<div dir="ltr"><div><div><div>Hello Marek,<br><br></div>It looks like we've cornered the issue after all :-)<br><br></div>I managed to reproduce it on a relatively clean keycloak setup with the following steps:<br><br><br></div><div style="margin-left:40px"> 1. Create application app-dg that will be used to get tokens using direct access grants. <br>
 AccessType: Public<br>
 Direct Grants Only: true<br>
 <br>
 2. Create application app-test. <br>
 AccessType: Bearer only<br>
 <br>
 3. Create application level role 'role-test' in app-test.<br>
 <br>
 4. Create user user-test. Assign it application level role app-test:role-test and set his password to 'password'<br>
 <br>
 5. Retrieve a token for user-test using direct access grants:<br>
 <br>
 $ curl -k -X POST <a href="http://127.0.0.1:8080/auth/realms/restcomm/protocol/openid-connect/token">http://127.0.0.1:8080/auth/realms/restcomm/protocol/openid-connect/token</a> -d "grant_type=password" -d "client_id=app-dg" -d "username=user-test" -d "password=password"<br>
 <br>
 And the token:<br>
 {<br>
 "jti": "f68e595e-d612-42a1-b4f2-0af2b32b7dd7",<br>
 "exp": 1441881384,<br>
 "nbf": 0,<br>
 "iat": 1441877784,<br>
 "iss": "<a href="http://127.0.0.1:8080/auth/realms/restcomm">http://127.0.0.1:8080/auth/realms/restcomm</a>",<br>
 "aud": "app-dg",<br>
 "sub": "067021e3-0fac-49dd-931b-1d26eb8ceb70",<br>
 "azp": "app-dg",<br>
 "session_state": "03903e0d-4748-4aba-bf5e-c0529757c13d",<br>
 "client_session": "7f8417c0-9fd0-4e65-a3d8-a9335cb1f704",<br>
 "allowed-origins": [],<br>
 "resource_access": {<br>
 "app-test": {<br>
 "roles": [<br>
 "role-test"<br>
 ]<br>
 },<br>
 "account": {<br>
 "roles": [<br>
 "view-profile",<br>
 "manage-account"<br>
 ]<br>
 }<br>
 },<br>
 "name": "",<br>
 "preferred_username": "user-test"<br>
 }<br><br></div><div style="margin-left:40px"> 6. Remove app-test<br></div><div style="margin-left:40px"> <br>
 7.
Try to retrieve a token once more and the error appears:<br> <br> 12:39:37,260 ERROR [io.undertow.request] (default task-17) UT005023: Exception handling request to /auth/realms/restcomm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/restcomm/protocol/openid-connect/token<br> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)<br> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)<br> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)<br> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)<br> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)<br> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)<br> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)<br> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<br> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<br> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)<br> at 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)<br> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<br> at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)<br> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)<br> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)<br> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)<br> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)<br> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)<br> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<br> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<br> at java.lang.Thread.run(Thread.java:745)<br> Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException<br> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<br> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)<br> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)<br> at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)<br> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)<br> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)<br> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)<br> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)<br> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)<br> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)<br> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)<br> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)<br> ... 29 more<br> Caused by: java.lang.NullPointerException<br> at org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)<br> at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)<br> at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)<br> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)<br> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)<br> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)<br> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br> at java.lang.reflect.Method.invoke(Method.java:606)<br> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)<br> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)<br> at 
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)<br> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)<br> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)<br> ... 37 more<br></div><div><br>The rule I tried to make up is the following:<br><br><div style="margin-left:40px">"If for user Alice there exists an active token with application roles for an application and this application is removed, you can't get a token for this user anymore" <br></div><br>Also note that in my tests I've increased realm 'Access token lifespan' to 60 min. Maybe having a short lifespan discards the token before doing any damage and the exception is not thrown. Just guessing here...<br><br><br></div><div>I hope this helps<br><br><br></div><div>Regards<br><br></div><div>Orestis<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 4, 2015 at 11:54 AM, Orestis Tsakiridis <span dir="ltr"><<a href="mailto:orestis.tsakiridis@telestax.com" target="_blank">orestis.tsakiridis@telestax.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi Marek,<br><br></div>Hmmm, indeed, that happens after having deleted clients. But I haven't defined any composite roles. The rest of the REST API operations I've used don't seem to trigger it. <br><br>But wait! I think you rang a bell. The clients I remove have their own application-level roles created and bound to them. They are not composite though in the strict sense of the term. 
Possibly the user that tries to get a token is also assigned these roles. Btw, is it proper practice to remove a client without removing its own application roles first?<br><br>Also, I'm using the default H2 DB setup. <br><br></div>I will try to reproduce and post my findings to this thread.<br><br></div><br>Thanks Marek<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888">Orestis<br></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 2, 2015 at 4:45 PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
      <div>It looks like you deleted some client, but
        its composite roles were not properly deleted. It might be a bug,
        though I'm not sure. It would be cool if you could provide more
        detailed steps to reproduce. Are you using the default H2 DB or something
        else?<br>
<br>
Thanks,<br>
Marek<div><div><br>
<br>
On 02/09/15 11:25, Orestis Tsakiridis wrote:<br>
</div></div></div>
<blockquote type="cite"><div><div>
<div dir="ltr">
<div>
<div>
<div>Hello,<br>
<br>
</div>
              I'm experiencing a strange error while trying to retrieve a
              token. Although initially the application may function
              properly and tokens are issued normally, something happens when
              I use the Admin REST API that triggers the error. After that
              no tokens can be issued and an NPE appears in the log.
              Usually this happens after trying to drop some clients.<br>
<br>
</div>
            <div>Btw, I'm using keycloak-1.4.0.Final.<br>
</div>
<div><br>
</div>
            Here is the command I use to get the token:<br>
<br>
curl -k -X POST <a href="https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token" target="_blank">https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token</a>
-d "grant_type=password" -d "client_id=restcomm-identity-rest"
-d "username=otsakir" -d "password=...."<br>
<br>
</div>
          And here is what I get in the logs:<br>
<div>
<div><br>
09:12:36,414 ERROR [io.undertow.request] (default task-4)
UT005023: Exception handling request to
/auth/realms/restcomm/protocol/openid-connect/token:
java.lang.RuntimeException: request path:
/auth/realms/restcomm/protocol/openid-connect/token<br>
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)<br>
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)<br>
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)<br>
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)<br>
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)<br>
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)<br>
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)<br>
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<br>
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<br>
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)<br>
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)<br>
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<br>
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)<br>
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)<br>
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)<br>
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<br>
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<br>
at java.lang.Thread.run(Thread.java:745)<br>
Caused by: org.jboss.resteasy.spi.UnhandledException:
java.lang.NullPointerException<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)<br>
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)<br>
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)<br>
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)<br>
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)<br>
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)<br>
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)<br>
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)<br>
... 29 more<br>
Caused by: java.lang.NullPointerException<br>
at
org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)<br>
at
org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)<br>
at
org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)<br>
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)<br>
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)<br>
at sun.reflect.GeneratedMethodAccessor204.invoke(Unknown
Source)<br>
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
at java.lang.reflect.Method.invoke(Method.java:606)<br>
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)<br>
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)<br>
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)<br>
... 37 more<br>
<br>
<br>
</div>
<div>Regards<br>
<br>
</div>
<div>Orestis<br>
</div>
</div>
</div>
<br>
<br>
</div></div><pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
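A log-triage sketch for the failure in this thread, added here as an example (it is not code from Keycloak or from either poster). The first log line only reports `RuntimeException: request path: ...`, so the script walks the `Caused by:` chain to the innermost exception and its first frame, then flags token-endpoint requests whose root cause is a `NullPointerException`. The sample log is constructed by abridging the trace quoted above; the function names are illustrative.

```python
import re

# Constructed sample: abridged from the trace quoted in this thread (most frames dropped).
SAMPLE_LOG = """\
12:39:37,260 ERROR [io.undertow.request] (default task-17) UT005023: Exception handling request to /auth/realms/restcomm/protocol/openid-connect/token: java.lang.RuntimeException: request path: /auth/realms/restcomm/protocol/openid-connect/token
\tat org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)
\tat io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
Caused by: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
\tat org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
\t... 29 more
Caused by: java.lang.NullPointerException
\tat org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)
\tat org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)
\t... 37 more
"""

HEADER = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d,\d+) ERROR \[io\.undertow\.request\].*?"
                    r"Exception handling request to (?P<path>\S+?): (?P<exc>[\w.$]+)")
CAUSE = re.compile(r"^Caused by: (?P<exc>[\w.$]+)")
FRAME = re.compile(r"^\s*at (?P<method>[\w.$<>]+)\((?P<src>[^)]*)\)")

def root_causes(log_text):
    """Return one record per logged request failure, holding the innermost
    exception class and the first stack frame listed beneath it."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"time": m["ts"], "path": m["path"], "root": m["exc"], "frame": None}
            events.append(cur)
            continue
        if cur is None:
            continue  # not inside an Undertow error record yet
        m = CAUSE.match(line)
        if m:
            # A deeper cause replaces the wrapper exception seen so far.
            cur["root"], cur["frame"] = m["exc"], None
            continue
        m = FRAME.match(line)
        if m and cur["frame"] is None:
            cur["frame"] = f"{m['method']}({m['src']})"
    return events

def token_endpoint_npes(log_text):
    """Failures of the OpenID Connect token endpoint rooted in an NPE."""
    return [e for e in root_causes(log_text)
            if e["path"].endswith("/protocol/openid-connect/token")
            and e["root"] == "java.lang.NullPointerException"]

if __name__ == "__main__":
    for e in token_endpoint_npes(SAMPLE_LOG):
        print(e["time"], e["path"], e["root"], "at", e["frame"])
```
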