Ok, I understand your thoughts.
So I’ll probably find some issues if I ran a newer version of keycloak on the same
database if I try to upgrade it?
On 5 Dec 2017, at 18:16, Stian Thorgersen <sthorger(a)redhat.com> wrote:
As "hmac-generated" was introduced in 2.5.5 there is no way you would have that
in the DB unless you have imported data from a newer Keycloak or have run a newer Keycloak
against the DB.
We also will not support you on any issues in Keycloak unless you use the latest version.
We simply don't have capacity to do that in the free community version.
On 5 December 2017 at 15:25, Marcelo Miura <marcelo.miura(a)gdcommunity.co.uk> wrote:
No, the versions were not changed, as far as I know. But I’ll check it.
Thanks!
> On 5 Dec 2017, at 11:29, Marek Posolda <mposolda(a)redhat.com> wrote:
>
> Today, I've tested something and actually simulated the issue, which is very similar to your issue with the keys/providers. The stacktrace was almost the same.
>
> In my case, it was caused by the fact that I messed things up a bit and "downgraded" the Keycloak to use the database, which was using the newer Keycloak before. In detail, what I did was:
> - Started Keycloak 3.4.1 with clean MySQL DB
> - Stopped Keycloak 3.4.1
> - Started older Keycloak version 3.3.0 against the same MySQL DB, which was previously used for 3.4.1.
>
> The reason it is broken is that in 3.4.1 some new implementations of providers were added, which are saved in DB as ComponentModels. When you start the older 3.3.0 version, the ComponentModel is read from DB, which references new provider implementations, which don't yet exist in 3.3.0. Hence it blows up and throws the stacktrace below.
>
> Could it be the case that you messed things up in a similar manner and started an older version of KC against the "new" DB?
>
> Marek
>
> On 05/12/17 13:44, Marcelo Miura wrote:
>> Actually that’s because it’s been running for one year and just now it started with the issues. Just trying to figure out what was the cause.
>> Could these missing keys / providers have something to do with the direct grant authentication flow issue?
>>
>>
>>> On 5 Dec 2017, at 06:16, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>
>>> Are you actually using 2.4.0.CR1? That's old and unsupported, maybe you actually wanted to use 3.4.0.CR1? "hmac-generated" was added in 2.5.5.
>>>
>>> On 4 December 2017 at 18:40, Marcelo Miura <marcelo.miura(a)gdcommunity.co.uk> wrote:
>>> Thanks for your answers.
>>>
>>>
>>> http://localhost:8080/auth/admin/master/console/#/server-info/providers
>>> On keys I see the following:
>>> rsa
>>> java-keystore
>>> rsa-generated
>>> On the COMPONENT table of the keycloak db, I could see 2 records related to hmac-generated. I removed both in an attempt to fix the problem (it’s happening on my dev server). On production I do not see those records and it's currently working fine.
>>> Then, I tried to create the provider rsa again, so the old provider appeared back. Then I deleted the providers that I created and the error related to the keys is not showing anymore.
>>> But I’m still facing the authentication issue by Direct Grant.
>>>
>>> On my local server I do not have this issue.
>>> Version used: 2.4.0.CR1
>>>
>>>
>>>> On 4 Dec 2017, at 14:34, Marek Posolda <mposolda(a)redhat.com> wrote:
>>>>
>>>> Does this happen when you start latest Keycloak from clean state? Or did you migrate from some previous version?
>>>>
>>>> Marek
>>>>
>>>> On 04/12/17 14:57, Marcelo Miura wrote:
>>>>> Hi,
>>>>>
>>>>> I’m using Direct Grant to authenticate with an admin user to be able to create new users into Keycloak and be able to reset user passwords.
>>>>>
>>>>> But for some reason, the authentication is not working anymore. It’s returning that the user credentials are invalid, as follows:
>>>>> {
>>>>> "error": "invalid_grant",
>>>>> "error_description": "Invalid user credentials"
>>>>> }
>>>>>
>>>>> But when logging in to the Admin Console, the credentials are working fine.
>>>>>
>>>>> Keycloak log:
>>>>>
>>>>> 2017-11-30 20:22:31,631 WARN [org.keycloak.events] (default task-29) type=LOGIN_ERROR, realmId=master, clientId=admin, userId=null, ipAddress=xxx.xx.xx.xx error=invalid_user_credentials, auth_method=openid-connect, grant_type=password, client_auth_method=client-secret, username=admin
>>>>> 2017-11-30 20:22:31,631 WARN [org.keycloak.services] (Brute Force Protector) KC-SERVICES0053: login failure for user <userid> from xxx.xx.xx.xx
>>>>>
>>>>> *replaced some values as required by the client
>>>>>
>>>>> Not sure if it’s related but on the last days when accessing the realm settings - keys, it was displaying an error: "Error! An unexpected server error has occurred" and the tabs Active and Providers didn’t show any keys.
>>>>> Keycloak log:
>>>>>
>>>>> 2017-11-30 20:20:52,033 ERROR [org.keycloak.keys.DefaultKeyManager] (default task-24) Failed to load provider <provider id>: java.lang.NullPointerException
>>>>> at org.keycloak.keys.DefaultKeyManager.getProviders(DefaultKeyManager.java:133)
>>>>> at org.keycloak.keys.DefaultKeyManager.getPublicKey(DefaultKeyManager.java:70)
>>>>> at org.keycloak.services.managers.AuthenticationManager.verifyIdentityToken(AuthenticationManager.java:688)
>>>>> at org.keycloak.services.managers.AppAuthManager.authenticateBearerToken(AppAuthManager.java:64)
>>>>> at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:175)
>>>>> at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
>>>>> at sun.reflect.GeneratedMethodAccessor371.invoke(Unknown Source)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>>
>>>>> 2017-11-30 20:20:52,038 ERROR [io.undertow.request] (default task-24) UT005023: Exception handling request to /auth/admin/realms/master/components: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>>>>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>>>>> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(Pr...
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: java.lang.RuntimeException: java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>>>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:69)
>>>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:39)
>>>>> at org.keycloak.models.utils.StripSecretsUtils.strip(StripSecretsUtils.java:39)
>>>>> at org.keycloak.models.utils.ModelToRepresentation.toRepresentation(ModelToRepresentation.java:815)
>>>>> at org.keycloak.services.resources.admin.ComponentResource.getComponents(ComponentResource.java:118)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:498)
>>>>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>> ... 37 more
>>>>> Caused by: java.lang.IllegalArgumentException: No such provider 'hmac-generated'
>>>>> at org.keycloak.models.utils.ComponentUtil.getComponentFactory(ComponentUtil.java:81)
>>>>> at org.keycloak.models.utils.ComponentUtil.getComponentConfigProperties(ComponentUtil.java:56)
>>>>> ... 55 more
>>>>>
>>>>>
>>>>> But when I check the keycloak database, seems that the key and provider are there.
>>>>> Any thoughts?
>
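
The mismatch Marek describes, component rows that name a provider the running server does not ship, can be checked before a server is started against an existing database. The following is an added example, not part of the original thread and not Keycloak code: it compares PROVIDER_ID values in a COMPONENT table with the key providers listed on the server-info page and extracts the provider named in the log error. The column names, sample rows and function names are assumptions, and the data is constructed.

```python
import re
import sqlite3

KEY_TYPE = "org.keycloak.keys.KeyProvider"
# Key provider ids the server in the thread listed on its providers page.
INSTALLED = {KEY_TYPE: {"rsa", "java-keystore", "rsa-generated"}}

def build_sample_db():
    """Constructed stand-in for the COMPONENT table (column names assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE COMPONENT (ID TEXT PRIMARY KEY, NAME TEXT, "
               "REALM_ID TEXT, PROVIDER_TYPE TEXT, PROVIDER_ID TEXT)")
    db.executemany("INSERT INTO COMPONENT VALUES (?, ?, ?, ?, ?)", [
        ("c1", "rsa-generated", "master", KEY_TYPE, "rsa-generated"),
        ("c2", "hmac-generated", "master", KEY_TYPE, "hmac-generated"),
        ("c3", "hmac-generated", "demo", KEY_TYPE, "hmac-generated"),
        ("c4", "ldap", "demo", "org.keycloak.storage.UserStorageProvider", "ldap"),
    ])
    return db

def orphaned_components(db, installed):
    """Return rows whose PROVIDER_ID the running server has no factory for.

    Provider types missing from `installed` are skipped, not flagged,
    because there is no inventory to compare them against.
    """
    orphans = []
    query = ("SELECT ID, REALM_ID, PROVIDER_TYPE, PROVIDER_ID "
             "FROM COMPONENT ORDER BY ID")
    for comp_id, realm, ptype, pid in db.execute(query):
        if ptype in installed and pid not in installed[ptype]:
            orphans.append((comp_id, realm, pid))
    return orphans

NO_PROVIDER = re.compile(r"No such provider '([^']+)'")

def providers_named_in_log(lines):
    """Provider ids that the server log reports as unknown."""
    return {m.group(1) for line in lines for m in NO_PROVIDER.finditer(line)}

SAMPLE_LOG = [  # the error line from the thread, shortened
    "ERROR [io.undertow.request] (default task-24) UT005023: ... "
    "java.lang.IllegalArgumentException: No such provider 'hmac-generated'",
]

if __name__ == "__main__":
    db = build_sample_db()
    for comp_id, realm, pid in orphaned_components(db, INSTALLED):
        print(f"component {comp_id} in realm {realm}: no provider '{pid}'")
    print("named in log:", sorted(providers_named_in_log(SAMPLE_LOG)))
```
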