[keycloak-user] Permission tab missing, token exchange impossible

Geoffrey Cleaves geoff at opticks.io
Mon Nov 19 10:57:22 EST 2018


Thanks, I've got the Permissions tab working but am now having trouble
exchanging a token. Perhaps my thought process is incorrect.

My idea was for the resource server to take the end user's auth token sent
by the Javascript front end public client and exchange it for a token which
would allow the resource server to list UMA permissions of that user. In
other words, the end user logs into the SPA front end (via Keycloak of
course) and then sees the UMA resources he is sharing.

I set permissions for the public client to exchange token for resource
server client as described in the docs
<https://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange>.
The starting client is the public client and the target client is the
resource server.
[image: Screen Shot 2018-11-19 at 16.45.51.png]

The problem is that when I try to exchange the token Keycloak gives me
different errors depending on how I send the token exchange request:

grant_type: urn:ietf:params:oauth:grant-type:token-exchange
audience: opticks-rs (resource server)
requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
subject_token: End user's Bearer token received from SPA public client

If I don't send client_id and client_secret I get a 400 Bad Request and
"INVALID_CREDENTIALS: Invalid client credentials" error. I thought I could
skip these fields as the subject_token would serve as authentication.
If I send client_id=opticks-rs and the client_secret, I get a 501 Not
Implemented error:

15:49:43,491 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: javax.ws.rs.WebApplicationException: Feature not enabled
    at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:658)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
    at sun.reflect.GeneratedMethodAccessor770.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)


If I set the client_id to the public-client-id and remove client_secret,
since it is public and has none, I again get the 501 Not Implemented.

Any help clearing this up is appreciated.

On Mon, 19 Nov 2018 at 12:34, Pedro Igor Silva <psilva at redhat.com> wrote:

> Hi,
>
> It is not a bug. We no longer enable tech preview features by default. You
> need to enable the feature you want, such as admin fine grained
> permissions, by passing a specific environment variable. Try to boot your
> server using this system property:
>
>     -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
>
> Docs are not reflecting these changes, created
> https://issues.jboss.org/browse/KEYCLOAK-8865.
>
> Regards.
> Pedro Igor
>
> On Mon, Nov 19, 2018 at 9:02 AM Geoffrey Cleaves <geoff at opticks.io> wrote:
>
>> Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation for
>> allowing token exchange depends on the Permissions tab, is this a bug?
>>
>> [image: Screen Shot 2018-11-19 at 11.53.56.png]
>>
>> Somebody else is asking the same question:
>>
>> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>
>> Geoff
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
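The request the thread is trying to send, written out as an added example (not code from the thread, from Keycloak, or from the linked docs). Two points from the thread are built in: the exchange is authenticated by the requesting client's own client_id and client_secret, which is why leaving them out produced "Invalid client credentials", and the 501 comes from ProfileHelper.requireFeature inside TokenEndpoint.tokenExchange, so token exchange is itself a profile feature that has to be switched on the same way Pedro describes for admin_fine_grained_authz (in the Keycloak docs of that era the property is keycloak.profile.feature.token_exchange=enabled; that name is from the docs, not from this thread). The base URL, realm "demo" and the confidential client "opticks-spa-exchange" are assumptions; "opticks-rs" is the target client named in the thread. The helpers that build the body, read azp/aud from the subject token and classify the endpoint's answer run offline; only exchange() touches the network.

```python
"""Keycloak internal-to-internal token exchange: build the request, inspect
the subject token, classify the token endpoint's answer.

Added example, not from the thread or from Keycloak. Assumed names: base URL
https://keycloak.example/auth, realm "demo", confidential requesting client
"opticks-spa-exchange"; "opticks-rs" is the target client from the thread.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TYPE_REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token"


def token_endpoint(base_url, realm):
    """OIDC token endpoint of a realm on a Keycloak server."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_exchange_body(client_id, client_secret, subject_token, audience,
                        requested_token_type=TYPE_ACCESS_TOKEN):
    """Form body of the exchange. client_id (+ client_secret for a confidential
    client) authenticates the requesting client; subject_token only names the
    user whose token is exchanged and never replaces client authentication."""
    params = {
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "client_id": client_id,
        "subject_token": subject_token,
        "subject_token_type": TYPE_ACCESS_TOKEN,
        "requested_token_type": requested_token_type,
        "audience": audience,
    }
    if client_secret is not None:  # a public client has no secret to send
        params["client_secret"] = client_secret
    return urllib.parse.urlencode(params).encode()


def decode_body(body):
    """Inverse of build_exchange_body, for logs and tests."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode()).items()}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT so the offline checks below have input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token):
    """Read a JWT payload without verifying it: used only to see which client
    the subject token was issued to (azp) and its aud before sending."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_to(token, client_id):
    """True if the subject token's azp is client_id."""
    return jwt_claims(token).get("azp") == client_id


def diagnose(status, body):
    """Map the endpoint's answer to the causes seen in the thread."""
    try:
        err = json.loads(body) if body else {}
    except ValueError:           # 501 comes back as plain text, not JSON
        err = {}
    if not isinstance(err, dict):
        err = {}
    desc = str(err.get("error_description", ""))
    if status == 501:
        return "feature-disabled"  # "Feature not enabled" in tokenExchange
    if status == 400 and "Invalid client credentials" in desc:
        return "client-auth"       # client_id/client_secret missing or wrong
    if status == 403:
        return "no-permission"     # requesting client lacks token-exchange scope
    if status == 200 and "access_token" in err:
        return "ok"
    return f"unexpected-{status}"


def exchange(base_url, realm, client_id, client_secret, subject_token, audience,
             requested_token_type=TYPE_ACCESS_TOKEN):
    """Send the exchange; returns (status, body_text, diagnosis)."""
    body = build_exchange_body(client_id, client_secret, subject_token,
                               audience, requested_token_type)
    req = urllib.request.Request(
        token_endpoint(base_url, realm), data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            status, text = resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        status, text = e.code, e.read().decode(errors="replace")
    except urllib.error.URLError as e:
        return None, str(e.reason), "unreachable"
    return status, text, diagnose(status, text)


if __name__ == "__main__":
    tok = make_unsigned_jwt({"azp": "opticks-spa", "aud": "opticks-rs"})
    print("subject token issued to opticks-spa:", issued_to(tok, "opticks-spa"))
    print(decode_body(build_exchange_body("opticks-spa-exchange", "s3cret",
                                          tok, "opticks-rs", TYPE_REFRESH_TOKEN)))
```

Before sending, compare jwt_claims(subject_token)["azp"] with the client you configured as the starting client in the target client's Permissions tab; the exchange is evaluated for the client that authenticates the request, so the authenticating client and the starting client in that policy have to be the same one.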