Keycloak 16 - Wildfly 25 config regression - cannot configure lists for properties values via jboss-cli anymore


Thomas Darimont

Dec 18, 2021, 5:59:17 AM
to Keycloak Dev
Hello,

I just tried the Keycloak 16.0.0 release from yesterday and noticed that I cannot configure multiple values as a list for properties anymore via the jboss-cli.

jboss-cli commands like the following worked for Keycloak version < 16.0.0
```
/subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.include-events,value=["UPDATE_PASSWORD","UPDATE_TOTP","REMOVE_TOTP"])
```
but that fails on 16.0.0.

An example is shown below. Does anybody know a workaround or fix for this?

Cheers,
Thomas

```
### Event Listeners SPI Configuration ###
echo SETUP: Event Listeners configuration
# Add dedicated eventsListener config element to allow configuring elements.
if (outcome == failed) of /subsystem=keycloak-server/spi=eventsListener/:read-resource
  echo SETUP: Add missing eventsListener SPI
  /subsystem=keycloak-server/spi=eventsListener:add()
  echo
end-if

echo SETUP: Configure built-in "email" event listener to only send emails for user initiated UPDATE_PASSWORD events
/subsystem=keycloak-server/spi=eventsListener/provider=email:add(enabled=true)
/subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.exclude-events,value=["LOGIN_ERROR","LOGIN"])
/subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.include-events,value=["UPDATE_PASSWORD","UPDATE_TOTP","REMOVE_TOTP"])
```

This now fails with Keycloak 16.0.0 and Wildfly 25:

```
[standalone@localhost:9990 /] /subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.exclude-events,value=["LOGIN_ERROR","LOGIN"])
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0097: Wrong type for 'properties'. Expected [STRING] but was LIST",
    "rolled-back" => true,
    "response-headers" => {"process-state" => "reload-required"}
}
```

Thomas Darimont

Dec 18, 2021, 6:33:45 AM
to Keycloak Dev

Just tried to configure the whole properties value as an object, but that didn't work either:
```
[standalone@localhost:9990 /] /subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties,value={"exclude-events" => ["LOGIN_ERROR", "LOGIN"]}

{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0097: Wrong type for 'properties'. Expected [STRING] but was LIST",
    "rolled-back" => true
}
```

Unfortunately, the "usual" workaround mentioned in the documentation about using &quot; (https://www.keycloak.org/docs/latest/server_installation/#_config_spi_providers) doesn't work here either:

Although the following command can be applied successfully,
```
/subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.exclude-events,value="[&quot;LOGIN_ERROR&quot;,&quot;LOGIN&quot;]")
```
it yields the following error at start:
```
13:13:49,538 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-1) WFLYSRV0027: Starting deployment of "keycloak-server.war" (runtime-name: "keycloak-server.war")
13:13:49,664 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service jboss.deployment.unit."keycloak-server.war".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."keycloak-server.war".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "keycloak-server.war"
        at org.jboss...@17.0.3.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:189)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
        at org.jb...@1.4.13.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
        at org.jbos...@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jbos...@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
        at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.IllegalArgumentException: Unexpected character '&' while reading DMR stream
        at org.jb...@1.6.1.Final//org.jboss.dmr.stream.ModelGrammarAnalyzer.newModelException(ModelGrammarAnalyzer.java:363)
        at org.jb...@1.6.1.Final//org.jboss.dmr.stream.ModelReaderImpl.newModelException(ModelReaderImpl.java:861)
        at org.jb...@1.6.1.Final//org.jboss.dmr.stream.ModelReaderImpl.next(ModelReaderImpl.java:615)
        at org.jb...@1.6.1.Final//org.jboss.dmr.ModelNodeFactory.readListFrom(ModelNodeFactory.java:168)
        at org.jb...@1.6.1.Final//org.jboss.dmr.ModelNodeFactory.readFrom(ModelNodeFactory.java:112)
        at org.jb...@1.6.1.Final//org.jboss.dmr.ModelNodeFactory.readFrom(ModelNodeFactory.java:67)
        at org.jb...@1.6.1.Final//org.jboss.dmr.ModelNodeFactory.readFrom(ModelNodeFactory.java:72)
        at org.jb...@1.6.1.Final//org.jboss.dmr.ModelNode.fromString(ModelNode.java:1740)
        at org.keycloak.keycloak-w...@16.0.0//org.keycloak.subsystem.server.extension.KeycloakAdapterConfigService.massageProviderProps(KeycloakAdapterConfigService.java:156)
        at org.keycloak.keycloak-w...@16.0.0//org.keycloak.subsystem.server.extension.KeycloakAdapterConfigService.massageProviders(KeycloakAdapterConfigService.java:144)
        at org.keycloak.keycloak-w...@16.0.0//org.keycloak.subsystem.server.extension.KeycloakAdapterConfigService.massageSpis(KeycloakAdapterConfigService.java:126)
        at org.keycloak.keycloak-w...@16.0.0//org.keycloak.subsystem.server.extension.KeycloakAdapterConfigService.getConfig(KeycloakAdapterConfigService.java:77)
        at org.keycloak.keycloak-w...@16.0.0//org.keycloak.subsystem.server.extension.KeycloakServerDeploymentProcessor.addConfiguration(KeycloakServerDeploymentProcessor.java:92)
        at org.keycloak.keycloak-w...@16.0.0//org.keycloak.subsystem.server.extension.KeycloakServerDeploymentProcessor.deploy(KeycloakServerDeploymentProcessor.java:70)
        at org.jboss...@17.0.3.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:182)
        ... 8 more

13:13:49,692 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"keycloak-server.war\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"keycloak-server.war\"
    Caused by: java.lang.IllegalArgumentException: Unexpected character '&' while reading DMR stream"}}
```

This is because the &quot; is translated to &amp;quot; in the generated xml configuration...
```
<provider name="email" enabled="true">
<properties>
<property name="exclude-events" value="[&amp;quot;LOGIN_ERROR&amp;quot;,&amp;quot;LOGIN&amp;quot;]"/>
</properties>
</provider>
```

instead of (which would be correct):
```
<provider name="email" enabled="true">
<properties>
<property name="exclude-events" value="[&quot;LOGIN_ERROR&quot;,&quot;LOGIN&quot;]"/>
</properties>
</provider>
```
... after playing around with this a bit I finally found a variant that works:

The cli command:
```
/subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.exclude-events,value="[\"LOGIN_ERROR\",\"LOGIN\"]")
```
will produce a working configuration:
```
<provider name="email" enabled="true">
<properties>
<property name="exclude-events" value="[&quot;LOGIN_ERROR&quot;,&quot;LOGIN&quot;]"/>
</properties>
</provider>
```

Thomas Darimont

Dec 18, 2021, 6:36:05 AM
to Keycloak Dev
TLDR:

this cli command does NOT work with 16.0.0:
```
/subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.exclude-events,value=["LOGIN_ERROR","LOGIN"])
```

this cli command works with 16.0.0:
```
/subsystem=keycloak-server/spi=eventsListener/provider=email:write-attribute(name=properties.exclude-events,value="[\"LOGIN_ERROR\",\"LOGIN\"]")
```
The value is provided as a string with the nested quotes quoted with a backslash.

Cheers,
Thomas
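
Added example, not part of the original thread and not Keycloak or WildFly code: a pre-deployment check that finds list-valued `<property>` entries whose value no longer parses after XML decoding (the `&amp;quot;` case above), plus a helper that renders a list in the backslash-escaped string form. It assumes `json.loads` as a stand-in for the DMR parser (the two agree for flat lists of strings); `cli_list_value`, `check_list_properties` and the `email-broken` provider name are hypothetical.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the fragments quoted in the thread:
# "email" holds the working value, "email-broken" the double-encoded one.
SAMPLE_XML = """\
<spi name="eventsListener">
  <provider name="email" enabled="true">
    <properties>
      <property name="exclude-events" value="[&quot;LOGIN_ERROR&quot;,&quot;LOGIN&quot;]"/>
    </properties>
  </provider>
  <provider name="email-broken" enabled="true">
    <properties>
      <property name="exclude-events" value="[&amp;quot;LOGIN_ERROR&amp;quot;,&amp;quot;LOGIN&amp;quot;]"/>
    </properties>
  </provider>
</spi>
"""


def cli_list_value(items):
    """Render a list of strings as a quoted string with escaped inner quotes."""
    # First dump gives ["A","B"]; second dump wraps it in quotes and
    # backslash-escapes the inner ones: "[\"A\",\"B\"]".
    return json.dumps(json.dumps(items, separators=(",", ":")))


def _local(tag):
    """Strip an XML namespace so the check also works on a namespaced file."""
    return tag.rsplit("}", 1)[-1]


def check_list_properties(xml_text):
    """Map (provider, property) to the parsed list, or None if it cannot parse."""
    results = {}
    for provider in ET.fromstring(xml_text).iter():
        if _local(provider.tag) != "provider":
            continue
        for prop in provider.iter():
            value = prop.get("value", "")  # entities are decoded once by the XML parser
            if _local(prop.tag) != "property" or not value.lstrip().startswith("["):
                continue
            try:
                results[(provider.get("name"), prop.get("name"))] = json.loads(value)
            except ValueError:  # e.g. a literal &quot; left by double encoding
                results[(provider.get("name"), prop.get("name"))] = None
    return results
```

Any entry mapped to `None` is a value that would fail when the deployment reads it as a list, so the check can gate a configuration rollout before the server is restarted.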

Dominik Guhr

Dec 18, 2021, 9:21:20 AM
to Thomas Darimont, Stian Thorgersen, Keycloak Dev
Hey,

thanks Thomas for answering. You can see another example of the syntax change here: https://github.com/keycloak/keycloak/pull/9190/commits/bf39e738a6779a4a6279b93752e8aa2ad4301b41

@Stian Thorgersen maybe also worth mentioning in the kc16 migration guide? Kind of "breaking" change.





Stian Thorgersen

Dec 20, 2021, 3:39:08 AM
to Dominik Guhr, Thomas Darimont, Keycloak Dev
I actually thought we always had required the strange work-around with quotes ("[\"one\",\"two\"]"). At least that was how it was initially when we added the config to standalone.xml.