[aerogear-dev] AGPUSH-1047: Decouple UPS from Keycloak

Bruno Oliveira bruno at abstractj.org
Mon Nov 17 07:43:21 EST 2014


Good morning my friend, I can't confirm/deny without access to the
sources, like the files you updated.

Here is what must be done to get UPS working on a separate server from
Keycloak (some steps are very similar to what you already did).

Note: I'm working to make it configurable on UPS, but if you are in a
rush, these steps might help.

1. docker run -it -p 8080:8080 -p 9090:9090 jboss/keycloak
2. Log in to Keycloak
3. Add a new realm and import the JSON file from
servers/auth-server/src/main/webapp/WEB-INF/ups-realm.json
4. git clone https://github.com/abstractj/aerogear-unifiedpush-server.git
5. Change the files to the IP address where KC is located
(https://github.com/abstractj/aerogear-unifiedpush-server/commit/db7639566e75f01a8cc79ff18f22daa61cc9cb30)
6. cd aerogear-unifiedpush-server && git checkout strawman && mvn clean install
7. Deploy on WildFly

All the steps here are necessary if you want to solve the problem right
now. I'm now working on decoupling UPS, and these steps will be
configurable in future releases.


On 2014-11-15, Pratik Parikh wrote:
> Hi Bruno,
>
>     I am working on this as well, just from the setup side. Below is where
> I am stuck; I don't know if this helps you or not. But if you find something
> wrong in my approach, please point me to it.
>
> My goal is to get LiveOak, AeroGear and Keycloak working on different
> servers.  LiveOak uses Keycloak and AeroGear.  Following are the steps I
> took.
>
>     1) Installed Keycloak on one server with a self-signed certificate.  It is
> accessible via https://XXX.XXX.XXX.XXX:8443/auth.  Worked
>     2) Installed AeroGear on another server with a self-signed certificate.
> It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push.  Worked
>     3) Imported the attached JSON as a new aerogear realm in Keycloak.
>   Worked
>     4) Updated Keycloak to use MongoDB. Worked
>     5) Updated the aerogear application with keycloak.json and restarted the
> WildFly server. Updated the application under AeroGear to use
> https://XXX.XXX.XXX.XXX:8443/ag-push/* as a redirect URI. Worked.
>     6) Restarted both WildFly servers.
>     7) After the restart, tried to log in to https://XXX.XXX.XXX.XXX:8443/ag-push/,
> which forwarded me to the https://XXX.XXX.XXX.XXX:8443/auth login
> page.  Successful login was achieved.
>     8) PROBLEM: After login, the redirect to
> https://XXX.XXX.XXX.XXX:8443/ag-push/ gives me the error "No state
> cookie" in the AeroGear log, which is coming from OAuthRequestAuthenticator
> line 116 because the adapter cannot find a cookie with name
> "OAuth_Token_Request_State" in HTTP.
>
>    Troubleshooting Try 1.
>    1) Updated aerogear to use the 1.0.1.Beta1 adapter.  Still works, but does not
> solve the problem; same error.
>
>    Troubleshooting Try 2.
>    1) Updated keycloak.json by adding *"disable-trust-manager": true*.
> Still works, but does not solve the problem; same error.
>
>    Troubleshooting Try 3.
>    1) Updated keycloak.json by adding *"disable-trust-manager":
> false,"truststore": "/path","truststore-password": "password"*.  Still
> works, but does not solve the problem.  I have a question: is "*truststore*" a
> local path to the Keycloak JKS cert, or is this a path to the remote Keycloak
> cert?  I copied the keycloak.jks and pointed to that locally using
> ${jboss.server.config.dir}/trustcerts/keycloak.jks?
> Is this correct? After doing this I tried to invoke
>
>   https://XXX.XXX.XXXX.XXXX:8443/ag-push/rest/ping
>
>   Get the login screen
>
>   then I get Forbidden with the below exception:
>
>   2014-11-15 18:31:13,664 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) [jsse.jar:1.8.0_25]
>         at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1.jar:4.2.1]
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1.jar:4.2.1]
>         at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116) [keycloak-adapter-core-1.0.4.Final.jar:]
>         at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93) [keycloak-adapter-core-1.0.4.Final.jar:]
>         at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256) [keycloak-adapter-core-1.0.4.Final.jar:]
>         at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205) [keycloak-adapter-core-1.0.4.Final.jar:]
>         at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68) [keycloak-adapter-core-1.0.4.Final.jar:]
>         at org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82) [keycloak-undertow-adapter-1.0.4.Final.jar:]
>         at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61) [keycloak-undertow-adapter-1.0.4.Final.jar:]
>         at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.0.4.Final.jar:]
>         at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.0.4.Final.jar:]
>         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
>         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
>
>       Please help; I feel like I am very close, just missing something simple.
>
>
> Regards,
> Pratik Parikh
>
>
>

--

abstractj
PGP: 0x84DC9914
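The three keycloak.json variants tried above (trust manager disabled, truststore unset, truststore set to a path under ${jboss.server.config.dir}) differ in whether the adapter can verify the Keycloak server's self-signed certificate at all. Below is an added example, not code from the thread or from UPS/Keycloak, that audits such an adapter config: it expands the JBoss-style ${...} placeholder against a property map, checks that the truststore is a readable file on the adapter's own host (the adapter's JVM reads it, so it is always a local path), and flags the settings that disable or skip certificate verification. The key names are the adapter's real keycloak.json keys; the sample configs, the property map and the finding texts are constructed for this example.

```python
"""Audit a Keycloak adapter keycloak.json for TLS trust settings (added example)."""
import json
import os
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def expand(value, props):
    """Expand ${name} placeholders such as ${jboss.server.config.dir}; unknown names are left as-is."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def audit(config, props, exists=os.path.isfile):
    """Return a list of findings; an empty list means the trust settings are consistent."""
    findings = []
    url = urlparse(config.get("auth-server-url", ""))
    if url.scheme != "https":
        return ["auth-server-url is not https: code-to-token exchange travels in clear"]
    if config.get("disable-trust-manager"):
        # Try 2 in the thread: TLS connects, but the adapter accepts any certificate.
        return ["disable-trust-manager=true: adapter will not verify the Keycloak server certificate"]
    ts = config.get("truststore")
    if not ts:
        # No truststore: the adapter falls back to the JVM default trust store, which does
        # not contain a self-signed Keycloak certificate, so the token request fails TLS.
        return ["https auth-server-url without truststore: self-signed Keycloak cert cannot be verified"]
    path = expand(ts, props)
    if PLACEHOLDER.search(path):
        findings.append("unresolved placeholder in truststore path: " + path)
    elif not exists(path):
        findings.append("truststore not found on the adapter host: " + path)
    if not config.get("truststore-password"):
        findings.append("truststore set but truststore-password missing")
    return findings


# Constructed sample configs mirroring Try 2 and Try 3 from the thread (RFC 5737 test address).
TRY2 = {"realm": "aerogear", "auth-server-url": "https://203.0.113.10:8443/auth",
        "disable-trust-manager": True}
TRY3 = {"realm": "aerogear", "auth-server-url": "https://203.0.113.10:8443/auth",
        "disable-trust-manager": False,
        "truststore": "${jboss.server.config.dir}/trustcerts/keycloak.jks",
        "truststore-password": "password"}
PROPS = {"jboss.server.config.dir": "/opt/wildfly/standalone/configuration"}  # assumed install dir

if __name__ == "__main__":
    for name, cfg in (("try2", TRY2), ("try3", TRY3)):
        print(name, json.dumps(audit(cfg, PROPS)))
```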

