Hi,
it seems from the log that you tried to put Kerberos
(SpnegoAuthenticator) into the directAccessGrant flow, is that correct? This
won't work. The implementation of SpnegoAuthenticator is supposed to
work only for the browser-based flow, where the browser is supposed to send an HTTP
header with the SPNEGO token, like "Authorization: Negotiate
your-spnego-kerberos-token".
It seems that to avoid similar confusion, we should have some filters
(or authentication subtypes) which allow specifying which
authenticator is supposed to be used in which flow. I've created a JIRA
for that.
If I understand your use case correctly, you send username+password to
direct grant authentication and you want Keycloak to verify the given
username+password against Kerberos, right? In this case, you can just use
the default directGrant flow without any changes. All you need to do is
check the flag "Use Kerberos For Password Authentication" in the
configuration of your LDAP federation provider.
Marek
On 23/05/16 17:51, Gareth Healy wrote:
I am trying to hook up APIMan with Keycloak using Kerberos and
OAuth2.
I am trying to get a token from Keycloak using the following URL:
curl -X POST \
  http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=admin" -d 'password=Secret123' -d 'grant_type=password' \
  -d 'client_id=mapper' -d 'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
But, get an exception back:
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE CLIENT
2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default task-51) Using executions for client authentication: [de08b32a-a4a5-469c-91cc-0fbca51e1c2f, de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator SUCCESS: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) Client mapper authenticated by client-secret
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: ADD on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE ONLY
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-username requirement: REQUIRED
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) authenticator: direct-grant-validate-username
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,677 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Using filter for LDAP search: (&(uid=admin)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-05-23 14:22:25,682 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid: afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin], gecos=[Administrator], sn=[Administrator], cn=[Administrator], createTimestamp=[20160520102908Z], modifyTimestamp=[20160523142225Z]}, readOnly attribute names: [createtimestamp, modifytimestamp] ]
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-password requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) execution is processed
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator: auth-spnego
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51) Sending back WWW-Authenticate: Negotiate
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/freeipa/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: RESTEASY003715: path was null
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: RESTEASY003715: path was null
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
    at org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
    at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Looking in the code, I can see I am missing the "flowPath", but I am not
sure where this should be set.
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
Can anyone point me in the right direction please.
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: gahealy(a)redhat.com
Registered in England and Wales under Company Registration No. 03798903
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
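To make Marek's point concrete, here is a toy model of how a Keycloak 1.9 flow walks its executions, written for this thread as an added example; it is not Keycloak's own code and not code from either poster. It replays the three executions visible in the posted log (validate-username REQUIRED, validate-password DISABLED, auth-spnego ALTERNATIVE) and goes a little beyond the log by also running the stock direct grant flow and a browser flow with and without an "Authorization: Negotiate" header. The user store, the SPNEGO token-to-principal map, the flow path string and the exception standing in for the failed challenge-URL build are all constructed assumptions, not Keycloak behaviour verified beyond what the trace shows.

```python
"""Toy model (added for this thread, not Keycloak's code) of how a Keycloak 1.9
flow walks its executions. It shows why an ALTERNATIVE auth-spnego in the direct
grant flow still runs after direct-grant-validate-username (REQUIRED) succeeds,
and what it can and cannot do at the token endpoint. Users/tokens are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SUCCESS, CHALLENGE, FAILED, SKIPPED, DISABLED = "SUCCESS", "CHALLENGE", "FAILED", "SKIPPED", "DISABLED"
USERS = {"admin": "Secret123"}                # constructed stand-in for the LDAP/Kerberos backend
TICKETS = {"YIIB-constructed-token": "admin"}  # constructed SPNEGO token -> Kerberos principal

@dataclass
class Request:
    form: Dict[str, str] = field(default_factory=dict)     # POST body (direct grant)
    headers: Dict[str, str] = field(default_factory=dict)  # HTTP headers (browser)
    flow_path: Optional[str] = None  # the token endpoint has none, as in the posted trace

@dataclass
class Context:
    request: Request
    user: Optional[str] = None
    status: Optional[str] = None
    www_authenticate: Optional[str] = None

def validate_username(ctx: Context) -> None:
    """direct-grant-validate-username: look the user up in the provider."""
    user = ctx.request.form.get("username")
    ctx.user, ctx.status = (user, SUCCESS) if user in USERS else (None, FAILED)

def validate_password(ctx: Context) -> None:
    """direct-grant-validate-password: the check the LDAP provider delegates to
    Kerberos when 'Use Kerberos For Password Authentication' is switched on."""
    ok = ctx.user is not None and ctx.request.form.get("password") == USERS[ctx.user]
    ctx.status = SUCCESS if ok else FAILED

def auth_spnego(ctx: Context) -> None:
    """auth-spnego: only understands 'Authorization: Negotiate <token>'."""
    header = ctx.request.headers.get("Authorization", "")
    if header.startswith("Negotiate "):
        ctx.user = TICKETS.get(header[len("Negotiate "):])  # stands in for GSS-API validation
        ctx.status = SUCCESS if ctx.user else FAILED
        return
    # No header: challenge the browser. The challenge is built from the flow's action
    # URL; at the token endpoint there is none, which the posted trace reports as
    # "RESTEASY003715: path was null" (modelled here as an exception, an assumption).
    if ctx.request.flow_path is None:
        raise ValueError("path was null")
    ctx.www_authenticate, ctx.status = "Negotiate", CHALLENGE

AUTHENTICATORS = {"direct-grant-validate-username": validate_username,
                  "direct-grant-validate-password": validate_password,
                  "auth-spnego": auth_spnego}

def process_flow(executions: List[Tuple[str, str]], request: Request) -> dict:
    """Walk (authenticator, requirement) pairs the way the log shows processFlow
    doing it: DISABLED is treated as already processed, an ALTERNATIVE is skipped
    only once an earlier ALTERNATIVE succeeded, and a REQUIRED success does not
    skip later ALTERNATIVEs."""
    ctx, statuses, alternative_successful = Context(request), {}, False
    for name, requirement in executions:
        if requirement == DISABLED:
            statuses[name] = DISABLED
            continue
        if requirement == "ALTERNATIVE" and alternative_successful:
            statuses[name] = SKIPPED
            continue
        try:
            AUTHENTICATORS[name](ctx)
        except ValueError as exc:          # unhandled in the server -> HTTP 500
            statuses[name] = "ERROR"
            return {"result": "ERROR", "error": str(exc), "executions": statuses}
        statuses[name] = ctx.status
        if ctx.status == CHALLENGE:
            return {"result": CHALLENGE, "www_authenticate": ctx.www_authenticate,
                    "executions": statuses}
        if ctx.status == FAILED:           # a FAILED execution ends the flow
            return {"result": FAILED, "executions": statuses}
        if requirement == "ALTERNATIVE":
            alternative_successful = True
    return {"result": SUCCESS, "user": ctx.user, "executions": statuses}

# The flow from the posted log: password DISABLED, auth-spnego bolted on as ALTERNATIVE.
BROKEN_DIRECT_GRANT = [("direct-grant-validate-username", "REQUIRED"),
                       ("direct-grant-validate-password", DISABLED),
                       ("auth-spnego", "ALTERNATIVE")]
# The stock direct grant flow Marek recommends; Kerberos is the provider's concern.
DEFAULT_DIRECT_GRANT = [("direct-grant-validate-username", "REQUIRED"),
                        ("direct-grant-validate-password", "REQUIRED")]
# Where auth-spnego belongs: a browser flow, which does have a flow path (assumed value).
BROWSER = [("auth-spnego", "ALTERNATIVE")]
ROPC = Request(form={"username": "admin", "password": "Secret123", "grant_type": "password"})
NEGOTIATE = Request(headers={"Authorization": "Negotiate YIIB-constructed-token"},
                    flow_path="/login-actions/authenticate")
```

Running process_flow(BROKEN_DIRECT_GRANT, ROPC) reproduces the shape of the log: the username execution succeeds, the password execution is marked DISABLED, and auth-spnego is still invoked and has to challenge, which the token endpoint cannot carry. process_flow(DEFAULT_DIRECT_GRANT, ROPC) succeeds with no SPNEGO involvement, and process_flow(BROWSER, NEGOTIATE) shows the one place the SPNEGO authenticator is meant to see a token.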