[keycloak-user] Problems using keycloak admin client

Tero Ahonen tahonen at redhat.com
Sat Dec 30 05:33:03 EST 2017


Hi,

I have some problems using keycloak admin client against Keycloak instance
that is running on Openshift Online Pro.

Basic functions work ok, I can get token and do login, but cannot do any
admin stuff with Java client (keycloak-admin-client 3.4.2.Final).

My keycloak (v 3.4.2) is running ok on Openshift Online Pro and I'm using
custom SSL certificate. I have tried different approaches on routing layer.
Using Edge termination with my own cert stuff and also Passthru SSL with
proper cert configured on keycloak Wildfly. Even tried to us default
hostname xxxx-namespace.e4ff.pro-eu-west-1.openshiftapps.com.

When using default router hostname (e4ff ...) I get

javax.ws.rs.ServiceUnavailableException: HTTP 503 Service Unavailable
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.handleErrorStatus(ClientInvocation.java:211)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:174)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:59)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy27.list(Unknown Source)
    at KeycloakTestStage.main(KeycloakTestStage.java:43)


There is nothing in keycloak logs that describes that 503. When using
browser or curl that URL works fine.


When using my own certs and my own hostname I get


javax.ws.rs.ProcessingException: RESTEASY004655: Unable to invoke request
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy19.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
    at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:413)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy27.list(Unknown Source)
    at KeycloakTestStage.main(KeycloakTestStage.java:43)
Caused by: javax.net.ssl.SSLException: Certificate for <keycloak-XXX.mycustomhostname.com> doesn't match any of the subject alternative names: [*.e4ff.pro-eu-west-1.openshiftapps.com, e4ff.pro-eu-west-1.openshiftapps.com]
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:164)
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
    at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:569)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:544)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
    ... 13 more



Custom route hostname is configured as CNAME in my domain name provider as
instructed. CNAME points to e4ff.pro-eu-west-1.openshiftapps.com


I'm creating the Keycloak object like this


Keycloak kc = Keycloak.getInstance(KC_AUTH_SERVER_URL, KC_ADMIN_REALM,
        KC_ADMIN_USER, KC_ADMIN_PWD, KC_ADMIN_CLIENT_ID);


Even with constructor code like this


SSLContext sslContext = new SSLContextBuilder()
        .loadTrustMaterial(null, new TrustStrategy() {
            // Accepts every certificate chain, i.e. disables chain validation.
            public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
                return true;
            }
        })
        .build();

Keycloak.getInstance(KC_AUTH_SERVER_URL, KC_ADMIN_REALM, KC_ADMIN_USER,
        KC_ADMIN_PWD, KC_ADMIN_CLIENT_ID, null, sslContext);


I get same result.


When checking the code (if this is the correct code)


https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java#L77


public static Keycloak getInstance(String serverUrl, String realm, String username, String password,
                                   String clientId, String clientSecret, SSLContext sslContext,
                                   ResteasyJackson2Provider customJacksonProvider) {
    ResteasyClientBuilder clientBuilder = new ResteasyClientBuilder()
            .sslContext(sslContext)
            .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.WILDCARD)
            .connectionPoolSize(10);

    if (customJacksonProvider != null) {
        clientBuilder.register(customJacksonProvider);
    }

    return new Keycloak(serverUrl, realm, username, password, clientId,
            clientSecret, PASSWORD, clientBuilder.build(), null);
}


Based on the code, hostname verification cannot be overridden.


Br,

Tero
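An added example (not code from the post above or from the Keycloak project) of building the admin client through KeycloakBuilder with a caller-supplied ResteasyClient, so the truststore and the hostname verification policy are set explicitly instead of trusting every certificate. The server URL, realm, credentials, truststore path and password are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.representations.idm.RealmRepresentation;

public class KeycloakAdminClientFactory {
    // Builds an admin client that validates the server certificate against an explicit
    // truststore (assumed to hold the CA of the cert served on serverUrl) and keeps
    // hostname verification enabled instead of trusting everything.
    public static Keycloak build(String serverUrl, String realm, String username,
                                 String password, String clientId,
                                 String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // Chain validation (truststore) and hostname verification are separate checks.
        // WILDCARD requires the requested host to match a SAN, so a route that presents
        // the platform wildcard certificate for a custom hostname still fails here.
        ResteasyClient client = new ResteasyClientBuilder()
                .trustStore(trustStore)
                .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.WILDCARD)
                .connectionPoolSize(10)
                .build();

        return KeycloakBuilder.builder()
                .serverUrl(serverUrl)
                .realm(realm)
                .grantType(OAuth2Constants.PASSWORD)
                .username(username)
                .password(password)
                .clientId(clientId)
                .resteasyClient(client)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; the hostname mirrors the one in the trace above.
        Keycloak kc = build("https://keycloak-XXX.mycustomhostname.com/auth", "master",
                "admin", "change-me", "admin-cli", "/path/to/truststore.jks",
                "change-me".toCharArray());
        for (RealmRepresentation r : kc.realms().findAll()) {
            System.out.println(r.getRealm());
        }
    }
}
```

A TrustStrategy that returns true only switches off chain validation; Apache HttpClient runs hostname verification as a separate step, which is why the SSLException above persists with the trust-all SSLContext. The SAN list in that exception shows the route presented the platform wildcard certificate rather than the custom one, so the route's TLS configuration is the thing to check before touching the client.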

