User can't revoke grants for a client without role in Account app
by GRMAN, Tomas
Hello,
Suppose we have a client defined with a scope of e.g. 1 role, requiring consent, and a user with that role. Assume we don't want to provision users with this role (required implementation on the client side); we have to use a default realm role. The Account application then shows the client in the applications screen without the user having given any consent. Which is, btw., perfectly understandable, as in this situation the screen shows only information about the available permissions. This would be quite OK, however with possibly several hundred clients this table would get messy.
Another possibility is to have a client without any scopes defined (full scope is disabled) that requires consent too. If a user accepts the consent, no information is displayed in the applications screen of the Account application, and as such the user is unable to revoke the grant.
We'd prefer to show only clients with accepted consents in the applications screen; however, I'm not sure whether the second possibility mentioned is a bug or a feature. Shouldn't it be possible to revoke a grant even though no scope (role) is defined?
Any help appreciated.
Tomas
8 years, 11 months
Reverse Proxy with SSL - Bad Request
by Kie, Jeremy, CYFD
Hello,
I've been searching for help with a problem I am encountering. I have reviewed a number of threads in the archive, but none seem to provide enough help for our setup.
Keycloak 2.1.0.Final
Apache as a reverse proxy
When accessing the application at https://apps-test.simple.com/bacon I get redirected to our Keycloak server, but the redirect_uri is set to http://apps-test.simple.com/bacon. When I log in successfully, I get redirected, but it results in 400 - Bad Request. I see the following lines in the app server log file:
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 53/1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: 53%2F1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577
I did find this thread
http://lists.jboss.org/pipermail/keycloak-user/2016-January/004449.html
What we want to do is similar, but both the auth and site (thus redirect URI) use SSL. I'm not sure if this is giving us problems. Any help is greatly appreciated.
Regards,
Jeremy
P.S. Here is our reverse proxy config (slightly redacted)
Timeout 900
ErrorLog syslog

# Exclude all robots
<Location "/robots.txt">
    SetHandler None
</Location>
Alias /robots.txt /srv/www/htdocs/robots.txt

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
    CustomLog /var/log/apache2/proxy_log proxy env=forwarded
    CustomLog /var/log/apache2/access_log combined env=!forwarded
</IfModule>

<VirtualHost *:80>
    ServerName apps-test.simple.com
    RequestHeader set X-Forwarded-Proto "http"
    RedirectMatch ^/$ https://apps-test.simple.com
    UseCanonicalName On
    # Send every plain-http request to the https vhost
    # (REQUEST_URI already starts with "/", so no extra slash after the host)
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName apps-test.simple.com
    SSLEngine on
    SSLProxyEngine On
    SSLProtocol -ALL +TLSv1
    SSLCertificateKeyFile /etc/apache2/ssl.key/rsa_private_key_2015.pem
    SSLCertificateFile /etc/apache2/ssl.crt/WC_simple_com_server_2015-16.crt
    SSLCertificateChainFile /etc/apache2/ssl.crt/IntermediateCA-SHA2root.crt
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
    RequestHeader unset Range
    RequestHeader unset Request-Range
    ProxyRequests Off
    ProxyPreserveHost On
    # Tell the back ends that the original request was https on port 443
    RequestHeader add X-Forwarded-Ssl on
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1
    RedirectMatch ^/$ https://apps-test.simple.com
    <Location "/app1">
        ProxyPass "!"
    </Location>
    <Location "/app2">
        ProxyPass "!"
    </Location>
    <Location /auth/>
        ProxyPass http://keycloak:8080/auth/
        ProxyPassReverse http://keycloak:8080/auth/
        # ProxyPassReverseCookieDomain takes bare host names, not URLs
        ProxyPassReverseCookieDomain keycloak.simple.com apps-test.simple.com
        ProxyPassReverseCookiePath / /auth/
    </Location>
    <Location /bacon/>
        ProxyPass http://internal.simple.com:8080/bacon/
        ProxyPassReverse http://internal.simple.com:8080/bacon/
        ProxyPassReverseCookieDomain internal.simple.com apps-test.simple.com
        ProxyPassReverseCookiePath / /bacon/
    </Location>
</VirtualHost>

ServerSignature Off
ServerTokens Prod
TraceEnable off
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)
8 years, 11 months
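The two effects visible in the log above, as an added Python example that is not code from the post or from Keycloak: how a proxy-aware adapter has to rebuild redirect_uri from the X-Forwarded-Proto and X-Forwarded-Port headers the Apache config sets, and what the logged cookie and queryParam state values look like once the query value is percent-decoded. The header values and log lines are constructed from the post.

```python
"""Two checks for a Keycloak OIDC adapter behind a TLS-terminating proxy.

Added example, not code from the original post or from Keycloak. The
headers and log lines below are constructed from the thread, not captured.
"""
import re
from urllib.parse import unquote

# Constructed from the three WARN lines quoted in the post.
LOG = [
    "2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid",
    "2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 53/1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577",
    "2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: 53%2F1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577",
]
STATE_RE = re.compile(r"OAuthRequestAuthenticator\].*?\b(cookie|queryParam): (\S+)")


def external_redirect_uri(request_uri, headers):
    """Rebuild the URL the browser used, as a proxy-aware adapter must.

    The back end only sees a plain-http request from Apache (ProxyPass to
    http://...:8080); unless it honours X-Forwarded-Proto / X-Forwarded-Port
    it builds the redirect_uri with http://, which is what the post observed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme = h.get("x-forwarded-proto", "http")
    host = h.get("x-forwarded-host", h["host"])   # ProxyPreserveHost On keeps Host
    port = h.get("x-forwarded-port")
    default_port = {"https": "443", "http": "80"}[scheme]
    if port and port != default_port and ":" not in host:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{request_uri}"


def compare_state(log_lines):
    """Return (equal_as_logged, equal_after_decoding) for the two state values.

    The adapter rejects the callback when the state query parameter does not
    equal the state it stored in its cookie (the CSRF check on the redirect).
    Values that agree only after percent-decoding point at an encoding
    difference on the way through the proxy, not at a forged or stale state.
    """
    found = {}
    for line in log_lines:
        m = STATE_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2)
    if not {"cookie", "queryParam"} <= set(found):
        raise ValueError("log does not contain both state values")
    cookie, query = found["cookie"], found["queryParam"]
    return cookie == query, cookie == unquote(query)


if __name__ == "__main__":
    proxied = {"Host": "apps-test.simple.com",
               "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}
    print(external_redirect_uri("/bacon", proxied))
    print(external_redirect_uri("/bacon", {"Host": "apps-test.simple.com"}))
    print(compare_state(LOG))
```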
NPE - logout
by java_os
Hi - null pointer on logout call.
2.2.1.Final and 2.3.0.Final - NullPointerException when logging out using keycloak.js (setup: Ng (keycloak.js) -> REST. IdP login through KC identity brokering to SAML).
Below is the stack trace - how do I log out from the SAML bridge? Login works.
------------ read NPE at the bottom ---
Anyone experienced this? It's happening on logout:
11:32:55,052 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /auth/realms/EDITED/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:180)
    at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:254)
    at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:142)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Caused by: java.lang.NullPointerException
    at java.net.URI$Parser.parse(URI.java:3042)
    at java.net.URI.<init>(URI.java:588)
    at java.net.URI.create(URI.java:850)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:89)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:78)
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:178)
    ... 51 more
8 years, 11 months
automatic user cleanup with UserSessionProvider SPI
by schwartzbj17@gmail.com
Is there a way, using one of the service provider interfaces, to automatically delete users when the user session expires? I tried the UserSessionProvider, but am not sure how to install it and have Keycloak use it. I tried installing it in the providers folder to no avail. I tried installing it as a module to no avail. Does anyone have a working example of this provider?
I've successfully built and installed other SPIs without issue, but those had working examples in the Keycloak documentation and/or on GitHub.
I'm using Keycloak 2.3.0.Final
8 years, 12 months
Keycloak custom theme auto selection
by Jagannadha Rekala
All,
I'm trying to see if there is a way I can select my custom theme as the login theme for my realm as soon as Keycloak starts. I know how to create the theme and select it manually via the administration console. I am looking for any help in terms of the CLI, instead of a JSON config import or manual theme selection via the Administration Console, or any better approach if there is one.
Thanks,
Jagan
8 years, 12 months
Is An IDP - Initiated SSO to Broker Possible?
by Josh Cain
Hi all,
I'm attempting an IDP-initiated SSO (via unsolicited SAML Request) against the Keycloak broker service. However, it's failing every time on the IdentityBrokerService.authenticated(..) method. I get the following error on the console:
22:05:04,945 ERROR [org.keycloak.services] (default task-61) staleCodeMessage
This method seems to think that clients should *always* visit the Keycloak IDP before returning with a SAML assertion, and the failure to retrieve an associated client session is causing a serious issue. I am able to successfully use the identity brokering functions if I use an SP-initiated flow, so I know the brokering piece is configured correctly.
Is this a limitation in the current implementation, or do I have something configured incorrectly?
--
Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 256-452-0150
8 years, 12 months
How to configure an enterprise TLS secured mail server
by Aritz Maeztu
Hello everybody,
I'm trying to configure Keycloak to send its e-mails using our company's e-mail server. I have no problem doing it using a simple configuration (just username and password, no encryption). However, our mail server accepts TLS and we use a custom certificate for it, but I don't know how to make the Keycloak server trust it (I know I have to add it to the JVM trusted certificates, but how do I do that in WildFly?). Every tutorial I read is about configuring WildFly itself to use the certificate and enable SSL, but in this case WildFly would be the client. This is the error I get while trying to send the e-mail (SSL handshake):
18:02:59,903 ERROR [org.keycloak.services] (default task-4) KC-SERVICES0088: Failed to send execute actions email: org.keycloak.email.EmailException: Failed to template email
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:133)
    at org.keycloak.services.resources.admin.UsersResource.executeActionsEmail(UsersResource.java:855)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:127)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
    at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
    ... 54 more
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2046)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:711)
    at javax.mail.Service.connect(Service.java:366)
    at javax.mail.Service.connect(Service.java:246)
    at javax.mail.Service.connect(Service.java:267)
    at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:120)
    ... 56 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:598)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:525)
    at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2041)
    ... 61 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 71 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 77 more
Any idea about this? Thanks!
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
8 years, 12 months
Backward compatibility of keycloak adapters
by Jitendra Chouhan
Hi,
We have sample apps that are integrated with Keycloak 2.2.1, and now we are migrating the existing samples to Keycloak 2.3.0.Final. We need to clarify a few points regarding the backward compatibility of the Keycloak adapters.
We have an AngularJS app and a back-end app which use keycloak.js and the keycloak-spring-security adapter respectively. These apps work fine with 2.2.1. In order to migrate from 2.2.1 to 2.3.0, the actions listed below were performed.
1. Upgraded the keycloak.js and keycloak-spring-security adapters to 2.3.0.
2. Exported the existing realm from 2.2.1 and imported it into the 2.3.0 instance of Keycloak.
3. Kept the same keycloak.json file, since we imported the working configuration from 2.2.1 into 2.3.0 (verified that all configurations are the same).
Upon verification we found the applications work fine with 2.3.0 as long as the key is not rotated. After key rotation the applications stop working. But if we download the applications' keycloak.json from the 2.3.0 instance, everything works fine.
Does this mean the adapter is not backward compatible? As we know, the key rotation feature was introduced in 2.3.0, and the reference documentation states that the adapter will query/refer to the public key and certificate from the Keycloak server instance.
Our point: since we imported the configuration from the previous Keycloak version (the key is the same), if the applications have upgraded their adapters to 2.3.0, it should work even with the old keycloak.json files kept in the respective apps (as per our expectation, the adapter should refer to the keys/certs from the Keycloak server).
Wouldn't it make more sense for the Keycloak 2.3 adapters to ignore (not read) the public-key defined in the application's keycloak.json file and always refer to the Keycloak server? That way application migration from one Keycloak version to another would be easier.
Please do let me know if further information is needed.
Thanks,
Jitendra Chouhan
8 years, 12 months
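A worked model of the two adapter behaviours the post contrasts, as an added Python example that is not Keycloak code: a verifier pinned to the public key carried in keycloak.json, beside one that selects the key by the token's kid from the key set the server publishes and re-fetches it on rotation. HMAC-SHA256 stands in for RS256 so the block runs without an RSA library, and the key sets are constructed rather than fetched.

```python
"""Static pinned key versus key lookup by kid, as in the rotation question.

Added example, not Keycloak adapter code. Keycloak signs tokens with RS256;
HMAC-SHA256 stands in here so the block runs without an RSA library, and the
key sets below are constructed, not fetched from a server.
"""
import base64
import hashlib
import hmac
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(payload: dict, kid: str, key: bytes) -> str:
    """Compact JWS whose header names the key (kid) that signed it."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    signing_input = header + "." + b64url(json.dumps(payload).encode())
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def verify_with_key(token: str, key: bytes) -> bool:
    """Static-key adapter: the key pinned in keycloak.json is all it trusts."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, b64url_decode(parts[2]))
    except ValueError:                        # malformed base64 in the signature
        return False

class RotatingKeyVerifier:
    """Rotation-aware adapter: select the key by kid and re-fetch the published
    key set when a kid is unknown, but at most once per min_refresh_interval so
    a stream of tokens with bogus kids cannot become a stream of fetches."""

    def __init__(self, fetch_keys, min_refresh_interval=10.0):
        self.fetch_keys = fetch_keys          # callable returning {kid: key}
        self.min_refresh_interval = min_refresh_interval
        self.keys = fetch_keys()
        self.last_refresh = float("-inf")
        self.refreshes = 0

    def verify(self, token: str) -> bool:
        try:
            header = json.loads(b64url_decode(token.split(".")[0]))
        except ValueError:                    # bad base64 or bad JSON
            return False
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False                      # the token must not choose the algorithm
        kid = header.get("kid")
        if kid not in self.keys and time.monotonic() - self.last_refresh >= self.min_refresh_interval:
            self.keys = self.fetch_keys()
            self.last_refresh = time.monotonic()
            self.refreshes += 1
        key = self.keys.get(kid)
        return key is not None and verify_with_key(token, key)

def demo():
    """(static_ok, rotating_ok) before and after the realm rotates its key."""
    realm_keys = {"k1": b"constructed-key-before-rotation"}   # server-side key set
    pinned = realm_keys["k1"]                 # what the old keycloak.json carries
    rotating = RotatingKeyVerifier(lambda: dict(realm_keys))
    t1 = sign({"sub": "alice"}, "k1", realm_keys["k1"])
    before = (verify_with_key(t1, pinned), rotating.verify(t1))
    realm_keys["k2"] = b"constructed-key-after-rotation"      # rotation: new active key
    t2 = sign({"sub": "alice"}, "k2", realm_keys["k2"])
    after = (verify_with_key(t2, pinned), rotating.verify(t2))
    return before, after

if __name__ == "__main__":
    print(demo())   # ((True, True), (False, True))
```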