6:38 p.m.
Hi
I'm implementing a solution as shown saml-broker-authentication, trying to
protect a war (spring-rest).
All configured fine, Keycloak-saml-idp returns fine, am getting a OIDC
tocken back from Keycloak , but when it returns back to the URL I was
initially hit, I get forbidden.
Anyone gone through this pain - any tips? Thank you.
John
6:46 a.m.
Further more:
I am seeing in keycloak logs:
07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-2) failed to turn code into token
07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-2) status from server: 403
This is happening after the handshake done with Idp and returned back to
keycloak oidc.
anyone has any tips.
Appreciate it.
Hi
I'm implementing a solution as shown saml-broker-authentication, trying to
protect a war (spring-rest).
All configured fine, Keycloak-saml-idp returns fine, am getting a OIDC
tocken back from Keycloak , but when it returns back to the URL I was
initially hit, I get forbidden.
Anyone gone through this pain - any tips? Thank you.
John
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
6:48 a.m.
This is happening in OAuthRequestAuthenticator.java
code snippet:
===
try {
// For COOKIE store we don't have httpSessionId and single
sign-out won't be available
String httpSessionId = deployment.getTokenStore() ==
TokenStore.SESSION ?
reqAuthenticator.changeHttpSessionId(true) : null;
tokenResponse =
ServerRequest.invokeAccessCodeToToken(deployment, code,
strippedOauthParametersRequestUri, httpSessionId);
} catch (ServerRequest.HttpFailure failure) {
log.error("failed to turn code into token");
log.error("status from server: " + failure.getStatus());
if (failure.getStatus() == 400 && failure.getError() != null) {
log.error(" " + failure.getError());
}
return challenge(403,
OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
===
Further more:
I am seeing in keycloak logs:
07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-2) failed to turn code into token
07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(default task-2) status from server: 403
This is happening after the handshake done with Idp and returned back to
keycloak oidc.
anyone has any tips.
Appreciate it.
> Hi
> I'm implementing a solution as shown saml-broker-authentication, trying
> to
> protect a war (spring-rest).
> All configured fine, Keycloak-saml-idp returns fine, am getting a OIDC
> tocken back from Keycloak , but when it returns back to the URL I was
> initially hit, I get forbidden.
> Anyone gone through this pain - any tips? Thank you.
> John
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
8:37 a.m.
For your application, does the security constraint require a role? My
guess is that the token does not have the role required by the security
constraint in your application.
On 10/5/16 7:48 AM, java(a)neposoft.com wrote:
This is happening in OAuthRequestAuthenticator.java
code snippet:
===
try {
// For COOKIE store we don't have httpSessionId and single
sign-out won't be available
String httpSessionId = deployment.getTokenStore() ==
TokenStore.SESSION ?
reqAuthenticator.changeHttpSessionId(true) : null;
tokenResponse =
ServerRequest.invokeAccessCodeToToken(deployment, code,
strippedOauthParametersRequestUri, httpSessionId);
} catch (ServerRequest.HttpFailure failure) {
log.error("failed to turn code into token");
log.error("status from server: " + failure.getStatus());
if (failure.getStatus() == 400 && failure.getError() != null) {
log.error(" " + failure.getError());
}
return challenge(403,
OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
===
> Further more:
> I am seeing in keycloak logs:
> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
> (default task-2) failed to turn code into token
> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
> (default task-2) status from server: 403
>
> This is happening after the handshake done with Idp and returned back to
> keycloak oidc.
>
> anyone has any tips.
> Appreciate it.
>
>
>> Hi
>> I'm implementing a solution as shown saml-broker-authentication, trying
>> to
>> protect a war (spring-rest).
>> All configured fine, Keycloak-saml-idp returns fine, am getting a OIDC
>> tocken back from Keycloak , but when it returns back to the URL I was
>> initially hit, I get forbidden.
>> Anyone gone through this pain - any tips? Thank you.
>> John
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:01 p.m.
Yes, auth-constraint/role-name in web.xml.
I've tried creating Roles (same name as the app) at Realm level , as well
at 'client' level - no change, same error.
Any more clues - appreciate it.
For your application, does the security constraint require a role?
My
guess is that the token does not have the role required by the security
constraint in your application.
On 10/5/16 7:48 AM, java(a)neposoft.com wrote:
> This is happening in OAuthRequestAuthenticator.java
> code snippet:
> ===
> try {
> // For COOKIE store we don't have httpSessionId and single
> sign-out won't be available
> String httpSessionId = deployment.getTokenStore() ==
> TokenStore.SESSION ?
> reqAuthenticator.changeHttpSessionId(true) : null;
> tokenResponse =
> ServerRequest.invokeAccessCodeToToken(deployment, code,
> strippedOauthParametersRequestUri, httpSessionId);
> } catch (ServerRequest.HttpFailure failure) {
> log.error("failed to turn code into token");
> log.error("status from server: " + failure.getStatus());
> if (failure.getStatus() == 400 && failure.getError() !=
> null) {
> log.error(" " + failure.getError());
> }
> return challenge(403,
> OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null);
>
> ===
>
>> Further more:
>> I am seeing in keycloak logs:
>> 07:28:21,115 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
>> (default task-2) failed to turn code into token
>> 07:28:21,117 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
>> (default task-2) status from server: 403
>>
>> This is happening after the handshake done with Idp and returned back
>> to
>> keycloak oidc.
>>
>> anyone has any tips.
>> Appreciate it.
>>
>>
>>> Hi
>>> I'm implementing a solution as shown saml-broker-authentication,
>>> trying
>>> to
>>> protect a war (spring-rest).
>>> All configured fine, Keycloak-saml-idp returns fine, am getting a OIDC
>>> tocken back from Keycloak , but when it returns back to the URL I was
>>> initially hit, I get forbidden.
>>> Anyone gone through this pain - any tips? Thank you.
>>> John
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3473
days inactive
3474
days old
4 comments
2 participants
participants (2)
-
Bill Burke -
java@neposoft.com