[keycloak-user] Keycloak as SSO

Stephen Henrie stephen at saasindustries.com
Fri Nov 10 16:58:35 EST 2017


When running a Keycloak instance as a localhost using the default H2
database backend, I have been successful at configuring SSO identity
providers across Keycloak realms, so that one primary realm acts as the
identity provider and the other realms are authenticating against that
primary realm using an IP link.

However, when I try to do the same thing in our cloud environment using a
Postgres database backend, I am getting the generic "Invalid username or
password." error which happens during the default first broker login
authorization sequence. I have some debugging info below. Can someone help
me understand what it is trying to tell me?

I believe that I have things configured exactly the same in both my
localhost and in the cloud instances, so I am struggling to understand the
source of the problem.

Any help is appreciated.

Thanks
Stephen



21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) processFlow
21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-review-profile requirement: DISABLED
21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) execution is processed
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-create-user-if-unique requirement: ALTERNATIVE
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) authenticator: idp-create-user-if-unique
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) invoke authenticator.authenticate: idp-create-user-if-unique
21:42:30,975 WARN  [org.keycloak.services] (default task-50) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) RESET FLOW
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) AUTHENTICATE
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) AUTHENTICATE ONLY
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) processFlow
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-review-profile requirement: DISABLED
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) execution is processed
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-create-user-if-unique requirement: ALTERNATIVE
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) authenticator: idp-create-user-if-unique
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) invoke authenticator.authenticate: idp-create-user-if-unique
21:42:30,975 WARN  [org.keycloak.services] (default task-50) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Not found serialized context in clientSession
    at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:66)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:264)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:201)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:279)
    at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:713)
    at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:632)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)

21:42:30,976 WARN  [org.keycloak.events] (default task-50) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=experiment, clientId=chassi-web-app, userId=null, ipAddress=172.17.0.1, error=invalid_user_credentials, identity_provider=chassi-oidc, auth_method=openid-connect, redirect_uri=http://localhost:3000/, identity_provider_identity=abfa50e5-57ad-4b53-ab72-7cbd6fca8465, code_id=60963d99-cf55-4e0a-8e28-df0ddacadf5f
21:4
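As an added example (not from the post, and not Keycloak's own code), a small Python parser for the flow and event lines quoted above: it groups records by request thread, records the requirement of each flow execution, and collects the "Email is null" / "RESET FLOW" / "Not found serialized context" signals next to the final IDENTITY_PROVIDER_FIRST_LOGIN_ERROR event, so the sequence the server went through can be read off in one place. The sample log is a constructed, condensed copy of the post's lines with the wrapped lines rejoined; the regexes and the signal strings are assumptions matched against that sample.

```python
import re

# Constructed sample, condensed from the lines quoted in the post with the
# wrapped log lines rejoined so that each record sits on a single line.
SAMPLE_LOG = """\
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-review-profile requirement: DISABLED
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-create-user-if-unique requirement: ALTERNATIVE
21:42:30,975 WARN  [org.keycloak.services] (default task-50) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) RESET FLOW
21:42:30,975 WARN  [org.keycloak.services] (default task-50) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Not found serialized context in clientSession
21:42:30,976 WARN  [org.keycloak.events] (default task-50) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=experiment, clientId=chassi-web-app, userId=null, ipAddress=172.17.0.1, error=invalid_user_credentials, identity_provider=chassi-oidc, auth_method=openid-connect, redirect_uri=http://localhost:3000/
"""

# Assumed WildFly-style layout: "<time> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) +(?P<level>\w+) +\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]*)\) (?P<msg>.*)$")
EXEC_RE = re.compile(r"check execution: (?P<exec>\S+) requirement: (?P<req>\S+)")

def parse_event(msg):
    """Turn the 'key=value, key=value' body of an org.keycloak.events line into a dict."""
    fields = {}
    for part in msg.split(", "):
        key, _, value = part.partition("=")
        fields[key] = None if value == "null" else value
    return fields

def diagnose(log_text):
    """Group records by request thread and summarise what the first-broker-login flow did."""
    threads = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace lines and anything else not in the record layout
        rec = threads.setdefault(m.group("thread"), {"requirements": {}, "signals": [], "event": None})
        msg = m.group("msg")
        e = EXEC_RE.search(msg)
        if e:
            rec["requirements"][e.group("exec")] = e.group("req")
        elif "Email is null" in msg:
            rec["signals"].append("brokered identity has no email; server forces reviewProfile")
        elif "RESET FLOW" in msg:
            rec["signals"].append("flow reset")
        elif "Not found serialized context" in msg:
            rec["signals"].append("brokered context missing from client session after reset")
        elif m.group("logger") == "org.keycloak.events":
            rec["event"] = parse_event(msg)
    return threads
```

The output for the sample shows idp-review-profile set to DISABLED on the same thread that the server then tries to force into the review-profile page, which is the contradiction worth comparing between the H2 and Postgres deployments.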

