required,
>> previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997,
>> code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
>> 2018-02-28 09:57:12,236 WARN  [org.keycloak.services] (default task-2)
>> KC-SERVICES0013: Failed authentication:
>> org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
>>        at
>> org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898)
>>        at
>> org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796)
>>        at
>> org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951)
>>        at
>> org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724)
>>        at
>> org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
>>        at
>> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
>>        at
>> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
>>        at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source)
>>        at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>        at java.lang.reflect.Method.invoke(Method.java:498)
>>        at
>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>        at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>        at
>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>        at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>        at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>        at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>        at
>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>        at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
>>        at
>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
>>        at
>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
>>        at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>        at
>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>        at
>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>        at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>        at
>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>        at
>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>        at
>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>        at
>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>        at
>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>        at
>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>        at
>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>        at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at
>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>        at
>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>        at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at
>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>        at
>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>        at
>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>        at
>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>        at
>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>        at
>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>        at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at
>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>        at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at
>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>        at
>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>        at
>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>        at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>        at
>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>        at
>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>        at
>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>        at
>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>        at
>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>        at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>        at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>        at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>        at
>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
>>        at
>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>        at
>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>        at
>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>        at
>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
>>        at
>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
>>        at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>        at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>        at java.lang.Thread.run(Thread.java:745)
>>
>>
>> =================
>> and in the browser I get an "unexpected error when handling request to
>> identity provider" errormsg.
>>
>> When doing the same thing in firefox (no kerberos, manual login, open 2
>> tabs in 2 different environments and login with different users), I get
>> at least the errormsg "You are already authenticated as different user
>> [name] in this session. Please logout first."
>>
>> So, my questions are:
>> - Why is this not possible?
>> - Is there anything I can do (having a custom authenticator for
>> kerberos/AD and a custom userstorageprovider for applicationdb) to make
>> it possible to have different users logged in in different tabs for
>> different kc-clients in the same realm?
>> - More specifically: Is there a possibility to use the
>> AuthenticationProcessor in an SPI without having to make a custom
>> keycloakbuild and remove the check in line 246/setAuthenticatedUser, or
>> does this mess up the whole authentication session?
>>
>> Would be great to get a hint here.
>>
>> Thanks!
>>
>> Best regards,
>> Dominik
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rbVneQGyuD2_ohpMBk82h38bNjcYhXXSOhpS1LoAxSE&s=vrogPjcTKKWk3OCa5Dos5Tf-XY7MRxHOWbhfeIiWqu4&e=
> 
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DwICAg&c=lz9TcOasaINaaC3U7FbMev2lsutwpI4--09aP8Lu18s&r=EMs2e6afv3D1GQJO76Z9Fg&m=rbVneQGyuD2_ohpMBk82h38bNjcYhXXSOhpS1LoAxSE&s=vrogPjcTKKWk3OCa5Dos5Tf-XY7MRxHOWbhfeIiWqu4&e=
> 


More information about the keycloak-user mailing list