Hi,

it seems from the log, that you tried to put Kerberos (SpnegoAuthenticator) to the directAccessGrant flow, is it correct? This won't work. The implementation of SpnegoAuthenticator is supposed to work just for browser based flow when browser is supposed to send HTTP header with SPNEGO token like "Authorization: Negotiate your-spnego-kerberos-token" . 

It seems that to avoid similar confusions, we should have some filters (or authentication subtypes), which will allow to specify which authenticator is supposed to be used in which flow. I've created JIRA for that https://issues.jboss.org/browse/KEYCLOAK-3043 .

If I understand correctly your usecase, you sent username+password to direct grant authentication and you want Keycloak to verify the given username+password against Kerberos right? In this case, you can just use default directGrant flow without any changes. All you need to do is to check the flag " Use Kerberos For Password Authentication" in the configuration of your LDAP federation provider.

Marek


On 23/05/16 17:51, Gareth Healy wrote:
I am trying to hook up APIMan with KeyCloak using Kerberos and OAuth2. I am trying to get a token from key cloak using the following URL:

curl -X POST http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token  -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin" -d 'password=Secret123' -d 'grant_type=password' -d 'client_id=mapper' -d 'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'

But, get an exception back:

2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE CLIENT
2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default task-51) Using executions for client authentication: [de08b32a-a4a5-469c-91cc-0fbca51e1c2f, de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator SUCCESS: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) Client mapper authenticated by client-secret
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: ADD on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE ONLY
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-username requirement: REQUIRED
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) authenticator: direct-grant-validate-username
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,677 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Using filter for LDAP search: (&(uid=admin)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-05-23 14:22:25,682 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid: afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin], gecos=[Administrator], sn=[Administrator], cn=[Administrator], createTimestamp=[20160520102908Z], modifyTimestamp=[20160523142225Z]}, readOnly attribute names: [createtimestamp, modifytimestamp] ]
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-password requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) execution is processed
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator: auth-spnego
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51) Sending back WWW-Authenticate: Negotiate
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/freeipa/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: RESTEASY003715: path was null
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
        at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: RESTEASY003715: path was null
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
        at org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
        at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        ... 37 more

Looking in the code, i can see i am missing the "flowPath", but not sure where this should be set.

https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java#L137

https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L476

Can anyone point me in the right direction please.

--
Gareth Healy 
UKI Middleware Consultant 
Red Hat UK Ltd 
200 Fowler Avenue 
Farnborough, Hants 
GU14 7JP, UK 

Mobile: +44(0)7818511214 
E-Mail: gahealy@redhat.com 

Registered in England and Wales under Company Registration No. 03798903


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user