I finally figured out the issue and want to respond to my question in case
this helps anyone else. I had configured the client on the SSO IP realm
using a client template that had no mappers defined. I was able to fix the
login issue by simply recreating that client without a template so the
default mappers would be configured.
The error message above is pretty useless in finding something like this.
The end user login error response is completely opaque, and the above error
in the logs, "Not found serialized context in clientSession", may be useful
to those that understand the internals of Keycloak, but it is kinda useless
for Keycloak users like myself for figuring out configuration issues. I
also have not been able to find any documentation on what client session
notes really are, nor anything that would have helped me understand that client
mapping data is considered serialized context in a client session.
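A small audit that catches the misconfiguration described in this reply (a client created from a template with no protocol mappers) before users hit the opaque first-broker-login error. This is an added example, not code from the thread or from Keycloak; it assumes the admin REST API paths of that era (`/auth/admin/realms/{realm}/clients`, `admin-cli` password grant) and uses a constructed client list when run offline.

```python
"""Report Keycloak clients that define no protocol mappers, the setup that
produced "Not found serialized context in clientSession" in this thread.
Added example (not from the thread or the Keycloak project); assumes the
/auth-prefixed admin REST API and an admin password grant via admin-cli."""
import json
import sys
import urllib.parse
import urllib.request


def clients_without_mappers(clients):
    """Return the sorted clientIds of client representations whose
    protocolMappers list is missing or empty. Clients built from an empty
    client template show up here; default-created clients do not."""
    return sorted(c["clientId"] for c in clients if not c.get("protocolMappers"))


def admin_token(base_url, user, password):
    """Obtain an admin access token with the admin-cli password grant."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": user, "password": password}).encode()
    url = base_url + "/auth/realms/master/protocol/openid-connect/token"
    with urllib.request.urlopen(url, form) as resp:
        return json.load(resp)["access_token"]


def fetch_clients(base_url, realm, token):
    """Fetch every client representation (including protocolMappers) in a realm."""
    req = urllib.request.Request(f"{base_url}/auth/admin/realms/{realm}/clients",
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample modelled on the thread: the brokered client made from an
# empty template, and a default client that carries the standard OIDC mappers.
SAMPLE_CLIENTS = [
    {"clientId": "chassi-web-app", "protocol": "openid-connect", "protocolMappers": []},
    {"clientId": "account", "protocol": "openid-connect",
     "protocolMappers": [{"name": "username", "protocolMapper": "oidc-usermodel-property-mapper"},
                         {"name": "email", "protocolMapper": "oidc-usermodel-property-mapper"}]},
]

if __name__ == "__main__":
    if len(sys.argv) == 5:  # usage: audit.py BASE_URL REALM ADMIN_USER ADMIN_PASSWORD
        base, realm, user, pw = sys.argv[1:]
        clients = fetch_clients(base, realm, admin_token(base, user, pw))
    else:
        clients = SAMPLE_CLIENTS  # offline run against the constructed sample
    for cid in clients_without_mappers(clients):
        print(f"client {cid} has no protocol mappers; recreate it without the empty template")
```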
On Fri, Nov 10, 2017 at 2:58 PM, Stephen Henrie <stephen(a)saasindustries.com>
wrote:
When running a Keycloak instance as a localhost using the default H2
database backend, I have been successful at configuring SSO identity
providers across Keycloak realms, so that one primary realm acts as the
identity provider and the other realms are authenticating against that
primary realm using an IP link.
However, when I try to do the same thing in our cloud environment using a
Postgres database backend, I am getting the generic "Invalid username or
password." error which happens during the default first broker login
authorization sequence. I have some debugging info below. Can someone help
me understand what it is trying to tell me?
I believe that I have things configured exactly the same in both my
localhost and in the cloud instances, so I am struggling to understand the
source of the problem.
Any help is appreciated.
Thanks
Stephen
21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) processFlow
21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) check execution: idp-review-profile requirement: DISABLED
21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) execution is processed
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) check execution: idp-create-user-if-unique requirement:
ALTERNATIVE
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) authenticator: idp-create-user-if-unique
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) invoke authenticator.authenticate:
idp-create-user-if-unique
21:42:30,975 WARN [org.keycloak.services] (default task-50)
KC-SERVICES0020: Email is null. Reset flow and enforce showing
reviewProfile page
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor]
(default task-50) RESET FLOW
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor]
(default task-50) AUTHENTICATE
21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor]
(default task-50) AUTHENTICATE ONLY
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) processFlow
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) check execution: idp-review-profile requirement: DISABLED
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) execution is processed
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) check execution: idp-create-user-if-unique requirement:
ALTERNATIVE
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) authenticator: idp-create-user-if-unique
21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow]
(default task-50) invoke authenticator.authenticate:
idp-create-user-if-unique
21:42:30,975 WARN [org.keycloak.services] (default task-50)
KC-SERVICES0013: Failed authentication:
org.keycloak.authentication.AuthenticationFlowException:
Not found serialized context in clientSession
at org.keycloak.authentication.authenticators.broker.
AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:66)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
DefaultAuthenticationFlow.java:200)
at org.keycloak.authentication.AuthenticationProcessor.
authenticateOnly(AuthenticationProcessor.java:843)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(
AuthenticationProcessor.java:714)
at org.keycloak.authentication.DefaultAuthenticationFlow.
processResult(DefaultAuthenticationFlow.java:264)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
DefaultAuthenticationFlow.java:201)
at org.keycloak.authentication.AuthenticationProcessor.
authenticateOnly(AuthenticationProcessor.java:843)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(
AuthenticationProcessor.java:714)
at org.keycloak.services.resources.LoginActionsService.processFlow(
LoginActionsService.java:279)
at org.keycloak.services.resources.LoginActionsService.
brokerLoginFlow(LoginActionsService.java:713)
at org.keycloak.services.resources.LoginActionsService.
firstBrokerLoginGet(LoginActionsService.java:632)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(
NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
21:42:30,976 WARN [org.keycloak.events] (default task-50)
type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=experiment,
clientId=chassi-web-app, userId=null, ipAddress=172.17.0.1,
error=invalid_user_credentials, identity_provider=chassi-oidc,
auth_method=openid-connect, redirect_uri=http://localhost:3000/,
identity_provider_identity=abfa50e5-57ad-4b53-ab72-7cbd6fca8465,
code_id=60963d99-cf55-4e0a-8e28-df0ddacadf5f
21:4