Oops. Added /auth at the end of my SSO URL and now Spring Boot + Keycloak
rocks in OpenShift.
On Wed, Dec 14, 2016 at 12:28 PM, Sebastien Blanc <sblanc(a)redhat.com> wrote:
URL from configuration is the one from the keycloak.json:
"auth-server-url", looks like you forgot an /auth
On Wed, Dec 14, 2016 at 12:02 PM, Charles Moulliard <cmoullia(a)redhat.com> wrote:
> The curl request works now but I'm getting this error when the token
> received will be checked by the SpringBoot Tomcat Adapter
>
> Request
>
> curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>   -d grant_type=password -d username=admin -d client_secret=MYSECRET \
>   -d password=admin -d client_id=demoapp
>
> What does "URL from configuration" refer to?
>
> 2016-12-14 10:49:29.273 ERROR 1 --- [nio-8080-exec-6] o.k.a.BearerTokenRequestAuthenticator : Failed to verify token
>
> org.keycloak.common.VerificationException: Token audience doesn't match domain. Token issuer is https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master, but URL from configuration is https://secure-sso-sso.e8ca.engint.openshiftapps.com/realms/master
> at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:49) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
> at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35) ~[keycloak-core-1.9.8.Final.jar!/:1.9.8.Final]
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
> at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65) ~[keycloak-adapter-core-1.9.8.Final.jar!/:1.9.8.Final]
> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:206) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
> at org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:48) ~[keycloak-tomcat8-adapter-1.9.8.Final.jar!/:1.9.8.Final]
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:577) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) ~[keycloak-tomcat-core-adapter-1.9.8.Final.jar!/:1.9.8.Final]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:528) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1100) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:687) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1520) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1476) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_101]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_101]
> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.0.36.jar!/:8.0.36]
> at java.lang.Thread.run(Thread.java:745) [na:1.8.0_101]
>
> Charles Moulliard
> Sr. Pr. Software Engineer @redhat
> cmoulliard(a)redhat.com | work: +31 205 65 12 84 | mobile: +32 473 60 40 14
> Twitter: @cmoulliard <http://twitter.com/cmoulliard> | blog: cmoulliard.github.io
> committer: apache camel, karaf, servicemix, hawtio, fabric8, drools,
> jbpm, deltaspike
>
> On Wed, Dec 14, 2016 at 8:56 AM, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> Your guess is correct. Or you can also use the much more complicated way
>> of using basic auth header for client id and secret, but let's not get into
>> that ;)
>>
>> On 14 December 2016 at 08:54, Sebastien Blanc <sblanc(a)redhat.com> wrote:
>>
>>> I guess "-d client_secret=my_secret" ? ;)
>>>
>>> On Wed, Dec 14, 2016 at 8:48 AM, Charles Moulliard <cmoullia(a)redhat.com> wrote:
>>>
>>>> How do I provide the client secret within the curl request ? An example
>>>> would be great ;-)
>>>>
>>>> On Wed, Dec 14, 2016 at 8:27 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
>>>>
>>>> > Error message is pretty self explanatory here - you're missing the
>>>> > client secret
>>>> >
>>>> > On 14 December 2016 at 08:17, Charles Moulliard <cmoullia(a)redhat.com> wrote:
>>>> >
>>>> >> Hi,
>>>> >>
>>>> >> Why do I get this error when I issue this curl request to get a token
>>>> >>
>>>> >> curl -sk -X POST https://secure-sso-sso.e8ca.engint.openshiftapps.com/auth/realms/master/protocol/openid-connect/token \
>>>> >>   -d grant_type=password -d username=admin -d password=admin -d client_id=demoapp
>>>> >>
>>>> >> {"error_description":"Client secret not provided in request","error":"unauthorized_client"}
>>>> >>
>>>> >> Keycloak Version : 1.9.8
>>>> >> client_id: demoapp
>>>> >>
>>>> >> Do I have to set another field instead of username/password &
>>>> >> grant_type=password ?
>>>> >>
>>>> >> Regards,
>>>> >>
>>>> >> Charles
>>>> >> _______________________________________________
>>>> >> keycloak-user mailing list
>>>> >> keycloak-user(a)lists.jboss.org
>>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>> >>
>>>> >
>>>> >
>>>>
>>>
>>>
>>
>
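
The issuer mismatch in this thread can be caught before deployment by comparing a token's `iss` claim with the realm URL that keycloak.json yields. The following is an added example, not part of the original thread and not Keycloak's own code: it assumes the realm URL is `auth-server-url` + `/realms/` + `realm`, decodes the token without verifying its signature (diagnostic use only), and uses the placeholder host `sso.example.test` with a constructed token.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def realm_url(cfg):
    """Assumed construction: auth-server-url + /realms/ + realm (from keycloak.json)."""
    return f"{cfg['auth-server-url'].rstrip('/')}/realms/{cfg['realm']}"

def check_issuer(token, cfg):
    """Return (ok, message) comparing the token's iss claim with the configured URL."""
    issuer = jwt_claims(token).get("iss")
    expected = realm_url(cfg)
    if issuer == expected:
        return True, f"issuer matches {expected}"
    # Recognise the specific mistake from the thread: "/auth" left off the base URL.
    with_auth = {**cfg, "auth-server-url": cfg["auth-server-url"].rstrip("/") + "/auth"}
    hint = ""
    if issuer == realm_url(with_auth):
        hint = ' (auth-server-url is missing the "/auth" context path)'
    return False, f"token issuer is {issuer}, but URL from configuration is {expected}{hint}"

def _constructed_token(claims):
    """Build an unsigned sample token for the demo; the signature part is a dummy."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

# Constructed sample data; sso.example.test stands in for the real SSO host.
SAMPLE_TOKEN = _constructed_token(
    {"iss": "https://sso.example.test/auth/realms/master", "aud": "demoapp"})
BROKEN = {"realm": "master", "auth-server-url": "https://sso.example.test",
          "resource": "demoapp"}
FIXED = {**BROKEN, "auth-server-url": "https://sso.example.test/auth"}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_issuer(SAMPLE_TOKEN, cfg))
```
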