KeyCloak: Connection has been refused by the server. Connection timed out - timeout

Occasionally I receive a connection timeout when calling the /userinfo endpoint of my KeyCloak-Server.
So far, I have no indication what's wrong and what causes the timeouts. There are no errors in the server.log I configured. Also, I cannot reproduce the issue, I just see the errors in the logs of the application trying to authenticate with keycloak.
Is there some sort of connection limit that my keycloak might use?
List item
What additional logs can I activate to narrow down the problem?
I am currently on version 17.0.1

Try running keycloak in debug mode kc.sh start --log-level=debug If the /userinfo call reached the keycloak then there will be a debug log for that, you can match the time when error occurred to the keycloak log.
Do you have any other components in between your application and keycloak such as proxy, a DNS server etc ? You would need to check their logs as well.
Also check out this document regarding rest api in keycloak -> https://github.com/keycloak/keycloak-community/blob/main/design/rest-api-guideline.md#rate-lmiting

Related

keycloak authz client - SocketException: Connection reset

15 minutes after login, when trying again to do authorization using keycloack-authz-client, I am receiving an exception: Caused by: java.net.SocketException: Connection reset.
Maybe some settings need to update from keycloak admin console or maybe from the Java configuration, I could not find any solution.
Has anyone encountered such problems?
I am trying to do authorization and expect to receive access and refresh tokens.

WSO2 EI 6.4.0 Docker Container -javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null

There is an implementation where API-1 is calling another API-2, Both are deployed in same WSO2 docker container 6.4.0.
Internal API Call is not working, Got below ERROR in logs.
Unable to sendViaPost to url[https://integ.company.com/wso2/api/queue_service]
javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: null
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.verifyHostname(TLSProtocolSocketFactory.java:233)
at org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory.createSocket(TLSProtocolSocketFactory.java:194)
In the background, There is some SSL Certificate renewal activity happened at HA Proxy level, Post this we started to get above ERROR.
Can I get some suggestion to resolve this ERROR?
Try importing the certificate used for 'https://integ.company.com/wso2/api/queue_service' to WSO2 servers client-trustore. If that doesn't resolve the issue add the full Stacktrace of the exception.

Keycloak in Docker "Failed to turn code into token"

I'm running Keycloak, keycloak Security Proxy and an ui application in a Docker-compose network. When I try to access the webpage, I get a login page, which I can use - but instead of being successfully redirected, I get the following error:
> Aug 03, 2018 1:13:24 PM org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed to turn code into token
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
I get this error no matter what kind of application I proxy, or if I run it within Docker-compose or simply as a node. It also probably appears when I try to use python adapters, instead of the security proxy.
The whole network runs behind a company proxy, could this be the reason?
Considering that the code seems to be send (see below), it seems Keycloak can at least verify the user. But I'm stumped on how to solve the problem. Has anyone any ideas?
http://localhost:8080/?state=84736978-afe6-43eb-a554-aedf86717415session_state=8a231709-5ef3-45fd-8e36-103e521ba49ecode=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..4GewkGISgYEXeGPuCxupsA.V939JivWRaNltjnjT4r2CJGT4oj1HEX9iXycJFoAb_qhI4ietRc5Z2wQO6ekF9MOZ0VtMcLAyX0zASY-NPEcf3byX0INP-2zJDSF4TOEXNbMbMnVeKFgmLgQKDseUsl1ieofPVY7df8QVvpTs98VAw2_g2XwTsLemBcpxfalvMRBwViN6PyJI8A-gJJToolyDafHbzIco7bH4X4y5bzZsUh5yB6ZUMy0goBkAV_KPLepnA8X2OjEJef8GHyqgHVi.QQtjD-E_MZq72hb4g0BEbw
My proxy.json file is:
{
"target-url": "http://localhost:7005",
"bind-address":"0.0.0.0",
"http-port":"8080",
"applications":[
{
"base-path":"/",
"adapter-config":{
"realm":"realm",
"resource":"realm_ui",
"auth-server-url":"http://localhost:8800/auth",
"ssl-required":"external",
"credentials": {
"secret":"secret"
},
"confidential-port":0
},
"constraints":[
{
"pattern":"/*",
"roles-allowed":[
"user"
]
}
]
}
]
}
In Keycloak:
Access Type: confidential
Standard Flow Enabled: ON
Direct Access Grands: ON
The Valid Redirect URI: *
After searching for a while, I found the solution. It was a networking problem.
Keycloak OpenIDConnect Authentication flow follows 3 steps, as explained here: https://www.keycloak.org/docs/3.3/server_admin/topics/sso-protocols/oidc.html
Step 1 & 2 were completed, but upon receiving the temporary code from the browser the application was unable to connect with Keycloak. In step 1&2 it is always the browser connecting to application or Keycloak, not them speaking with each other.
This happened, because within my docker-compose file I declared networks that overwrote the automatic binding to 0.0.0.0 of Keycloak and the proxy. Additionally, the auth-server-url to connect to Keycloak must be true for the browser as well as the docker container of the Keycloak security proxy.
Make sure credential secret and auth-server-url values are same in keycloak.json and proxy.json files. Also, try removing "confidential-port":0 in the proxy.json file.
I think having a company proxy is not the reason for this error.

Neo4j Enterprise 3.2 browser does not connect

I am trying to learn Neo4j by using the trial Enterprise version, however the browser is not able to connect. The service is running but when I try to log in via browser http://localhost:7474/browser/ the error is:
N/A: WebSocket connection failure. Due to security constraints in your
web browser, the reason for the failure is not available to this Neo4j
Driver. Please use your browsers development console to determine the
root cause of the failure. Common reasons include the database being
unavailable, using the wrong connection URL or temporary network
problems. If you have enabled encryption, ensure your browser is
configured to trust the certificate Neo4j is configured to use.
WebSocket readyState is: 3
In the console the error is:
WebSocket is already in CLOSING or CLOSED state.
I am using Chrome and the neo4j.conf is:
# Bolt connector
dbms.connector.bolt.enabled=true
#dbms.connector.bolt.tls_level=OPTIONAL
dbms.connector.bolt.listen_address=:7687
# HTTP Connector. There must be exactly one HTTP connector.
dbms.connector.http.enabled=true
#dbms.connector.http.listen_address=:7474
# HTTPS Connector. There can be zero or one HTTPS connectors.
dbms.connector.https.enabled=true
#dbms.connector.https.listen_address=:7473
I understand from this issue the 3.2 version only allows bolt and I tried playing with the conf but so far no luck. Is there a way to get the local connection going with bolt?
Thank you in advance, Paola

Trying to setup Neo4j 3.2.0 in ubuntu server

I am trying to setup Neo4j version 3.2.0 in the ubuntu server 14.04.2 LTS
Downloaded the tar and extracted the folder, edited the config file to update the port to 4444, for the time being disabled the bolt connector, listen_address to 0.0.0.0 for the http connector, authentication also disabled just to get started.
bolt connector is updated with the port 7687 even though it is disabled as i was trying earlier with it enabled.
Now when i try to connect to the http://serverip:4444/browser, it says Database access not available and shows me the login screen with host prefilled bolt://serverip:7687
Also I see this error on the console window
WebSocket connection to ws://serverip:7687/
failed: Error in connection establishment:
net::ERR_CONNECTION_TIMED_OUT
Dont understand the issues here, please help me out. I am not sure why is it trying to do a WS to the port assigned to the bolt, when it is disabled at the first place.
Regards
There's a bit of juggling going on for HTTP connector support between the browser and the driver being used, a handoff which isn't complete, and the state of things is the browser is only supporting bolt connections right now.
The javascript bolt driver is being upgraded to handle http connections, I think, so you may need to wait until the next 3.2.x release to use the http connector again.
I think this issue should be tracking it.

Resources