[keycloak-user] Help getting External token to Internal Token Exchange right

Leandro Del Sole leandrodelsole at gmail.com
Mon Aug 12 19:00:27 EDT 2019


Hello,

I've been struggling to get
https://www.keycloak.org/docs/latest/securing_apps/index.html#external-token-to-internal-token-exchange
working.
First, I tried on version 3.4, the first version to have this feature. In
my company, we're slowly updating our version of Keycloak, it is a bit old.

After some tries, I changed the Keycloak version to 6.0.1 because I think it
will be easier for me to get support from you.

I got the same error in both versions. Below is the scenario described in 6.0.1:

Well, I want to get an external token, minted by one realm of my own
Keycloak, "connect", and exchange it for an internal token of another realm
of my Keycloak, "emm".

To enable this feature and others for testing, I included in standalone.conf:
JAVA_OPTS="$JAVA_OPTS -Dkeycloak.profile.feature.token_exchange=enabled
-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
-Dkeycloak.profile=preview -Dkeycloak.profile.feature.scripts=enabled"

This enabled the Permissions tab as expected. However, after opening it,
when I click on "Permissions Enabled" to change the switch from off to on,
the message "*Error!* An unexpected server error has occurred" pops up.
This happens in both Permissions tabs, in client edit and IDP edit.

In the server log:

> 17:07:48,338 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-5) Uncaught server error: java.lang.NullPointerException
> at org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmResourceServer(MgmtPermissions.java:263)
> at org.keycloak.services.resources.admin.permissions.MgmtPermissions.findOrCreateResourceServer(MgmtPermissions.java:242)
> at org.keycloak.services.resources.admin.permissions.ClientPermissions.initialize(ClientPermissions.java:95)
> at org.keycloak.services.resources.admin.permissions.ClientPermissions.setPermissionsEnabled(ClientPermissions.java:198)
> at org.keycloak.services.resources.admin.ClientResource.setManagementPermissionsEnabled(ClientResource.java:658)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)

...
It continues, but has no other cause or information in the stack.


In version 3.4.2, the stack is:

> 16:43:34,740 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-28) Uncaught server error: java.lang.NullPointerException
> at org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmResourceServer(MgmtPermissions.java:262)

...

I tried to run a curl to make the exchange and the error is the same as
above.

Additionally, I tried to make the exchange with a Google IDP as in
https://www.mathieupassenaud.fr/token-exchange-keycloak/, using the Google
OAuth Playground. Same error again.

I hope someone can help me or point me to a resource, like a tutorial that
covers all the steps and works properly.

Best Regards and thank you in advance,
Leandro Del Sole
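For reference, the exchange request the post describes (external token from realm "connect" exchanged for an internal token in realm "emm") looks like this in Python. This is an added example, not code from the post or from Keycloak itself; the base URL, the IdP alias "connect-idp" and the client credentials are assumed placeholders, and the parameter names follow Keycloak's token exchange documentation. The claim-decoding helper lets you confirm that the token handed back really carries the "emm" realm as issuer.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values (placeholders, not taken from the original post). Keycloak 6.x
# still serves everything under the /auth context path.
BASE_URL = "https://keycloak.example.test/auth"
TARGET_REALM = "emm"       # realm that should mint the internal token
IDP_ALIAS = "connect-idp"  # assumed alias of the IdP in "emm" that trusts realm "connect"


def build_exchange_request(client_id, client_secret, external_token, idp_alias=IDP_ALIAS):
    """Return (url, form) for an external-to-internal exchange in the target realm."""
    url = f"{BASE_URL}/realms/{TARGET_REALM}/protocol/openid-connect/token"
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": external_token,
        # subject_issuer is the IdP alias in the target realm, which tells Keycloak
        # which external issuer the subject_token came from.
        "subject_issuer": idp_alias,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
    }
    return url, form


def exchange(client_id, client_secret, external_token):
    """Send the exchange over the network and return the parsed JSON response."""
    url, form = build_exchange_request(client_id, client_secret, external_token)
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def jwt_claims(token):
    """Decode a JWT payload without verifying it, purely to inspect iss/aud/azp."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_by_target_realm(token):
    """Check that the returned token really was minted by the 'emm' realm."""
    return jwt_claims(token).get("iss") == f"{BASE_URL}/realms/{TARGET_REALM}"


def sample_jwt(claims):
    """Constructed, unsigned sample token for offline testing of the helpers above."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

If the server returns the same NullPointerException as in the log above, the request itself is not the problem; the admin-permission initialisation fails before the exchange is evaluated.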

