[keycloak-user] Logging for X509 authentication flow

Nalyvayko, Peter pnalyvayko at agi.com
Tue Mar 19 15:58:06 EDT 2019


Raymond,
I assume you've followed the steps described in https://www.keycloak.org/docs/4.8/server_admin/, "6.6. X.509 Client Certificate User Authentication"? Another suggestion is to double check your app OIDC configuration and make sure it is properly configured with a valid client id - the clientId in the error output looks suspicious.

My $0.02
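The logger configuration Peter quotes further down this thread (two org.keycloak categories at TRACE under the logging subsystem in standalone.xml) is the same whichever schema version the subsystem declares; Raymond's 6.0 versus 3.0 difference only changes the xmlns attribute. The script below is an added example, not something from the thread, Keycloak or WildFly. It inserts the two categories from Peter's reply plus an Undertow category (io.undertow.request.security, which I assume here is the category Undertow's security/authentication-mechanism logging uses) into whatever urn:jboss:domain:logging:* version the file carries, keeps the file's indentation, leaves already-present categories alone, and re-parses the result with a real XML parser as a sanity check. The embedded standalone.xml is a constructed, cut-down sample; a restart of the server is still needed afterwards, as Peter says.

```python
import re
import sys
import xml.etree.ElementTree as ET

LOGGING_NS = "urn:jboss:domain:logging:"

# Categories from Peter's reply, plus the Undertow security logger (assumed name,
# see lead-in) to see what the certificate-based mechanism decided before Keycloak.
TRACE_CATEGORIES = [
    "org.keycloak.authentication.authenticators.x509",
    "org.keycloak.services.x509",
    "io.undertow.request.security",
]

# Constructed sample standalone.xml fragment (logging schema 6.0, as in Raymond's install).
SAMPLE_STANDALONE = """<?xml version="1.0"?>
<server xmlns="urn:jboss:domain:8.0">
    <profile>
        <subsystem xmlns="urn:jboss:domain:logging:6.0">
            <console-handler name="CONSOLE">
                <level name="INFO"/>
            </console-handler>
            <logger category="org.jboss.as.config">
                <level name="DEBUG"/>
            </logger>
            <root-logger>
                <level name="INFO"/>
                <handlers>
                    <handler name="CONSOLE"/>
                </handlers>
            </root-logger>
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:undertow:7.0"/>
    </profile>
</server>
"""


def _logging_subsystem_span(xml_text):
    """Offsets of the logging <subsystem> block, for any schema version (3.0, 6.0, ...)."""
    m = re.search(r'<subsystem\s+xmlns="' + LOGGING_NS + r'[0-9.]+">', xml_text)
    if not m:
        raise ValueError("no logging subsystem found in standalone.xml")
    # subsystem elements never nest, so the next closing tag ends this block
    return m.start(), xml_text.index("</subsystem>", m.end())


def ensure_trace_loggers(xml_text, categories, level="TRACE"):
    """Insert <logger> elements for missing categories; returns (new_text, added_categories).

    Existing categories are left untouched (their level is not changed). Loggers are
    placed before <root-logger>, where WildFly's schema expects them.
    """
    start, end = _logging_subsystem_span(xml_text)
    block = xml_text[start:end]
    existing = set(re.findall(r'<logger\s+category="([^"]+)"', block))
    new = [c for c in categories if c not in existing]
    if not new:
        return xml_text, []
    anchor = re.search(r"^([ \t]*)<root-logger>", block, re.M)
    if anchor:
        indent = anchor.group(1)
        insert_at = start + anchor.start()
    else:  # no root-logger: insert at the start of the </subsystem> line
        insert_at = xml_text.rfind("\n", 0, end) + 1
        indent = xml_text[insert_at:end] + "    "
    snippet = "".join(
        '%s<logger category="%s">\n%s    <level name="%s"/>\n%s</logger>\n'
        % (indent, c, indent, level, indent)
        for c in new
    )
    return xml_text[:insert_at] + snippet + xml_text[insert_at:], new


def logger_levels(xml_text):
    """Parse the edited file and return {category: level} from the logging subsystem."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.startswith("{" + LOGGING_NS) and el.tag.endswith("}subsystem"):
            ns = el.tag[1:el.tag.index("}")]
            return {
                lg.get("category"): lg.find("{%s}level" % ns).get("name")
                for lg in el.findall("{%s}logger" % ns)
            }
    raise ValueError("no logging subsystem found")


if __name__ == "__main__":
    # Usage: python add_x509_trace.py /path/to/standalone.xml  (no path: dry run on sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_STANDALONE
    updated, added = ensure_trace_loggers(text, TRACE_CATEGORIES)
    if path and added:
        open(path + ".bak", "w").write(text)  # keep a copy before touching the live config
        open(path, "w").write(updated)
    print("added loggers:", added)
    print("effective logger levels:", logger_levels(updated))
```

Running it twice is safe: the second pass finds the categories already present and returns the file unchanged. TRACE on the X.509 and Undertow security categories is verbose and prints certificate subject details into server.log, so it is best removed again once the mapping problem is found.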

From: Page, Raymond (Technical Solutions) <Page_Raymond at ne.bah.com>
Sent: Tuesday, March 19, 2019 3:35 PM
To: Nalyvayko, Peter <pnalyvayko at agi.com>; keycloak-user at lists.jboss.org
Subject: Re: Logging for X509 authentication flow


I'm not sure if this makes a difference, but I have <subsystem xmlns="urn:jboss:domain:logging:6.0"> not <subsystem xmlns="urn:jboss:domain:logging:3.0">



I added the two new categories to the domain:logging:6.0, but I don't get any additional output. I'm speculating there might be an issue from undertow to keycloak, how do I log undertow?

________________________________
From: Nalyvayko, Peter <pnalyvayko at agi.com>
Sent: Tuesday, March 19, 2019 1:40:37 PM
To: Page, Raymond (Technical Solutions); keycloak-user at lists.jboss.org
Subject: [External] RE: Logging for X509 authentication flow

Hey Raymond,

Edit standalone.xml and add the following configuration under <subsystem xmlns="urn:jboss:domain:logging:3.0">:

<logger category="org.keycloak.authentication.authenticators.x509">
    <level name="TRACE"/>
</logger>
<logger category="org.keycloak.services.x509">
    <level name="TRACE"/>
</logger>

You will have to restart the service. Hope this helps

Cheers

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Page, Raymond (Technical Solutions)
Sent: Tuesday, March 19, 2019 12:22 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Logging for X509 authentication flow

I'm trying to get keycloak working with Wildfly authenticating clients directly by X.509 and then using the authentication flow in keycloak to translate that to a local user.


Unfortunately, it's not working and I'm not getting useful logging out of keycloak to determine what's wrong with my configuration. To debug, I need to know that undertow is passing the certificate successfully to keycloak, that keycloak's X509-form authentication is receiving the proper identity, the identity extracted from the certificate for authentication comparison, what it's being compared to (is the CN or DN being regexed and is it being compared to the keycloak custom attribute that I specified). What I get from enabling debug logging that's not jboss modules loads is:

18:59:38,702 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=TEST, clientId=https://auth.test.local, userId=null, ipAddress=192.168.0.100, error=client_not_found


Can someone provide details on how to get debug logging for undertow and the X509-form-config authentication?


--
Raymond Page, CTR (US)
Automation Engineer, UoT
TIS CTR to Booz | Allen | Hamilton
page_raymond at ne.bah.com
raymond.c.page15.ctr at mail.mil
C: (321) 549-7243
W: (703) 679-8618
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user