5:53 a.m.
Good morning, I was evaluating this issue and was not that hard to
decouple UPS from Keycloak to permit people deploy their own KC
instance.
Changes required:
- Remove wildfly-adapter, once it already comes with KC. It doesn't make
sense on having it.
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-wildfly-adapter</artifactId>
</dependency>
- Decouple the AeroGear theme for Keycloak from auth-module
Now, I'm getting the following error: Failed to find LOGIN theme
aerogear, using built-in themes =E2=80=94 for a good reason.a
- Provide a separated profile for the "decoupled version": into this
way, it's up to our developers use the builtin version or decoupled.
As soon as I get a feedback on it. I will move forward with the changes,
just let me know what do you think.
--
abstractj
PGP: 0x84DC9914
6:18 a.m.
For a "decoupled version", how do you specify the keycloak host/port to UPS?
Does it involve "cracking open" the WAR to modify config, or is there a
system property?
On Fri, Nov 14, 2014 at 5:53 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Good morning, I was evaluating this issue and was not that hard to
decouple UPS from Keycloak to permit people deploy their own KC
instance.
Changes required:
- Remove wildfly-adapter, once it already comes with KC. It doesn't make
sense on having it.
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-wildfly-adapter</artifactId>
</dependency>
- Decouple the AeroGear theme for Keycloak from auth-module
Now, I'm getting the following error: Failed to find LOGIN theme
aerogear, using built-in themes =E2=80=94 for a good reason.a
- Provide a separated profile for the "decoupled version": into this
way, it's up to our developers use the builtin version or decoupled.
As soon as I get a feedback on it. I will move forward with the changes,
just let me know what do you think.
--
abstractj
PGP: 0x84DC9914
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
6:27 a.m.
Hi Ken, the goal is to make use of what already exists on KC. See
section 7.2.3
(http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/ch07.html#...)
On 2014-11-14, Ken Finnigan wrote:
For a "decoupled version", how do you specify the keycloak
host/port to UPS?
Does it involve "cracking open" the WAR to modify config, or is there a
system property?
On Fri, Nov 14, 2014 at 5:53 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> Good morning, I was evaluating this issue and was not that hard to
> decouple UPS from Keycloak to permit people deploy their own KC
> instance.
>
> Changes required:
>
> - Remove wildfly-adapter, once it already comes with KC. It doesn't make
> sense on having it.
>
> <dependency>
> <groupId>org.keycloak</groupId>
> <artifactId>keycloak-wildfly-adapter</artifactId>
> </dependency>
>
> - Decouple the AeroGear theme for Keycloak from auth-module
>
> Now, I'm getting the following error: Failed to find LOGIN theme
> aerogear, using built-in themes =E2=80=94 for a good reason.a
>
> - Provide a separated profile for the "decoupled version": into this
> way, it's up to our developers use the builtin version or decoupled.
>
> As soon as I get a feedback on it. I will move forward with the changes,
> just let me know what do you think.
>
> --
>
> abstractj
> PGP: 0x84DC9914
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
PGP: 0x84DC9914
6:36 a.m.
Hi Bruno,
I'm not super familiar with all the various bits of keycloak, but I think
that section covers securing the UPS WAR with keycloak.
I was wondering how UPS would need to be configured if the UPS WAR is on
one WildFly and keycloak is on another, with each on completely separate
machines? In particular, so that the Admin console knows where keycloak
resides to secure itself.
On Fri, Nov 14, 2014 at 6:27 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Hi Ken, the goal is to make use of what already exists on KC. See
section 7.2.3
(
http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/ch07.html#...
)
On 2014-11-14, Ken Finnigan wrote:
> For a "decoupled version", how do you specify the keycloak host/port to
UPS?
>
> Does it involve "cracking open" the WAR to modify config, or is there a
> system property?
>
> On Fri, Nov 14, 2014 at 5:53 AM, Bruno Oliveira <bruno(a)abstractj.org>
wrote:
>
> > Good morning, I was evaluating this issue and was not that hard to
> > decouple UPS from Keycloak to permit people deploy their own KC
> > instance.
> >
> > Changes required:
> >
> > - Remove wildfly-adapter, once it already comes with KC. It doesn't
make
> > sense on having it.
> >
> > <dependency>
> > <groupId>org.keycloak</groupId>
> > <artifactId>keycloak-wildfly-adapter</artifactId>
> > </dependency>
> >
> > - Decouple the AeroGear theme for Keycloak from auth-module
> >
> > Now, I'm getting the following error: Failed to find LOGIN theme
> > aerogear, using built-in themes =E2=80=94 for a good reason.a
> >
> > - Provide a separated profile for the "decoupled version": into this
> > way, it's up to our developers use the builtin version or decoupled.
> >
> > As soon as I get a feedback on it. I will move forward with the
changes,
> > just let me know what do you think.
> >
> > --
> >
> > abstractj
> > PGP: 0x84DC9914
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> >
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
PGP: 0x84DC9914
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
8:39 a.m.
I'm working on it. You can track the progress on that ticket, also the scenario you
mentioned will be deployed on OpenShift.
—
abstractj
PGP: 0x84DC9914
On Fri, Nov 14, 2014 at 9:37 AM, Ken Finnigan <ken(a)kenfinnigan.me> wrote:
Hi Bruno,
I'm not super familiar with all the various bits of keycloak, but I think
that section covers securing the UPS WAR with keycloak.
I was wondering how UPS would need to be configured if the UPS WAR is on
one WildFly and keycloak is on another, with each on completely separate
machines? In particular, so that the Admin console knows where keycloak
resides to secure itself.
On Fri, Nov 14, 2014 at 6:27 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> Hi Ken, the goal is to make use of what already exists on KC. See
> section 7.2.3
> (
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/ch07.html#...
> )
>
> On 2014-11-14, Ken Finnigan wrote:
> > For a "decoupled version", how do you specify the keycloak host/port
to
> UPS?
> >
> > Does it involve "cracking open" the WAR to modify config, or is there
a
> > system property?
> >
> > On Fri, Nov 14, 2014 at 5:53 AM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
> >
> > > Good morning, I was evaluating this issue and was not that hard to
> > > decouple UPS from Keycloak to permit people deploy their own KC
> > > instance.
> > >
> > > Changes required:
> > >
> > > - Remove wildfly-adapter, once it already comes with KC. It doesn't
> make
> > > sense on having it.
> > >
> > > <dependency>
> > > <groupId>org.keycloak</groupId>
> > > <artifactId>keycloak-wildfly-adapter</artifactId>
> > > </dependency>
> > >
> > > - Decouple the AeroGear theme for Keycloak from auth-module
> > >
> > > Now, I'm getting the following error: Failed to find LOGIN theme
> > > aerogear, using built-in themes =E2=80=94 for a good reason.a
> > >
> > > - Provide a separated profile for the "decoupled version": into
this
> > > way, it's up to our developers use the builtin version or decoupled.
> > >
> > > As soon as I get a feedback on it. I will move forward with the
> changes,
> > > just let me know what do you think.
> > >
> > > --
> > >
> > > abstractj
> > > PGP: 0x84DC9914
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > >
>
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> --
>
> abstractj
> PGP: 0x84DC9914
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
8:39 a.m.
I'm working on it. You can track the progress on that ticket, also the scenario you
mentioned will be deployed on OpenShift.
—
abstractj
PGP: 0x84DC9914
On Fri, Nov 14, 2014 at 9:37 AM, Ken Finnigan <ken(a)kenfinnigan.me> wrote:
Hi Bruno,
I'm not super familiar with all the various bits of keycloak, but I think
that section covers securing the UPS WAR with keycloak.
I was wondering how UPS would need to be configured if the UPS WAR is on
one WildFly and keycloak is on another, with each on completely separate
machines? In particular, so that the Admin console knows where keycloak
resides to secure itself.
On Fri, Nov 14, 2014 at 6:27 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> Hi Ken, the goal is to make use of what already exists on KC. See
> section 7.2.3
> (
> http://docs.jboss.org/keycloak/docs/1.1.0.Beta1/userguide/html/ch07.html#...
> )
>
> On 2014-11-14, Ken Finnigan wrote:
> > For a "decoupled version", how do you specify the keycloak host/port
to
> UPS?
> >
> > Does it involve "cracking open" the WAR to modify config, or is there
a
> > system property?
> >
> > On Fri, Nov 14, 2014 at 5:53 AM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
> >
> > > Good morning, I was evaluating this issue and was not that hard to
> > > decouple UPS from Keycloak to permit people deploy their own KC
> > > instance.
> > >
> > > Changes required:
> > >
> > > - Remove wildfly-adapter, once it already comes with KC. It doesn't
> make
> > > sense on having it.
> > >
> > > <dependency>
> > > <groupId>org.keycloak</groupId>
> > > <artifactId>keycloak-wildfly-adapter</artifactId>
> > > </dependency>
> > >
> > > - Decouple the AeroGear theme for Keycloak from auth-module
> > >
> > > Now, I'm getting the following error: Failed to find LOGIN theme
> > > aerogear, using built-in themes =E2=80=94 for a good reason.a
> > >
> > > - Provide a separated profile for the "decoupled version": into
this
> > > way, it's up to our developers use the builtin version or decoupled.
> > >
> > > As soon as I get a feedback on it. I will move forward with the
> changes,
> > > just let me know what do you think.
> > >
> > > --
> > >
> > > abstractj
> > > PGP: 0x84DC9914
> > > _______________________________________________
> > > aerogear-dev mailing list
> > > aerogear-dev(a)lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/aerogear-dev
> > >
>
> > _______________________________________________
> > aerogear-dev mailing list
> > aerogear-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> --
>
> abstractj
> PGP: 0x84DC9914
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
1:47 p.m.
Hi Burno,
I am working on this as well just from the setup side for below is where
i am stuck i don't know if this helps you or not. But if you find something
wrong in my approach please point me to it.
My goal is get liveoak, aerogear and keycloak working on different
servers. LiveOak uses Keycloak and Aerogear. Following are the steps i
took.
1) Install Keycloak on one server with self signed certificate. It is
accessible via https://XXX.XXX.XXX.XXX:8443/auth
<https://xxx.xxx.xxx.xxx:8443/auth>;. Worked
2) Installed AreoGear on another server with self signed certificate.
It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push
<https://xxx.xxx.xxx.xxx:8443/ag-push>;. Worked
3) Imported attached JSON in as a new aerogear realm in keycloak.
Worked
4) Updated Keycloak to use MongoDB. Worked
5) Update application aerogear with keycloak.json restarted wildfly
server. Updated application under AreoGear to use
https://XXX.XXX.XXX.XXX:8443/ag-push/*
<https://xxx.xxx.xxx.xxx:8443/ag-push/*> as a redirect uri. Worked.
6) Restarted both the wildfly servers.
7) After restart tried to login to https://XXX.XXX.XXX.XXX:8443/ag-push/
<https://xxx.xxx.xxx.xxx:8443/ag-push/> forwarded me to
https://XXX.XXX.XXX.XXX:8443/auth <https://xxx.xxx.xxx.xxx:8443/auth> login
page. Successfull login was achieved.
8) PROBLEM: After login redirect to
https://XXX.XXX.XXX.XXX:8443/ag-push/
<https://xxx.xxx.xxx.xxx:8443/ag-push/> where by i get error "No state
cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator
line 116 because the adapter can not find a cookie with name "
OAuth_Token_Request_State" in HTTP.
Troubleshooting Try 1.
1) updated aerogear to use 1.0.1.Beta1 Adapter. Still works does not
solve the problem same error.
Troubleshooting Try 2.
1) updated keycloak.json by adding *"disable-trust-manager": true*.
Still works does not solve the problem same error.
Troubleshooting Try 3.
1) updated keycloak.json by adding *"disable-trust-manager":
false,"truststore": "/path","truststore-password":
"password"*. Still
works doe not solve the problem. I have a question is "*truststore*" a
local path to the keycloak jks cert or this is a path to remote keycloak
cert? I copied the keycloak.jks and pointed to that locally using
${jboss.server.config.dir}/trustcerts/keycloak.jks?
is this correct? After doing this i tried to invoke
https://XXX.XXX.XXXX.XXXX:8443/ag-push/rest/ping
Get the login screen
then i get Forbidden with below exception:
2014-11-15 18:31:13,664 ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed
to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
at
sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
[jsse.jar:1.8.0_25]
at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
[httpclient-4.2.1.jar:4.2.1]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_25]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Please help i feel like i am very close just missing something simple.
Regards,
Pratik Parikh
--
View this message in context:
http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-AGPUSH-1047-Decoup...
Sent from the aerogear-dev mailing list archive at Nabble.com.
2:49 a.m.
Hi Bruno,
Another update: I was able to reslove SSL handsack issue. And can now
assure that the trust between keycloak server and aerogear client is
established.
I am still running into an issue whereby upon login the adapter expects
a cookie and does not find it? Does aerogear team have to enhance anything
to obtain this "state cookie"?? below is the debug trace from aerogear side.
Aerogear Log:
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-17) adminRequest
https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmz...
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-17) adminRequest
https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmz...
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.RequestAuthenticator]
(default task-17) Account was not in session, returning null
2014-11-17 07:40:21,804 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) there
was a code, resolving
2014-11-17 07:40:21,804 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) checking
state cookie for after code
2014-11-17 07:40:21,804 WARN
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state
cookie
Regards,
Pratik Parikh
--
View this message in context:
http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-AGPUSH-1047-Decoup...
Sent from the aerogear-dev mailing list archive at Nabble.com.
8 a.m.
This might be required for you:
https://github.com/abstractj/aerogear-unifiedpush-server/commit/db7639566...
Let me know how it goes.
On 2014-11-17, Pratik Parikh wrote:
Hi Bruno,
Another update: I was able to reslove SSL handsack issue. And can now
assure that the trust between keycloak server and aerogear client is
established.
I am still running into an issue whereby upon login the adapter expects
a cookie and does not find it? Does aerogear team have to enhance anything
to obtain this "state cookie"?? below is the debug trace from aerogear side.
Aerogear Log:
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-17) adminRequest
https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmz...
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler]
(default task-17) adminRequest
https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmz...
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.RequestAuthenticator]
(default task-17) Account was not in session, returning null
2014-11-17 07:40:21,804 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) there
was a code, resolving
2014-11-17 07:40:21,804 DEBUG
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) checking
state cookie for after code
2014-11-17 07:40:21,804 WARN
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state
cookie
Regards,
Pratik Parikh
--
View this message in context:
http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-AGPUSH-1047-Decoup...
Sent from the aerogear-dev mailing list archive at Nabble.com.
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
PGP: 0x84DC9914
7:43 a.m.
Good morning my friend, I can't confirm/deny without access to the
sources like the files you did the updates.
Here is what must be done to get UPS working in a separate server from
Keycloak (some steps are very similar with what you already did).
Note: I'm working to make it configurable on UPS, but if you are in a
rush, these steps might help.
1. docker run -it -p 8080:8080 -p 9090:9090 jboss/keycloak
2. Login on Keycloak
3. Add a new realm and import the JSON file from
servers/auth-server/src/main/webapp/WEB-INF/ups-realm.json
4. git clone https://github.com/abstractj/aerogear-unifiedpush-server.git
5. Change the files to the IP address where KC is located
(https://github.com/abstractj/aerogear-unifiedpush-server/commit/db7639566...)
5. cd aerogear-unifiedpush-server && git checkout strawman && mvn clean
install
6. Deploy on WildFly
All the steps here are necessary if you want to solve the problem right
now. Now I'm working on it to decouple UPS and these steps will be
configurable for the further releases.
On 2014-11-15, Pratik Parikh wrote:
Hi Burno,
I am working on this as well just from the setup side for below is where
i am stuck i don't know if this helps you or not. But if you find something
wrong in my approach please point me to it.
My goal is get liveoak, aerogear and keycloak working on different
servers. LiveOak uses Keycloak and Aerogear. Following are the steps i
took.
1) Install Keycloak on one server with self signed certificate. It is
accessible via https://XXX.XXX.XXX.XXX:8443/auth
<https://xxx.xxx.xxx.xxx:8443/auth>;. Worked
2) Installed AreoGear on another server with self signed certificate.
It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push
<https://xxx.xxx.xxx.xxx:8443/ag-push>;. Worked
3) Imported attached JSON in as a new aerogear realm in keycloak.
Worked
4) Updated Keycloak to use MongoDB. Worked
5) Update application aerogear with keycloak.json restarted wildfly
server. Updated application under AreoGear to use
https://XXX.XXX.XXX.XXX:8443/ag-push/*
<https://xxx.xxx.xxx.xxx:8443/ag-push/*> as a redirect uri. Worked.
6) Restarted both the wildfly servers.
7) After restart tried to login to https://XXX.XXX.XXX.XXX:8443/ag-push/
<https://xxx.xxx.xxx.xxx:8443/ag-push/> forwarded me to
https://XXX.XXX.XXX.XXX:8443/auth <https://xxx.xxx.xxx.xxx:8443/auth> login
page. Successfull login was achieved.
8) PROBLEM: After login redirect to
https://XXX.XXX.XXX.XXX:8443/ag-push/
<https://xxx.xxx.xxx.xxx:8443/ag-push/> where by i get error "No state
cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator
line 116 because the adapter can not find a cookie with name "
OAuth_Token_Request_State" in HTTP.
Troubleshooting Try 1.
1) updated aerogear to use 1.0.1.Beta1 Adapter. Still works does not
solve the problem same error.
Troubleshooting Try 2.
1) updated keycloak.json by adding *"disable-trust-manager": true*.
Still works does not solve the problem same error.
Troubleshooting Try 3.
1) updated keycloak.json by adding *"disable-trust-manager":
false,"truststore": "/path","truststore-password":
"password"*. Still
works doe not solve the problem. I have a question is "*truststore*" a
local path to the keycloak jks cert or this is a path to remote keycloak
cert? I copied the keycloak.jks and pointed to that locally using
${jboss.server.config.dir}/trustcerts/keycloak.jks?
is this correct? After doing this i tried to invoke
https://XXX.XXX.XXXX.XXXX:8443/ag-push/rest/ping
Get the login screen
then i get Forbidden with below exception:
2014-11-15 18:31:13,664 ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed
to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
at
sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
[jsse.jar:1.8.0_25]
at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
[httpclient-4.2.1.jar:4.2.1]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_25]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_25]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]
Please help i feel like i am very close just missing something simple.
Regards,
Pratik Parikh
--
View this message in context:
http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-AGPUSH-1047-Decoup...
Sent from the aerogear-dev mailing list archive at Nabble.com.
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
abstractj
PGP: 0x84DC9914
3454
days inactive
3457
days old
9 comments
3 participants
participants (3)
-
Bruno Oliveira -
Ken Finnigan -
Pratik Parikh