[keycloak-user] Permission tab missing, token exchange impossible

Geoffrey Cleaves geoff at opticks.io
Mon Nov 19 15:22:28 EST 2018


I guess you're putting me to the test, huh, Pedro? ;) So I figured it out.
Token exchange is also a preview feature, so I had to start the server with:
  -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
  -Dkeycloak.profile.feature.token_exchange=enabled

Then to get the token exchange right I had to use the resource server
client_id and secret.

Regards,
Geoffrey Cleaves

On Mon, 19 Nov 2018 at 16:57, Geoffrey Cleaves <geoff at opticks.io> wrote:

> Thanks, I've got the Permissions tab working but am now having trouble
> exchanging a token. Perhaps my thought process is incorrect.
>
> My idea was for the resource server to take the end user's auth token sent
> by the Javascript front end public client and exchange it for a token which
> would allow the resource server to list UMA permissions of that user. In
> other words, the end user logs into the SPA front end (via Keycloak of
> course) and then sees the UMA resources he is sharing.
>
> I set permissions for the public client to exchange token for resource
> server client as described in the docs
> <https://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange>.
> The starting client is the public client and the target client is the
> resource server.
> [image: Screen Shot 2018-11-19 at 16.45.51.png]
>
> The problem is that when I try to exchange the token Keycloak gives me
> different errors depending on how I send the token exchange request:
>
> grant_type: urn:ietf:params:oauth:grant-type:token-exchange
> audience: opticks-rs (resource server)
> requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
> subject_token: End user's Bearer token received from SPA public client
>
> If I don't send client_id and client_secret I get a 400 Bad Request and
> "INVALID_CREDENTIALS: Invalid client credentials" error. I thought I could
> skip these fields as the subject_token would serve as authentication.
> If I send client_id=opticks-rs and the client_secret, I get a 501 Not
> Implemented error:
>
> 15:49:43,491 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: javax.ws.rs.WebApplicationException: Feature not enabled
>     at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:658)
>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
>     at sun.reflect.GeneratedMethodAccessor770.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>     at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
>
>
> If I set the client_id to the public-client-id and remove client_secret,
> since it is public and has none, I again get the 501 Not Implemented.
>
> Any help clearing this up is appreciated.
>
> On Mon, 19 Nov 2018 at 12:34, Pedro Igor Silva <psilva at redhat.com> wrote:
>
>> Hi,
>>
>> It is not a bug. We no longer enable tech preview features by default.
>> You need to enable the feature you want, such as admin fine grained
>> permissions, by passing a specific environment variable. Try to boot your
>> server using this system property:
>>
>>     -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
>>
>> Docs are not reflecting these changes, created
>> https://issues.jboss.org/browse/KEYCLOAK-8865.
>>
>> Regards.
>> Pedro Igor
>>
>> On Mon, Nov 19, 2018 at 9:02 AM Geoffrey Cleaves <geoff at opticks.io>
>> wrote:
>>
>>> Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation
>>> for allowing token exchange depends on the Permissions tab, is this a bug?
>>>
>>> [image: Screen Shot 2018-11-19 at 11.53.56.png]
>>>
>>> Somebody else is asking the same question:
>>>
>>> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>>
>>> Geoff
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
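Added example (not code from the thread, from Keycloak, or from the posters): it builds the internal-to-internal token-exchange request that Geoffrey ended up with, authenticating as the confidential resource-server client rather than the public SPA client, and classifies the two failures he hit (400 "Invalid client credentials" when the client credentials are missing, 501 when the token_exchange feature is not enabled). The token-endpoint path is the Keycloak 4.x one; the base URL, realm, secret, subject token and the JSON shape of the error replies are assumed or constructed; "opticks-rs" is the client name used in the thread.

```python
# Added example, not code from the thread or from Keycloak.
# Assumed: Keycloak 4.x token endpoint path; hypothetical base URL, realm,
# secret and subject token; "opticks-rs" comes from the thread.
import base64
import json
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def build_token_exchange_request(base_url, realm, client_id, client_secret,
                                 subject_token, audience,
                                 requested_token_type=ACCESS_TOKEN_TYPE):
    """Return (url, headers, form_body) for a token-exchange POST.

    The caller authenticates as the *target* confidential client (the resource
    server) with HTTP Basic. The subject_token only identifies whose token is
    being exchanged; it never authenticates the caller, which is why omitting
    the client credentials produced "Invalid client credentials" in the thread.
    """
    if not client_secret:
        # A public client has no secret and so cannot authenticate this call.
        raise ValueError("token exchange must be requested by a confidential client")
    url = f"{base_url.rstrip('/')}/auth/realms/{realm}/protocol/openid-connect/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form_body = urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "requested_token_type": requested_token_type,
    })
    return url, headers, form_body


def parse_form(form_body):
    """Decode an x-www-form-urlencoded body into a flat dict (for inspection)."""
    return {k: v[0] for k, v in parse_qs(form_body).items()}


def diagnose_exchange_response(status, body_text):
    """Classify a token-endpoint reply into the failure modes seen in the thread.

    Returns one of "ok", "feature_disabled", "missing_client_credentials",
    "exchange_not_permitted" or "other_error". The JSON error shape is assumed.
    """
    try:
        payload = json.loads(body_text) if body_text else {}
    except ValueError:
        payload = {}
    if status == 501:
        # "Feature not enabled": the server was not started with
        # -Dkeycloak.profile.feature.token_exchange=enabled
        return "feature_disabled"
    if status in (400, 401) and (
            payload.get("error") in ("invalid_client", "unauthorized_client")
            or "Invalid client credentials" in body_text):
        # No (or wrong) client_id/client_secret for the confidential client
        return "missing_client_credentials"
    if status == 403:
        # The starting client has not been granted the token-exchange
        # permission on the target client (the Permissions tab setup)
        return "exchange_not_permitted"
    if status == 200 and "access_token" in payload:
        return "ok"
    return "other_error"


if __name__ == "__main__":
    # Constructed sample values, not real tokens or secrets.
    url, headers, body = build_token_exchange_request(
        "https://sso.example.invalid", "demo", "opticks-rs", "REPLACE_WITH_SECRET",
        subject_token="eyJ.constructed.subject", audience="opticks-rs",
        requested_token_type=REFRESH_TOKEN_TYPE)
    print(url)
    print(parse_form(body))
    # Constructed replies mirroring the thread's two failures and a success.
    for status, text in [
            (501, ""),
            (400, '{"error":"invalid_client","error_description":"Invalid client credentials"}'),
            (200, '{"access_token":"x","refresh_token":"y","token_type":"bearer"}')]:
        print(status, diagnose_exchange_response(status, text))
```

Run it directly to see the assembled request and the classification of each constructed reply. The thread asked for a refresh token via requested_token_type; the function defaults to an access token, since that is the usual case for a resource server that only needs to call the authorization services on the user's behalf.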