Marek, you are right... it was an LDAP issue. After I added a new profile (deleting the
older one), I no longer see this issue.
Thanks for your inputs.
Thanks
Kamal
From: Marek Posolda <mposolda(a)redhat.com>
To: stian(a)redhat.com; Kamal Jagadevan <j.kamal(a)ymail.com>
Cc: Keycloak-dev <keycloak-dev(a)lists.jboss.org>
Sent: Friday, October 16, 2015 4:47 AM
Subject: Re: [keycloak-dev] NPE while getting token through Direct Access Grant
In stacktrace there is:
at org.keycloak.models.UserFederationManager.deleteInvalidUser(UserFederationManager.java:113)
at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:135)
which means that your LDAP user is no longer valid - in other words, he wasn't found
by Keycloak in LDAP. So this looks like an LDAP problem rather than an issue related to refresh
tokens.
Is your user still available in LDAP? If yes, then what are you using for "UUID LDAP
attribute" in the LDAP federation provider settings page? Do your LDAP users have this
attribute available in LDAP? For example, if you use "entryUUID" in the admin
console configuration, is this attribute really available in LDAP for your LDAP users?
Marek
On 16/10/15 10:08, Stian Thorgersen wrote:
Does it work if you disable "Revoke Refresh Token" in token settings? When that
is off (default setting) there are no changes to the code.
On 15 October 2015 at 21:20, Kamal Jagadevan <j.kamal(a)ymail.com> wrote:
Hi Guys!!
I took the latest master to verify the fix that Stian delivered to prevent usage of the same
refresh token. My test code tries getting the access token + refresh token through direct
access grant but fails due to a NullPointerException. Meanwhile I can continue to debug
further, but wanted to share the observation with you guys... Will post further if I get any
more details...
Environment details - I have user federation configured to LDAP and tried to log in with
a user in LDAP.
Caused by: java.lang.NullPointerException
at org.keycloak.models.cache.infinispan.DefaultCacheUserProvider.removeUser(DefaultCacheUserProvider.java:272)
at org.keycloak.models.UserFederationManager.deleteInvalidUser(UserFederationManager.java:113)
at org.keycloak.models.UserFederationManager.validateAndProxyUser(UserFederationManager.java:135)
at org.keycloak.models.UserFederationManager.getUserById(UserFederationManager.java:163)
at org.keycloak.models.sessions.infinispan.ClientSessionAdapter.getAuthenticatedUser(ClientSessionAdapter.java:265)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:116)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:724)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:357)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:110)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:109)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:135)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev