<div dir="ltr">So I&#39;m also in a similar situation here where our front-end team will not even consider looking into FTL theme engine that was used in keycloak. They will reject keycloak as a good solution unless we can reimplement the login screen in an entirely different technology. I&#39;m still trying to convince people that using the current theming engine is a better choice but I don&#39;t think we&#39;ll even be able to get there unless I can help them do a comparison of the two implementations. We don&#39;t currently care about registration, social auth, password reset, etc... through the login screen. Most of this will be done through the keycloak admin client by an administrator in our cases. This means I need a way to actually use the Login SPI to able to redirect to a login page hosted on a different server. Are there any suggestions of places where I could start looking at in order to implement a custom Login page hosted on a different server. The reason I specify different server (same tld domain) is I&#39;m also a bit worried about CORS issues (hopefully we&#39;ll be fine).<div><br></div><div><br></div><div>Thanks,</div><div>Jesse<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 12, 2016 at 1:43 AM,  <span dir="ltr">&lt;<a href="mailto:keycloak-user-request@lists.jboss.org" target="_blank">keycloak-user-request@lists.jboss.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send keycloak-user mailing list submissions to<br>
        <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
        <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
or, via email, send a message with subject or body &#39;help&#39; to<br>
        <a href="mailto:keycloak-user-request@lists.jboss.org">keycloak-user-request@lists.jboss.org</a><br>
<br>
You can reach the person managing the list at<br>
        <a href="mailto:keycloak-user-owner@lists.jboss.org">keycloak-user-owner@lists.jboss.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than &quot;Re: Contents of keycloak-user digest...&quot;<br>
<br>
<br>
Today&#39;s Topics:<br>
<br>
   1. Re: Extending Themes via SPI (Stian Thorgersen)<br>
   2. Re: Failed to make identity provider oauth        callback:<br>
      javax.net.ssl.SSLHandshakeException (Marko Strukelj)<br>
   3. Re: Failed to make identity provider oauth        callback:<br>
      javax.net.ssl.SSLHandshakeException (Stian Thorgersen)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Fri, 12 Feb 2016 09:53:56 +0100<br>
From: Stian Thorgersen &lt;<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>&gt;<br>
Subject: Re: [keycloak-user] Extending Themes via SPI<br>
To: Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt;<br>
Cc: &quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
Message-ID:<br>
        &lt;<a href="mailto:CAJgngAfBrCv2B_A81Yc3sbBQbWz8O6JrXEa6SUWh8xG91EDDPg@mail.gmail.com">CAJgngAfBrCv2B_A81Yc3sbBQbWz8O6JrXEa6SUWh8xG91EDDPg@mail.gmail.com</a>&gt;<br>
Content-Type: text/plain; charset=&quot;utf-8&quot;<br>
<br>
No, you can create a theme that contains stylesheets and freemarker<br>
templates (if you need to change those) and deploy it to Keycloak. Please<br>
read<br>
<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html</a><br>
and take a look at the themes examples in our examples download.<br>
<br>
On 12 February 2016 at 09:47, Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt; wrote:<br>
<br>
&gt; Okay but what you are saying is done directly on the Keycloak source code<br>
&gt; which is then built and deployed, rather than extending classes and then<br>
&gt; deploying directly to a Keycloak instance?<br>
&gt;<br>
&gt; From: Stian Thorgersen &lt;<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>&gt;<br>
&gt; Reply-To: &quot;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&quot; &lt;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&gt;<br>
&gt; Date: Friday, February 12, 2016 at 6:29 PM<br>
&gt;<br>
&gt; To: Abdullah Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt;<br>
&gt; Cc: &quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
&gt; Subject: Re: [keycloak-user] Extending Themes via SPI<br>
&gt;<br>
&gt; There&#39;s a lot more to the login on Keycloak than a simple JSP page used<br>
&gt; for JEE form-based authentication. We have user registration, password<br>
&gt; recovery, OTP support, remember me, etc, etc..<br>
&gt;<br>
&gt; Take the look and feel (stylesheet) of your JSP login screen and apply it<br>
&gt; to Keycloak with a custom theme. That&#39;s the simplest, quickest and best<br>
&gt; option.<br>
&gt;<br>
&gt; On 12 February 2016 at 09:15, Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt; wrote:<br>
&gt;<br>
&gt;&gt;<br>
&gt;&gt; We have internal front end libraries that works with JSP only. From the<br>
&gt;&gt; sounds of SPI, I thought that I could use JSP and our internal libraries<br>
&gt;&gt; instead of FreeMarker templates. Also because our JSP login screen is<br>
&gt;&gt; almost ready it wouldn?t take much time to just deploy it (that?s what I<br>
&gt;&gt; thought).<br>
&gt;&gt;<br>
&gt;&gt; From: Stian Thorgersen &lt;<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>&gt;<br>
&gt;&gt; Reply-To: &quot;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&quot; &lt;<a href="mailto:stian@redhat.com">stian@redhat.com</a>&gt;<br>
&gt;&gt; Date: Friday, February 12, 2016 at 5:54 PM<br>
&gt;&gt; To: Abdullah Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt;<br>
&gt;&gt; Cc: &quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;<br>
&gt;&gt; Subject: Re: [keycloak-user] Extending Themes via SPI<br>
&gt;&gt;<br>
&gt;&gt; What are you actually trying to achieve? We mainly support modifying the<br>
&gt;&gt; FreeMarker templates and stylesheets. Beyond that you may in theory be able<br>
&gt;&gt; to re-implement it all to replace FreeMarker with something else, but I<br>
&gt;&gt; don&#39;t see why you would want to and it would be a significant amount of<br>
&gt;&gt; work, and also maintenance.<br>
&gt;&gt;<br>
&gt;&gt; On 12 February 2016 at 07:08, Sarp Kaya &lt;<a href="mailto:akaya@expedia.com">akaya@expedia.com</a>&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt;&gt; Hi all,<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; In regards to Extending Themes via SPI all I found is this documentation:<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/providers.html</a><br>
&gt;&gt;&gt;  and<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; &lt;<a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450</a>&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/themes.html#d4e2450</a><br>
&gt;&gt;&gt; I found it a little less describing.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; When I implement those two classes, where do I put the new implemented<br>
&gt;&gt;&gt; classes? How do I deploy them?<br>
&gt;&gt;&gt; Can I also use Spring mvc and JSP and few maven dependencies instead of<br>
&gt;&gt;&gt; freemarker?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; I also tried to find an example to extend theme using SPI but there<br>
&gt;&gt;&gt; seems to be none. It would be really nice if you could provide a sample<br>
&gt;&gt;&gt; hello world.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Thank you very much,<br>
&gt;&gt;&gt; Sarp Kaya<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; _______________________________________________<br>
&gt;&gt;&gt; keycloak-user mailing list<br>
&gt;&gt;&gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt;&gt;&gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt;&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; keycloak-user mailing list<br>
&gt;&gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt;&gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt;&gt;<br>
&gt;<br>
&gt;<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/dd16d2fc/attachment-0001.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/dd16d2fc/attachment-0001.html</a><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Fri, 12 Feb 2016 10:04:04 +0100<br>
From: Marko Strukelj &lt;<a href="mailto:mstrukel@redhat.com">mstrukel@redhat.com</a>&gt;<br>
Subject: Re: [keycloak-user] Failed to make identity provider oauth<br>
        callback: javax.net.ssl.SSLHandshakeException<br>
To: Marek Posolda &lt;<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;<br>
Cc: &quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;,<br>
        LEONARDO NUNES &lt;<a href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>&gt;<br>
Message-ID:<br>
        &lt;<a href="mailto:CA%2B1OW%2BgXfMSC%2BCiLo3vCSvxt0M5Gt9Qp_9TV7AiWcsfBW%2BDA9Q@mail.gmail.com">CA+1OW+gXfMSC+CiLo3vCSvxt0M5Gt9Qp_9TV7AiWcsfBW+DA9Q@mail.gmail.com</a>&gt;<br>
Content-Type: text/plain; charset=UTF-8<br>
<br>
When using &#39;truststore&#39; provider it is up to you to make sure to<br>
include all the certificates you trust. Configuration via<br>
-Djavax.net.ssl.trustStore works the same - no automatic inclusion of<br>
cacerts. But it sounds like a good usability feature to add a flag<br>
that would automatically include cacerts as well. The problem is - it<br>
happens occasionally that some CAs turn out not to be trustworthy, and<br>
blindly importing all cacerts exposes you to that risk.<br>
<br>
One detail to emphasize, with third party not-self-signed certificates<br>
it&#39;s important to include the CA certificate used to create the<br>
specific server certificate, rather than the server certificate<br>
itself. Facebook servers use different short-lived server certificates<br>
- and with two consecutive requests you may be presented with two<br>
different server certificates - but they are all issued by the same<br>
long-lived trusted CA.<br>
<br>
<br>
On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda &lt;<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt; wrote:<br>
&gt; Facebook certificate should be signed by trusted authority, so it works with<br>
&gt; default JDK truststore. At least for me it always works.<br>
&gt;<br>
&gt; Shouldn&#39;t truststore SPI use both provided file + default JDK truststore by<br>
&gt; default? We may have flag to disable default JDK truststore, but not sure if<br>
&gt; it&#39;s ever needed. Also shouldn&#39;t we rewrite SimpleHTTP to use Apache HTTP<br>
&gt; client provided by HttpClientProvider SPI?<br>
&gt;<br>
&gt; Marek<br>
&gt;<br>
&gt;<br>
&gt; On 11/02/16 15:23, Stian Thorgersen wrote:<br>
&gt;<br>
&gt; Does it work if you don&#39;t specify the truststore? That will use the default<br>
&gt; truststore provided by the JDK.<br>
&gt;<br>
&gt; Also, does your truststore contain the required CA certs? For Facebook to<br>
&gt; work it&#39;ll have to contain the required CA&#39;s for their certs<br>
&gt;<br>
&gt; On 11 February 2016 at 14:09, LEONARDO NUNES &lt;<a href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>&gt;<br>
&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; Hi, i&#39;m getting the error below when I try to login with Facebook.<br>
&gt;&gt; I&#39;ve followed the instructions at<br>
&gt;&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore</a><br>
&gt;&gt; and<br>
&gt;&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337</a><br>
&gt;&gt;<br>
&gt;&gt; I was able to login with Facebook when trying at localhost. But at our<br>
&gt;&gt; development server we are getting this error.<br>
&gt;&gt;<br>
&gt;&gt; We are using EAP in domain mode.<br>
&gt;&gt;<br>
&gt;&gt; The truststore I placed inside of keycloak-server.json<br>
&gt;&gt; &quot;truststore&quot;: {<br>
&gt;&gt;         &quot;file&quot;: {<br>
&gt;&gt;             &quot;file&quot;: &quot;/home/soa/jboss/ssl/keycloak.jks&quot;,<br>
&gt;&gt;             &quot;password&quot;: &quot;keycloak123&quot;,<br>
&gt;&gt;             &quot;hostname-verification-policy&quot;: &quot;ANY&quot;,<br>
&gt;&gt;             &quot;disabled&quot;: false<br>
&gt;&gt;         }<br>
&gt;&gt;     }<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; #######<br>
&gt;&gt;<br>
&gt;&gt; ERRO:<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; 2016-02-11 10:44:53,927 ERROR<br>
&gt;&gt; [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]<br>
&gt;&gt; (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth<br>
&gt;&gt; callback: javax.net.ssl.SSLHandshakeException:<br>
&gt;&gt; sun.security.validator.ValidatorException: PKIX path building failed:<br>
&gt;&gt; sun.security.provider.certpath.SunCertPathBuilderException: unable to find<br>
&gt;&gt; valid certification path to requested target<br>
&gt;&gt; at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)<br>
&gt;&gt; at<br>
&gt;&gt; org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)<br>
&gt;&gt; at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)<br>
&gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt;&gt; at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)<br>
&gt;&gt; [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)<br>
&gt;&gt; [keycloak-services-1.8.1.Final.jar:1.8.1.Final]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)<br>
&gt;&gt; at<br>
&gt;&gt; org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)<br>
&gt;&gt; [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at<br>
&gt;&gt; org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)<br>
&gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt;&gt; at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]<br>
&gt;&gt; Caused by: sun.security.validator.ValidatorException: PKIX path building<br>
&gt;&gt; failed: sun.security.provider.certpath.SunCertPathBuilderException: unable<br>
&gt;&gt; to find valid certification path to requested target<br>
&gt;&gt; at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.validator.Validator.validate(Validator.java:260)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)<br>
&gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt;&gt; ... 50 more<br>
&gt;&gt; Caused by: sun.security.provider.certpath.SunCertPathBuilderException:<br>
&gt;&gt; unable to find valid certification path to requested target<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at<br>
&gt;&gt; sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)<br>
&gt;&gt; [rt.jar:1.8.0_45]<br>
&gt;&gt; ... 56 more<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; --<br>
&gt;&gt; Leonardo Nunes<br>
&gt;&gt; ________________________________<br>
&gt;&gt; Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se<br>
&gt;&gt; voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta mensagem,<br>
&gt;&gt; n?o poder? usar, copiar ou divulgar as informa??es nela contidas ou tomar<br>
&gt;&gt; qualquer a??o baseada nessas informa??es. Se voc? recebeu esta mensagem por<br>
&gt;&gt; engano, por favor avise imediatamente o remetente, respondendo o e-mail e em<br>
&gt;&gt; seguida apague-o. Agradecemos sua coopera??o.<br>
&gt;&gt;<br>
&gt;&gt; This message may contain confidential and/or privileged information. If<br>
&gt;&gt; you are not the addressee or authorized to receive this for the addressee,<br>
&gt;&gt; you must not use, copy, disclose or take any action based on this message or<br>
&gt;&gt; any information herein. If you have received this message in error, please<br>
&gt;&gt; advise the sender immediately by reply e-mail and delete this message. Thank<br>
&gt;&gt; you for your cooperation<br>
&gt;&gt;<br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; keycloak-user mailing list<br>
&gt;&gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt;&gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; keycloak-user mailing list<br>
&gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; keycloak-user mailing list<br>
&gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Fri, 12 Feb 2016 10:43:18 +0100<br>
From: Stian Thorgersen &lt;<a href="mailto:sthorger@redhat.com">sthorger@redhat.com</a>&gt;<br>
Subject: Re: [keycloak-user] Failed to make identity provider oauth<br>
        callback: javax.net.ssl.SSLHandshakeException<br>
To: Marko Strukelj &lt;<a href="mailto:mstrukel@redhat.com">mstrukel@redhat.com</a>&gt;<br>
Cc: &quot;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&quot; &lt;<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>&gt;,<br>
        LEONARDO NUNES &lt;<a href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>&gt;<br>
Message-ID:<br>
        &lt;<a href="mailto:CAJgngAf4-aAyu_aONLOiYC9Ap0LmAur7U-yn2pP7H4o2LKHsrw@mail.gmail.com">CAJgngAf4-aAyu_aONLOiYC9Ap0LmAur7U-yn2pP7H4o2LKHsrw@mail.gmail.com</a>&gt;<br>
Content-Type: text/plain; charset=&quot;utf-8&quot;<br>
<br>
On 12 February 2016 at 10:04, Marko Strukelj &lt;<a href="mailto:mstrukel@redhat.com">mstrukel@redhat.com</a>&gt; wrote:<br>
<br>
&gt; When using &#39;truststore&#39; provider it is up to you to make sure to<br>
&gt; include all the certificates you trust. Configuration via<br>
&gt; -Djavax.net.ssl.trustStore works the same - no automatic inclusion of<br>
&gt; cacerts. But it sounds like a good usability feature to add a flag<br>
&gt; that would automatically include cacerts as well. The problem is - it<br>
&gt; happens occasionally that some CAs turn out not to be trustworthy, and<br>
&gt; blindly importing all cacerts exposes you to that risk.<br>
&gt;<br>
<br>
How about having a flag that is enabled by default that includes cacerts<br>
from Java? I&#39;d actually think that update from CA certs are more likely<br>
going to happen by updating Java rather than manually maintaining a<br>
truststore.<br>
<br>
<br>
&gt; One detail to emphasize, with third party not-self-signed certificates<br>
&gt; it&#39;s important to include the CA certificate used to create the<br>
&gt; specific server certificate, rather than the server certificate<br>
&gt; itself. Facebook servers use different short-lived server certificates<br>
&gt; - and with two consecutive requests you may be presented with two<br>
&gt; different server certificates - but they are all issued by the same<br>
&gt; long-lived trusted CA.<br>
<br>
<br>
&gt;<br>
&gt; On Fri, Feb 12, 2016 at 8:07 AM, Marek Posolda &lt;<a href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>&gt;<br>
&gt; wrote:<br>
&gt; &gt; Facebook certificate should be signed by trusted authority, so it works<br>
&gt; with<br>
&gt; &gt; default JDK truststore. At least for me it always works.<br>
&gt; &gt;<br>
&gt; &gt; Shouldn&#39;t truststore SPI use both provided file + default JDK truststore<br>
&gt; by<br>
&gt; &gt; default? We may have flag to disable default JDK truststore, but not<br>
&gt; sure if<br>
&gt; &gt; it&#39;s ever needed. Also shouldn&#39;t we rewrite SimpleHTTP to use Apache HTTP<br>
&gt; &gt; client provided by HttpClientProvider SPI?<br>
&gt; &gt;<br>
&gt; &gt; Marek<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt; On 11/02/16 15:23, Stian Thorgersen wrote:<br>
&gt; &gt;<br>
&gt; &gt; Does it work if you don&#39;t specify the truststore? That will use the<br>
&gt; default<br>
&gt; &gt; truststore provided by the JDK.<br>
&gt; &gt;<br>
&gt; &gt; Also, does your truststore contain the required CA certs? For Facebook to<br>
&gt; &gt; work it&#39;ll have to contain the required CA&#39;s for their certs<br>
&gt; &gt;<br>
&gt; &gt; On 11 February 2016 at 14:09, LEONARDO NUNES &lt;<a href="mailto:leo.nunes@gjccorp.com.br">leo.nunes@gjccorp.com.br</a>&gt;<br>
&gt; &gt; wrote:<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; Hi, i&#39;m getting the error below when I try to login with Facebook.<br>
&gt; &gt;&gt; I&#39;ve followed the instructions at<br>
&gt; &gt;&gt;<br>
&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#truststore</a><br>
&gt; &gt;&gt; and<br>
&gt; &gt;&gt;<br>
&gt; <a href="http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337" rel="noreferrer" target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/server-installation.html#d4e337</a><br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; I was able to login with Facebook when trying at localhost. But at our<br>
&gt; &gt;&gt; development server we are getting this error.<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; We are using EAP in domain mode.<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; The truststore I placed inside of keycloak-server.json<br>
&gt; &gt;&gt; &quot;truststore&quot;: {<br>
&gt; &gt;&gt;         &quot;file&quot;: {<br>
&gt; &gt;&gt;             &quot;file&quot;: &quot;/home/soa/jboss/ssl/keycloak.jks&quot;,<br>
&gt; &gt;&gt;             &quot;password&quot;: &quot;keycloak123&quot;,<br>
&gt; &gt;&gt;             &quot;hostname-verification-policy&quot;: &quot;ANY&quot;,<br>
&gt; &gt;&gt;             &quot;disabled&quot;: false<br>
&gt; &gt;&gt;         }<br>
&gt; &gt;&gt;     }<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; #######<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; ERRO:<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; 2016-02-11 10:44:53,927 ERROR<br>
&gt; &gt;&gt; [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider]<br>
&gt; &gt;&gt; (ajp-/192.168.162.73:8008-1) Failed to make identity provider oauth<br>
&gt; &gt;&gt; callback: javax.net.ssl.SSLHandshakeException:<br>
&gt; &gt;&gt; sun.security.validator.ValidatorException: PKIX path building failed:<br>
&gt; &gt;&gt; sun.security.provider.certpath.SunCertPathBuilderException: unable to<br>
&gt; find<br>
&gt; &gt;&gt; valid certification path to requested target<br>
&gt; &gt;&gt; at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.ssl.Handshaker.processLoop(Handshaker.java:969)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.ssl.Handshaker.process_record(Handshaker.java:904)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1282)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1257)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:124)<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:228)<br>
&gt; &gt;&gt; at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at java.lang.reflect.Method.invoke(Method.java:497) [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt; org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:107)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:154)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)<br>
&gt; &gt;&gt; [resteasy-jaxrs-2.3.8.SP4-redhat-2.jar:]<br>
&gt; &gt;&gt; at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)<br>
&gt; &gt;&gt;<br>
&gt; [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)<br>
&gt; &gt;&gt; [keycloak-services-1.8.1.Final.jar:1.8.1.Final]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.event(JBossWebContext.java:91)<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.modcluster.container.jbossweb.JBossWebContext$RequestListenerValve.invoke(JBossWebContext.java:72)<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)<br>
&gt; &gt;&gt; [jboss-as-web-7.4.3.Final-redhat-2.jar:7.4.3.Final-redhat-2]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at<br>
&gt; org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)<br>
&gt; &gt;&gt; [jbossweb-7.4.10.Final-redhat-1.jar:7.4.10.Final-redhat-1]<br>
&gt; &gt;&gt; at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; Caused by: sun.security.validator.ValidatorException: PKIX path building<br>
&gt; &gt;&gt; failed: sun.security.provider.certpath.SunCertPathBuilderException:<br>
&gt; unable<br>
&gt; &gt;&gt; to find valid certification path to requested target<br>
&gt; &gt;&gt; at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.validator.Validator.validate(Validator.java:260)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)<br>
&gt; &gt;&gt; [jsse.jar:1.8.0_45]<br>
&gt; &gt;&gt; ... 50 more<br>
&gt; &gt;&gt; Caused by: sun.security.provider.certpath.SunCertPathBuilderException:<br>
&gt; &gt;&gt; unable to find valid certification path to requested target<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at<br>
&gt; &gt;&gt;<br>
&gt; sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)<br>
&gt; &gt;&gt; [rt.jar:1.8.0_45]<br>
&gt; &gt;&gt; ... 56 more<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; --<br>
&gt; &gt;&gt; Leonardo Nunes<br>
&gt; &gt;&gt; ________________________________<br>
&gt; &gt;&gt; Esta mensagem pode conter informa??o confidencial e/ou privilegiada. Se<br>
&gt; &gt;&gt; voc? n?o for o destinat?rio ou a pessoa autorizada a receber esta<br>
&gt; mensagem,<br>
&gt; &gt;&gt; n?o poder? usar, copiar ou divulgar as informa??es nela contidas ou<br>
&gt; tomar<br>
&gt; &gt;&gt; qualquer a??o baseada nessas informa??es. Se voc? recebeu esta mensagem<br>
&gt; por<br>
&gt; &gt;&gt; engano, por favor avise imediatamente o remetente, respondendo o e-mail<br>
&gt; e em<br>
&gt; &gt;&gt; seguida apague-o. Agradecemos sua coopera??o.<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; This message may contain confidential and/or privileged information. If<br>
&gt; &gt;&gt; you are not the addressee or authorized to receive this for the<br>
&gt; addressee,<br>
&gt; &gt;&gt; you must not use, copy, disclose or take any action based on this<br>
&gt; message or<br>
&gt; &gt;&gt; any information herein. If you have received this message in error,<br>
&gt; please<br>
&gt; &gt;&gt; advise the sender immediately by reply e-mail and delete this message.<br>
&gt; Thank<br>
&gt; &gt;&gt; you for your cooperation<br>
&gt; &gt;&gt;<br>
&gt; &gt;&gt; _______________________________________________<br>
&gt; &gt;&gt; keycloak-user mailing list<br>
&gt; &gt;&gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt; &gt;&gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt; _______________________________________________<br>
&gt; &gt; keycloak-user mailing list<br>
&gt; &gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt; &gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt; _______________________________________________<br>
&gt; &gt; keycloak-user mailing list<br>
&gt; &gt; <a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
&gt; &gt; <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
&gt;<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <a href="http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/cf9f6d0b/attachment.html" rel="noreferrer" target="_blank">http://lists.jboss.org/pipermail/keycloak-user/attachments/20160212/cf9f6d0b/attachment.html</a><br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
<br>
End of keycloak-user Digest, Vol 26, Issue 66<br>
*********************************************<br>
</blockquote></div><br></div></div></div>