ProcessingException: RESTEASY004655: Unable to invoke request: java.net.SocketException: Connection reset #8917
Comments
Looks like a networking issue to me? Can't see anything that would indicate this is a bug in Keycloak. |
@stianst In the error log I saw I highly suspect that there is an error in 'TokenManager.refreshToken(TokenManager.java:111)': An unknown error occurred when the client requested the token, which may be on server or during network transmission. After the token expired, when the client tried to obtain the token again, the error occurred? The following is how I use it:

```java
@RefreshScope
@Configuration
public class KeycloakClientConfig {
    @Value("${project.keycloak.server-url}")
    private String serverUrl;
    @Value("${project.keycloak.realm}")
    private String realm;
    @Value("${project.keycloak.client-id}")
    private String clientId;
    @Value("${project.keycloak.username}")
    private String username;
    @Value("${project.keycloak.password}")
    private String password;

    @Bean
    public Keycloak keycloak() {
        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .clientId(clientId)
                .username(username)
                .password(password)
                .build();
    }
}

@Resource
Keycloak keycloak;
@Value("${project.keycloak.current-realm}")
private String currentRealm;

private boolean verifyAccountFromKeycloak(String account, String email) {
    final UsersResource usersResource = keycloak.realm(currentRealm).users();
    if (CollectionUtils.isNotEmpty(usersResource.search(account, true))) {
        return false;
    }
    List<UserRepresentation> users2 = usersResource.search(null, null, null, email, 0, 20);
    return CollectionUtils.isEmpty(users2) || !users2.stream().anyMatch(s -> email.equals(s.getEmail()));
}
```
|
@myifeng SocketException is often a network environment issue rather than a bug in Keycloak. If the issue happens occasionally, we need a reproducible step, otherwise it will be really hard for us to guess what's going on. |
@abstractj see #9269. Both of these situations occur when the token expires and the token is re-acquired. |
Thanks for taking the time to submit this issue. However, we were unable to reproduce the mentioned steps. We strongly recommend that people upgrade to the latest releases of Keycloak. The WildFly distribution was discontinued and is no longer supported by our team. If you can reproduce the issue using the latest releases of Keycloak, please reopen this issue, including a reproducer. |
This error also happens with the latest 21.1.1 version, and it occurs during long processes such as user migration from another system and using the admin client Java APIs. |
We have the same issue with long running processes. |
Also have the same issue in 21.1.1 |
Email received, I will handle it as soon as possible!
|
I have the same issue, but possibly found the workaround (it is under tests now).

```java
@Bean
public Client customizedResteasyClient() {
    CloseableHttpClient httpClient = createHttpClient();
    ApacheHttpClient43Engine engine = new ApacheHttpClient43Engine(httpClient);
    return ((ResteasyClientBuilder) ClientBuilder.newBuilder())
            .httpEngine(engine)
            .connectTimeout(10000, TimeUnit.MILLISECONDS)
            .readTimeout(7000, TimeUnit.MILLISECONDS)
            .connectionTTL(-1, TimeUnit.MILLISECONDS)
            // disableTrustManager() turns off TLS server certificate validation
            .disableTrustManager()
            .build();
}

private CloseableHttpClient createHttpClient() {
    PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager();
    // Re-validate a pooled connection if it has been idle for more than 1 second
    cm.setValidateAfterInactivity(1000);
    cm.setMaxTotal(200);
    cm.setDefaultMaxPerRoute(20);
    return HttpClients.custom()
            .setConnectionManager(cm)
            .evictExpiredConnections()
            .evictIdleConnections(10000, TimeUnit.MILLISECONDS)
            .setRetryHandler(DefaultHttpRequestRetryHandler.INSTANCE)
            .build();
}

@Bean
public Keycloak customizedKeycloakAdminClient() {
    return KeycloakBuilder.builder()
            .grantType(OAuth2Constants.CLIENT_CREDENTIALS)
            .realm("admin")
            .clientId("clientId")
            .clientSecret("clientSecret")
            .serverUrl("http://127.0.0.1:8080")
            .resteasyClient(customizedResteasyClient())
            .build();
}
```

I think that pooling settings like the retry handler and the idle connection eviction mechanism could cause sockets used to connect over the HTTP protocol to be tested before use, so that connections closed by some external mechanism like a firewall would be rejected by the KeycloakAdmin client. |
@tramiaczek did this solution work? I tried reproducing the issue using calls to |
We have the problem reported from the client's environment - random Of course as we could not reproduce the issue, we tried to seek for the solution in a blind manner - we tried to use the latest possible version of |
@tramiaczek thanks for clarification. Do I understand correctly that when passing the custom client the error did not occur again? |
Yes, it has been working for almost 2 months now and the error was not reopened by the client. |
I've implemented the solution (here's the Clojure version). Where we first got roughly 30 RESTEASY004655 error messages a day, we now average 3 per day. Mainly coming from the health check that calls the service every 15 seconds thus 5760 times per day. So tenfold decrease in error messages, but there are still some. Maybe can use some further tuning, but already great reduction. Thanks a lot for this improvement @tramiaczek. |
I was able to reliably reproduce the issue using the latest keycloak and keycloak-admin-client (each 22.0.5).

Reproducer setup

I am running on Ubuntu 20.04 (WSL2 on Windows) and OpenJDK 17.
The reproducer may take a few iterations until it hits this exception and exits:
Some iterations may fully succeed, some may only print this message:
I believe the differences are due to

```java
if (!clientContext.isRequestSent() || this.requestSentRetryEnabled) {
    // Retry if the request has not been sent fully or
    // if it's OK to retry methods that have been sent
    return true;
}
// otherwise do not retry
return false;
```

The code always reaches that statement. I saw that

Possible solutions

Assuming the troublemaker is some network component closing idle connections, the problem can be avoided by auto-closing idle connections and/or testing pooled connections before use. This is what @tramiaczek suggested in his previous comment #8917 (comment)

A minimal configuration to enable auto-closing of connections may look like this:

```java
Keycloak kc = KeycloakBuilder.builder()
        .serverUrl("http://localhost:8081")
        .realm("master")
        .username("admin")
        .password("admin")
        .clientId("admin-cli")
        .resteasyClient(((ResteasyClientBuilder) ClientBuilder.newBuilder())
                .connectionPoolSize(3)
                .connectionTTL(10, TimeUnit.SECONDS)
                .build())
        .build();
```

For this specific use case, namely the keycloak-admin-client transparently refreshing its token, it might be useful for it to automatically retry this too, since other connection failures are typically retried as well. Though I am unsure how this would be done. Alternatively, application-side retry mechanisms may be considered. Given the keycloak admin client may throw connection errors at any time anyway, applications should probably be robust against this. |
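One way to implement the application-side retry mentioned in the comment above, as an added example that is not part of the thread or of Keycloak's code: it retries a call only when a `java.net.SocketException` is in the cause chain (as in the RESTEASY004655 error) and is meant to wrap idempotent reads only, such as the `users().search(...)` call from the original report. The class and method names are hypothetical, and the lambda in `main` is a constructed stand-in for a real admin-client call.

```java
import java.net.SocketException;
import java.util.function.Supplier;

// Added example (hypothetical names): bounded retry for idempotent admin-client reads.
public final class ConnectionResetRetry {
    // True if a java.net.SocketException appears anywhere in the cause chain.
    static boolean causedBySocketException(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof SocketException) return true;
        }
        return false;
    }

    // Runs the call up to maxAttempts times, with linear backoff between attempts.
    static <T> T callWithRetry(Supplier<T> call, int maxAttempts, long backoffMillis) {
        if (maxAttempts < 1) throw new IllegalArgumentException("maxAttempts must be >= 1");
        RuntimeException last = null;
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            try {
                return call.get();
            } catch (RuntimeException e) {
                if (!causedBySocketException(e)) throw e; // HTTP error responses are not retried
                last = e;
                if (attempt < maxAttempts) pause(backoffMillis * attempt);
            }
        }
        throw last; // every attempt failed with a connection-level error
    }

    private static void pause(long millis) {
        try {
            Thread.sleep(millis);
        } catch (InterruptedException ie) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted during backoff", ie);
        }
    }

    public static void main(String[] args) {
        int[] calls = {0};
        // Constructed stand-in for a read: fails twice with a wrapped reset, then succeeds.
        String result = callWithRetry(() -> {
            if (++calls[0] < 3) {
                throw new RuntimeException("RESTEASY004655", new SocketException("Connection reset"));
            }
            return "user-list";
        }, 4, 50L);
        System.out.println(result + " after " + calls[0] + " attempts");
    }
}
```

Keep write operations (user creation, role changes) outside this wrapper unless the caller can tell whether the first request reached the server, since a reset can arrive after the request was already processed.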
I have been able to reproduce this still in |
Describe the bug
I get a reset error when I use keycloak to search for users.
This error does not appear every time, only occasionally, but I don't know how to fix it.
Please help~
Version
15.0.2
Expected behavior
No errors or exceptions
Actual behavior
How to Reproduce?
Sorry, this error does not appear every time, only occasionally.
Anything else?
Spring Boot: 2.3.11.RELEASE
JDK Image: openjdk:8u212-jre-slim