I tried using the Ruby to import users into a tenant from KeyCloak, the script threw no errors but I am unable to login using the password. The password works in KeyCloak but not in FusionAuth. The Fusion Auth version I am using is 1.45.3 and Key Cloak version is 21.1.1.
Anybody had this issue before?
Without understanding your setup completely, is the callback happening in a server-to-server call? If so, localhost doesn't work.
For example when I wanna call the elastic search container from fusion auth, I cannot call it as http://localhost:9200. For instance if the setup is
fusionauth-search:
image: docker.elastic.co/elasticsearch/elasticsearch:8.5.0
container_name: fusionauth-search
environment:
cluster.name: fusionauth
networks:
- data-layer
restart: unless-stopped
ports:
- '9011:9011'
I will need to call it via http://fusionauth-search:9200. You can also see such a setup in Fusion Auth's documentation on setting up Fusion Auth in docker-compose at https://fusionauth.io/docs/v1/tech/installation-guide/docker. You notice that the URLs will refer to the container names.
I hope this helps.
@dan Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512.
This seems to make the Ruby script work and also it works on our own internal update scripts in the test instance.
@dan You folks may want to update the documentation and potentially the ruby script you guys provide so people won't panic like we did lolz.
We are trying out FusionAuth in clustered (more than 1 replica in Kubernetes). We are seeing this message a lot in the logs:
2023-08-17 06:29:20.688 PM ERROR io.fusionauth.api.service.cache.DistributedCacheNotifier - Failed to request a cache reload for [Applications, IdentityProvider, Keys] on [http://fusionauth.qa.svc.cluster.local:9011]. Status Code [-1]
Took [15015] ms
java.net.SocketTimeoutException: Read timed out
at java.base/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:283)
at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:309)
at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
at java.base/java.net.Socket$SocketInputStream.read(Socket.java:966)
at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:244)
at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:284)
at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:343)
at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:791)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:726)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1688)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
at com.inversoft.rest.RESTClient.go(RESTClient.java:403)
at io.fusionauth.api.service.cache.DistributedCacheNotifier.callReload(DistributedCacheNotifier.java:201)
Our YAML file looks something like this:
apiVersion: apps/v1
kind: Deployment
metadata:
name: fusionauth
namespace: qa
spec:
replicas: 1
selector:
matchLabels:
app: fusionauth
template:
metadata:
labels:
app: fusionauth
spec:
containers:
- name: fusionauth
image: fusionauth/fusionauth-app:1.47.1
ports:
- containerPort: 9011
env:
- name: FUSIONAUTH_APP_MEMORY
value: "2G"
- name: FUSIONAUTH_APP_RUNTIME_MODE
value: "production"
- name: FUSIONAUTH_APP_URL
value: "http://fusionauth.qa.svc.cluster.local:9011"
- name: FUSIONAUTH_APP_USER_SEARCH_INDEX_NAME
value: fusionauth-qa-user
- name: FUSIONAUTH_APP_ENTITY_SEARCH_INDEX_NAME
value: fusionauth-qa-entity
- name: SEARCH_TYPE
value: "elasticsearch"
- name: PROXY_PORT
value: "80"
- name: DATABASE_CONNECTION_TIMEOUT
value: "300000"
- name: DATABASE_MAXIMUM_POOL_SIZE
value: "20"
- name: DATABASE_CONNECTION_HEALTHCHECK_99PERCENT_MS
value: "1000"
- name: FUSIONAUTH_SEARCH_ADDITIONAL_JAVA_ARGS
value: "-Xms128m -Xmx2048m"
resources:
requests:
cpu: "2000m"
memory: "2.5Gi"
limits:
cpu: "4000m"
memory: "3Gi"
---
apiVersion: v1
kind: Service
metadata:
name: fusionauth
namespace: qa
spec:
type: ClusterIP
ports:
- port: 9011
selector:
app: fusionauth
I tested it by installing CURL in the FusionAuth image, it resolves the URL.
@dan You folks may want to update the documentation and potentially the ruby script you guys provide so people won't panic like we did lolz.
@dan Hello Dan, I found the fix, at least for my test instance, seems that pbkdf2-sha256 maps to salted-pbkdf2-hmac-sha256 rather than salted-pbkdf2-hmac-sha256-512.
This seems to make the Ruby script work and also it works on our own internal update scripts in the test instance.
Without understanding your setup completely, is the callback happening in a server-to-server call? If so, localhost doesn't work.
For example when I wanna call the elastic search container from fusion auth, I cannot call it as http://localhost:9200. For instance if the setup is
fusionauth-search:
image: docker.elastic.co/elasticsearch/elasticsearch:8.5.0
container_name: fusionauth-search
environment:
cluster.name: fusionauth
networks:
- data-layer
restart: unless-stopped
ports:
- '9011:9011'
I will need to call it via http://fusionauth-search:9200. You can also see such a setup in Fusion Auth's documentation on setting up Fusion Auth in docker-compose at https://fusionauth.io/docs/v1/tech/installation-guide/docker. You notice that the URLs will refer to the container names.
I hope this helps.
I tried using the Ruby to import users into a tenant from KeyCloak, the script threw no errors but I am unable to login using the password. The password works in KeyCloak but not in FusionAuth. The Fusion Auth version I am using is 1.45.3 and Key Cloak version is 21.1.1.
Anybody had this issue before?