keycloak internal server error when accessing token url - keycloak

I ran the keycloak instance by
docker run -d --name keycloak \
-e ROOT_LOGLEVEL=INFO \
-e KEYCLOAK_LOGLEVEL=INFO \
-e KEYCLOAK_USER=admin \
-e KEYCLOAK_PASSWORD=admin \
-p 8080:8080 \
-it jboss/keycloak:master -b 0.0.0.0
docker logs -f keycloak
And then visit http://localhost:8080/auth/realms/master/protocol/openid-connect/token, get Internal Server Error:
So,
How to get the error log? docker logs keycloak stays at the startup information, now new request log.
Where is wrong, and how to fix the internal server error?

Why do you need GET request /auth/realms/master/protocol/openid-connect/token?
Token endpoint is for POST requests, not for GET request - see OIDC spec https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest

Related

Keycloak production

I have used the official docker file to create an image from the webiste https://www.keycloak.org/server/containers
But while running the container using the comand
docker run --name mykeycloak -p 8443:8443 \
-e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=change_me \
mykeycloak \
start --optimized -- --hostname-strict=false
It is showing the below error.
ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Failed to start server in (production) mode
2022-12-26 17:11:45,894 ERROR [org.keycloak.quarkus.runtime.cli.ExecutionExceptionHandler] (main) ERROR: Key material not provided to setup HTTPS. Please configure your keydevelopment mode.
For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.

How to use the command kcadm.sh when after successfull login it says HTTPS required in Keycloak?

I am trying also to disable HTTPS, based on a stackoverflow question, an Answer was
to
docker exec -it {contaierID} bash
cd keycloak/bin
./kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
./kcadm.sh update realms/master -s sslRequired=NONE
but after executing the third command I am getting the error of HTTPS Required
Image
Version 19.0.2 of Keycloak

Install pgadmin III for a linked database container in docker

There are two running docker containers. One container containing a web application and the second is a linked postgres database.
Where should the Pgadmin III tool be installed?
pgAdmin can be deployed
in a container using the image at hub.docker.com/r/dpage/pgadmin4/
E.g. to run a TLS secured container using a shared config/storage directory in /private/var/lib/pgadmin on the host, and servers pre-loaded from /tmp/servers.json on the host:
docker pull dpage/pgadmin4
docker run -p 443:443 \
-v /private/var/lib/pgadmin:/var/lib/pgadmin \
-v /path/to/certificate.cert:/certs/server.cert \
-v /path/to/certificate.key:/certs/server.key \
-v /tmp/servers.json:/pgadmin4/servers.json \
-e 'PGADMIN\_DEFAULT\_EMAIL=user#domain.com' \
-e 'PGADMIN\_DEFAULT\_PASSWORD=SuperSecret' \
-e 'PGADMIN\_ENABLE\_TLS=True' \
-d dpage/pgadmin4

Kubernetes exec throw the WebSocket API

I'm trying to connect on a container throw the Kubernetes WebSocket API, from a container running within Kubernetes, without any success.
Install wscat:
apt-get update
apt-get install -y npm
ln -s /usr/bin/nodejs /usr/bin/node
npm install -g n
n stable
npm install -g wscat
Exec on Kubernetes API:
wscat -c "wss://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/pods/my-pod-1623018646-kvc4b/exec?container=aws&stdin=1&stdout=1&stderr=1&tty=1&command=bash" \
--ca /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-H "Authorization: Bearer $(</var/run/secrets/kubernetes.io/serviceaccount/token)"
error: Error: unexpected server response (400)
Do you know what I'm doing wrong?
Note that the following works:
curl https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/pods/my-pod-1623018646-kvc4b \
--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-H "Authorization: Bearer $(</var/run/secrets/kubernetes.io/serviceaccount/token)"
Apparently some people are able to connect: https://stackoverflow.com/a/43841572/599728
Cheers
I just found out that the container name was wrong:
?container=aws Aws was not on this pod.

Couchbase REST API vs CLI

I'm trying to use the REST API on Couchbase 2.2 and I'm finding two things that I cannot seem to do via REST:
Init a new cluster when no other nodes exist.
CLI version:
couchbase-cli cluster-init -u admin -p mypw -c localhost:8091 --cluster-init-ramsize=1024
Remove a healthy node from the cluster.
CLI version:
couchbase-cli rebalance -u admin -p mypw -c 10.10.1.10:8091 --server-remove=10.10.1.12
As for removing a node, I've tried:
curl -u admin:mypw -d otpNode=ns_1#10.10.1.12 \
http://10.10.1.10:8091/controller/ejectNode
Which returns: "Cannot remove active server."
I've also tried:
curl -s -u Administrator:myclusterpw \
-d 'ejectedNodes=ns_1%4010.10.1.12&knownNodes=ns_1%4010.10.1.10%2Cns_1%4010.10.1.11' \
http://10.10.1.10:8091/controller/rebalance
Which returns: {"mismatch":1} (presumably due to the node actually not being marked for ejection?)
Am I crazy, or are there no ways to do these things using curl?
I span up a two node cluster on aws (10.170.76.236 and 10.182.151.86), I was able to remove node 10.182.151.86 using the below curl request
curl -v -u Administrator:password -X POST 'http://10.182.151.86:8091/controller/rebalance' -d 'ejectedNodes=ns_1#10.182.151.86&knownNodes=ns_1#10.182.151.86,ns_1#10.170.76.236'
That removes the node and performs the rebalance leaving only '10.170.76.236' as the single node. Running this request below results in 'Cannot remove active server' as you have experienced.
curl -u Administrator:password -d otpNode=ns_1#10.170.76.236 http://10.170.76.236:8091/controller/ejectNode
This is because you can't remove the last node as you can't perform a rebalance, this issue is covered here http://www.couchbase.com/issues/browse/MB-7517
I left the real IP's in that I used so the curl requests are as clear as possible, I've terminated the nodes now though :)
Combo of:
curl -X POST -u admin:password -d username=Administrator \
-d password=letmein \
-d port=8091 \
http://localhost:8091/settings/web
and
curl -X POST -u admin:password -d memoryQuota=400 \
http://localhost:8091/pools/default
Ticket raised against this indicates that the ejectnode command itself won't work by design.
Server needs to either be pending or failover state to use that command seemingly