[keycloak-user] Issue on Direct Grant API

Stian Thorgersen sthorger at redhat.com
Tue Dec 5 15:16:20 EST 2017


As "hmac-generated" was introduced in 2.5.5 there is no way you would have
that in the DB unless you have imported data from a newer Keycloak or have
run a newer Keycloak against the DB.

We also will not support you on any issues in Keycloak unless you use the
latest version. We simply don't have capacity to do that in the free
community version.

On 5 December 2017 at 15:25, Marcelo Miura <marcelo.miura at gdcommunity.co.uk>
wrote:

> No, the versions were not changed, as far as I know. But I’ll check it.
> Thanks!
>
>
> On 5 Dec 2017, at 11:29, Marek Posolda <mposolda at redhat.com> wrote:
>
> Today, I've tested something and actually simulated the issue, which is
> very similar to your issue with the keys/providers. The stacktrace was
> almost the same.
>
> In my case, it was caused by the fact that I messed things up a bit and
> "downgraded" Keycloak to use the database which had been used by the newer
> Keycloak before. In detail, what I did was:
> - Started Keycloak 3.4.1 with a clean MySQL DB
> - Stopped Keycloak 3.4.1
> - Started older Keycloak version 3.3.0 against the same MySQL DB, which
> was previously used for 3.4.1.
>
> The reason it is broken is that in 3.4.1 some new implementations of
> providers were added, which are saved in the DB as ComponentModels.
> When you start the older 3.3.0 version, the ComponentModel is read from the
> DB, and it references new provider implementations which don't yet exist in
> 3.3.0. Hence it blows up and throws the stacktrace below.
>
> Could it be the case that you messed things up in a similar manner and
> started an older version of KC against a "new" DB?
>
> Marek
>
> On 05/12/17 13:44, Marcelo Miura wrote:
>
> Actually that’s because it’s been running for one year and just now it
> started with the issues. Just trying to figure out what was the cause.
> Could these missing keys / providers have something to do with the direct
> grant authentication flow issue?
>
>
> On 5 Dec 2017, at 06:16, Stian Thorgersen <sthorger at redhat.com> wrote:
>
> Are you actually using 2.4.0.CR1? That's old and unsupported, maybe you
> actually wanted to use 3.4.0.CR1? "hmac-generated" was added in 2.5.5.
>
> On 4 December 2017 at 18:40, Marcelo Miura <marcelo.miura at gdcommunity.co.uk> wrote:
>
>> Thanks for your answers.
>>
>> http://localhost:8080/auth/admin/master/console/#/server-info/providers
>> On keys I see the following:
>> rsa
>> java-keystore
>> rsa-generated
>> In the COMPONENT table of the keycloak db, I could see 2 records related
>> to hmac-generated. I removed both in an attempt to fix the problem (it’s
>> happening on my dev server). On production I do not see those records and
>> it's currently working fine.
>> Then, I tried to create the rsa provider again, so the old provider
>> appeared again. Then I deleted the providers that I created and the error
>> related to the keys is not showing anymore.
>> But I’m still facing the authentication issue by Direct Grant.
>>
>> On my local server I do not have this issue.
>> Version used: 2.4.0.CR1
>>
>>
>> On 4 Dec 2017, at 14:34, Marek Posolda <mposolda at redhat.com> wrote:
>>
>> Does this happen when you start latest Keycloak from clean state? Or did
>> you migrate from some previous version?
>>
>> Marek
>>
>> On 04/12/17 14:57, Marcelo Miura wrote:
>>
>> Hi,
>>
>> I’m using Direct Grant to authenticate with an admin user to be able to
>> create new users into Keycloak and be able to reset user passwords.
>>
>> But for some reason, the authentication is not working anymore. It’s
>> returning that the user credentials are invalid, as follows:
>> {
>>     "error": "invalid_grant",
>>     "error_description": "Invalid user credentials"
>> }
>>
>> But when logging in to the Admin Console, the credentials are working
>> fine.
>>
>> Keycloak log:
>>
>> 2017-11-30 20:22:31,631 WARN  [org.keycloak.events] (default task-29)
>> type=LOGIN_ERROR, realmId=master, clientId=admin, userId=null,
>> ipAddress=xxx.xx.xx.xx error=invalid_user_credentials,
>> auth_method=openid-connect, grant_type=password,
>> client_auth_method=client-secret, username=admin
>> 2017-11-30 20:22:31,631 WARN  [org.keycloak.services] (Brute Force
>> Protector) KC-SERVICES0053: login failure for user <userid> from
>> xxx.xx.xx.xx
>>
>> *replaced some values as required by the client
>>
>> Not sure if it’s related, but in the last few days, when accessing the realm
>> settings - keys, it was displaying an error: "Error! An unexpected server
>> error has occurred" and the tabs Active and Providers didn’t show any keys.
>> Keycloak log:
>>
>> 2017-11-30 20:20:52,033 ERROR [org.keycloak.keys.DefaultKeyManager]
>> (default task-24) Failed to load provider <provider id>:
>> java.lang.NullPointerException
>> at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyM
>> anager.java:133)
>> at org.keycloak.keys.DefaultKeyManager.getPublicKey(DefaultKeyM
>> anager.java:70)
>> at org.keycloak.services.managers.AuthenticationManager.verifyI
>> dentityToken(AuthenticationManager.java:688)
>> at org.keycloak.services.managers.AppAuthManager.authenticateBe
>> arerToken(AppAuthManager.java:64)
>> at org.keycloak.services.resources.admin.AdminRoot.authenticate
>> RealmAdminRequest(AdminRoot.java:175)
>> at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdm
>> in(AdminRoot.java:209)
>> at sun.reflect.GeneratedMethodAccessor371.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResourc
>> e(ResourceLocatorInvoker.java:79)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResourc
>> e(ResourceLocatorInvoker.java:58)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:100)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:395)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>> rvletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
>> oFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>> terHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>> eRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssoc
>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociat
>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfident
>> ialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> 2017-11-30 20:20:52,038 ERROR [io.undertow.request] (default task-24)
>> UT005023: Exception handling request to /auth/admin/realms/master/components:
>> org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException:
>> java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationEx
>> ception(ExceptionHandler.java:76)
>> at org.jboss.resteasy.core.ExceptionHandler.handleException(Exc
>> eptionHandler.java:212)
>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException
>> (SynchronousDispatcher.java:168)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:411)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>> rvletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
>> oFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>> terHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>> eRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssoc
>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociat
>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfident
>> ialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException:
>> No such provider 'hmac-generated'
>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigPr
>> operties(ComponentUtil.java:69)
>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigPr
>> operties(ComponentUtil.java:39)
>> at org.keycloak.models.utils.StripSecretsUtils.strip(StripSecre
>> tsUtils.java:39)
>> at org.keycloak.models.utils.ModelToRepresentation.toRepresenta
>> tion(ModelToRepresentation.java:815)
>> at org.keycloak.services.resources.admin.ComponentResource.getC
>> omponents(ComponentResource.java:118)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce
>> ssorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>> ctorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>> (ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>> eMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:395)
>> ... 37 more
>> Caused by: java.lang.IllegalArgumentException: No such provider
>> 'hmac-generated'
>> at org.keycloak.models.utils.ComponentUtil.getComponentFactory(
>> ComponentUtil.java:81)
>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigPr
>> operties(ComponentUtil.java:56)
>> ... 55 more
>>
>>
>> But when I check the keycloak database, it seems that the key and provider
>> are there.
>> Any thoughts?
>
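
The mismatch Marek describes (rows in the COMPONENT table naming a provider the running server does not implement) can be checked for directly. The following is an added example, not code from the thread or from Keycloak: the column names, the `org.keycloak.keys.KeyProvider` type string and the sample rows are assumptions or constructed data, and only the three key provider ids and `hmac-generated` come from the messages above.

```python
import sqlite3

# Assumed subset of Keycloak's COMPONENT table (column names are an assumption
# about the schema; the thread only names the table).
SCHEMA = """
CREATE TABLE COMPONENT (
    ID TEXT PRIMARY KEY, NAME TEXT, REALM_ID TEXT,
    PROVIDER_TYPE TEXT, PROVIDER_ID TEXT
)"""

# Constructed sample rows: a database that a newer server has written to.
SAMPLE_ROWS = [
    ("c1", "rsa-generated", "master", "org.keycloak.keys.KeyProvider", "rsa-generated"),
    ("c2", "hmac-generated", "master", "org.keycloak.keys.KeyProvider", "hmac-generated"),
    ("c3", "hmac-generated", "demo", "org.keycloak.keys.KeyProvider", "hmac-generated"),
    ("c4", "ldap", "demo", "org.keycloak.storage.UserStorageProvider", "ldap"),
]

# Provider ids the running server offers, per provider type. The key provider
# list is the one quoted in the thread from the server-info providers page.
AVAILABLE = {
    "org.keycloak.keys.KeyProvider": {"rsa", "java-keystore", "rsa-generated"},
}

def find_orphaned_components(conn, available):
    """Return (orphans, unchecked_types).

    orphans: (realm, provider_id, component_id) for rows whose PROVIDER_ID the
    server does not implement. unchecked_types: provider types for which no
    availability list was supplied; they are reported instead of guessed at.
    """
    orphans, unchecked = [], set()
    query = ("SELECT REALM_ID, PROVIDER_TYPE, PROVIDER_ID, ID "
             "FROM COMPONENT ORDER BY REALM_ID, ID")
    for realm, ptype, pid, cid in conn.execute(query):
        if ptype not in available:
            unchecked.add(ptype)
        elif pid not in available[ptype]:
            orphans.append((realm, pid, cid))
    return orphans, sorted(unchecked)

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO COMPONENT VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

if __name__ == "__main__":
    orphans, unchecked = find_orphaned_components(build_sample_db(), AVAILABLE)
    for realm, pid, cid in orphans:
        print(f"realm={realm} component={cid}: no such provider '{pid}'")
    print("not checked:", ", ".join(unchecked))
```

The query only reads, so it can be run against a copy or backup of the database before an older server version is pointed at it.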

