10:35 a.m.
Hi,
We have a standalone keycloak 1.0.4.Final appliance installation that supports SSL. I
understand that it uses Wildfly 8.1.0.Final as its core.
We have a Wildfly 8.0.0.Final Domain for testing with a number of cluster nodes all
running the same 8.0 Wildfly version with the keycloak 1.0.4.Final adapter installed. The
domain is fronted by Apache HTTP that supports SSL.
We are trying to deploy some web applications to the domain to authenticate against
keycloak. Things look good at first. Our apps redirect to our Active Directory Realm but
upon redirect we get 403 - Forbidden errors. Stack trace is below.
My question is could the problem be that we have two different versions of undertow core
and servlet jars between domain nodes and standalone keycloak? Should we upgrade out
testing domain to use 8.1.0.Final? Any thoughts are greatly appreciated! Also what about
Wildfly 8.2.0.Final. If I'm going to upgrade my domain I would like to possibly use
that. I could rebuild 1.0.4.Final using 8.2.0 artifacts?
Any help is greatly appreciated.
Thanks Patrick
This is the error we see on our domain controller node:
2014-12-03 07:48:08,718 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default
task-13) failed to turn code into token:
org.apache.http.conn.HttpHostConnectExceptionentity.testing.tomsawyer.com refused
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)
[httpclient-4.2.1.jar:4.2.1]
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
[httpclient-4.2.1.jar:4.2.1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
[httpclient-4.2.1.jar:4.2.1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
[httpclient-4.2.1.jar:4.2.1]
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
[httpclient-4.2.1.jar:4.2.1]
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116)
[keycloak-adapter-core-1.0.4.Final.jar:]
at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205)
[keycloak-adapter-core-1.0.4.Final.jar:]
at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
[undertow-servlet-1.0.0
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
[undertow-servlet-1.0.0.Final.jar:1.0
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
[undertow-servlet-1.0.0.Final.jar:1
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
Caused by: java.net.ConnectException: Connection timed out: connect
at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method) [rt.jar:1.7.0_51]
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
[rt.jar:1.7.0_51]
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
[rt.jar:1.7.0_51]
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
[rt.jar:1.7.0_51]
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) [rt.jar:1.7.0_51]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) [rt.jar:1.7.0_51]
at java.net.Socket.connect(Socket.java:579) [rt.jar:1.7.0_51]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618) [jsse.jar:1.7.0_51]
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
[httpclient-4.2.1.jar:4.2.1]
... 42 more
Patrick Madden
Principal Design Engineer
Tom Sawyer Software
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden@ tomsawyer.com
1:52 a.m.
Hi,
We use the latest version of WildFly for our distribution and will soon upgrade to
8.2.0.Final. I believe Keycloak should run fine on it. That being said there's no
reason your applications can't run on 8.0.0.Final with Keycloak itself on
8.1.0.Final.
From the stacktrace below it looks like there's a timeout from the
adapter trying to contact the server, so looks more like a networking issue to me.
----- Original Message -----
From: "Patrick V. Madden" <pmadden(a)tomsawyer.com>
To: keycloak-user(a)lists.jboss.org
Sent: Wednesday, 3 December, 2014 5:35:16 PM
Subject: [keycloak-user] failed to turn code into token error
Hi,
We have a standalone keycloak 1.0.4.Final appliance installation that
supports SSL. I understand that it uses Wildfly 8.1.0.Final as its core.
We have a Wildfly 8.0.0.Final Domain for testing with a number of cluster
nodes all running the same 8.0 Wildfly version with the keycloak 1.0.4.Final
adapter installed. The domain is fronted by Apache HTTP that supports SSL.
We are trying to deploy some web applications to the domain to authenticate
against keycloak. Things look good at first. Our apps redirect to our Active
Directory Realm but upon redirect we get 403 - Forbidden errors. Stack trace
is below.
My question is could the problem be that we have two different versions of
undertow core and servlet jars between domain nodes and standalone keycloak?
Should we upgrade out testing domain to use 8.1.0.Final? Any thoughts are
greatly appreciated! Also what about Wildfly 8.2.0.Final. If I'm going to
upgrade my domain I would like to possibly use that. I could rebuild
1.0.4.Final using 8.2.0 artifacts?
Any help is greatly appreciated.
Thanks Patrick
This is the error we see on our domain controller node:
2014-12-03 07:48:08,718 ERROR
[org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) failed
to turn code into token:
org.apache.http.conn.HttpHostConnectExceptionentity.testing.tomsawyer.com
refused
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:190)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:640)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:479)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
[httpclient-4.2.1.jar:4.2.1]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:116)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:93)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:256)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:205)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:68)
[keycloak-adapter-core-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.UndertowKeycloakAuthMech.keycloakAuthenticate(UndertowKeycloakAuthMech.java:82)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:61)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
[undertow-servlet-1.0.0
at
io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
[undertow-servlet-1.0.0.Final.jar:1.0
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
[undertow-servlet-1.0.0.Final.jar:1
at
io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
[keycloak-undertow-adapter-1.0.4.Final.jar:]
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
[undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687)
[undertow-core-1.0.0.Final.jar:1.0.0.Final]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_51]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
Caused by: java.net.ConnectException: Connection timed out: connect
at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
[rt.jar:1.7.0_51]
at
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
[rt.jar:1.7.0_51]
at
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
[rt.jar:1.7.0_51]
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
[rt.jar:1.7.0_51]
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
[rt.jar:1.7.0_51]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
[rt.jar:1.7.0_51]
at java.net.Socket.connect(Socket.java:579) [rt.jar:1.7.0_51]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618)
[jsse.jar:1.7.0_51]
at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:549)
[httpclient-4.2.1.jar:4.2.1]
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
[httpclient-4.2.1.jar:4.2.1]
... 42 more
Patrick Madden
Principal Design Engineer
Tom Sawyer Software
1997 El Dorado Avenue
Berkeley, CA 94707
Cell: +1 (845) 416-4629
E-mail: pmadden@ tomsawyer.com
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
3676
days inactive
3677
days old
1 comments
2 participants
participants (2)
-
Patrick V. Madden -
Stian Thorgersen