[keycloak-user] Issue on Direct Grant API

Marek Posolda mposolda at redhat.com
Tue Dec 5 08:29:57 EST 2017


Today, I've tested something and actually simulated the issue, which is 
very similar to your issue with the keys/providers. The stacktrace was 
almost the same.

In my case, it was caused by the fact that I messed things up a bit and 
"downgraded" Keycloak to use a database which had been used by a newer 
Keycloak before. In detail, what I did was:
- Started Keycloak 3.4.1 with a clean MySQL DB
- Stopped Keycloak 3.4.1
- Started the older Keycloak version 3.3.0 against the same MySQL DB, which 
was previously used for 3.4.1.

The reason it is broken is that 3.4.1 added some new implementations 
of providers, which are saved in the DB as ComponentModels. 
When you start the older 3.3.0 version, the ComponentModel is read from 
the DB and references new provider implementations, which don't yet 
exist in 3.3.0. Hence it blows up and throws the stacktrace below.

Could it be the case that you messed things up in a similar manner and 
started an older version of KC against a "new" DB?

Marek

On 05/12/17 13:44, Marcelo Miura wrote:
> Actually that’s because it’s been running for one year and just now it 
> started with the issues. Just trying to figure out what was the cause.
> Could these missing keys / providers have something to do with the 
> direct grant authentication flow issue?
>
>
>> On 5 Dec 2017, at 06:16, Stian Thorgersen <sthorger at redhat.com> wrote:
>>
>> Are you actually using 2.4.0.CR1? That's old and unsupported, maybe 
>> you actually wanted to use 3.4.0.CR1? "hmac-generated" was added in 
>> 2.5.5.
>>
>> On 4 December 2017 at 18:40, Marcelo Miura 
>> <marcelo.miura at gdcommunity.co.uk> wrote:
>>
>>     Thanks for your answers.
>>
>>     http://localhost:8080/auth/admin/master/console/#/server-info/providers
>>     On keys I see the following:
>>     rsa
>>     java-keystore
>>     rsa-generated
>>
>>     On the COMPONENT table of the keycloak db, I could see 2 records
>>     related to hmac-generated. I removed both in attempt to fix the
>>     problem (it’s happening on my dev server). On production I do not
>>     see those records and it's currently working fine.
>>     Then, I tried to create the provider rsa again, so the old
>>     provider appeared back. Then I deleted the providers that I
>>     created and the error related to the keys is not showing anymore.
>>     But I’m still facing the authentication issue by Direct Grant.
>>
>>     On my local server I do not have this issue.
>>     Version used: 2.4.0.CR1
>>
>>
>>>     On 4 Dec 2017, at 14:34, Marek Posolda <mposolda at redhat.com> wrote:
>>>
>>>     Does this happen when you start latest Keycloak from clean
>>>     state? Or did you migrate from some previous version?
>>>
>>>     Marek
>>>
>>>     On 04/12/17 14:57, Marcelo Miura wrote:
>>>>     Hi,
>>>>
>>>>     I’m using Direct Grant to authenticate with an admin user to be
>>>>     able to create new users into Keycloak and be able to reset
>>>>     user passwords.
>>>>
>>>>     But for some reason, the authentication is not working anymore.
>>>>     It’s returning that the user credentials are invalid, as follows:
>>>>     {
>>>>         "error": "invalid_grant",
>>>>         "error_description": "Invalid user credentials"
>>>>     }
>>>>
>>>>     But when logging in to the Admin Console, the credentials are
>>>>     working fine.
>>>>
>>>>     Keycloak log:
>>>>
>>>>     2017-11-30 20:22:31,631 WARN  [org.keycloak.events] (default
>>>>     task-29) type=LOGIN_ERROR, realmId=master, clientId=admin,
>>>>     userId=null, ipAddress=xxx.xx.xx.xx
>>>>     error=invalid_user_credentials, auth_method=openid-connect,
>>>>     grant_type=password, client_auth_method=client-secret,
>>>>     username=admin
>>>>     2017-11-30 20:22:31,631 WARN  [org.keycloak.services] (Brute
>>>>     Force Protector) KC-SERVICES0053: login failure for user
>>>>     <userid> from xxx.xx.xx.xx
>>>>
>>>>     *replaced some values as required by the client
>>>>
>>>>     Not sure if it’s related but in the last days when accessing
>>>>     the realm settings - keys, it was displaying an error: "Error!
>>>>     An unexpected server error has occurred" and the tabs Active
>>>>     and Providers didn’t show any keys.
>>>>     Keycloak log:
>>>>
>>>>     2017-11-30 20:20:52,033 ERROR
>>>>     [org.keycloak.keys.DefaultKeyManager] (default task-24) Failed
>>>>     to load provider <provider id>: java.lang.NullPointerException
>>>>     at
>>>>     org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:133)
>>>>     at
>>>>     org.keycloak.keys.DefaultKeyManager.getPublicKey(DefaultKeyManager.java:70)
>>>>     at
>>>>     org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:688)
>>>>     at
>>>>     org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:64)
>>>>     at
>>>>     org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:175)
>>>>     at
>>>>     org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
>>>>     at sun.reflect.GeneratedMethodAccessor371.invoke(Unknown Source)
>>>>     at
>>>>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>>>>     at
>>>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>     at
>>>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>     at
>>>>     org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>     at
>>>>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>     at
>>>>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>     at
>>>>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>     at
>>>>     org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>     at
>>>>     io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>     at
>>>>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>     at
>>>>     io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>     at
>>>>     org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>     at
>>>>     io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>     at
>>>>     io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>     at
>>>>     io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>     at
>>>>     io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>     at
>>>>     io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>     at
>>>>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>     at
>>>>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>
>>>>     2017-11-30 20:20:52,038 ERROR [io.undertow.request] (default
>>>>     task-24) UT005023: Exception handling request to
>>>>     /auth/admin/realms/master/components:
>>>>     org.jboss.resteasy.spi.UnhandledException:
>>>>     java.lang.RuntimeException: java.lang.IllegalArgumentException:
>>>>     No such provider 'hmac-generated'
>>>>     at
>>>>     org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>>>     at
>>>>     org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>>>     at
>>>>     org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>>>     at
>>>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>>>     at
>>>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>     at
>>>>     org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>     at
>>>>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>     at
>>>>     org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>     at
>>>>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>     at
>>>>     org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>     at
>>>>     io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>     at
>>>>     io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>     at
>>>>     io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>     at
>>>>     org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>     at
>>>>     io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>     at
>>>>     io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>     at
>>>>     io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>     at
>>>>     io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>     at
>>>>     io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>     at
>>>>     io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>     at
>>>>     io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>     at
>>>>     java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>     at
>>>>     java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>     Caused by: java.lang.RuntimeException:
>>>>     java.lang.IllegalArgumentException: No such provider
>>>>     'hmac-generated'
>>>>     at
>>>>     org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:69)
>>>>     at
>>>>     org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:39)
>>>>     at
>>>>     org.keycloak.models.utils.StripSecretsUtils.strip(StripSecretsUtils.java:39)
>>>>     at
>>>>     org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:815)
>>>>     at
>>>>     org.keycloak.services.resources.admin.ComponentResource.getComponents(ComponentResource.java:118)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at
>>>>     sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>     at
>>>>     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>     at
>>>>     org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>     at
>>>>     org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>     at
>>>>     org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>     ... 37 more
>>>>     Caused by: java.lang.IllegalArgumentException: No such provider
>>>>     'hmac-generated'
>>>>     at
>>>>     org.keycloak.models.utils.ComponentUtil.getComponentFactory(ComponentUtil.java:81)
>>>>     at
>>>>     org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:56)
>>>>     ... 55 more
>>>>
>>>>
>>>>     But when I check the keycloak database, seems that the key and
>>>>     provider are there.
>>>>     Any thoughts?
>>>>
>>>>
>>>>
>>>>     _______________________________________________
>>>>     keycloak-user mailing list
>>>>     keycloak-user at lists.jboss.org
>>>>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
>>
>>
>
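
A read-only check for the condition described in this thread (COMPONENT rows that reference a provider the running server does not have), added here as an example and not code from the thread or from Keycloak. The column names, the `org.keycloak.keys.KeyProvider` type string and all sample rows and log lines are assumptions constructed for the example; the installed provider names are the three listed in the thread.

```python
import re
import sqlite3

# Constructed rows. Columns are assumed to mirror Keycloak's COMPONENT table;
# the IDs, names and realm are made up for this example.
KEY_TYPE = "org.keycloak.keys.KeyProvider"  # assumed PROVIDER_TYPE for key providers
SAMPLE_COMPONENTS = [
    ("c1", "rsa-generated", "master", "rsa-generated", KEY_TYPE),
    ("c2", "hmac-generated", "master", "hmac-generated", KEY_TYPE),
    ("c3", "keystore", "master", "java-keystore", KEY_TYPE),
]

# Key providers the running server lists under server-info/providers
# (the three names quoted in the thread).
INSTALLED = {KEY_TYPE: {"rsa", "java-keystore", "rsa-generated"}}

# Constructed log line in the shape of the error quoted in the thread.
SAMPLE_LOG = [
    "2017-11-30 20:20:52,038 ERROR [io.undertow.request] (default task-24) "
    "java.lang.IllegalArgumentException: No such provider 'hmac-generated'",
]

def load_sample_db():
    """Build an in-memory stand-in for the Keycloak DB (hypothetical helper)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE COMPONENT (ID TEXT PRIMARY KEY, NAME TEXT, "
                 "REALM_ID TEXT, PROVIDER_ID TEXT, PROVIDER_TYPE TEXT)")
    conn.executemany("INSERT INTO COMPONENT VALUES (?, ?, ?, ?, ?)", SAMPLE_COMPONENTS)
    return conn

def find_orphaned_components(conn, installed):
    """Rows whose PROVIDER_ID is not installed; unknown provider types are skipped."""
    orphans = []
    query = "SELECT ID, REALM_ID, PROVIDER_TYPE, PROVIDER_ID FROM COMPONENT ORDER BY ID"
    for cid, realm, ptype, pid in conn.execute(query):
        known = installed.get(ptype)
        if known is not None and pid not in known:
            orphans.append((cid, realm, ptype, pid))
    return orphans

def providers_named_in_log(lines):
    """Provider ids named in 'No such provider' errors."""
    pattern = re.compile(r"No such provider '([^']+)'")
    return {m.group(1) for line in lines for m in pattern.finditer(line)}

def unexplained_log_errors(conn, installed, lines):
    """Logged provider ids that no orphaned COMPONENT row accounts for."""
    orphan_ids = {row[3] for row in find_orphaned_components(conn, installed)}
    return providers_named_in_log(lines) - orphan_ids

if __name__ == "__main__":
    for row in find_orphaned_components(load_sample_db(), INSTALLED):
        print("orphaned component:", row)
```

Running the same comparison before starting a different Keycloak version against an existing database shows which stored components that version cannot load.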


