v-ladynev / keycloak-nodejs-example

A simple step-by-step Keycloak, MySQL and Node.js integration tutorial. There are some Docker examples as well.

demo fails to start #7

Closed (jmls closed this 3 years ago)

jmls commented 5 years ago
sudo docker run --name keycloak_dev \
--link mysql:mysql \
-p 8080:8080 \
-e MYSQL_DATABASE=KEYCLOAK_DEV -e MYSQL_USERNAME=keycloak -e MYSQL_PASSWORD=keycloak \
-e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin \
ladynev/keycloak-mysql-realm-users

fails with

21:16:14,685 WARN  [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 53) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.ResourceException: IJ031084: Unable to create connection
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:345)
    at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.getLocalManagedConnection(LocalManagedConnectionFactory.java:352)

the mysql system is running

CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS              PORTS                                                        NAMES
884c0f8ec741        mysql                    "docker-entrypoint.s…"   10 minutes ago      Up 10 minutes       3306/tcp, 33060/tcp                                          mysql

I have no idea on what's wrong or how to even start fixing this ;)

ghost commented 5 years ago

Same here. The Keycloak container just crashes :(

v-ladynev commented 5 years ago

@jmls, @andagent Okay, guys. I will take a look.

fmeleiro commented 3 years ago

Is there any update on this issue?

harsh4870 commented 3 years ago

Use this docker-compose to test

version: '3'

volumes:
  postgres_data:
      driver: local

services:
  postgres:
      image: postgres
      volumes:
        - postgres_data:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: keycloak
        POSTGRES_USER: keycloak
        POSTGRES_PASSWORD: password
  keycloak:
      image: quay.io/keycloak/keycloak:latest
      command: -Dkeycloak.profile.feature.upload_scripts=enabled
      environment:
        DB_VENDOR: POSTGRES
        DB_ADDR: postgres
        DB_DATABASE: keycloak
        DB_USER: keycloak
        DB_SCHEMA: public
        DB_PASSWORD: password
        KEYCLOAK_USER: admin
        KEYCLOAK_PASSWORD: Pa55w0rd
        #JDBC_PARAMS: "ssl=true"
      ports:
        - 8080:8080
      depends_on:
        - postgres

I have not fully tested everything, but at least I am able to import the realm, policy, and users.

harsh4870 commented 3 years ago

Everything is running now, but I am getting a 404: Not Found error while logging in to the application using admin_user and admin_user.

I have replaced the keycloak.json file as well; while trying to add a user into Keycloak I am getting

{
    "errno": "ECONNREFUSED",
    "code": "ECONNREFUSED",
    "syscall": "connect",
    "address": "127.0.0.1",
    "port": 8080
}

@v-ladynev, have you hardcoded this config to connect to the realm over the localhost IP? How can I change the configuration to connect the application to my externally running Keycloak?

v-ladynev commented 3 years ago

@harsh4870 You can try passing the config as a JS object here, for testing purposes https://github.com/v-ladynev/keycloak-nodejs-example/blob/master/lib/keyCloakService.js#L18

Format of the configuration object: https://github.com/v-ladynev/keycloak-nodejs-example/blob/master/lib/keyCloakService.js#L50

The admin client has a hardcoded URL. The admin client is a separate thing, to demo how to work with Keycloak users, for example.

harsh4870 commented 3 years ago

Thanks for the reply. I am on it.

harsh4870 commented 3 years ago

@v-ladynev, I just need a small suggestion or some help from you.

I understand the concept of resources, policies, permissions, and scopes now. I just wanted to check how we can add the roles and auth scopes to the JWT token, so that we can verify and restrict the user at the API gateway level.

If you could share your thoughts, that would be really helpful.

Maybe we are getting roles in the JWT already.

I ran

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password&client_id=CAMPAIGN_CLIENT&client_secret=6520dsdfbe5-cb81-4d5c-9fc7-45d1b0c7a75e&username=admin_user&password=admin_user" https://keycloak.example.tk/auth/realms/CAMPAIGN_REALM/protocol/openid-connect/token

[screenshot: Selection_257]

So we are getting roles, but can we add auth scopes as well?

v-ladynev commented 3 years ago

@harsh4870 Roles are already in the JWT. They are used by the keycloak-connect middleware:

 app.get( '/special', keycloak.protect('special'), specialHandler );

You can try to use a Script Mapper:

https://keycloak.discourse.group/t/how-to-add-value-to-the-jwt-tokens-scope-attribute/950
https://stackoverflow.com/questions/52518298/how-to-create-a-script-mapper-in-keycloak

harsh4870 commented 3 years ago

Thank you @v-ladynev

I have tried writing the script in JS, but I am not able to add the auth scopes into the JWT token.

But yes, when we are hitting the resource server's uma_auth, we are getting all the details by default in the token

curl -X POST \
  https://keycloak.example.tk/auth/realms/test-v1/protocol/openid-connect/token \
  -H "Authorization: Bearer <TOKEN>" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
  --data "audience=app-client"

[screenshot: Selection_086]

Any idea how we can get the same details while running this command?

curl -X POST \
  https://keycloak.example.tk/auth/realms/test-v1/protocol/openid-connect/token \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=app-client&grant_type=password&scope=openid&username=bob&password=bob&client_secret=5242dfddd-cdc9-4ecb-a151-58gy07e0293c'

v-ladynev commented 3 years ago

@harsh4870, if you want to check permissions using the user's credentials, you can try passing a Basic authentication header, like in the example here https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

curl -X POST \
  http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token \
  -H "Authorization: Basic cGhvdGg6L7Jl13RmfWgtkk==pOnNlY3JldA==" \
  --data "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"

v-ladynev commented 3 years ago

I have fixed everything. Please follow this to start Keycloak with configuration https://github.com/v-ladynev/keycloak-nodejs-example#quick-start