<div dir="ltr"><div>Sounds great.<br><br></div>Thanks Marek.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 14, 2015 at 9:28 AM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Thanks, I've created JIRA
<a href="https://issues.jboss.org/browse/KEYCLOAK-1842" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1842</a> . We will try to
reproduce and fix for 1.6 release.<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek</font></span><div><div class="h5"><br>
<br>
On 10/09/15 11:51, Orestis Tsakiridis wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>Hello Marek,<br>
<br>
</div>
It looks like we've cornered the issue after all :-)<br>
<br>
</div>
I managed to reproduce it on a relatively clean keycloak setup
with the following steps:<br>
<br>
<br>
</div>
<div style="margin-left:40px"> 1. Create application
app-dg that will be used to get tokens using direct access
grants. <br>
Access Type: Public<br>
Direct Grants Only: true<br>
<br>
2. Create application app-test. <br>
Access Type: Bearer only<br>
<br>
3. Create application level role 'role-test' in
app-test.<br>
<br>
4. Create user user-test. Assign it application
level role app-test:role-test and set his password to
'password'<br>
<br>
5. Retrieve a token for user-test using direct
access grants:<br>
<br>
$ curl -k -X POST <a href="http://127.0.0.1:8080/auth/realms/restcomm/protocol/openid-connect/token" target="_blank">http://127.0.0.1:8080/auth/realms/restcomm/protocol/openid-connect/token</a>
-d "grant_type=password" -d "client_id=app-dg" -d
"username=user-test" -d "password=password"<br>
<br>
And the token:<br>
{<br>
"jti":
"f68e595e-d612-42a1-b4f2-0af2b32b7dd7",<br>
"exp": 1441881384,<br>
"nbf": 0,<br>
"iat": 1441877784,<br>
"iss": "<a href="http://127.0.0.1:8080/auth/realms/restcomm" target="_blank">http://127.0.0.1:8080/auth/realms/restcomm</a>",<br>
"aud": "app-dg",<br>
"sub":
"067021e3-0fac-49dd-931b-1d26eb8ceb70",<br>
"azp": "app-dg",<br>
"session_state":
"03903e0d-4748-4aba-bf5e-c0529757c13d",<br>
"client_session":
"7f8417c0-9fd0-4e65-a3d8-a9335cb1f704",<br>
"allowed-origins": [],<br>
"resource_access": {<br>
"app-test": {<br>
"roles": [<br>
"role-test"<br>
]<br>
},<br>
"account": {<br>
"roles": [<br>
"view-profile",<br>
"manage-account"<br>
]<br>
}<br>
},<br>
"name": "",<br>
"preferred_username": "user-test"<br>
}<br>
<br>
</div>
<div style="margin-left:40px"> 6. Remove app-test<br>
</div>
<div style="margin-left:40px"> <br>
7. Try to retrieve a token once more and the error
appears:<br>
<br>
12:39:37,260 ERROR [io.undertow.request]
(default task-17) UT005023: Exception handling request to
/auth/realms/restcomm/protocol/openid-connect/token:
java.lang.RuntimeException: request path:
/auth/realms/restcomm/protocol/openid-connect/token<br>
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)<br>
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)<br>
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)<br>
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)<br>
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)<br>
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)<br>
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)<br>
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<br>
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<br>
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)<br>
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)<br>
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<br>
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)<br>
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)<br>
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)<br>
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<br>
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<br>
at java.lang.Thread.run(Thread.java:745)<br>
Caused by:
org.jboss.resteasy.spi.UnhandledException:
java.lang.NullPointerException<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)<br>
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)<br>
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)<br>
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)<br>
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)<br>
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)<br>
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)<br>
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)<br>
... 29 more<br>
Caused by: java.lang.NullPointerException<br>
at
org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)<br>
at
org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)<br>
at
org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)<br>
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)<br>
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)<br>
at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)<br>
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
at
java.lang.reflect.Method.invoke(Method.java:606)<br>
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)<br>
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)<br>
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)<br>
... 37 more<br>
</div>
<div><br>
The rule I tried to make up is the following:<br>
<br>
<div style="margin-left:40px">"If for user Alice exists an
active token with application roles for an application and
this application is removed, you can't get a token for this
user anymore" <br>
</div>
<br>
Also note that in my tests I've increased realm 'Access token
lifespan' to 60 min. Maybe having a short lifespan discards
the token before making any damage and the exception is not
thrown. Just guessing here...<br>
<br>
<br>
</div>
<div>I hope this helps<br>
<br>
<br>
</div>
<div>Regards<br>
<br>
</div>
<div>Orestis<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Sep 4, 2015 at 11:54 AM,
Orestis Tsakiridis <span dir="ltr"><<a href="mailto:orestis.tsakiridis@telestax.com" target="_blank">orestis.tsakiridis@telestax.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>Hi Marek,<br>
<br>
</div>
Hmmm, indeed, that happens after having deleted
clients. But I haven't defined any composite
roles. The rest of the REST API operations I've used
don't seem to trigger it. <br>
<br>
But wait! I think you rang a bell. The clients I
remove have their own application-level roles
created and bound to them. They are not composite
though in the strict sense of the term. Possibly the
user that tries to get a token is also assigned
these roles. Btw, is it proper practice to remove a
client without removing its own application roles
first?<br>
<br>
Also, I'm using the default H2 DB setup. <br>
<br>
</div>
I will try to reproduce and post my findings to this
thread.<br>
<br>
</div>
<br>
Thanks Marek<span><font color="#888888"><br>
<br>
</font></span></div>
<span><font color="#888888">Orestis<br>
</font></span></div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Sep 2, 2015 at 4:45
PM, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>It looks like you deleted some client, but its
composite roles were not properly deleted. It
might be a bug, but I'm not sure. It would
be cool if you could provide more detailed steps
to reproduce. Are you using the default H2 DB or
something else?<br>
<br>
Thanks,<br>
Marek
<div>
<div><br>
<br>
On 02/09/15 11:25, Orestis Tsakiridis
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>
<div>
<div>Hello,<br>
<br>
</div>
I'm experiencing a strange error
while trying to retrieve a token.
Although initially the application
may function properly and tokens
issued normally, something happens
when I use the Admin REST API that
triggers the error. After that no
tokens can be issued and an NPE
appears in the log. Usually this
happens after trying to drop some
clients.<br>
<br>
</div>
<div>Btw, I'm using
keycloak-1.4.0.Final.<br>
</div>
<div><br>
</div>
Here is the command I use to get the
token:<br>
<br>
curl -k -X POST <a href="https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token" target="_blank">https://identity.restcomm.com/auth/realms/restcomm/protocol/openid-connect/token</a>
-d "grant_type=password" -d
"client_id=restcomm-identity-rest" -d
"username=otsakir" -d "password=...."<br>
<br>
</div>
And here is what I get in the logs:<br>
<div>
<div><br>
09:12:36,414 ERROR
[io.undertow.request] (default
task-4) UT005023: Exception handling
request to
/auth/realms/restcomm/protocol/openid-connect/token:
java.lang.RuntimeException: request
path:
/auth/realms/restcomm/protocol/openid-connect/token<br>
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:73)<br>
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)<br>
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)<br>
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)<br>
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)<br>
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)<br>
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)<br>
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<br>
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<br>
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)<br>
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)<br>
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<br>
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)<br>
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)<br>
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)<br>
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)<br>
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<br>
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<br>
at
java.lang.Thread.run(Thread.java:745)<br>
Caused by:
org.jboss.resteasy.spi.UnhandledException:
java.lang.NullPointerException<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)<br>
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:149)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)<br>
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)<br>
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)<br>
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)<br>
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:790)<br>
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)<br>
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)<br>
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:59)<br>
... 29 more<br>
Caused by:
java.lang.NullPointerException<br>
at
org.keycloak.protocol.oidc.TokenManager.addComposites(TokenManager.java:353)<br>
at
org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:193)<br>
at
org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:412)<br>
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:358)<br>
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:113)<br>
at
sun.reflect.GeneratedMethodAccessor204.invoke(Unknown
Source)<br>
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
at
java.lang.reflect.Method.invoke(Method.java:606)<br>
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)<br>
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)<br>
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)<br>
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)<br>
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)<br>
... 37 more<br>
<br>
<br>
</div>
<div>Regards<br>
<br>
</div>
<div>Orestis<br>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
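A constructed model of the failure reproduced in the thread, added here and not taken from Keycloak's code: clients own roles, users map to roles by id, and deleting a client without cascading leaves a mapping whose container no longer exists, the analogue of the NPE in TokenManager.addComposites. The cascading delete and the tolerant token builder are the two defensive variants; every name other than the client, role and user names quoted from the thread is made up.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    role_id: str
    name: str
    client_id: str  # owning client, the role's "container"


@dataclass
class Realm:
    clients: dict = field(default_factory=dict)        # client_id -> {role_id}
    roles: dict = field(default_factory=dict)          # role_id -> Role
    user_mappings: dict = field(default_factory=dict)  # username -> {role_id}

    def create_client_role(self, client_id, name):
        rid = f"{client_id}:{name}"
        self.roles[rid] = Role(rid, name, client_id)
        self.clients.setdefault(client_id, set()).add(rid)
        return rid

    def delete_client_naive(self, client_id):
        # Drops the client record only; its roles and user mappings dangle.
        del self.clients[client_id]

    def delete_client_cascading(self, client_id):
        # Hardened: remove the client's roles and every mapping to them first.
        for rid in self.clients.pop(client_id, set()):
            self.roles.pop(rid, None)
            for mapped in self.user_mappings.values():
                mapped.discard(rid)


def resource_access(realm, user, tolerate_dangling=False):
    """Build the token's resource_access claim from the user's role mappings."""
    access = {}
    for rid in sorted(realm.user_mappings.get(user, ())):
        role = realm.roles.get(rid)
        if role is None or role.client_id not in realm.clients:
            if tolerate_dangling:
                continue  # skip the stale mapping instead of failing
            raise LookupError(f"mapping {rid} points at a deleted client")
        access.setdefault(role.client_id, []).append(role.name)
    return access


def reproduce_thread_steps(cascade=False):
    """Steps 1-7 from the thread; returns (claim before delete, outcome after)."""
    realm = Realm()
    realm.clients["app-dg"] = set()  # public client used for direct grants
    realm.user_mappings["user-test"] = {realm.create_client_role("app-test", "role-test")}
    before = resource_access(realm, "user-test")  # step 5: token issued normally
    (realm.delete_client_cascading if cascade else realm.delete_client_naive)("app-test")
    try:
        return before, resource_access(realm, "user-test")  # step 7: token again
    except LookupError as exc:
        return before, str(exc)
```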