Getting error Didn't find publicKey for specified kid
by Ganga Lakshmanasamy
Hi,
We have migrated from keycloak 1.9 to 3.2 recently and we have our app
deployed in wildfly 10. The keycloak.json file is configured with the
bearer only client and we use angular js as front end. We get the below
error while trying to call REST apis with the bearer token.
2017-10-10 13:20:04,644 ERROR [org.keycloak.adapters.rotation.AdapterRSATokenVerifier] (default task-3) Didn't find publicKey for kid: ZYQgZN0Duih0dG81_cNfvZYUDG78bZJ6y3CyVzich88
2017-10-10 13:20:04,644 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-3) Failed to verify token: org.keycloak.common.VerificationException: Didn't find publicKey for specified kid
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:47)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:55)
    at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.verifyToken(AdapterRSATokenVerifier.java:37)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
Please help in resolving the error.
Regards,
Ganga Lakshmanasamy
7 years, 3 months
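The error above is the adapter failing to map the token's `kid` header to a known realm signing key. As an added illustration (not the Keycloak adapter's code), this models how a bearer-only resource server resolves a signing key by `kid` from a cached JWKS and re-fetches the JWKS, rate-limited, when the `kid` is unknown; the kids, JWKS documents and token header are constructed sample data.

```javascript
// Added illustration (not the Keycloak adapter's code): resolve a token's signing
// key by the "kid" in its JWT header from a cached JWKS, re-fetching the JWKS at
// most once per refresh window when the kid is unknown. Kids, JWKS documents and
// the token header are constructed sample data.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

function decodeJwtHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(base64UrlDecode(parts[0]));
}

class KidKeyLocator {
  // fetchJwks returns { keys: [{ kid, kty, ... }] }. minRefreshMs rate-limits
  // re-fetches so a flood of tokens with unknown kids cannot hammer the JWKS endpoint.
  constructor(fetchJwks, minRefreshMs, now = Date.now) {
    this.fetchJwks = fetchJwks;
    this.minRefreshMs = minRefreshMs;
    this.now = now;
    this.keys = new Map();
    this.lastRefresh = -Infinity;
    this.fetches = 0;
  }
  refresh() {
    const t = this.now();
    if (t - this.lastRefresh < this.minRefreshMs) return false; // within rate limit
    this.lastRefresh = t;
    this.fetches += 1;
    this.keys = new Map(this.fetchJwks().keys.map((k) => [k.kid, k]));
    return true;
  }
  getPublicKey(kid) {
    if (!this.keys.has(kid)) this.refresh(); // unknown kid: the realm may have rotated keys
    const key = this.keys.get(kid);
    if (!key) throw new Error(`Didn't find publicKey for kid: ${kid}`);
    return key;
  }
}

// Resolve the key for a token; the algorithm is pinned so the header cannot pick another.
function resolveSigningKey(token, locator) {
  const { alg, kid } = decodeJwtHeader(token);
  if (alg !== 'RS256') throw new Error(`unexpected alg: ${alg}`);
  return locator.getPublicKey(kid);
}

// Constructed token carrying only a header; payload and signature are placeholders.
function headerOnlyToken(kid) {
  const h = Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid })).toString('base64');
  return `${h.replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_')}.e30.sig`;
}
```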
health check
by Simon Payne
Does Keycloak have any endpoints to check for operational health of a running
instance?
Which endpoint are we using for the purpose of monitoring health from the load
balancer?
thanks
Simon.
7 years, 3 months
Use Keycloak 2.5 Tomcat Adapter with RH-SSO 7.1?
by Lynne Lawrence
I feel sure that this question has already been answered but I have
searched and searched and cannot find it so please forgive me if I am being
redundant.
I am wondering: can the Keycloak 2.5 Tomcat adapter be used with the RH-SSO
7.1 server?
Thanks,
Lynne Lawrence
--
Lynne Lawrence
MACE | SNC
lynne.lawrence(a)macefusion.com
7 years, 3 months
UPDATE_PASSWORD won't go away for AD imported users...
by Adrian Matei
Hi Guys,
We've imported some Users from AD and they now have UPDATE_PASSWORD action
required, although this was not marked as *default_action*. The thing is
that we cannot click that away as admins - on top of that the
UPDATE_PASSWORD is not present in the USER_REQUIRED_ACTION table...
Any ideas? Would be very much appreciated...
Best regards,
Adrian
7 years, 3 months
GSS-API: Checksum failed
by Malte Finsterwalder
Hi there,
I try to connect my Keycloak Server to an Active Directory Server for
SSO on Windows clients.
I got it to work on one server which is accessible via HTTP.
Now I built up a new server with RedHat SSO and made it accessible via
HTTPS only with an SSL certificate from our own authority.
When I try to connect this server to our Active Directory, I always get
a "Checksum failed" error message (see stacktrace below).
Which Checksum is failing? Is this a problem of the keytab file? Of the
SSL communication? ...?
Any ideas what's actually failing and what can cause this?
Greetings,
Malte
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
    at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:617)
    at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
    17 lines skipped for [javax.servlet, sun., org.jboss, java.lang.reflect.Method]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:209)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    7 lines skipped for [sun.]
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
    ... 61 more
Caused by: KrbException: Checksum failed
    7 lines skipped for [sun.]
    ... 70 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    4 lines skipped for [sun.]
    ... 76 more
7 years, 3 months
simplesamlphp attribute is expected but missing
by Tiemen Ruiten
Hello,
I'm trying to authenticate Wordpress users with the help of the wp-saml-auth
plugin <https://wordpress.org/plugins/wp-saml-auth/> and the simplesamlphp
library <https://simplesamlphp.org/>. I'm not sure if this is an issue on
the Keycloak side or on the PHP side, hopefully someone can point me in the
right direction.
The redirect from the Wordpress login page to Keycloak is going fine, so I
login on the Keycloak page, but after the redirect back to Wordpress, I'm
getting this error:
"mail" attribute is expected, but missing, in SAML response. Attribute is
used to fetch existing user by "email". Please contact your administrator.
The user has an email address and is coming from an AD federation. There is
a user-attribute-ldap-mapper set up that maps the User Model Attribute
'email' to LDAP attribute 'mail'. I tried setting up a User Property mapper
in the client that maps the property 'email' to SAML Attribute name 'email'
(also tested with 'mail'), but it didn't make a difference in the error
message.
What am I missing? Does the application need to request the SAML-attributes
explicitly? Is there a way to intercept the SAML-response in the browser?
--
Tiemen Ruiten
Systems Engineer
R&D Media
7 years, 3 months
can't resolve groups from multiple group mappers
by Tiemen Ruiten
Hello,
I'm testing with the following setup:
In our Active Directory, which is federated to Keycloak, we have a
container with 'access' groups (groups that are used to give access to
certain applications, akin to Keycloak roles) and a container for 'user'
groups (eg. sales, it, marketing etc.). Users are always only direct
members of a user group. The access groups can only have user groups as
members, never users.
In Keycloak, I have created two LDAP-group-mappers for both containers, but
unfortunately, none of the user groups show any members. Is this expected?
Using Keycloak 3.2.1 Final.
--
Tiemen Ruiten
Systems Engineer
R&D Media
7 years, 3 months
How to silently get a new access token on Implicit Flow
by Marcel van Tongeren
Hi,
I am working on an Aurelia SPA with Keycloak as the identity server.
Since it is a web client, I'm using the Implicit variant of the OpenId Connect authorization flow.
Authentication works fine, but I'm having a problem with getting a new access token, without interrupting the workflow of the user.
The documentation states that I can't use UpdateToken (because there is no refresh token in Implicit flow) and that I should redirect to the login page instead.
Currently, I'm calling keycloak.login({prompt:'none'}) to do the redirect, but the problem is that you will lose all the data that the user entered on the current page, because it has the same effect as a full page refresh.
Now, I had the impression that the hidden IFrame was supposed to handle this, but I get the feeling that it is not much help when using the Implicit flow...?
There is plenty of documentation about initial authentication, but I couldn't find anything about 'refreshing' the access token when using the Implicit flow.
Is there another way to do the redirect, maybe from the IFrame, so it is all handled behind the scenes?
Btw, at first the IFrame wasn't created at all, because Aurelia fully replaces its root element, which happens to be the body element by default.
After I configured Aurelia's root element to be a child div of the body element, the IFrame seems to be created correctly.
Best regards,
Marcel
7 years, 3 months