I need to set the flags to enable the default redirect_uri behavior for keycloak 19.0.3-legacy.
However, nothing I've tried so far has worked.
We're using the standalone-ha.xml configuration file. (not sure if this is the could be the right place to configure this.)
I need to set the following flags:
spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true
spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
https://www.keycloak.org/docs/19.0.3/upgrading/#openid-connect-logout-prompt
https://www.keycloak.org/docs/latest/upgrading/#openid-connect-logout
However, I run a standalone instance and don't run using kc.sh.
I've tried setting environment variables without success:
KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
KC_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
KEYCLOAK_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
KEYCLOAK_SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
SPI_LOGIN_PROTOCOL_OPENID_CONNECT_LEGACY_LOGOUT_REDIRECT_URI=true
SPI_LOGIN_PROTOCOL_OPENID_CONNECT_SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
and
LEGACY_LOGOUT_REDIRECT_URI=true
SUPPRESS_LOGOUT_CONFIRMATION_SCREEN=true
I've also tried to adding to a config file, but it doesn't seem to have been picked up from where it was put in the Dockerfile.
Dockerfile:
COPY conf.d/keycloak.conf /opt/jboss/keycloak/conf/keycloak.conf
and
COPY conf.d/keycloak.conf /opt/keycloak/conf/keycloak.conf
keycloak.conf
spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true
spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
and
suppress-logout-confirmation-screen=true
legacy-logout-redirect-uri=true
I also tried adding it to thedocker-entrypoint.sh parameters:
exec /opt/jboss/tools/docker-entrypoint.sh $# -Dspi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true -Dspi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
and
--This one won't even start up. It fails stating that the parameters are invalid.
exec /opt/jboss/tools/docker-entrypoint.sh $# --spi-login-protocol-openid-connect-suppress-logout-confirmation-screen=true --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true
Update 1/24/23
Tried updating standalone-ha.xml, but it seems to have been ignored:
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
<providers>
<provider>
classpath:${jboss.home.dir}/providers/*
</provider>
<provider>
module:org.keycloak.storage.ldap.LDAPSyncOnly
</provider>
</providers>
<master-realm-name>master</master-realm-name>
<scheduled-task-interval>900</scheduled-task-interval>
<theme>
<staticMaxAge>2592000</staticMaxAge>
<cacheThemes>false</cacheThemes>
<cacheTemplates>false</cacheTemplates>
<welcomeTheme>${env.KEYCLOAK_WELCOME_THEME:keycloak}</welcomeTheme>
<default>${env.KEYCLOAK_DEFAULT_THEME:keycloak}</default>
<dir>${jboss.home.dir}/themes</dir>
</theme>
... Bunch of other spi tags. ...
<spi name="login-protocol">
<provider name="openid-connect" enabled="true">
<properties>
<property name="suppress-logout-confirmation-screen" value="true"/>
<property name="legacy-logout-redirect-uri" value="true"/>
</properties>
</provider>
</spi>
</subsystem>
Useful links:
https://github.com/keycloak/keycloak/blob/10b7475b0431ed380d45b840578bc666ecb3263a/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocolFactory.java#L106-L121
Shows the warning message that will print to the logs if this is set correctly.
https://www.keycloak.org/server/configuration#_example_configuring_the_db_url_host_parameter
Shows alternate ways to configure keycloak.
https://github.com/keycloak/keycloak-containers/tree/19.0.3
https://quay.io/repository/keycloak/keycloak?tab=tags
We figured it out.
By adding the following CLI commands we can properly update the high availability config file to enable the legacy flag.
embed-server --server-config=standalone-ha.xml --std-out=echo
/subsystem=keycloak-server/spi=login-protocol:add
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:add(enabled=true)
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:write-attribute(name=properties.legacy-logout-redirect-uri,value=true)
/subsystem=keycloak-server/spi=login-protocol/provider=openid-connect:write-attribute(name=properties.suppress-logout-confirmation-screen,value=true)
stop-embedded-server
I don't know why this worked but manually editing the standalone-ha.xml config didn't.
Related
I have a Tomcat WAR project running in AWS Elastic Beanstalk EC2 instances. I have configured the instances to ensure that they have an environment variable CLUSTER_NAME. I can verify that the variable is available in the EC2 instance.
[ec2-user#ip-10* ~]$ cat /etc/environment
export CLUSTER_NAME=sandbox
ec2-user#ip-10* ~]$ echo $CLUSTER_NAME
sandbox
This variable is looked up in a Log4j2 XML file like this:
<properties>
<property name="env-name">${env:CLUSTER_NAME}</property>
</properties>
The env-name property is used in a Coralogix appender like this:
<Coralogix name="Coralogix" companyId="--" privateKey="--"
applicationName="--" subSystemName="${env-name}">
<PatternLayout>
<pattern>%d{yyyy-MM-dd HH:mm:ss.SSS}{GMT+0}\t%p\t%c\t%m%n</pattern>
</PatternLayout>
</Coralogix>
I see that this lookup is not working, as the env-name is just shown as ${env:CLUSTER_NAME} in Coralogix dashboard. The value works if I hardcode it.
What can be done to fix this lookup? There are several related questions for this, but they seem to refer to log4j1.x. https://stackoverflow.com/a/22296362. I have ensured that this project uses log4j2.
The solution was to add the CLUSTER_NAME variable in the /etc/profile.d/env.sh. This variable is available in the log4j2.xml with the following lookup.
<property name="env-name">
${env:CORALOGIX_CLUSTER_NAME}
</property>
I am still not clear of the difference between adding a variable to /etc/environment vs /etc/profile.d/env.sh.
I am attempting to set the location of the system property java.io.tmpdir to something other than the default "/tmp" in my standalone.xml file.
I have added the following element after the <extensions> element:
<system-properties>
<property name="java.io.tmpdir" value="/tmp/wildfly"/>
</system-properties>
However, when I start up wildfly, I see this in the log file:
java.io.tmpdir = /tmp
I don't see anywhere in any of the bin*.conf files or the bin*.sh files that's setting this... what am I missing?
Thanks.
I am learning build.xml and am confused by the following code:
<macrodef name="a-test">
<attribute name="port" default="${PORT}"/> #1
<junit printsummary=...
<env key="PORT" value="#{port}" /> #2
...
when I run java with commandLine including -DPORT=8080 and then in java code I get port value 8080 by calling
String port = System.getenv(PORT).
What is the above build.xml doing? So far I know $ is to represent a property while # is to represent an attribute. Besides, the above code is the only place where PORT and port appear. What happens here so that port value are finally obtained in java code? Thanks.
The other question, what is the difference btw. using "env key" and using "sysproperty"? according to http://etutorials.org/Programming/Java+extreme+programming/Chapter+3.+Ant/3.6+Passing+Arguments+to+a+Buildfile/
sysproperty can be use to parse argument -D to java code, while env key is used to do the same thing right? Thanks.
Is there any detailed document about build.xml? the one I google from internet describer things so briefly.
What you see is macrodef in ant. There will be another place in build.xml(or other build.xml) where this is called by like
<a-test port=<value> ..
I am trying to setup openbravo on eclipse environment with the above URL.
Development stack setup is done successfully. (ANT, Java, Postgresql)
At the openbravo source directory when i apply the command
ant install.source
Build failure due to errors -
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/build.xml:480: The following error occurred while executing this line:
480 <ant dir="${base.src}" target="compile.complete.development" inheritAll="true" inheritRefs="true" />
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/src/build.xml:874: The following error occurred while executing this line:
874 <jvmarg line="${env.CATALINA_OPTS}" />
/home/pos/sourcecode_openbravo/Openbravo-3.0MP21/src/build.xml:880: Directory
880 <jvmarg value="-Djava.io.tmpdir=${env.CATALINA_BASE}/temp" />
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not successful for an unknown reason
Any help would be appreciated. Thanks.
Sounds like a permission problem.
See the related section 'Permission issues' in openbravo wiki
EDIT
for the remaining issues, i believe the properties base.src, CATALINA_OPTS and CATALINA_BASE are not set properly. Check this via :
<echo>
$${base.src} => ${base.src}
$${env.CATALINA_OPTS} => ${env.CATALINA_OPTS}
$${env.CATALINA_BASE} => ${env.CATALINA_BASE}
</echo>
or simply output all available properties use :
<echoproperties/>
also consider, before using ${env.whatever} you need to use :
<property environment="env"/>
before !
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not successful for an unknown reason
Give the permission to webapps folder
sudo chmod -R 777 /var/lib/tomcat6/webapps/
/var/lib/tomcat6/webapps/openbravo/WEB-INF/lib creation was not
successful for an unknown reason
it seem permission problem. It is important to always us the correct user account to start / stop tomcat!
Conceptually there are two user accounts involved in working with Openbravo:
command-line user used to work with files & compile Openbravo
user account used by Apache Tomcat service
There are several overlapping areas in which one of the accounts needs to access and modify files from the other account in both directions.
To avoid any problems Openbravo strongly recommends to run Apache Tomcat services with the same user account which is used on command line. As that way the above topic will be perfectly solved easily.
source: http://wiki.openbravo.com/wiki/Installation/Custom/Apache_Tomcat
I have an Ubuntu server with Elasticsearch, MongoDB, and Graylog2 running in Azure, and I have an asp.net mvc4 application I am trying to send logs from. (I am using Gelf4Net / Log4Net as the logging component). To cut to the chase, nothing is being logged.
(skip to the update to see what is wrong)
The setup
1 Xsmall Ubuntu VM running the needed software for graylog2
everything is running as a daemon
1 Xsmall cloud service with the MVC4 app (2 instnaces)
A virtual network setup so they can talk.
So what have I tried?
From the linux box the follow command will cause a message to be logged echo "<86>Dec 24 17:05:01 foo-bar CRON[10049]: pam_unix(cron:session):" |
nc -w 1 -u 127.0.0.1 514
I can change the IP address to use the public IP and it works fine as well.
using this powershell script I can log the same message from my dev machine as well as the production web server
Windows firewall turned off and it still doesn't work.
I can log to a FileAppender Log4Net, so I know Log4Net is working.
tailing the graylog2.log shows nothing of interest. Just a few warning about my plugin directory
So I know everything is working, but I can't get the Gelf4Net appender to work. I'm a loss here. Where can I look? Is there something I am missing
GRAYLOG2.CONF
#only showing the connection stuff here. If you need something else let me know
syslog_listen_port = 514
syslog_listen_address = 0.0.0.0
syslog_enable_udp = true
syslog_enable_tcp = false
web.config/Log4Net
//application_start() has log4net.Config.XmlConfigurator.Configure();
<log4net >
<root>
<level value="ALL" />
<appender-ref ref="GelfUdpAppender" />
</root>
<appender name="GelfUdpAppender" type="Gelf4net.Appender.GelfUdpAppender, Gelf4net">
<remoteAddress value="public.ip.of.server"/>
<remotePort value="514" />
<layout type="Gelf4net.Layout.GelfLayout, Gelf4net">
<param name="Facility" value="RandomPhrases" />
</layout>
</appender>
</log4net>
update
for some reason it didn't occur to me to run graylog in debug mode :) Doing so shows this message.
2013-04-09 03:00:56,202 INFO : org.graylog2.inputs.syslog.SyslogProcessor - Date could not be parsed. Was set to NOW because allow_override_syslog_date is true.
2013-04-09 03:00:56,202 DEBUG: org.graylog2.inputs.syslog.SyslogProcessor - Skipping incomplete message.
So it is sending an incomplete message. How can I see what is wrong with it?
I was using the wrong port (DOH!)
I should have been using the port specified in graylog2.config / gelf_listen_port = 12201
so my web.config/log4net/gelf appender should have had
<appender name="GelfUdpAppender" type="Gelf4net.Appender.GelfUdpAppender, Gelf4net">
...
<remotePort value="12201" />
...
</appender>
For anyone who may have the same problem, make sure Log4Net reloads the configuration after you change it. I don't have it set to watch the config file for changes, so it took me a few minutes to realize that I was using the wrong port. When I changed it from 514 to 12201 the first time, messages still weren't getting though. I had to restart the server for Log4Net to pick up the new config, and then it started to work.