Hi Marko,

I use Keycloak 1.4.0.Final but it's the same with the latest one.

Here is the error that I get from the "KeycloakInstalled" adaptor but it's the same for at least the Jetty9.2 one:

//---------------------------------------------------------------------
Open the following URL in a browser. After login copy/paste the code back and press <enter>
https://sso.gnubila.fr/auth/realms/Tests/protocol/openid-connect/auth?response_type=code&client_id=pandora-web-service-client&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob

Code: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:122)
    at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:95)
    at org.keycloak.adapters.installed.KeycloakInstalled.processCode(KeycloakInstalled.java:232)
    at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:168)
    at org.keycloak.adapters.installed.KeycloakInstalled.loginManual(KeycloakInstalled.java:147)
    at cmd_client.main(cmd_client.java:64)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 30 more
//---------------------------------------------------------------------

Best,
Jerome

On 19/02/2016 15:12, Marko Strukelj wrote:
What version of Keycloak are you using, and what have you tried so far?

It sounds like you've tried to not set "truststore", and it didn't work. What's the exception you get?


On Fri, Feb 19, 2016 at 2:41 PM, Jérôme Revillard <jrevillard@gnubila.fr> wrote:
Any advice for this please?

Best,
Jerome


On 17/02/2016 11:19, Jérôme Revillard wrote:
Yes, it seems to be the case for the server, but not for the clients. See the truststore config description here: https://keycloak.github.io/docs/userguide/keycloak-server/html/ch08.html#adapter-config

Best,
Jerome

On 17/02/2016 11:09, Bruno Oliveira wrote:
I'm not sure if I got your question in the right way. But from my understanding Java truststore is the standard fall back.


On Wed, Feb 17, 2016 at 6:07 AM Jérôme Revillard <jrevillard@gnubila.fr> wrote:
Dear all,

I'm now testing a Keycloak server properly configured with https
configuration.
The server certificate is one which is already known by the default Java
truststore.
Would it be possible to set up the keycloak.json adapter config to use
this default Java truststore?

Best,
Jerome

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

