[keycloak-user] Hitting error -- "Didn't find publicKey for specified kid"

Rajesh Ghosh ghosh.rajesh at gmail.com
Tue Jul 25 13:37:12 EDT 2017


Well, first I allowed all roles in my web.xml as in --

        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>

Even then I was hitting the issue. Then, while I was going through the
client installation for the wildfly subsystem, I read about
use-resource-role-mappings --

<secure-deployment name="WAR MODULE NAME.war">
    <realm>bkofc</realm>
    <auth-server-url>http://192.168.99.100:30001/auth</auth-server-url>
    <bearer-only>true</bearer-only>
    <ssl-required>NONE</ssl-required>
    <resource>bkofc-svc</resource>
    <credential name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
    <use-resource-role-mappings>true</use-resource-role-mappings>
</secure-deployment>

It was set to true, as provided in the keycloak console. When I turned it to
the default value "false", everything started working. Do we know which
client configuration parameter controls this element? By default it
should have the default value "false", isn't it?

Thanks for all your help into this.

Regards,
Rajesh
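
Added example (not code from this thread or from Keycloak): a small Python script that reproduces the two checks behind the errors discussed above. The first is the header kid lookup in the realm JWKS, which ends in "Didn't find publicKey for specified kid" whenever the adapter cannot load the key set, for instance when the auth-server-url is wrong and the fetch is refused. The second is the role selection that turns into a 403 when use-resource-role-mappings is true but the token carries no roles under resource_access for the bearer-only client. All kids, keys, claims and URLs are constructed sample values.

```python
import base64
import json

# Constructed sample data (not the thread's real token, keys or secret).
# A realm JWKS document, as served by
#   <auth-server-url>/realms/<realm>/protocol/openid-connect/certs
# The adapter fetches it when it sees a kid it has not cached yet.
SAMPLE_JWKS = {
    "keys": [
        {"kid": "sample-realm-key-1", "kty": "RSA", "alg": "RS256",
         "use": "sig", "n": "constructed-modulus", "e": "AQAB"},
    ]
}

# Claims shaped like the access token in the thread: realm roles live under
# realm_access, client roles under resource_access[<client-id>], and there is
# no entry at all for the bearer-only client "bkofc-svc".
SAMPLE_CLAIMS = {
    "iss": "http://auth.example.test/auth/realms/bkofc",
    "azp": "bkofc-web",
    "preferred_username": "sample-user",
    "realm_access": {"roles": ["uma_authorization", "user"]},
    "resource_access": {
        "realm-management": {"roles": ["view-users"]},
        "account": {"roles": ["manage-account"]},
    },
}


def b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> dict:
    # JWT segments drop the '=' padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_token(kid: str, claims: dict) -> str:
    # The signature segment is a placeholder: this script inspects tokens,
    # it never verifies them, so no key material is needed.
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    return f"{b64url_encode(header)}.{b64url_encode(claims)}.placeholder-sig"


def find_public_key(token: str, jwks: dict):
    """Step one of bearer-token verification: match the header kid against
    the realm's JWKS. None means the adapter would report
    'Didn't find publicKey for specified kid'. If the JWKS fetch itself
    fails (the Connection refused in the thread), jwks is empty and every
    kid is unknown."""
    kid = b64url_decode(token.split(".")[0]).get("kid")
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


def effective_roles(token: str, resource: str,
                    use_resource_role_mappings: bool) -> set:
    """Roles the adapter hands to the container for authorization:
    resource_access[<resource>].roles when use-resource-role-mappings is
    true, realm_access.roles otherwise."""
    claims = b64url_decode(token.split(".")[1])
    if use_resource_role_mappings:
        client = claims.get("resource_access", {}).get(resource, {})
        return set(client.get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def would_be_forbidden(token: str, resource: str,
                       use_resource_role_mappings: bool) -> bool:
    """True when a role-constrained URL would answer 403 for this token
    because the selected mapping yields no roles at all."""
    return not effective_roles(token, resource, use_resource_role_mappings)


if __name__ == "__main__":
    token = make_token("sample-realm-key-1", SAMPLE_CLAIMS)
    print("key found:", find_public_key(token, SAMPLE_JWKS) is not None)
    print("key found with empty JWKS:",
          find_public_key(token, {"keys": []}) is not None)
    for flag in (True, False):
        roles = sorted(effective_roles(token, "bkofc-svc", flag))
        verdict = "403" if would_be_forbidden(token, "bkofc-svc", flag) else "allowed"
        print(f"use-resource-role-mappings={flag}: roles={roles} -> {verdict}")
```

Running it shows the same split the thread hit: with the flag true the bearer-only client's role set is empty, with it false the realm roles apply.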

On Tue, Jul 25, 2017 at 8:45 PM, Sebastien Blanc <sblanc at redhat.com> wrote:

> 403, you probably have something not set up correctly with your user's
> role.
>
> On Tue, Jul 25, 2017 at 5:09 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
> wrote:
>
>> Sebastien,
>>
>> I could get past the 401 error after rectifying the url issue. However, I
>> am hitting a 403 - Unauthorized exception now and there is no exception in
>> the log. Still investigating. But thanks for your support on the original
>> issue.
>>
>> @Thomas Recloux, thank you for the tips as well.
>>
>> Regards,
>> Rajesh
>>
>> On Tue, Jul 25, 2017 at 7:48 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>> wrote:
>>
>>> OMG! That was stupid! Let me rectify that and try again.
>>>
>>> Thanks so much for pointing out.
>>>
>>> Regards,
>>> Rajesh
>>>
>>> On Tue, Jul 25, 2017 at 7:47 PM, Sebastien Blanc <sblanc at redhat.com>
>>> wrote:
>>>
>>>> Oh I think I found it : <auth-server-url>http://192.168.99.100/30001/auth</auth-server-url>
>>>> You have a typo there, shouldn't it be http://192.168.99.100:30001/auth,
>>>> notice the ":" instead of "/"
>>>>
>>>> On Tue, Jul 25, 2017 at 4:14 PM, Sebastien Blanc <sblanc at redhat.com>
>>>> wrote:
>>>>
>>>>> Oh you were faster than me on this one ;), well you can change the
>>>>> log level of your app in the standalone.xml
>>>>>
>>>>> On Tue, Jul 25, 2017 at 4:12 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello Sebastien,
>>>>>>
>>>>>> I was looking at the logs of my app wildfly server, as suggested by
>>>>>> another user, Thomas. Here is a relevant exception stack which I see.
>>>>>>
>>>>>> 13:56:29,450 ERROR [org.keycloak.adapters.rotation.JWKPublicKeyLocator] (default task-12) Error when sending request to retrieve realm keys: org.keycloak.adapters.HttpClientAdapterException: IO error
>>>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(HttpAdapterUtils.java:58)
>>>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.sendRequest(JWKPublicKeyLocator.java:99)
>>>>>> at org.keycloak.adapters.rotation.JWKPublicKeyLocator.getPublicKey(JWKPublicKeyLocator.java:63)
>>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44)
>>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
>>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
>>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>>>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
>>>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
>>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
>>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
>>>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
>>>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
>>>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
>>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>>>> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>> Caused by: java.net.ConnectException: Connection refused (Connection refused)
>>>>>> at java.net.PlainSocketImpl.socketConnect(Native Method)
>>>>>> at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
>>>>>> at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
>>>>>> at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
>>>>>> at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
>>>>>> at java.net.Socket.connect(Socket.java:589)
>>>>>> at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFactory.java:117)
>>>>>> at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
>>>>>> at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
>>>>>> at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
>>>>>> at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
>>>>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
>>>>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>>>>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>>>>>> at org.keycloak.adapters.HttpAdapterUtils.sendJsonHttpRequest(HttpAdapterUtils.java:37)
>>>>>> ... 52 more
>>>>>> 2017-07-25T13:56:29.452564496Z
>>>>>> 13:56:29,454 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier] (default task-12) Didn't find publicKey for kid: RHESicBPoNCwhBnBLEk_8X4ufj5WyuTo20zbzOo4HfQ
>>>>>> 13:56:29,454 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-12) Failed to verify token: org.keycloak.common.VerificationException: Didn't find publicKey for specified kid
>>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
>>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
>>>>>> at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
>>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
>>>>>> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
>>>>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
>>>>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>>>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
>>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
>>>>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
>>>>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
>>>>>> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
>>>>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
>>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>>>>> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
>>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>>> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
>>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>>>> at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>>>> at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
>>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>> at java.lang.Thread.run(Thread.java:748)
>>>>>>
>>>>>> Is there a way to enhance the log level at the client (I mean the
>>>>>> keycloak adapter), to see if it is an http connection issue or something
>>>>>> else?
>>>>>>
>>>>>> Thanks,
>>>>>> Rajesh
>>>>>>
>>>>>> On Tue, Jul 25, 2017 at 7:36 PM, Rajesh Ghosh <ghosh.rajesh at gmail.com
>>>>>> > wrote:
>>>>>>
>>>>>>> Here is the response from curl ---
>>>>>>>
>>>>>>> $ curl -v http://192.168.99.100:8080/OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users  -H "Authorization:  Bearer $KEY"
>>>>>>> *   Trying 192.168.99.100...
>>>>>>> * Connected to 192.168.99.100 (192.168.99.100) port 8080 (#0)
>>>>>>> > GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
>>>>>>> > Host: 192.168.99.100:8080
>>>>>>> > User-Agent: curl/7.50.1
>>>>>>> > Accept: */*
>>>>>>> > Authorization:  Bearer [access token omitted; identical to the access_token in the token response quoted below]
>>>>>>> >
>>>>>>> < HTTP/1.1 401 Unauthorized
>>>>>>> < Expires: 0
>>>>>>> < Cache-Control: no-cache, no-store, must-revalidate
>>>>>>> < X-Powered-By: Undertow/1
>>>>>>> < Server: WildFly/10
>>>>>>> < Pragma: no-cache
>>>>>>> < Date: Tue, 25 Jul 2017 14:04:31 GMT
>>>>>>> < Connection: keep-alive
>>>>>>> < WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>> < Content-Type: text/html;charset=UTF-8
>>>>>>> < Content-Length: 71
>>>>>>> <
>>>>>>> * Connection #0 to host 192.168.99.100 left intact
>>>>>>> <html><head><title>Error</title></head><body>Unauthorized</body></html>$
>>>>>>> $
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Rajesh
>>>>>>>
>>>>>>> On Tue, Jul 25, 2017 at 7:30 PM, Rajesh Ghosh <
>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>
>>>>>>>> Sure. I was using postman to invoke the service. This is the
>>>>>>>> command used by postman --
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> GET /OlpUIFwk2-1.0-SNAPSHOT/services/sec/rest/userservice/users HTTP/1.1
>>>>>>>> Host: 192.168.99.100:8080
>>>>>>>> Authorization: Bearer [access token omitted; identical to the access_token in the token response quoted below]
>>>>>>>> Cache-Control: no-cache
>>>>>>>> Postman-Token: d378eefe-82c8-9c3d-0140-ef56c62f9b97
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------------
>>>>>>>>
>>>>>>>> The "userservice" is my own service for other attributes of users.
>>>>>>>> I also made sure that the service executes without the security.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Rajesh
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jul 25, 2017 at 7:24 PM, Sebastien Blanc <sblanc at redhat.com
>>>>>>>> > wrote:
>>>>>>>>
>>>>>>>>> Okay, to have the complete picture could you paste the command you
>>>>>>>>> issue to call your REST service?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jul 25, 2017 at 3:50 PM, Rajesh Ghosh <
>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Sebastien,
>>>>>>>>>>
>>>>>>>>>> Here is a token response -
>>>>>>>>>>
>>>>>>>>>> {
>>>>>>>>>>   "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiJkNmY2MmM5YS1hNjAwLTQ4ZmQtY
>>>>>>>>>> mI3Ny0wMTI1NDQ0YmIzNWMiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>>> XAiOiJCZWFyZXIiLCJhenAiOiJia29mYy13ZWIiLCJhdXRoX3RpbWUiOjAsI
>>>>>>>>>> nNlc3Npb25fc3RhdGUiOiIzMjMxZjQ2Zi0yMjliLTQyZDMtYTQxOS0wODlhM
>>>>>>>>>> jEzOTZlNjciLCJhY3IiOiIxIiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2M
>>>>>>>>>> C03ZTkyLTQ1ZDQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJhbGxvd2VkLW9yaWdpb
>>>>>>>>>> nMiOlsiaHR0cDovLzE5Mi4xNjguOTkuMTAwOjgwODAvIl0sInJlYWxtX2FjY
>>>>>>>>>> 2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiIsInVzZXIiXX0sI
>>>>>>>>>> nJlc291cmNlX2FjY2VzcyI6eyJyZWFsbS1tYW5hZ2VtZW50Ijp7InJvbGVzI
>>>>>>>>>> jpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hb
>>>>>>>>>> mFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwicmVhb
>>>>>>>>>> G0tYWRtaW4iLCJjcmVhdGUtY2xpZW50IiwibWFuYWdlLXVzZXJzIiwidmlld
>>>>>>>>>> y1hdXRob3JpemF0aW9uIiwibWFuYWdlLWV2ZW50cyIsIm1hbmFnZS1yZWFsb
>>>>>>>>>> SIsInZpZXctZXZlbnRzIiwidmlldy11c2VycyIsInZpZXctY2xpZW50cyIsI
>>>>>>>>>> m1hbmFnZS1hdXRob3JpemF0aW9uIiwibWFuYWdlLWNsaWVudHMiXX0sImFjY
>>>>>>>>>> 291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb
>>>>>>>>>> 3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiIiLCJwcmVmZ
>>>>>>>>>> XJyZWRfdXNlcm5hbWUiOiJzdXBlcmFkbWluIiwiZW1haWwiOiJ0cmlsaWEud
>>>>>>>>>> GVjaEBnbWFpbC5jb20ifQ.JCGcaQ-8yYhoOT_DfHvNa5HvG3x5WBI3ZcC4WE
>>>>>>>>>> cBA3NUL-mQdUhU1aEK9G5VulcRbMeYp9f_rFnFip-N9g3JwPGhR6ozgwdXlI
>>>>>>>>>> 09JAjM6zLk7cy0UKig5ghHX1-gXb5EHChzhmGI_xtV77t9dcKBjW4V3f7eFw
>>>>>>>>>> DmCMyWj8bqyoFMDTIp_Gz67Wt1iUXAaCZ5fIdXs3epdG82NhJrjQsIKiYGzU
>>>>>>>>>> g9JY2Dkvg_tHGHESN85KsW2TNj8Jd0CuS-cF0rOqx82pohW6RQMAZmGyMVof
>>>>>>>>>> sxH_uRrEbvpmI_ofkAUF6qCuLDD7idZC_j1ARXH-EOWxHgnSEDXc6SF2aAeg
>>>>>>>>>> mCpw",
>>>>>>>>>>   "expires_in": 300,
>>>>>>>>>>   "refresh_expires_in": 1800,
>>>>>>>>>>   "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiIyYzE4ZjkxYi0yMDljLTQwY2ItY
>>>>>>>>>> TE5OS02NGIwZTEyYjRkOGIiLCJleHAiOjE1MDA5OTE3NDgsIm5iZiI6MCwia
>>>>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>>> XAiOiJSZWZyZXNoIiwiYXpwIjoiYmtvZmMtd2ViIiwiYXV0aF90aW1lIjowL
>>>>>>>>>> CJzZXNzaW9uX3N0YXRlIjoiMzIzMWY0NmYtMjI5Yi00MmQzLWE0MTktMDg5Y
>>>>>>>>>> TIxMzk2ZTY3IiwiY2xpZW50X3Nlc3Npb24iOiI5MjFjYzM2MC03ZTkyLTQ1Z
>>>>>>>>>> DQtYjdmNy0xNWFkYTY2NmE4Y2EiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiO
>>>>>>>>>> lsidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc
>>>>>>>>>> 3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtI
>>>>>>>>>> iwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktc
>>>>>>>>>> HJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsInJlYWxtLWFkbWluIiwiY3JlY
>>>>>>>>>> XRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInZpZXctYXV0aG9yaXphdGlvb
>>>>>>>>>> iIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50c
>>>>>>>>>> yIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9ya
>>>>>>>>>> XphdGlvbiIsIm1hbmFnZS1jbGllbnRzIl19LCJhY2NvdW50Ijp7InJvbGVzI
>>>>>>>>>> jpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2a
>>>>>>>>>> WV3LXByb2ZpbGUiXX19fQ.Uz0rqNlj09T_SdnfZK9ZxBcJ5EIEwwHCN5VwKI
>>>>>>>>>> hIF6Ua32fDlf1UvZSoZTmr5jiHeiwpp4JALWGTXsda4p-PlzMvwmMN5Qp46-
>>>>>>>>>> EXGJQkqH4NNqZ1W_1mRGySYokQCSkmdvAZPFGrqxpeb1seuKgaaiXXMsrvai
>>>>>>>>>> ucFCa8H599Ox6QRE3MkoLmm8w7_08kPG1_JjXIviHtwoWgsb0zCcMPyHRdCv
>>>>>>>>>> _rs6FIoTQiCRZ2joaXSvIsmVAkchgZbeB-_RSWzlk3_oaOCQw7OWZJRqnAdG
>>>>>>>>>> gDnL5jCCRLTVFnPo9TqKrt88h3fKkVuNuI8Y06sZ1If8wgSWRDRLUf0X8sam
>>>>>>>>>> pLww",
>>>>>>>>>>   "token_type": "bearer",
>>>>>>>>>>   "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgO
>>>>>>>>>> iAiSldUIiwia2lkIiA6ICJSSEVTaWNCUG9OQ3doQm5CTEVrXzhYNHVmajVXe
>>>>>>>>>> XVUbzIwemJ6T280SGZRIn0.eyJqdGkiOiI2ZDJkNWMxNS01YmE3LTRhNTgtO
>>>>>>>>>> TJkNC0wNGU0NTkyMjNkNGYiLCJleHAiOjE1MDA5OTAyNDgsIm5iZiI6MCwia
>>>>>>>>>> WF0IjoxNTAwOTg5OTQ4LCJpc3MiOiJodHRwOi8vMTkyLjE2OC45OS4xMDA6M
>>>>>>>>>> zAwMDEvYXV0aC9yZWFsbXMvYmtvZmMiLCJhdWQiOiJia29mYy13ZWIiLCJzd
>>>>>>>>>> WIiOiIwYTA5MTQ0OC0wNjAyLTQ2YmMtOWU4MS05MjE1ZjgzYjVjOTgiLCJ0e
>>>>>>>>>> XAiOiJJRCIsImF6cCI6ImJrb2ZjLXdlYiIsImF1dGhfdGltZSI6MCwic2Vzc
>>>>>>>>>> 2lvbl9zdGF0ZSI6IjMyMzFmNDZmLTIyOWItNDJkMy1hNDE5LTA4OWEyMTM5N
>>>>>>>>>> mU2NyIsImFjciI6IjEiLCJuYW1lIjoiIiwicHJlZmVycmVkX3VzZXJuYW1lI
>>>>>>>>>> joic3VwZXJhZG1pbiIsImVtYWlsIjoidHJpbGlhLnRlY2hAZ21haWwuY29tI
>>>>>>>>>> n0.eFVxG7MImPS4yCEiLOzhvZ5M_XjRWuHJlt_T4r3djak7sH_XOXUmHAuih
>>>>>>>>>> xXrm7HLv8DU3OzHpN3FinOWufOdTCv9Ywww0DRq4ha1M7dodqMuv1H5d3XVB
>>>>>>>>>> n_kuHK68zWRI3t9WI4ZNeaEU0whLSnBqcbJ54dQrBloUPS4bpYG-BqfSNYs6
>>>>>>>>>> bG8cyJHQ4_FRpAi3X9qWOCwaPrZ5Z_vQfNbYcgIfON_puN8QfRxihg90KQYO
>>>>>>>>>> p4lJpU5JqeaVmYp9eOYTb5iQzOuLWDXenyIBmvT_K84HZKh8t5eWsqH01st-
>>>>>>>>>> Ls7uJcNAUM9PXRM7JswCjhouuQGBM6dn5iICoL00acuxg",
>>>>>>>>>>   "not-before-policy": 0,
>>>>>>>>>>   "session_state": "3231f46f-229b-42d3-a419-089a21396e67"
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I checked it in jwt.io. The kid is the same as the "rsa-generated"
>>>>>>>>>> one, shown in the screenshot I shared yesterday. Although jwt.io
>>>>>>>>>> complained "Invalid Signature".
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Thomas, the connectivity should not be an issue as I am able to
>>>>>>>>>> get the access token from my app wildfly server using curl. So keycloak is
>>>>>>>>>> reachable from my wildfly server. Anything specific you did to resolve your
>>>>>>>>>> issue?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Rajesh
>>>>>>>>>>
>>>>>>>>>> On Tue, Jul 25, 2017 at 11:12 AM, Sebastien Blanc <
>>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> This looks all correct. Could you try to paste your access token, or
>>>>>>>>>>> even check it yourself on jwt.io to see if the kid is present?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Mon, Jul 24, 2017 at 6:47 PM, Rajesh Ghosh <
>>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Sebastien,
>>>>>>>>>>>>
>>>>>>>>>>>> I am attaching a pdf containing the screenshots. A few more
>>>>>>>>>>>> points I wanted to mention.
>>>>>>>>>>>>
>>>>>>>>>>>> i) I didn't install the public client "bkofc-web" in the
>>>>>>>>>>>> wildfly container which hosts my REST services. I did it for the "bkofc-svc"
>>>>>>>>>>>> client which is bearer only. I hope that is the correct approach.
>>>>>>>>>>>> ii) Both keycloak and my application are running in docker
>>>>>>>>>>>> containers locally on my laptop.
>>>>>>>>>>>>
>>>>>>>>>>>> Let me know if you need anything else to analyze.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Jul 24, 2017 at 9:13 PM, Sebastien Blanc <
>>>>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> yes please
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:54 PM, Rajesh Ghosh <
>>>>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes definitely. I did replace it with the actual war name.
>>>>>>>>>>>>>> Let me know if you would like me to paste screenshots of the realm
>>>>>>>>>>>>>> configuration and client configurations.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 8:12 PM, Sebastien Blanc <
>>>>>>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ok and for :
>>>>>>>>>>>>>>> <secure-deployment name="my war file.war">
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Did you replace that with the actual name of your war file ?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 4:35 PM, Rajesh Ghosh <
>>>>>>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello Sebastien,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am using 3.1.0.Final build.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 7:56 PM, Sebastien Blanc <
>>>>>>>>>>>>>>>> sblanc at redhat.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Which version of Keycloak are you using ?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Mon, Jul 24, 2017 at 3:15 PM, Rajesh Ghosh <
>>>>>>>>>>>>>>>>> ghosh.rajesh at gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I am trying to secure my REST services using the method
>>>>>>>>>>>>>>>>>> described in the document --
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I am securing my war using the JBoss subsystem, instead of
>>>>>>>>>>>>>>>>>> the per-war option. The relevant sections from my standalone.xml
>>>>>>>>>>>>>>>>>> are posted below.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     <extensions>
>>>>>>>>>>>>>>>>>>         ......
>>>>>>>>>>>>>>>>>>         <extension module="org.keycloak.keycloak-adapter-subsystem"/>
>>>>>>>>>>>>>>>>>>     </extensions>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     <security-domains>
>>>>>>>>>>>>>>>>>>         .....
>>>>>>>>>>>>>>>>>>         <security-domain name="keycloak">
>>>>>>>>>>>>>>>>>>             <authentication>
>>>>>>>>>>>>>>>>>>                 <login-module code="org.keycloak.adapters.jboss.KeycloakLoginModule" flag="required"/>
>>>>>>>>>>>>>>>>>>             </authentication>
>>>>>>>>>>>>>>>>>>         </security-domain>
>>>>>>>>>>>>>>>>>>     </security-domains>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>     <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
>>>>>>>>>>>>>>>>>>         <secure-deployment name="my war file.war">
>>>>>>>>>>>>>>>>>>             <realm>bkofc</realm>
>>>>>>>>>>>>>>>>>>             <resource>bkofc-svc</resource>
>>>>>>>>>>>>>>>>>>             <use-resource-role-mappings>true</use-resource-role-mappings>
>>>>>>>>>>>>>>>>>>             <bearer-only>true</bearer-only>
>>>>>>>>>>>>>>>>>>             <auth-server-url>http://192.168.99.100/30001/auth</auth-server-url>
>>>>>>>>>>>>>>>>>>             <ssl-required>none</ssl-required>
>>>>>>>>>>>>>>>>>>             <credential name="secret">9bcc6d9f-9c72-4b58-b297-79f0f207d9e1</credential>
>>>>>>>>>>>>>>>>>>         </secure-deployment>
>>>>>>>>>>>>>>>>>>     </subsystem>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I am able to obtain the access token.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> curl -i --data "grant_type=password&client_id=bkofc-web&username=user&password=password" \
>>>>>>>>>>>>>>>>>>     http://192.168.99.100:30001/auth/realms/bkofc/protocol/openid-connect/token
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Note:- I have created 2 clients -- i) bkofc-svc, which is
>>>>>>>>>>>>>>>>>> bearer only, for my REST services; ii) bkofc-web, a public
>>>>>>>>>>>>>>>>>> client to simulate UI login.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> However when I try to use the access token to invoke a
>>>>>>>>>>>>>>>>>> service, I am getting the error --
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Status: 401
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> WWW-Authenticate: Bearer realm="bkofc", error="invalid_token",
>>>>>>>>>>>>>>>>>> error_description="Didn't find publicKey for specified kid"
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Please let me know if I am missing something here. I have
>>>>>>>>>>>>>>>>>> been breaking my head the last few days without any luck! I have
>>>>>>>>>>>>>>>>>> also tried rotating the realm keys.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>>>> Rajesh
>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>> keycloak-user mailing list
>>>>>>>>>>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>>>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>>>>>>>>>>>>>
>
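A runnable illustration of the two failures in this thread, added here as an example; it is not Keycloak's code nor anything the poster ran. It builds a toy 512-bit RSA key and a JWKS document in the shape Keycloak serves at `<auth-server-url>/realms/<realm>/protocol/openid-connect/certs`, mints an RS256 token carrying an assumed kid ("rsa-generated-demo") and constructed claims, and then does what the bearer-only adapter does: look the header's kid up in the JWKS (keys fetched from a wrong auth-server-url carry no such kid, hence "Didn't find publicKey for specified kid" and the 401), verify the signature, and choose which roles the <auth-constraint> is checked against. With use-resource-role-mappings=true only resource_access["bkofc-svc"].roles counts, so a token whose roles live only in realm_access gets 403 even behind <role-name>*</role-name>; with the default false the realm roles are used. Key generation uses a Fermat test and Python's random module, which is acceptable only for this toy key.

```python
# Added example (not Keycloak's or the poster's code): kid lookup against the realm
# JWKS, RS256 verification, and the use-resource-role-mappings role source.
import base64
import hashlib
import hmac
import json
import random

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def i2b(n: int, length: int = 0) -> bytes:
    return n.to_bytes(length or (n.bit_length() + 7) // 8, "big")

# Toy RSA-512 so the example runs offline (demo only: `random` is not a CSPRNG and a
# real realm key is 2048-bit). Fermat test: a pseudoprime would only break this toy key.
def _probable_prime(n: int, rounds: int = 16) -> bool:
    return n > 3 and all(pow(random.randrange(2, n - 1), n - 1, n) == 1 for _ in range(rounds))

def _rand_prime(bits: int) -> int:
    c = 0
    while not _probable_prime(c):
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
    return c

def gen_rsa_key(bits: int = 512) -> dict:
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return i2b(pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]), k)

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    em = i2b(pow(int.from_bytes(sig, "big"), e, n), k) if len(sig) == k else b""
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

# Shape of the document Keycloak serves at .../realms/<realm>/protocol/openid-connect/certs
def jwks_for(key: dict, kid: str) -> dict:
    return {"keys": [{"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
                      "n": b64u(i2b(key["n"])), "e": b64u(i2b(key["e"]))}]}

def mint_token(key: dict, kid: str, claims: dict) -> str:
    enc = lambda o: b64u(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode()))

class InvalidToken(Exception):
    pass

def verify_bearer(token: str, jwks: dict) -> dict:
    """Adapter-side check: header.kid must match a JWKS key, then RS256 must verify."""
    h, p, s = token.split(".")
    header = json.loads(b64u_dec(h))
    if header.get("alg") != "RS256":  # never let the token choose 'none' or HS256
        raise InvalidToken("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise InvalidToken("Didn't find publicKey for specified kid")
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), b64u_dec(s)):
        raise InvalidToken("Invalid Signature")
    return json.loads(b64u_dec(p))

def status_for(claims: dict, resource: str, use_resource_role_mappings: bool) -> int:
    """Status for a URL behind <role-name>*</role-name>: 200 if the adapter sees any role.
    With use-resource-role-mappings=true it reads only resource_access[resource].roles."""
    src = claims.get("resource_access", {}).get(resource, {}) if use_resource_role_mappings \
        else claims.get("realm_access", {})
    return 200 if src.get("roles") else 403

def demo() -> tuple:
    random.seed(7)  # deterministic toy key for the demo
    key, kid = gen_rsa_key(), "rsa-generated-demo"  # assumed kid (Realm Settings > Keys shows the real one)
    jwks = jwks_for(key, kid)
    # Constructed claims shaped like the thread: a realm role, nothing under resource_access.
    claims = {"azp": "bkofc-web", "realm_access": {"roles": ["user"]}, "resource_access": {}}
    token = mint_token(key, kid, claims)
    verified = verify_bearer(token, jwks)  # right auth-server-url: kid found, signature ok
    try:  # keys fetched from the wrong place carry no such kid -> 401 invalid_token
        verify_bearer(token, {"keys": [dict(jwks["keys"][0], kid="other-kid")]})
        err = None
    except InvalidToken as ex:
        err = str(ex)
    return (verified["azp"], err, status_for(verified, "bkofc-svc", True),  # 403
            status_for(verified, "bkofc-svc", False))                        # 200
```

Needs Python 3.8 or later (for `pow(e, -1, phi)`); `demo()` returns `("bkofc-web", "Didn't find publicKey for specified kid", 403, 200)`. A real adapter also checks `iss`, `exp` and the audience, which are left out here; the point is that the kid lookup happens before any signature check, so a wrong auth-server-url surfaces as a missing key, not as a bad signature.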

