[keycloak-user] Permission tab missing, token exchange impossible

Pedro Igor Silva psilva at redhat.com
Tue Nov 20 05:49:40 EST 2018


Yeah, and you are passing the test :) I've submitted a PR with changes to
documentation.

Thanks.
Pedro Igor

On Mon, Nov 19, 2018 at 6:22 PM Geoffrey Cleaves <geoff at opticks.io> wrote:

> I guess you're putting me to the test, huh, Pedro? ;) So I figured it out.
> Token exchange is also a preview feature, so I had to start the server with:
>   -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
>   -Dkeycloak.profile.feature.token_exchange=enabled
>
> Then to get the token exchange right I had to use the resource server
> client_id and secret.
>
> Regards,
> Geoffrey Cleaves
>
> On Mon, 19 Nov 2018 at 16:57, Geoffrey Cleaves <geoff at opticks.io> wrote:
>
>> Thanks, I've got the Permissions tab working but am now having trouble
>> exchanging a token. Perhaps my thought process is incorrect.
>>
>> My idea was for the resource server to take the end user's auth token
>> sent by the Javascript front end public client and exchange it for a token
>> which would allow the resource server to list UMA permissions of that user.
>> In other words, the end user logs into the SPA front end (via Keycloak of
>> course) and then sees the UMA resources he is sharing.
>>
>> I set permissions for the public client to exchange token for resource
>> server client as described in the docs
>> <https://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange>.
>> The starting client is the public client and the target client is the
>> resource server.
>> [image: Screen Shot 2018-11-19 at 16.45.51.png]
>>
>> The problem is that when I try to exchange the token Keycloak gives me
>> different errors depending on how I send the token exchange request:
>>
>> grant_type: urn:ietf:params:oauth:grant-type:token-exchange
>> audience: opticks-rs (resource server)
>> requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
>> subject_token: End user's Bearer token received from SPA public client
>>
>> If I don't send client_id and client_secret I get a 400 Bad Request and
>> "INVALID_CREDENTIALS: Invalid client credentials" error. I thought I could
>> skip these fields as the subject_token would serve as authentication.
>> If I send client_id=opticks-rs and the client_secret, I get a 501 Not
>> Implemented error:
>>
>> 15:49:43,491 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: javax.ws.rs.WebApplicationException: Feature not enabled
>>     at org.keycloak.utils.ProfileHelper.requireFeature(ProfileHelper.java:32)
>>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.tokenExchange(TokenEndpoint.java:658)
>>     at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
>>
>> If I set the client_id to the public-client-id and remove client_secret,
>> since it is public and has none, I again get the 501 Not Implemented.
>>
>> Any help clearing this up is appreciated.
>>
>> On Mon, 19 Nov 2018 at 12:34, Pedro Igor Silva <psilva at redhat.com> wrote:
>>
>>> Hi,
>>>
>>> It is not a bug. We no longer enable tech preview features by default.
>>> You need to enable the feature you want, such as admin fine grained
>>> permissions, by passing a specific environment variable. Try to boot your
>>> server using this system property:
>>>
>>>     -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
>>>
>>> Docs are not reflecting these changes, created
>>> https://issues.jboss.org/browse/KEYCLOAK-8865.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Mon, Nov 19, 2018 at 9:02 AM Geoffrey Cleaves <geoff at opticks.io>
>>> wrote:
>>>
>>>> Hello. In Keycloak 4.6, the Permissions tab is gone. The documentation
>>>> for allowing token exchange depends on the Permissions tab; is this a bug?
>>>>
>>>> [image: Screen Shot 2018-11-19 at 11.53.56.png]
>>>>
>>>> Somebody else is asking the same question:
>>>>
>>>> https://stackoverflow.com/questions/53367566/unable-to-setup-idp-token-exchange-in-keycloak-4-6-0-final
>>>>
>>>> Geoff
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>>
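The exchange that the thread ends up with, written out as an added example (not code from the thread or from Keycloak): the resource server authenticates with its own confidential client_id and client_secret, passes the SPA's bearer token as subject_token, and the two error responses Geoffrey saw are mapped back to the configuration step each one points at. The token endpoint URL, the `diagnose` wording and the sample response bodies are assumptions constructed for the example.

```python
import json
from urllib import parse, request
from urllib.error import HTTPError

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"

# Both preview features from the thread must be on the server command line.
REQUIRED_FLAGS = (
    "-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled",
    "-Dkeycloak.profile.feature.token_exchange=enabled",
)


def missing_feature_flags(jvm_args):
    """Return the required -D flags absent from a server argument list."""
    return [flag for flag in REQUIRED_FLAGS if flag not in jvm_args]


def build_exchange_request(subject_token, audience, client_id, client_secret,
                           requested_token_type=REFRESH_TOKEN_TYPE):
    """Form fields for the internal-to-internal exchange: the target client
    (the resource server) is also the authenticating client."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "audience": audience,
        "requested_token_type": requested_token_type,
    }


def diagnose(status, body):
    """Map the token endpoint's reply to the fix the thread identified."""
    text = body
    try:  # Keycloak error bodies are JSON with error/error_description
        err = json.loads(body)
        text = f"{err.get('error', '')}: {err.get('error_description', '')}"
    except ValueError:
        pass
    if status == 200:
        return "ok"
    if status == 400 and "invalid client credentials" in text.lower():
        return "auth: send the resource server's client_id and client_secret"
    if status == 501:
        return "feature: start Keycloak with " + REQUIRED_FLAGS[1]
    return f"unexpected {status}: {text[:120]}"


def exchange(token_endpoint, fields, timeout=10):
    """POST the form to the realm token endpoint; return (status, body)."""
    req = request.Request(token_endpoint, data=parse.urlencode(fields).encode(),
                          headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:  # 400/501 arrive here with the error body
        return e.code, e.read().decode()
```

`exchange` is only needed against a live realm (e.g. `https://<host>/auth/realms/<realm>/protocol/openid-connect/token`, placeholder); the other three functions work offline.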