How to have identity provider configuration page visible in Keycloak? - plugins

I'm writing a custom identity provider for Keycloak that I want to deploy using the deployer method (since I want to deploy it in Docker containers). Following an example I found on the web, I've created a maven project where, using the maven-assembly-plugin, I build a jar with dependencies (but I've filtered out the various service implementations my dependencies provide to keep just the identity provider service).
Things seem to work partly correctly:
Keycloak log indicates my id provider is loading/loaded: keycloak_1 | 09:23:20,056 INFO [org.jboss.as.server] (ServerService Thread Pool -- 29) WFLYSRV0010: Deployed "mycompany-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar" (runtime-name : "mycompany-oidc-id-provider-0.0.1-SNAPSHOT-jar-with-dependencies.jar")
When I go in the Identity Providers panel, the new provider is visible (see screenshot)
But when I try to configure it, everything fails:
The problem is that Keycloak outputs strictly no logs (even when I configure log level to the max).
In my project, I have the following code organization (which gets replicated in jar-with-dependencies)
+---src
|   +---build
|   |   \---assembly
|   +---main
|   |   +---java
|   |   |   \---com
|   |   |       \---mycompany
|   |   |           \---mygroup
|   |   |               \---security
|   |   |                   \---oidc
|   |   \---resources
|   |       +---META-INF
|   |       |   \---services
|   |       \---themes
|   |           \---base
|   |               \---admin
|   |                   \---resources
|   |                       \---partials
|   \---test
|       +---java
|       \---resources
What am I missing?

Maybe you've figured this out by now.
It's not very well documented... I've done something similar a month ago and I faced the same problem. I've figured it out pretty much by poking and guessing, so it might not be the best way to do it but I'll say what I know on this:
You need both the idp and the partial page registered properly.
To be honest I have no idea if you can just extend the base keycloak admin theme in that way. I've tried it but failed horribly. So I've created my own theme extending the base one:
assuming your idp is called foo
src/main/resources/theme/foo/admin/theme.properties
parent=keycloak
import=common/keycloak
src/main/resources/theme/foo/admin/resources/partials/realm-identity-provider-foo.html
<div data-ng-include
data-src="resourceUrl + '/partials/realm-identity-provider-oidc.html'">
</div>
(I'm using oidc as my idp is extending that one, but you can use whatever makes sense for your case here)
src/main/resources/theme/foo/admin/resources/partials/realm-identity-provider-foo-ext.html
this last file is empty in my case, but as far as I remember you must have it
Then, on the admin console, you need to go and change your admin theme to be foo, and you must refresh your browser so it starts picking up the resources from your new theme. It's important to note that if you are logged in with a user from another realm (e.g. admin from master realm), you have to change the admin theme in master realm, since this is the theme you are actually using now.
If successful you should start seeing in your devtools that template resources now come from your theme, e.g. auth/resources/4.4.0.final/admin/foo/templates/kc-tabs-realm.html
If that's the case then your idp page should be working, or at least you should be able to pick it up from here.
I know it's not the perfect answer, but it might give you a hint on things to consider.
If you make progress or find a better way please share!

I faced the same problem. Resolved by renaming jar file to:
keycloak-{identity provider name}-{version}-SNAPSHOT.jar
Before that the file was called:
keycloak-{identity provider name}-idp-plugin-{version}-SNAPSHOT.jar
…and I was getting "resource not found" error. I suppose keycloak is looking for resources in archives with a name that matches a certain pattern.
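The two answers above describe a packaging layout (the ServiceLoader entry for the broker SPI, a theme that extends the built-in admin theme, the two partials named after the provider id) and a jar naming pattern, but give no way to check a built jar before deploying it. The script below is an added example, not code from the question or from Keycloak: it opens a provider jar and reports what is missing. The provider id `foo`, the theme name `foo`, the factory class `com.example.FooIdentityProviderFactory` and the sample jar it builds are constructed for the demonstration; the check for `META-INF/keycloak-themes.json` reflects Keycloak's documented theme-archive layout rather than anything stated in the answers, and the file-name pattern is the one the third answer reports, not a verified rule.

```python
import io
import re
import zipfile

# ServiceLoader entry Keycloak's broker SPI looks for when loading a provider jar.
SERVICE_FILE = "META-INF/services/org.keycloak.broker.provider.IdentityProviderFactory"

# Naming pattern the third answer reports as working: keycloak-<name>-<version>[-SNAPSHOT].jar
JAR_NAME_RE = re.compile(r"^keycloak-[A-Za-z0-9_]+-\d+(?:\.\d+)*(?:-SNAPSHOT)?\.jar$")


def jar_name_matches(filename):
    """True if the file name follows the pattern the third answer reports (unverified rule)."""
    return bool(JAR_NAME_RE.match(filename))


def _props(text):
    """Parse key=value lines of a theme.properties file, ignoring comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def check_provider_jar(jar_bytes, provider_id, theme, factory_class):
    """Return the problems found in a packaged identity-provider jar (empty list = ok)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())

        # 1. Without the service file the factory is never registered.
        if SERVICE_FILE not in names:
            problems.append(f"missing {SERVICE_FILE}")
        else:
            listed = [line.strip() for line in zf.read(SERVICE_FILE).decode().splitlines()]
            if factory_class not in listed:
                problems.append(f"{SERVICE_FILE} does not list {factory_class}")

        # 2. The admin theme must extend the built-in one (first answer).
        props_path = f"theme/{theme}/admin/theme.properties"
        if props_path not in names:
            problems.append(f"missing {props_path}")
        else:
            props = _props(zf.read(props_path).decode())
            if props.get("parent") != "keycloak":
                problems.append(f"{props_path}: expected parent=keycloak")
            if props.get("import") != "common/keycloak":
                problems.append(f"{props_path}: expected import=common/keycloak")

        # 3. The console requests these two partials by provider id.
        base = f"theme/{theme}/admin/resources/partials/realm-identity-provider-{provider_id}"
        for suffix in (".html", "-ext.html"):
            if base + suffix not in names:
                problems.append(f"missing {base}{suffix}")

        # 4. Keycloak's documented theme-archive layout also wants this descriptor.
        if "META-INF/keycloak-themes.json" not in names:
            problems.append("warning: missing META-INF/keycloak-themes.json")
    return problems


def build_sample_jar(include_ext_partial=True):
    """Constructed sample jar for provider id 'foo' (not a real build output)."""
    partial = ("<div data-ng-include data-src=\"resourceUrl + "
               "'/partials/realm-identity-provider-oidc.html'\"></div>\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVICE_FILE, "com.example.FooIdentityProviderFactory\n")
        zf.writestr("theme/foo/admin/theme.properties", "parent=keycloak\nimport=common/keycloak\n")
        zf.writestr("theme/foo/admin/resources/partials/realm-identity-provider-foo.html", partial)
        if include_ext_partial:
            zf.writestr("theme/foo/admin/resources/partials/realm-identity-provider-foo-ext.html", "")
        zf.writestr("META-INF/keycloak-themes.json",
                    '{"themes": [{"name": "foo", "types": ["admin"]}]}\n')
    return buf.getvalue()


if __name__ == "__main__":
    factory = "com.example.FooIdentityProviderFactory"
    print("complete jar:", check_provider_jar(build_sample_jar(), "foo", "foo", factory) or "ok")
    print("no -ext partial:", check_provider_jar(build_sample_jar(False), "foo", "foo", factory))
    print("name check:", jar_name_matches("keycloak-foo-0.0.1-SNAPSHOT.jar"),
          jar_name_matches("keycloak-foo-idp-plugin-0.0.1-SNAPSHOT.jar"))
```

To use it on a real build, read the assembled jar from disk and pass its bytes together with your provider id, theme name and factory class; a non-empty list tells you which of the pieces the answers describe is absent before you restart the container.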

Related

Orion not using FIWARE Service on Kubernetes

I'm having a weird issue using Orion on Kubernetes. When using Orion 2.5 (also happens with 3.6) and MongoDB 4.4 on Docker-Compose, everything works as expected: I'm able to create and retrieve entities in Orion and they are created properly in databases with the proper name (if fiware-service is service, the database is orion-service).
However, using the same in Kubernetes, with the same commands in Orion and everything configured the same way, it ignores the service. I can see in the logs that Orion receives the service and service-path
time=2022-04-29T12:20:44.125Z | lvl=INFO | corr=cac0239e-c7b6-11ec-abd6-f6ce73396b62 | trans=1651234819-423-00000000003 | from=127.0.0.1 | srv=acc1234121 | subsrv=/asd | comp=Orion | op=logTracing.cpp[148]:logInfoRequestWithPayload | msg=Request received: POST /v2/entities, request payload (288 bytes)
However, it creates the entity in the orion database (without using the -service, which would be orion-acc1234121 in this case).
Could you provide some insights on how to debug the issue and if there is some configuration I'm missing?
Thanks
UPDATE: We finally figured out the issue. In the chart, we were not setting the multiservice option properly, so it was set to false. The point is we are not able to see it either in the command executed (output of the ps command) or in the environment variables. Anyway, thank you very much for your help, we can mark this as closed and solved.

AEM Error with ExternalLoginModule

I created author AEM6 on localhost:4504.
When I load any page on the server, I have a lot of the following errors:
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule No IDP found with name cortexCSR. Will not be used for login.
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule No IDP found with name cortex. Will not be used for login.
org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule No IDP found with name ldap. Will not be used for login.
Does anyone know how to fix this problem?
It sounds like you may have an instance that is configured for LDAP authentication. Check these URLs to see if that is the case.
Go to http://localhost:4504/system/console/configMgr and search for "ExternalLoginModule" or "org.apache.jackrabbit.oak" and then edit the config to see what is set for any items you find. It sounds like you have an ExternalLoginModuleFactory configured to look for an LDAPIdentityProvider that hasn't been configured. Most likely you need to add the configuration for the providers. See https://docs.adobe.com/docs/en/aem/6-0/administer/security/ldap-config.html for info on how to configure those. It could be that there is an OSGI config file that is runmode specific, so if your localhost isn't running with the same runmode it would not have applied the configuration in that case.
Also see http://abani-behera.blogspot.com/2014/07/ldap-integration-with-aem6-osgi-config.html for more details.

camunda-webapp and JAAS-authentication

In a Wildfly 8.1.0.Final we deploy:
our own CRM-webapp (Seam2/JSF1.2)
camunda-webapp 7.3.0
camunda-engine 7.3.0 as a module (shared engine)
custom engine-plugin to enable camunda-engine to use the user/group-store of our CRM
We display camunda tasklist in an iframe inside our CRM.
This setup runs fine so far, but we have to login twice.
So we need SSO, but cannot establish AD/LDAP, like in camunda-sso-jboss example.
I thought of Wildfly's JAAS and SSO capabilities, but I'm not sure if camunda-webapp supports JAAS authentication.
I think the security-domain configuration in jboss-web.xml is just generated by a maven archetype and has no effect on the camunda-webapp, is that right? I changed that configuration and it had no effect at all.
Can someone give me a hint where I should hook into camunda-webapp, or if it is possible at all?
Ok, I have a first success.
I changed org.camunda.bpm.webapp.impl.security.auth.Authentications.getFromSession to accept HttpServletRequest as parameter instead of HttpSession (called from AuthenticationFilter.doFilter). If the session contains no Authentications, I try to pull the Principal from the request and, if one exists, I log them in silently (copied most from UserAuthenticationResource.doLogin).
Then I have a very simple webapp ("testA") with only one JSP and Basic Authentication. Both camunda-webapp and testA have the same security-domain configured, and the host in the undertow-subsystem has the "single-sign-on" setting.
Now I can log in to /testA, then call /camunda in another tab without further authentication.
The code has to be improved a lot. If everything works fine, I'll post the details.
If someone thinks this is a wrong approach, please let me know ;-)

How trigger Jenkins to build a project?

I have the task to run a build whenever the source code in GitHub is updated. However, I am very new with Jenkins and I have a hard time accomplishing this.
My understanding
github.com will send a POST message to a specific URL that I specify. As an example let's use:
http://mywebsite/src-updated
So the source code gets updated, GitHub sends the POST message to mywebsite/src-updated. Since HTTP runs on port 80, Apache receives this message.
 ____________LAN____________
|                           |
|  ..........  ..........   |
|  :JENKINS :  :APACHE  :   |        POST message to:             ..............
|  :Listen  :  :Listen  :<--|<----http://mywebsite/src-updated--- : github.com :
|  :on 8080 :  :on 80   :   |                                     :............:
|  :........:  :........:   |
|___________________________|
My frustration
Now what?
Jenkins sits there like a loser with no-one wanting to play with him. How will Mr. Jenkins get the message? Is there some module I have to install on Apache so that it notifies him? All this sounds very different from the sparse information I read so far so I feel that I am totally off track.
I also tried to use the Github plugin but I am totally lost on how it's supposed to work (terrible documentation if you're new to the whole thing).
Any help?
Please check this link on configuring Jenkins with Apache. Besides, I also found this note on the GitHub plugin page:
Jenkins inside a firewall:
In case your Jenkins run inside the firewall and not directly reachable from the internet, this plugin lets you specify an arbitrary endpoint URL as an override in the automatic mode. The plugin will assume that you've set up reverse proxy or some other means so that the POST from GitHub will be routed to the Jenkins.
As far as running builds is concerned whenever source code in GitHub is updated, it's very simple to configure in Jenkins. There is a polling option present in the job's/project's configuration page. Go to the configuration section of the job. Search for Build Triggers section. You will find a check-box named Poll SCM. Enabling this option tells Jenkins to initiate a build as soon as it finds a change in the repository (in this case, GitHub) you specified. You will have to specify some interval after which it will check GitHub for changes:
For example,
# every fifteen minutes (perhaps at :07, :22, :37, :52)
H/15 * * * *
For more options and details on the above, don't forget to look for the help section '?'
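Once the reverse proxy routes GitHub's POST to Jenkins, the endpoint is reachable from the internet, so the receiver should prove the delivery really came from GitHub before anything gets built. The code below is an added example, not part of the answer above and not the GitHub plugin's code: it checks the `X-Hub-Signature-256` header (an HMAC-SHA256 of the raw body under a shared secret, which GitHub sends when a secret is configured on the webhook) in constant time and only then reads the `push` payload. The secret, the payload and the `handle_webhook` decision logic are constructed for the demonstration.

```python
import hashlib
import hmac
import json


def sign_body(secret, body):
    """Produce the header value GitHub sends: 'sha256=' + HMAC-SHA256(secret, raw body)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret, body, signature_header):
    """Constant-time check of X-Hub-Signature-256 against the raw request body."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the expected digest through timing differences.
    return hmac.compare_digest(signature_header[len("sha256="):], expected)


def handle_webhook(secret, headers, body):
    """Decide what the proxied endpoint does with one delivery; returns (status, message).

    Unsigned or wrongly signed requests are rejected before the body is parsed,
    and only 'push' events lead to a build.
    """
    if not verify_github_signature(secret, body, headers.get("X-Hub-Signature-256", "")):
        return 401, "bad or missing signature"
    if headers.get("X-GitHub-Event") != "push":
        return 204, "event ignored"
    payload = json.loads(body)
    repo = payload.get("repository", {}).get("full_name", "?")
    return 202, f"build {repo} at {payload.get('ref', '?')}"


# Constructed sample secret and push payload (not a real GitHub delivery).
SECRET = b"shared-secret-configured-in-jenkins-and-github"
PUSH_BODY = json.dumps({"ref": "refs/heads/main",
                        "repository": {"full_name": "example/app"}}).encode()


def demo():
    """Exercise the three cases a receiver must handle: genuine, tampered, unsigned."""
    signed = {"X-GitHub-Event": "push", "X-Hub-Signature-256": sign_body(SECRET, PUSH_BODY)}
    tampered_body = PUSH_BODY.replace(b"main", b"evil")   # body changed in transit
    return {
        "genuine": handle_webhook(SECRET, signed, PUSH_BODY),
        "tampered": handle_webhook(SECRET, signed, tampered_body),
        "unsigned": handle_webhook(SECRET, {"X-GitHub-Event": "push"}, PUSH_BODY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:9s} -> {result}")
```

The body must be hashed exactly as received (before any JSON parsing or re-encoding), and the same secret has to be set on the GitHub webhook and on the receiving side; otherwise every genuine delivery is rejected.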

How to provision a test user in kamailio?

I have just (for the first time) compiled and installed kamailio, following this guide. For configuration, I am following the documentation here
I am trying to test a new SIP user. I have created it with:
» kamctl add test testpasswd
The user is there:
» kamctl db show subscriber
|----+----------+--------------------+------------+---------------+----------------------------------+----------------------------------+------|
| id | username | domain             | password   | email_address | ha1                              | ha1b                             | rpid |
|----+----------+--------------------+------------+---------------+----------------------------------+----------------------------------+------|
| 5  | test     | tethys.wavilon.net | testpasswd |               | 5cf40781f33c6f43a26244046564b67e | eb898de815bc16092e4c2e8c04bfe188 | NULL |
|----+----------+--------------------+------------+---------------+----------------------------------+----------------------------------+------|
I try to connect with my sip client, and the registration times out (Request Timeout (408)). I have tried to verify what is going on by doing:
» kamailio -l <my-ip> -E -ddddd -D 1
And I see lots of messages, one of them interesting:
0(15818) DEBUG: auth [api.c:86]: pre_auth(): auth:pre_auth: Credentials with realm '<my-ip>' not found
But I do not know how to solve this problem. How can I verify what credentials associated to realm <my-ip> are configured? What is a "realm"? I do not find any beginners guide for kamailio. Is there a simple how-to on how to setup a simple kamailio configuration?
The log message you pasted in the question is for debug purposes (hence DEBUG level) and it could be printed for first SIP requests that come with no credentials (e.g., first REGISTER) -- in such case it is all ok. Those requests are challenged for authentication with 401 replies, then they are resent by the phone with credentials in the Authorization header.
If for those requests with credentials you don't get the same realm as used in challenge function parameters (e.g., www_challenge(), auth_challenge()...), then the SIP phone might be misconfigured. Typically the realm is the same as the SIP domain in order to ensure it is unique, but that is not a must. With default kamailio configuration, the realm is the From header URI domain.
However, you say you get 408 timeout for registration, then the issue might be something else. When the credentials matching the realm are not found, then a 401 reply is sent back, not 408.
The reason for timeout could be that the REGISTER didn't get to kamailio or kamailio tries to send it somewhere else. You should look at the SIP traffic on the kamailio server to see what happens. You can use ngrep for that purpose, like:
ngrep -d any -qt -W byline . port 5060
Watch to see if the REGISTER comes to kamailio server and if it is attempted to be sent to another IP.
I got the same issue. I then added the alias record in kamailio.cfg and it works well.
alias="tethys.wavilon.net"
Kamailio is a proxy. It is not simple, so if you want something simple, try Asterisk instead. Kamailio configuration requires knowledge of SIP.
For this problem: you set the realm somewhere (in config file or in database) but are not using it for registration. Possible solutions would be to:
Remove the realm or set it to the correct domain name (and use it!). In the default config, that means disabling domains.
Use tethys.wavilon.net as you described in the subscriber table.
For more info, go to the Kamailio site and read this document.
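The answers above turn on one point: kamailio looks for an Authorization header whose realm equals the realm it challenged with (by default the From URI domain), and a phone that sends the server's IP as realm never produces matching credentials, so the `Credentials with realm ... not found` debug line appears and a fresh 401 goes back. The script below is an added example, not kamailio code and not from any answer on this page: it recomputes the `ha1` value kamctl stores (MD5 of `username:realm:password`), parses a Digest Authorization header, and applies the same realm-then-digest check. The subscriber row, nonce, request URI and IP address are constructed samples; the digest is the plain RFC 2617 form without `qop`, which is enough to show the realm effect.

```python
import hashlib
import re


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def compute_ha1(username, realm, password):
    """The 'ha1' column kamctl stores: MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' into a dict of both quoted and bare values."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def check_register(auth_header, subscriber, expected_realm):
    """Mirror the auth_db flow: locate credentials for expected_realm, then verify them.

    A header whose realm differs is the 'Credentials with realm ... not found'
    case from the question: the request is treated as unauthenticated and
    challenged again with 401.
    """
    p = parse_digest(auth_header)
    if p.get("realm") != expected_realm:
        return "no credentials for realm " + expected_realm
    if p.get("username") != subscriber["username"]:
        return "unknown user"
    want = digest_response(subscriber["ha1"], "REGISTER", p["uri"], p["nonce"])
    return "ok" if p.get("response") == want else "wrong password"


# Constructed subscriber row and challenge nonce (samples, not the question's database).
SUBSCRIBER = {"username": "test", "domain": "tethys.wavilon.net",
              "ha1": compute_ha1("test", "tethys.wavilon.net", "testpasswd")}
NONCE = "5f1c9a2e"


def phone_authorization(username, password, realm, uri):
    """Build the Authorization header a SIP phone sends after the 401 challenge."""
    resp = digest_response(compute_ha1(username, realm, password), "REGISTER", uri, NONCE)
    return (f'Digest username="{username}", realm="{realm}", nonce="{NONCE}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def demo():
    """Three registrations against realm tethys.wavilon.net (the From domain)."""
    uri, realm = "sip:tethys.wavilon.net", "tethys.wavilon.net"
    return {
        "realm is the IP": check_register(
            phone_authorization("test", "testpasswd", "192.0.2.10", uri), SUBSCRIBER, realm),
        "realm matches": check_register(
            phone_authorization("test", "testpasswd", realm, uri), SUBSCRIBER, realm),
        "wrong password": check_register(
            phone_authorization("test", "nope", realm, uri), SUBSCRIBER, realm),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```

Because `ha1` already binds the realm into the stored hash, a phone configured with the wrong realm cannot be rescued server-side by relaxing the realm comparison: the digest it computes is over a different `ha1`, so the fix is to make the phone, the challenge realm and the subscriber's domain agree, which is what the alias and domain advice above amounts to.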