Re: [keycloak-user] failed verification of token

Saturday, 15 November 2014

Hi Bill,

    My goal is get liveoak, aerogear and keycloak working on different
servers.  LiveOak uses Keycloak and Aerogear.  Following are the steps i
took.

    1) Install Keycloak on one server with self signed certificate.  It is
accessible via https://XXX.XXX.XXX.XXX:8443/auth
<https://xxx.xxx.xxx.xxx:8443/auth>;.  Worked
    2) Installed AreoGear on another server with self signed certificate.
It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push
<https://xxx.xxx.xxx.xxx:8443/ag-push>;.  Worked
    3) Imported attached  JSON in as a new aerogear realm in keycloak.
  Worked
    4) Updated Keycloak to use MongoDB. Worked
    5) Update application aerogear with keycloak.json restarted wildfly
server. Updated application under AreoGear to use
https://XXX.XXX.XXX.XXX:8443/ag-push/*
<https://xxx.xxx.xxx.xxx:8443/ag-push/*> as a redirect uri. Worked.
    6) Restarted both the wildfly servers.
    7) After restart tried to login to https://XXX.XXX.XXX.XXX:8443/ag-push/
<https://xxx.xxx.xxx.xxx:8443/ag-push/> forwarded me to
https://XXX.XXX.XXX.XXX:8443/auth <https://xxx.xxx.xxx.xxx:8443/auth> login
page.  Successfull login was achieved.
    8) PROBLEM: After login redirect to
https://XXX.XXX.XXX.XXX:8443/ag-push/
<https://xxx.xxx.xxx.xxx:8443/ag-push/> where by i get error "No state
cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator
line 116 because the adapter can not find a cookie with name "
OAuth_Token_Request_State" in HTTP.

   Troubleshooting Try 1.
   1) updated aerogear to use 1.0.1.Beta1 Adapter.  Still works does not
solve the problem same error.

   Troubleshooting Try 2.
   1) updated keycloak.json by adding *"disable-trust-manager": true*.
Still works does not solve the problem same error.

   Troubleshooting Try 3.
   1) updated keycloak.json by adding *"disable-trust-manager":
false,"truststore": "/path","truststore-password":
"password"*.  Still
works doe not solve the problem.  I have a question is "*truststore*" a
local path to the keycloak jks cert or this is a path to remote keycloak
cert?  I copied the keycloak.jks and pointed to that locally using
${jboss.server.config.dir}/trustcerts/keycloak.jks?
is this correct? After doing this i tried to invoke

  https://XXX.XXX.XXXX.XXXX:8443/ag-push/rest/ping

  Get the login screen

  then i get Forbidden with below exception:

  2014-11-15 18:31:13,664 ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-6) failed
to turn code into token: javax.net.ssl.SSLPeerUnverifiedException: peer not
authenticated
        at
sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
[jsse.jar:1.8.0_25]
        at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
[httpclient-4.2.1.jar:4.2.1]
        at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
[httpclient-4.2.1.jar:4.2.1]
        at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116)
[keycloak-adapter-core-1.0.4.Final.jar:]
        at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93)
[keycloak-adapter-core-1.0.4.Final.jar:]
        at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256)
[keycloak-adapter-core-1.0.4.Final.jar:]
        at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205)
[keycloak-adapter-core-1.0.4.Final.jar:]
        at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
[keycloak-adapter-core-1.0.4.Final.jar:]
        at
org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
        at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
        at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
        at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
        at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
[undertow-core-1.0.15.Final.jar:1.0.15.Final]
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
[rt.jar:1.8.0_25]
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
[rt.jar:1.8.0_25]
        at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

      Please help i feel like i am very close just missing something simple.

Regards,
Pratik Parikh

On Fri, Nov 14, 2014 at 9:34 AM, Pratik Parikh <pratik.p.parikh(a)gmail.com&gt;
wrote:

...
 Hi Bill,

     My goal is get liveoak, aerogear and keycloak working on different
 servers.  LiveOak uses Keycloak and Aerogear.  Following are the steps i
 took.

     1) Install Keycloak on one server with self signed certificate.  It is
 accessible via https://XXX.XXX.XXX.XXX:8443/auth.  Worked
     2) Installed AreoGear on another server with self signed certificate.
 It is accessible via https://XXX.XXX.XXX.XXX:8443/ag-push.  Worked
     3) Imported attached  JSON in as a new aerogear realm in keycloak.
   Worked
     4) Updated Keycloak to use MongoDB. Worked
     5) Update application aerogear with keycloak.json restarted wildfly
 server. Updated application under AreoGear to use
 https://XXX.XXX.XXX.XXX:8443/ag-push/* as a redirect uri. Worked.
     6) Restarted both the wildfly servers.
     7) After restart tried to login to
 https://XXX.XXX.XXX.XXX:8443/ag-push/ forwarded me to
 https://XXX.XXX.XXX.XXX:8443/auth login page.  Successfull login was
 achieved.
     8) PROBLEM: After login redirect to
 https://XXX.XXX.XXX.XXX:8443/ag-push/ where by i get error "No state
 cookie" in AreoGear log, which is coming from OAuthRequestAuthenticator
 line 116 because the adapter can not find a cookie with name "
 OAuth_Token_Request_State" in HTTP.

    Troubleshooting Try 1.
    1) updated aerogear to use 1.0.1.Beta1 Adapter.  Still works does not
 solve the problem same error.

    Troubleshooting Try 2.
    1) updated keycloak.json by adding *"disable-trust-manager": true*.
 Still works does not solve the problem same error.

    Troubleshooting Try 2.  Still have not done but will do today is
    1) updated keycloak.json by adding *"disable-trust-manager":
 false,"truststore": "/path","truststore-password":
"password"*.  Will
 report back shortly.

 Regards,
 Pratik Parikh

 On Fri, Nov 14, 2014 at 8:46 AM, Bill Burke <bburke(a)redhat.com&gt; wrote:

> Can you explain your problem again?  I think I am misunderstanding what
> problems you are having.  You linked this message:
>
> http://lists.jboss.org/pipermail/keycloak-user/2014-November/001170.html
>
> We do not support OIDC scope param, but you can limit the application's
> scope in the admin console.
>
> On 11/13/2014 10:28 PM, Pratik Parikh wrote:
> > Hi Bill,
> >
> >      Is this because both of my server (keycloak and aerogear are
> > https).  Do i need to establish trust between them?
> >
> > Regards,
> > Pratik Parikh
> >
> > On Thu, Nov 13, 2014 at 8:18 PM, Pratik Parikh
> > <pratik.p.parikh(a)gmail.com <mailto:pratik.p.parikh@gmail.com>>
wrote:
> >
> >     Hi Bill,
> >
> >          Thanks i turned the scope off under the application but that
> >     did not help.  Could you please help us understand what is going
> >     on.  I am trying to look the code but seems like it is going to take
> >     be a bit to figure it out.  It seems like HttpFacade.Cookies is
> >     suppose to have state cookie which is contained in
> >     KeycloakDeployment. I did try what you suggest was that not
> >     correctly understood by me? I am new to keycloak but this is a great
> >     project would like to understand it and use it to its fullest
> >     extend. Can you help me get past this problem. Thanks in advance.
> >
> >     Regards,
> >     --
> >     Pratik Parikh
> >     - Mantra - Keep It Simple and Straightforward
> >
> >
> >
> >
> > --
> > Pratik Parikh
> > - Mantra - Keep It Simple and Straightforward
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

 --
 Pratik Parikh
 - Mantra - Keep It Simple and Straightforward

-- 
Pratik Parikh
- Mantra - Keep It Simple and Straightforward

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

Re: [keycloak-user] failed verification of token