@thomasdarimont
Last active March 31, 2023 23:58
How to enable OpenTracing in Keycloak 10.x

How to enable MicroProfile OpenTracing in Keycloak 10.x

Keycloak 10.0.1 is based on WildFly 19, which comes with support for OpenTracing. However, the OpenTracing support in Keycloak is not active by default. This small example demonstrates how to enable OpenTracing in the latest Keycloak version, based on the article Micro_Profile_OpenTracing_Comes_To_WildFly.

This example tries to explore a solution for KEYCLOAK-8288.

Start latest jaeger docker container

docker run -d --name jaeger \
  -p 6831:6831/udp \
  -p 5778:5778 \
  -p 14268:14268 \
  -p 16686:16686 \
  jaegertracing/all-in-one:1.17.1

Enable opentracing in Keycloak

In order to enable opentracing in Keycloak, we need to add the opentracing extension:

<extension module="org.wildfly.extension.microprofile.opentracing-smallrye"/>

Then we need to create a default opentracing subsystem configuration:

<subsystem xmlns="urn:wildfly:microprofile-opentracing-smallrye:2.0" default-tracer="jaeger-demo">
    <jaeger-tracer name="jaeger-demo">
        <sampler-configuration sampler-type="const" sampler-param="1.0"/>
        <sender-configuration sender-endpoint="http://localhost:14268/api/traces"/>
        <reporter-configuration reporter-log-spans="true"/>
    </jaeger-tracer>
</subsystem>

The following jboss-cli script creates the necessary bits.

Copy standalone.xml to standalone-tracing.xml

Run via bin/jboss-cli.sh:

# Start an embedded server on the copied configuration (it is stopped again at the end of the script)
embed-server --server-config=standalone-tracing.xml

# Register the extension and create the subsystem (needed for both the UDP and the TCP variant)
/extension=org.wildfly.extension.microprofile.opentracing-smallrye:add
/subsystem=microprofile-opentracing-smallrye:add()

## For UDP
#/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=jaeger:add(host=localhost, port=6831)
#/subsystem=microprofile-opentracing-smallrye/jaeger-tracer=jaeger-demo:add(sampler-type=const, sampler-param=1, reporter-log-spans=true, sender-binding=jaeger)

# For TCP
/subsystem=microprofile-opentracing-smallrye/jaeger-tracer=jaeger-demo:add(sampler-type=const, sampler-param=1, reporter-log-spans=true)
/subsystem=microprofile-opentracing-smallrye/jaeger-tracer=jaeger-demo:write-attribute(name="sender-endpoint", value="http://localhost:14268/api/traces")

# Setting the default tracer
/subsystem=microprofile-opentracing-smallrye:write-attribute(name=default-tracer, value=jaeger-demo)

stop-embedded-server
exit

Note that additional configuration examples can be found here: configuration_guide/eclipse_microprofile. A description of the jaeger-tracing configuration options can be found in the subsystem-configuration/MicroProfile_OpenTracing_SmallRye documentation.

Enable CDI for Keycloak Web App

In order to get Wildfly Jaeger OpenTracing support working we need to activate CDI, which is currently not used by Keycloak.

Comment out the weld entry under exclude-subsystems in jboss-deployment-structure.xml, so that the weld (CDI) subsystem is no longer excluded: $KEYCLOAK_HOME/modules/system/layers/keycloak/org/keycloak/keycloak-server-subsystem/main/server-war/WEB-INF/jboss-deployment-structure.xml

<jboss-deployment-structure>
    <deployment>
        <dependencies>
            <module name="org.keycloak.keycloak-server-subsystem.dependencies"/>
        </dependencies>
        <exclude-subsystems>
            <subsystem name="webservices"/>
            <!--<subsystem name="weld"/>-->
        </exclude-subsystems>
    </deployment>
</jboss-deployment-structure>

Create an empty beans.xml

<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://xmlns.jcp.org/xml/ns/javaee
      http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
    bean-discovery-mode="all">
</beans>

Start Keycloak

bin/standalone.sh -c standalone-tracing.xml

Login to Keycloak

http://localhost:8080/auth/

If everything is set up correctly you should see log messages like:

...
23:02:29,652 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 96dad3890edde7a8:96dad3890edde7a8:0:1 - GET:org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet
23:02:33,225 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 5a6a8ffb45ae1d2:5a6a8ffb45ae1d2:0:1 - POST:org.keycloak.services.resources.LoginActionsService.authenticateForm
23:02:33,308 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 3cda2b77c6bc7577:3cda2b77c6bc7577:0:1 - GET:org.keycloak.services.resources.account.AccountFormService.loginRedirect
23:02:33,361 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: b229006688e2d438:b229006688e2d438:0:1 - GET:org.keycloak.services.resources.account.AccountFormService.accountPage
23:02:45,140 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 48fad346264b8360:48fad346264b8360:0:1 - GET:org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout
...
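To check which Keycloak endpoints actually produced spans, the LoggingReporter lines can be parsed. The following Python is an added example, not part of the original gist; it assumes the Jaeger span-context layout `trace-id:span-id:parent-id:flags` (flag bit 0x01 = sampled, 0x02 = debug), the field names are illustrative, and the input is the log excerpt shown above.

```python
import re
from collections import Counter

# Input: the LoggingReporter excerpt shown on this page (including the "..." lines).
SAMPLE_LOG = """\
...
23:02:29,652 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 96dad3890edde7a8:96dad3890edde7a8:0:1 - GET:org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet
23:02:33,225 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 5a6a8ffb45ae1d2:5a6a8ffb45ae1d2:0:1 - POST:org.keycloak.services.resources.LoginActionsService.authenticateForm
23:02:33,308 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 3cda2b77c6bc7577:3cda2b77c6bc7577:0:1 - GET:org.keycloak.services.resources.account.AccountFormService.loginRedirect
23:02:33,361 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: b229006688e2d438:b229006688e2d438:0:1 - GET:org.keycloak.services.resources.account.AccountFormService.accountPage
23:02:45,140 INFO  [io.jaegertracing.internal.reporters.LoggingReporter] (default task-1) Span reported: 48fad346264b8360:48fad346264b8360:0:1 - GET:org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout
...
"""

# One LoggingReporter line: timestamp, level, logger, thread, span context, operation.
SPAN_RE = re.compile(
    r"^(?P<time>[\d:,]+)\s+\w+\s+\[io\.jaegertracing\.internal\.reporters\.LoggingReporter\].*?"
    r"Span reported: (?P<trace>[0-9a-f]+):(?P<span>[0-9a-f]+):(?P<parent>[0-9a-f]+):(?P<flags>[0-9a-f]+)"
    r" - (?P<method>[A-Z]+):(?P<op>\S+)\s*$"
)

def parse_spans(log_text):
    """Return one dict per reported span; lines that are not span reports are skipped."""
    spans = []
    for line in log_text.splitlines():
        m = SPAN_RE.match(line.strip())
        if not m:
            continue
        flags = int(m["flags"], 16)
        cls, _, handler = m["op"].rpartition(".")
        spans.append({
            "time": m["time"],
            # The log drops leading zeros (see the 15-digit id above); pad to 16 hex digits.
            "trace_id": m["trace"].zfill(16),
            "span_id": m["span"].zfill(16),
            "is_root": int(m["parent"], 16) == 0,   # parent id 0 = first span of the trace
            "sampled": bool(flags & 0x01),
            "debug": bool(flags & 0x02),
            "method": m["method"],
            "resource": cls.rsplit(".", 1)[-1],     # simple class name of the JAX-RS resource
            "handler": handler,
        })
    return spans

def endpoint_counts(spans):
    """Count spans per 'METHOD Resource.handler' to see which flows were traced."""
    return Counter(f'{s["method"]} {s["resource"]}.{s["handler"]}' for s in spans)

if __name__ == "__main__":
    for s in parse_spans(SAMPLE_LOG):
        print(s["time"], s["trace_id"], s["method"], f'{s["resource"]}.{s["handler"]}')
```

The zero-padded `trace_id` is the full 16-digit form of the id to look up in the Jaeger UI.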

View the traces in jaeger

http://localhost:16686/search

Keycloak Requests in Jaeger

Alternative Sample Application

Deploy the opentracing example application

git clone git@github.com:ehsavoie/opentracing-demo.git
# Build from inside the cloned repository
cd opentracing-demo
mvn clean package -DskipTests
cp target/opentracing-demo.war $KEYCLOAK_HOME/standalone/deployments

Call app endpoints

Refresh the following URLs a few times in your browser: http://localhost:8080/opentracing-demo/rest/xml and http://localhost:8080/opentracing-demo/rest/json

View the traces in jaeger

http://localhost:16686/search

@goto1134

I modified the standalone-ha.xml of the Keycloak 13.0.1 docker image and now I keep getting this exception:

10:33:43,332 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration
	at org.jboss.as.controller@15.0.1.Final//org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143)
	at org.jboss.as.server@15.0.1.Final//org.jboss.as.server.ServerService.boot(ServerService.java:403)
	at org.jboss.as.controller@15.0.1.Final//org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:416)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module org.wildfly.extension.microprofile.opentracing-smallrye
	at org.jboss.as.controller@15.0.1.Final//org.jboss.as.controller.parsing.DeferredExtensionContext.load(DeferredExtensionContext.java:100)
	at org.jboss.as.server@15.0.1.Final//org.jboss.as.server.parsing.StandaloneXml_16.readServerElement(StandaloneXml_16.java:240)
	at org.jboss.as.server@15.0.1.Final//org.jboss.as.server.parsing.StandaloneXml_16.readElement(StandaloneXml_16.java:140)
	at org.jboss.as.server@15.0.1.Final//org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:144)
	at org.jboss.as.server@15.0.1.Final//org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:52)
	at org.jboss.staxmapper@1.3.0.Final//org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:122)
	at org.jboss.staxmapper@1.3.0.Final//org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:76)
	at org.jboss.as.controller@15.0.1.Final//org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:126)
	... 3 more
Caused by: java.util.concurrent.ExecutionException: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at org.jboss.as.controller@15.0.1.Final//org.jboss.as.controller.parsing.DeferredExtensionContext.load(DeferredExtensionContext.java:92)
	... 10 more
Caused by: javax.xml.stream.XMLStreamException: WFLYCTL0083: Failed to load module

It seems like the Keycloak 13 that I use does not come with the needed module in the WildFly classpath. Do you know any solutions to this problem?

@Robbilie

@goto1134 try adding the config extension upfront

/extension=org.wildfly.extension.microprofile.config-smallrye:add

Although this lets me run all steps on Keycloak 15, it doesn't seem to do more than log that the subsystem was loaded; no tracing happens, though.

I'm running the docker container and I did not add the beans.xml (no idea where), but the weld comment is uncommented by default now…

Any ideas, @thomasdarimont?

@solaris-ventus

@Robbilie
It also did not work for me, and tcpdump shows that no traffic is being sent.
Did you manage to achieve tracing on version 15?

@Robbilie

I did not invest any further time into it; I might do so again in the future for the Quarkus version.

@solaris-ventus

ls -l /subsystem=microprofile-opentracing-smallrye/jaeger-tracer=my-tracer
ATTRIBUTE                 VALUE                              TYPE
propagation               ["JAEGER"]                         LIST
reporter-flush-interval   1000                               INT
reporter-log-spans        true                               BOOLEAN
reporter-max-queue-size   undefined                          INT
sampler-manager-host-port undefined                          STRING
sampler-param             1.0                                DOUBLE
sampler-type              const                              STRING
sender-auth-password      undefined                          STRING
sender-auth-token         undefined                          STRING
sender-auth-user          undefined                          STRING
sender-binding            undefined                          STRING
sender-endpoint           http://10.0.150.7:14268/api/traces STRING
tags                      undefined                          OBJECT
tracer_id_128bit          false                              BOOLEAN

@solaris-ventus

@Robbilie Thanks!

@solaris-ventus

solaris-ventus commented Dec 20, 2022

It worked. Just removed the line:

            <subsystem name="weld"/>

keycloak 15.0.2
