Disable ssl in Keycloak 20.0.1 - keycloak

I'm trying to disable https:
I started the server using bin/kc.sh start-dev
And then I tried to disable ssl using:
root#server:/opt/keycloak#
root#server:/opt/keycloak# /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin –-password admin
Logging into http://locahost:8080/auth as user admin of realm master
Enter password: *****
null [RESTEASY003210: Could not find resource for full path: http://localhost:8080/auth/realms/master/protocol/openid-connect/token]
root#server:/opt/keycloak#
Do you know what is the proper way to execute the command?
PS:
Working commands:
/opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
/opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE

If you're using Spring Boot you can configure it in application.yml
keycloak:
  ssl-required: none
Since you're using Keycloak 20.0.1 you don't need /auth in the server path; therefore, you need to modify the command for configuring Keycloak as shown below:
/opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user admin --password admin
After that you should be able to disable SSL:
/opt/keycloak/bin/kcadm.sh update realms/master -s sslRequired=NONE
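A way to check afterwards which realms still accept plain HTTP, added here as an example and not part of the original posts. It assumes the CSV produced by kcadm.sh get realms --fields realm,sslRequired --format csv --noquotes; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sslRequired setting of each realm.
# Feed it: kcadm.sh get realms --fields realm,sslRequired --format csv --noquotes

# classify_ssl MODE: print a risk label for one sslRequired value.
classify_ssl() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        all)      echo "ok" ;;        # HTTPS required from every client address
        external) echo "review" ;;    # default: HTTP still accepted from private/loopback IPs
        none)     echo "insecure" ;;  # passwords and tokens may travel in clear text
        *)        echo "unknown" ;;
    esac
}

# audit_realms: read "realm,sslRequired" rows on stdin and print
# "realm<TAB>mode<TAB>label" for every realm that is not "ok".
# Returns 1 when at least one realm is "insecure", otherwise 0.
audit_realms() {
    rc=0
    while IFS=, read -r realm mode; do
        if [ -z "$realm" ]; then continue; fi
        mode=$(printf '%s' "$mode" | tr -d '\r" ')
        label=$(classify_ssl "$mode")
        if [ "$label" = "ok" ]; then continue; fi
        printf '%s\t%s\t%s\n' "$realm" "$mode" "$label"
        if [ "$label" = "insecure" ]; then rc=1; fi
    done
    return "$rc"
}

# restore_cmd REALM: print (not run) the command that puts the realm back on
# the Keycloak default once local testing is finished.
restore_cmd() {
    printf '%s update realms/%s -s sslRequired=EXTERNAL\n' \
        "${KCADM:-/opt/keycloak/bin/kcadm.sh}" "$1"
}

# Constructed sample rows, standing in for real kcadm.sh output.
SAMPLE='master,NONE
internal,external
prod,all'

printf '%s\n' "$SAMPLE" | audit_realms || true
```

The non-zero return code makes the check usable as a gate in a deployment script, so a realm left on NONE after a start-dev session does not reach a shared environment unnoticed.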

Related

How to use the command kcadm.sh when after successfull login it says HTTPS required in Keycloak?

I am also trying to disable HTTPS. Based on a Stack Overflow question, an answer was to:
docker exec -it {containerID} bash
cd keycloak/bin
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
./kcadm.sh update realms/master -s sslRequired=NONE
but after executing the third command I am getting the error of HTTPS Required
Version 19.0.2 of Keycloak

"You need local access to create the initial admin user" error while keycloak startup in docker

While starting keycloak server on docker, I am getting this error: "You need local access to create the initial admin user". But running it locally, it's working fine.
Another thing is that if I want to use Postgres db instead of embedded H2 db then should I create tables to store user, clients and scope, etc? If yes how can I get db structure for all tables?
You can let the container create the admin user by providing the environment variables KEYCLOAK_USER and KEYCLOAK_PASSWORD:
docker run -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> jboss/keycloak
Or add the account to an existing container (service or container restart required afterwards) with:
docker exec <CONTAINER> /opt/jboss/keycloak/bin/add-user-keycloak.sh -u <USERNAME> -p <PASSWORD>
And either restart container
docker restart <container>
Or restart the service (#Madeo's answer)
docker exec -it <container> /opt/jboss/keycloak/bin/jboss-cli.sh --connect --command=:reload
The above commands come from the Keycloak Docker image page on Docker Hub.
Regarding your database question, you don't have to provide the tables by hand.
You can refer to chapter 6 (§6.4, §6.5) of the Keycloak documentation for the details of how to configure a PostgreSQL DB.
Open container bash console
cd /keycloak/bin
bash ./add-user-keycloak.sh -u admin
Enter desired password
Restart the container
Go to following URL for login
http://dockerIP:8080/auth/admin/
For Keycloak 17, you can use lynx locally to create the admin user:
lynx localhost:8080
Then just Tab to navigate fields and press Enter on the Create button:
Keycloak
Welcome to Keycloak
[user.png] Administration Console
Please create an initial admin user to get started.
Username ____________________
Password ____________________
Password confirmation ____________________
(BUTTON) Create
[user.png] Administration Console
Centrally manage all aspects of the Keycloak server
[admin-console.png] Documentation
User Guide, Admin REST API and Javadocs
[keycloak-project.png] Keycloak Project
[mail.png] Mailing List
[bug.png] Report an issue
JBoss and JBoss Community
None of the tips above worked. Finally I use Environment Variables:
KEYCLOAK_ADMIN: admin
KEYCLOAK_ADMIN_PASSWORD: admin
The full code of the docker-compose.yml:
version: '3'
volumes:
  postgres_data:
    driver: local
services:
  postgres:
    image: postgres
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: keycloak
      POSTGRES_USER: keycloak
      POSTGRES_PASSWORD: password
  keycloak:
    image: quay.io/keycloak/keycloak:17.0.1
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
      DB_USER: keycloak
      DB_SCHEMA: public
      DB_PASSWORD: password
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
    entrypoint: ["/opt/keycloak/bin/kc.sh", "start-dev"]
    ports:
      - 8080:8080
    depends_on:
      - postgres
The answer with docker is incomplete and it won't work
If you add the user via docker container you must restart jboss server
docker exec -it keycloak-container /opt/jboss/keycloak/bin/add-user-keycloak.sh -u admin -p admin
and then:
docker exec -it keycloak-container /opt/jboss/keycloak/bin/jboss-cli.sh --connect --command=:reload
This worked for me:
cd /opt/keycloak/bin
sudo ./add-user-keycloak.sh -u admin -p yourpass
Open 'keycloak.conf' file from Keycloak folder (in my case keycloak-18.0.0/conf)
db-username=postgres
db-password=password
db-url=jdbc:postgresql://yourhostname:5432/keycloak-db-name
If you start keycloak service, postgres DB will be created automatically
Using the Operator https://www.keycloak.org/guides#operator, I had the same issue.
The username and password provided by this step
kubectl get secret example-kc-initial-admin -o jsonpath='{.data.username}' | base64 --decode
kubectl get secret example-kc-initial-admin -o jsonpath='{.data.password}' | base64 --decode
https://www.keycloak.org/operator/basic-deployment#_accessing_the_keycloak_deployment
did not work.
What apparently solved it for me was deleting all Keycloak CRs, deployments, services, etc. and starting the tutorial from the beginning. Then, I omitted this optional step:
We suggest you to first store the Database credentials in a separate Secret, you can do it for example by running:
kubectl create secret generic keycloak-db-secret \
  --from-literal=username=[your_database_username] \
  --from-literal=password=[your_database_password]
(with made up Postgres username and password filling in the brackets)
I am not sure how the Database secret relates to the Admin User secret, but now the username and password in example-kc-initial-admin work. Perhaps Postgres was inaccessible to Keycloak. This was not indicated in the Keycloak logs.
I don't believe starting fresh was the solution, because I already tried that. Omitting keycloak-db-secret seems to have been important. I will need to fully understand where the DB secret is set, now; it may be insecure.

Setting up realms in Keycloak during kubernetes helm install

I'm trying to get keycloak set up as a helm chart requirement to run some integration tests. I can get it to bring it up and run it, but I can't figure out how to set up the realm and client I need. I've switched over to the 1.0.0 stable release that came out today:
https://github.com/kubernetes/charts/tree/master/stable/keycloak
I wanted to use the keycloak.preStartScript defined in the chart and use the /opt/jboss/keycloak/bin/kcadm.sh admin script to do this, but apparently by "pre start" they mean before the server is brought up, so kcadm.sh can't authenticate. If I leave out the keycloak.preStartScript I can shell into the keycloak container and run the kcadm.sh scripts I want to use after it's up and running, but they fail as part of the pre start script.
Here's my requirements.yaml for my chart:
dependencies:
  - name: keycloak
    repository: https://kubernetes-charts.storage.googleapis.com/
    version: 1.0.0
Here's my values.yaml file for my chart:
keycloak:
  keycloak:
    persistence:
      dbVendor: H2
      deployPostgres: false
    username: 'admin'
    password: 'test'
    preStartScript: |
      /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin --password 'test'
      /opt/jboss/keycloak/bin/kcadm.sh create realms -s realm=foo -s enabled=true -o
      CID=$(/opt/jboss/keycloak/bin/kcadm.sh create clients -r foo -s clientId=foo -s 'redirectUris=["http://localhost:8080/*"]' -i)
      /opt/jboss/keycloak/bin/kcadm.sh get clients/$CID/installation/providers/keycloak-oidc-keycloak-json
  persistence:
    dbVendor: H2
    deployPostgres: false
Also, a side annoyance is that I need to define the persistence settings in both places or it either fails or brings up postgresql in addition to keycloak.
I tried this too and also hit this problem, so I have raised an issue. I prefer to use -Dimport with a realm .json file, but your points suggest a postStartScript option would make sense, so I've included both in the PR on that issue.
The Keycloak chart has been updated. Have a look at these PRs:
https://github.com/kubernetes/charts/pull/5887
https://github.com/kubernetes/charts/pull/5950

Client secret not provided in request [unauthorized_client]

Here is what I tried: I logged in to the server where Keycloak is deployed, went to the directory /keycloak/bin/
and ran the following command:
./kcadm.sh config credentials --server https://<IP ADDRESS>:8666/auth --realm master --user admin --password admin
But this command throws an error:
Client secret not provided in request [unauthorized_client]
Why is client information required? I have to do this through the Admin CLI:
Log in to Keycloak
Create a new realm
Create a user and user group.
So in my view a client secret or any such information is not required in this case, but the admin-cli command is complaining about it.
Here is the solution to the above problem. After installation, Keycloak creates a few clients by default (account, admin-cli, broker, master-realm, security-admin-console), and of all these clients admin-cli comes with access-type=public. So if you are trying to log in through Keycloak you have to run the command below from the /keycloak/bin directory:
./kcadm.sh config credentials --server https://<IP ADDRESS>:8666/auth --realm master --user admin --password admin --client admin-cli
As I am using https, you may get the error below as well:
Failed to send request - sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
To overcome this issue, please generate the certificate, put it inside the /keycloak/security/ssl folder, and then run this command:
kcadm.sh config truststore --trustpass $PASSWORD ~/.keycloak/truststore.jks
Now the question is how to create the realm: after logging in through the admin-cli client, use the command below:
./kcadm.sh create realms -s realm=demorealm -s enabled=true

Openstack - Change Admin password for the Dashboard

Where can I change the Admin Password for the Dashboard in Openstack?
I installed openstack with the packstack installer...
the password in the keystonerc_admin file doesn't work, too.
I use a CentOS 6.3 (and I have access to the config files)
username: admin
password: admin/password/123/etc. don't work..
SOLVED
$ export OS_SERVICE_TOKEN=$servicetoken(/etc/keystone/keystone.conf)
$ export OS_SERVICE_ENDPOINT=$http://ipoftheserver/v2.0
then use this syntax to change the password
$ keystone user-password-update --pass <password> <user id>
openstack user password set --password <new-password> --original-password <current-admin-password>