Hi,
it seems from the log that you tried to put Kerberos (SpnegoAuthenticator) into the directAccessGrant flow, is that correct? This won't work. The SpnegoAuthenticator implementation is supposed to work only for the browser-based flow, where the browser is expected to send an HTTP header with the SPNEGO token like "Authorization: Negotiate your-spnego-kerberos-token".
It seems that, to avoid similar confusion, we should have some filters (or authentication subtypes) that allow specifying which authenticator is supposed to be used in which flow. I've created a JIRA for that: https://issues.jboss.org/browse/KEYCLOAK-3043 .
If I understand your use case correctly, you sent username+password to direct grant authentication and you want Keycloak to verify the given username+password against Kerberos, right? In this case, you can just use the default directGrant flow without any changes. All you need to do is check the flag "Use Kerberos For Password Authentication" in the configuration of your LDAP federation provider.
Marek
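As an added example (not from this thread and not Keycloak code), a small Python parser that reconstructs the order of flow executions from DEBUG/TRACE lines like the ones quoted below and flags a browser-only authenticator being reached in a direct-grant flow. The sample lines are constructed from the quoted log, and the list of browser-only authenticators is an assumption based on the explanation above.

```python
import re

# Constructed sample, trimmed from the DEBUG/TRACE lines quoted in this thread.
SAMPLE_LOG = """\
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-username requirement: REQUIRED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-password requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51) Sending back WWW-Authenticate: Negotiate
"""

EXEC_RE = re.compile(r"check execution: (\S+) requirement: (\S+)")
SUCCESS_RE = re.compile(r"authenticator SUCCESS: (\S+)")
CHALLENGE_RE = re.compile(r"Sending back WWW-Authenticate: (\S+)")

# Assumption: authenticators that only work where a browser can answer the challenge.
BROWSER_ONLY = {"auth-spnego"}


def parse_flow(log_text):
    """Return the executions in the order the log checked them as (name, requirement, outcome)."""
    steps = []
    for line in log_text.splitlines():
        if m := EXEC_RE.search(line):
            steps.append([m.group(1), m.group(2), "checked"])
        elif m := SUCCESS_RE.search(line):
            for step in steps:              # mark the matching execution as passed
                if step[0] == m.group(1):
                    step[2] = "success"
        elif (m := CHALLENGE_RE.search(line)) and steps:
            steps[-1][2] = "challenge:" + m.group(1)  # challenge belongs to the last execution
    return [tuple(s) for s in steps]


def diagnose(steps):
    """Flag flow configurations that cannot work for a non-browser (direct grant) client."""
    findings = []
    is_direct_grant = any(name.startswith("direct-grant-") for name, _, _ in steps)
    for name, req, _ in steps:
        if is_direct_grant and name in BROWSER_ONLY and req != "DISABLED":
            findings.append(f"{name} ({req}) in direct grant flow: client cannot answer a Negotiate challenge")
        if name == "direct-grant-validate-password" and req == "DISABLED":
            findings.append("direct-grant-validate-password is DISABLED: this execution never checks the password")
    return findings
```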
On 23/05/16 17:51, Gareth Healy wrote:
I am trying to hook up APIMan with Keycloak using Kerberos and OAuth2. I am trying to get a token from Keycloak using the following URL:
curl -X POST http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin" -d 'password=Secret123' -d 'grant_type=password' -d 'client_id=mapper' -d 'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
But, get an exception back:
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE CLIENT
2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default task-51) Using executions for client authentication: [de08b32a-a4a5-469c-91cc-0fbca51e1c2f, de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) client authenticator SUCCESS: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) Client mapper authenticated by client-secret
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: ADD on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) AUTHENTICATE ONLY
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-username requirement: REQUIRED
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) authenticator: direct-grant-validate-username
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,676 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,677 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Using filter for LDAP search: (&(uid=admin)(objectclass=person)) . Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-05-23 14:22:25,682 TRACE [org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default task-51) Found ldap object and populated with the attributes. LDAP Object: LDAP Object [ dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid: afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin], gecos=[Administrator], sn=[Administrator], cn=[Administrator], createTimestamp=[20160520102908Z], modifyTimestamp=[20160523142225Z]}, readOnly attribute names: [createtimestamp, modifytimestamp] ]
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: direct-grant-validate-password requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) execution is processed
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) authenticator: auth-spnego
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51) Sending back WWW-Authenticate: Negotiate
2016-05-23 14:22:25,682 TRACE [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-51) Adding cache operation: REPLACE on 7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default task-51) UT005023: Exception handling request to /auth/realms/freeipa/protocol/openid-connect/token: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: RESTEASY003715: path was null
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: RESTEASY003715: path was null
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
    at org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
    at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Looking in the code, I can see I am missing the "flowPath", but I am not sure where this should be set.
Can anyone point me in the right direction please.
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: gahealy@redhat.com
Registered in England and Wales under Company Registration No. 03798903
_______________________________________________ keycloak-user mailing list keycloak-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user