No, the versions were not changed, as far as I know. But I’ll check it.
Thanks!
On 5 Dec 2017, at 11:29, Marek Posolda <mposolda(a)redhat.com> wrote:
Today, I've tested something and actually simulated the issue, which is very similar to your issue with the keys/providers. The stacktrace was almost the same.
In my case, it was caused by the fact that I messed things up a bit and "downgraded" Keycloak to use the database which had been used by the newer Keycloak before. In detail, what I did was:
- Started Keycloak 3.4.1 with clean MySQL DB
- Stopped Keycloak 3.4.1
- Started older Keycloak version 3.3.0 against the same MySQL DB, which was previously used for 3.4.1.
The reason it is broken is that in 3.4.1 some new implementations of providers were added, which are saved in the DB as ComponentModels. When you start the older 3.3.0 version, the ComponentModel is read from the DB, and it references new provider implementations which don't yet exist in 3.3.0. Hence it blows up and throws the stacktrace below.
Could it be the case that you messed things up in a similar manner and started an older version of KC against the "new" DB?
Marek
On 05/12/17 13:44, Marcelo Miura wrote:
> Actually that’s because it’s been running for one year and just now it started with the issues. Just trying to figure out what was the cause.
> Could these missing keys / providers have something to do with the direct grant authentication flow issue?
>
>
>> On 5 Dec 2017, at 06:16, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>
>> Are you actually using 2.4.0.CR1? That's old and unsupported, maybe you actually wanted to use 3.4.0.CR1? "hmac-generated" was added in 2.5.5.
>>
>> On 4 December 2017 at 18:40, Marcelo Miura <marcelo.miura(a)gdcommunity.co.uk> wrote:
>> Thanks for your answers.
>>
>>
>> http://localhost:8080/auth/admin/master/console/#/server-info/providers
>> On keys I see the following:
>> rsa
>> java-keystore
>> rsa-generated
>> On the COMPONENT table of the keycloak db, I could see 2 records related to hmac-generated. I removed both in an attempt to fix the problem (it’s happening on my dev server). On production I do not see those records and it's currently working fine.
>> Then, I tried to create the provider rsa again, so the old provider appeared back. Then I deleted the providers that I created and the error related to the keys is not showing anymore.
>> But I’m still facing the authentication issue by Direct Grant.
>>
>> On my local server I do not have this issue.
>> Version used: 2.4.0.CR1
>>
>>
>>> On 4 Dec 2017, at 14:34, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>
>>> Does this happen when you start latest Keycloak from clean state? Or did you migrate from some previous version?
>>>
>>> Marek
>>>
>>> On 04/12/17 14:57, Marcelo Miura wrote:
>>>> Hi,
>>>>
>>>> I’m using Direct Grant to authenticate with an admin user to be able to create new users into Keycloak and be able to reset user passwords.
>>>>
>>>> But for some reason, the authentication is not working anymore. It’s returning that the user credentials are invalid, as follows:
>>>> {
>>>> "error": "invalid_grant",
>>>> "error_description": "Invalid user credentials"
>>>> }
>>>>
>>>> But when logging in to the Admin Console, the credentials are working fine.
>>>>
>>>> Keycloak log:
>>>>
>>>> 2017-11-30 20:22:31,631 WARN [org.keycloak.events] (default task-29) type=LOGIN_ERROR, realmId=master, clientId=admin, userId=null, ipAddress=xxx.xx.xx.xx error=invalid_user_credentials, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=admin
>>>> 2017-11-30 20:22:31,631 WARN [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user <userid> from xxx.xx.xx.xx
>>>>
>>>> *replaced some values as required by the client
>>>>
>>>> Not sure if it’s related, but in the last days when accessing the realm settings - keys, it was displaying an error: "Error! An unexpected server error has occurred" and the tabs Active and Providers didn’t show any keys.
>>>> Keycloak log:
>>>>
>>>> 2017-11-30 20:20:52,033 ERROR [org.keycloak.keys.DefaultKeyManager] (default task-24) Failed to load provider <provider id>: java.lang.NullPointerException
>>>> at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:133)
>>>> at org.keycloak.keys.DefaultKeyManager.getPublicKey(DefaultKeyManager.java:70)
>>>> at org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:688)
>>>> at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:64)
>>>> at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:175)
>>>> at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
>>>> at sun.reflect.GeneratedMethodAccessor371.invoke(Unknown Source)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>>
>>>> 2017-11-30 20:20:52,038 ERROR [io.undertow.request] (default task-24) UT005023: Exception handling request to /auth/admin/realms/master/components: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>>>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>>> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:69)
>>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:39)
>>>> at org.keycloak.models.utils.StripSecretsUtils.strip(StripSecretsUtils.java:39)
>>>> at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:815)
>>>> at org.keycloak.services.resources.admin.ComponentResource.getComponents(ComponentResource.java:118)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>> ... 37 more
>>>> Caused by: java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>>>> at org.keycloak.models.utils.ComponentUtil.getComponentFactory(ComponentUtil.java:81)
>>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:56)
>>>> ... 55 more
>>>>
>>>>
>>>> But when I check the keycloak database, it seems that the key and provider are there.
>>>> Any thoughts?
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
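
The mismatch Marek describes (component rows that name a provider the running server does not implement) can be listed read-only before any rows are deleted. The following is an added example, not code from the thread or from Keycloak: it uses an in-memory SQLite table as a stand-in for the MySQL COMPONENT table, the column names and the key provider type string are assumptions about the schema, and every row is constructed. The available provider ids are the three listed under keys on the server-info page quoted in the thread.

```python
import sqlite3

# Provider ids the running server reports under "keys" on the
# server-info/providers page (the three values quoted in the thread).
AVAILABLE_KEY_PROVIDERS = {"rsa", "java-keystore", "rsa-generated"}
KEY_PROVIDER_TYPE = "org.keycloak.keys.KeyProvider"  # assumed SPI type name


def build_sample_db():
    """In-memory stand-in for the Keycloak DB; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE COMPONENT (ID TEXT PRIMARY KEY, NAME TEXT, "
        "REALM_ID TEXT, PROVIDER_ID TEXT, PROVIDER_TYPE TEXT)"
    )
    rows = [
        ("c1", "rsa-generated", "master", "rsa-generated", KEY_PROVIDER_TYPE),
        ("c2", "hmac-generated", "master", "hmac-generated", KEY_PROVIDER_TYPE),
        ("c3", "hmac-generated", "demo", "hmac-generated", KEY_PROVIDER_TYPE),
        ("c4", "rsa", "demo", "rsa", KEY_PROVIDER_TYPE),
        # Non-key component: skipped, because only the key provider
        # list of the running server is known here.
        ("c5", "ldap", "demo", "ldap", "org.keycloak.storage.UserStorageProvider"),
    ]
    db.executemany("INSERT INTO COMPONENT VALUES (?, ?, ?, ?, ?)", rows)
    return db


def orphaned_key_components(db, available):
    """Return (realm, component id, provider id) for key components whose
    provider id is not implemented by the running server."""
    cur = db.execute(
        "SELECT REALM_ID, ID, PROVIDER_ID FROM COMPONENT "
        "WHERE PROVIDER_TYPE = ? ORDER BY REALM_ID, ID",
        (KEY_PROVIDER_TYPE,),
    )
    return [row for row in cur if row[2] not in available]


if __name__ == "__main__":
    found = orphaned_key_components(build_sample_db(), AVAILABLE_KEY_PROVIDERS)
    for realm, comp_id, provider in found:
        print(f"realm={realm} component={comp_id} missing provider={provider}")
```
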