Hi Bill,

    Another update:  I was able to reslove SSL handsack issue. And can now assure that the trust between keycloak server and aerogear client is established. 

    I am still running into an issue whereby upon login the adapter expects a cookie and does not find it?  Does aerogear team have to enhance anything to obtain this "state cookie"?? below is the debug trace from aerogear side.

Aerogear Log:
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmzSEldZpo58vUh2e3Ik9r6Yu8.75228531-4f07-4b99-9c4f-acd5abc111fd&state=322036a7-b0b6-40b7-852f-60aa592bce01
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.PreAuthActionsHandler] (default task-17) adminRequest https://XXX.XXX.XXX.XXX:8443/ag-push/index.html?code=IcrbsPykYJ5v8UeXHgmzSEldZpo58vUh2e3Ik9r6Yu8.75228531-4f07-4b99-9c4f-acd5abc111fd&state=322036a7-b0b6-40b7-852f-60aa592bce01
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.RequestAuthenticator] (default task-17) Account was not in session, returning null
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) there was a code, resolving
2014-11-17 07:40:21,804 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) checking state cookie for after code
2014-11-17 07:40:21,804 WARN  [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-17) No state cookie

Regards,
Pratik Parikh




On Sat, Nov 15, 2014 at 1:39 PM, Pratik Parikh <pratik.p.parikh@gmail.com> wrote:
Hi Bill,

    My goal is get liveoak, aerogear and keycloak working on different servers.  LiveOak uses Keycloak and Aerogear.  Following are the steps i took.

    1) Install Keycloak on one server with self signed certificate.  It is accessible via https://XXX.XXX.XXX.XXX:8443/auth.  Worked
    2) Installed AreoGear on another server with self signed certificate.  It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push.  Worked
    3) Imported attached  JSON in as a new aerogear realm in keycloak.   Worked
    4) Updated Keycloak to use MongoDB. Worked
    5) Update application aerogear with keycloak.json restarted wildfly server. Updated application under AreoGear to use https://XXX.XXX.XXX.XXX:8443/ag-push/* as a redirect uri. Worked.
    6) Restarted both the wildfly servers.
    7) After restart tried to login to https://XXX.XXX.XXX.XXX:8443/ag-push/ forwarded me to https://XXX.XXX.XXX.XXX:8443/auth login page.  Successfull login was achieved.
    8) PROBLEM: After login redirect to https://XXX.XXX.XXX.XXX:8443/ag-push/ where by i get error "No state cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator line 116 because the adapter can not find a cookie with name "OAuth_Token_Request_State" in HTTP.

   Troubleshooting Try 1.
   1) updated aerogear to use 1.0.1.Beta1 Adapter.  Still works does not solve the problem same error.

   Troubleshooting Try 2.
   1) updated keycloak.json by adding "disable-trust-manager": true.  Still works does not solve the problem same error.
   
   Troubleshooting Try 3.  
   1) updated keycloak.json by adding "disable-trust-manager": false,"truststore": "/path","truststore-password": "password".  Still works doe not solve the problem.  I have a question is "truststore" a local path to the keycloak jks cert or this is a path to remote keycloak cert?  I copied the keycloak.jks and pointed to that locally using ${jboss.server.config.dir}/trustcerts/keycloak.jks? is this correct? After doing this i tried to invoke 

  https://XXX.XXX.XXXX.XXXX:8443/ag-push/rest/ping 

  Get the login screen

  then i get Forbidden with below exception:
  
  2014-11-15 18:31:13,664 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) [jsse.jar:1.8.0_25]
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) [httpclient-4.2.1.jar:4.2.1]
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784) [httpclient-4.2.1.jar:4.2.1]
        at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116) [keycloak-adapter-core-1.0.4.Final.jar:]
        at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93) [keycloak-adapter-core-1.0.4.Final.jar:]
        at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256) [keycloak-adapter-core-1.0.4.Final.jar:]
        at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205) [keycloak-adapter-core-1.0.4.Final.jar:]
        at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68) [keycloak-adapter-core-1.0.4.Final.jar:]
        at org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82) [keycloak-undertow-adapter-1.0.4.Final.jar:]
        at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61) [keycloak-undertow-adapter-1.0.4.Final.jar:]
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.0.4.Final.jar:]
        at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.0.4.Final.jar:]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

      Please help i feel like i am very close just missing something simple.


Regards,
Pratik Parikh

On Fri, Nov 14, 2014 at 9:34 AM, Pratik Parikh <pratik.p.parikh@gmail.com> wrote:
Hi Bill,

    My goal is get liveoak, aerogear and keycloak working on different servers.  LiveOak uses Keycloak and Aerogear.  Following are the steps i took.

    1) Install Keycloak on one server with self signed certificate.  It is accessible via https://XXX.XXX.XXX.XXX:8443/auth.  Worked
    2) Installed AreoGear on another server with self signed certificate.  It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push.  Worked
    3) Imported attached  JSON in as a new aerogear realm in keycloak.   Worked
    4) Updated Keycloak to use MongoDB. Worked
    5) Update application aerogear with keycloak.json restarted wildfly server. Updated application under AreoGear to use https://XXX.XXX.XXX.XXX:8443/ag-push/* as a redirect uri. Worked.
    6) Restarted both the wildfly servers.
    7) After restart tried to login to https://XXX.XXX.XXX.XXX:8443/ag-push/ forwarded me to https://XXX.XXX.XXX.XXX:8443/auth login page.  Successfull login was achieved.
    8) PROBLEM: After login redirect to https://XXX.XXX.XXX.XXX:8443/ag-push/ where by i get error "No state cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator line 116 because the adapter can not find a cookie with name "OAuth_Token_Request_State" in HTTP.

   Troubleshooting Try 1.
   1) updated aerogear to use 1.0.1.Beta1 Adapter.  Still works does not solve the problem same error.

   Troubleshooting Try 2.
   1) updated keycloak.json by adding "disable-trust-manager": true.  Still works does not solve the problem same error.
   
   Troubleshooting Try 2.  Still have not done but will do today is 
   1) updated keycloak.json by adding "disable-trust-manager": false,"truststore": "/path","truststore-password": "password".  Will report back shortly.

Regards,
Pratik Parikh

On Fri, Nov 14, 2014 at 8:46 AM, Bill Burke <bburke@redhat.com> wrote:
Can you explain your problem again?  I think I am misunderstanding what
problems you are having.  You linked this message:

http://lists.jboss.org/pipermail/keycloak-user/2014-November/001170.html

We do not support OIDC scope param, but you can limit the application's
scope in the admin console.

On 11/13/2014 10:28 PM, Pratik Parikh wrote:
> Hi Bill,
>
>      Is this because both of my server (keycloak and aerogear are
> https).  Do i need to establish trust between them?
>
> Regards,
> Pratik Parikh
>
> On Thu, Nov 13, 2014 at 8:18 PM, Pratik Parikh
> <pratik.p.parikh@gmail.com <mailto:pratik.p.parikh@gmail.com>> wrote:
>
>     Hi Bill,
>
>          Thanks i turned the scope off under the application but that
>     did not help.  Could you please help us understand what is going
>     on.  I am trying to look the code but seems like it is going to take
>     be a bit to figure it out.  It seems like HttpFacade.Cookies is
>     suppose to have state cookie which is contained in
>     KeycloakDeployment. I did try what you suggest was that not
>     correctly understood by me? I am new to keycloak but this is a great
>     project would like to understand it and use it to its fullest
>     extend. Can you help me get past this problem. Thanks in advance.
>
>     Regards,
>     --
>     Pratik Parikh
>     - Mantra - Keep It Simple and Straightforward
>
>
>
>
> --
> Pratik Parikh
> - Mantra - Keep It Simple and Straightforward
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user



--
Pratik Parikh
- Mantra - Keep It Simple and Straightforward



--
Pratik Parikh
- Mantra - Keep It Simple and Straightforward



--
Pratik Parikh
- Mantra - Keep It Simple and Straightforward