10:51 a.m.
I am trying to hook up APIMan with KeyCloak using Kerberos and OAuth2. I am
trying to get a token from key cloak using the following URL:
curl -X POST
http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token
-H "Content-Type: application/x-www-form-urlencoded" -d
"username=admin"
-d 'password=Secret123' -d 'grant_type=password' -d
'client_id=mapper' -d
'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
But, get an exception back:
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
AUTHENTICATE CLIENT
2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default task-51)
Using executions for client authentication:
[de08b32a-a4a5-469c-91cc-0fbca51e1c2f, de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
client authenticator: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
client authenticator SUCCESS: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
Client mapper authenticated by client-secret
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: ADD on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
AUTHENTICATE ONLY
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
check execution: direct-grant-validate-username requirement: REQUIRED
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
authenticator: direct-grant-validate-username
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
invoke authenticator.authenticate
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,677 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-51) Using filter for LDAP search: (&(uid=admin)(objectclass=person)) .
Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-05-23 14:22:25,682 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-51) Found ldap object and populated with the attributes. LDAP Object:
LDAP Object [ dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid:
afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin],
gecos=[Administrator], sn=[Administrator], cn=[Administrator],
createTimestamp=[20160520102908Z], modifyTimestamp=[20160523142225Z]},
readOnly attribute names: [createtimestamp, modifytimestamp] ]
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
check execution: direct-grant-validate-password requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
execution is processed
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
authenticator: auth-spnego
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
invoke authenticator.authenticate
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51)
Sending back WWW-Authenticate: Negotiate
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default task-51)
UT005023: Exception handling request to
/auth/realms/freeipa/protocol/openid-connect/token:
org.jboss.resteasy.spi.UnhandledException:
java.lang.IllegalArgumentException: RESTEASY003715: path was null
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: RESTEASY003715: path was null
at
org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
at
org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
at
org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Looking in the code, i can see i am missing the "flowPath", but not sure
where this should be set.
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
Can anyone point me in the right direction please.
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: gahealy(a)redhat.com
Registered in England and Wales under Company Registration No. 03798903
6:43 a.m.
Hi,
it seems from the log, that you tried to put Kerberos
(SpnegoAuthenticator) to the directAccessGrant flow, is it correct? This
won't work. The implementation of SpnegoAuthenticator is supposed to
work just for browser based flow when browser is supposed to send HTTP
header with SPNEGO token like "Authorization: Negotiate
your-spnego-kerberos-token" .
It seems that to avoid similar confusions, we should have some filters
(or authentication subtypes), which will allow to specify which
authenticator is supposed to be used in which flow. I've created JIRA
for that https://issues.jboss.org/browse/KEYCLOAK-3043 .
If I understand correctly your usecase, you sent username+password to
direct grant authentication and you want Keycloak to verify the given
username+password against Kerberos right? In this case, you can just use
default directGrant flow without any changes. All you need to do is to
check the flag " Use Kerberos For Password Authentication" in the
configuration of your LDAP federation provider.
Marek
On 23/05/16 17:51, Gareth Healy wrote:
I am trying to hook up APIMan with KeyCloak using Kerberos and
OAuth2.
I am trying to get a token from key cloak using the following URL:
curl -X POST
http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token
-H "Content-Type: application/x-www-form-urlencoded" -d
"username=admin" -d 'password=Secret123' -d
'grant_type=password'
-d 'client_id=mapper' -d
'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
But, get an exception back:
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) AUTHENTICATE CLIENT
2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default
task-51) Using executions for client authentication:
[de08b32a-a4a5-469c-91cc-0fbca51e1c2f,
de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) client authenticator: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) client authenticator SUCCESS: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) Client mapper authenticated by client-secret
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: ADD on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) AUTHENTICATE ONLY
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) check execution: direct-grant-validate-username
requirement: REQUIRED
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) authenticator: direct-grant-validate-username
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default
task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,677 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
(default task-51) Using filter for LDAP search:
(&(uid=admin)(objectclass=person)) . Searching in DN:
cn=users,cn=accounts,dc=example,dc=test
2016-05-23 14:22:25,682 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore]
(default task-51) Found ldap object and populated with the
attributes. LDAP Object: LDAP Object [ dn:
uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid:
afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin],
gecos=[Administrator], sn=[Administrator], cn=[Administrator],
createTimestamp=[20160520102908Z],
modifyTimestamp=[20160523142225Z]}, readOnly attribute names:
[createtimestamp, modifytimestamp] ]
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
task-51) authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
task-51) check execution: direct-grant-validate-password
requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
task-51) execution is processed
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
task-51) check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
task-51) authenticator: auth-spnego
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default
task-51) invoke authenticator.authenticate
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default
task-51) Sending back WWW-Authenticate: Negotiate
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default
task-51) UT005023: Exception handling request to
/auth/realms/freeipa/protocol/openid-connect/token:
org.jboss.resteasy.spi.UnhandledException:
java.lang.IllegalArgumentException: RESTEASY003715: path was null
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: RESTEASY003715:
path was null
at
org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
at
org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
at
org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Looking in the code, i can see i am missing the "flowPath", but not
sure where this should be set.
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
Can anyone point me in the right direction please.
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214 <tel:%2B44%280%297818511214>
E-Mail: gahealy(a)redhat.com <mailto:gahealy@redhat.com>
Registered in England and Wales under Company Registration No. 03798903
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
8:02 a.m.
Hi Marek,
Thanks for the clarification.
Cheers.
On Wed, May 25, 2016 at 12:43 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi,
it seems from the log, that you tried to put Kerberos
(SpnegoAuthenticator) to the directAccessGrant flow, is it correct? This
won't work. The implementation of SpnegoAuthenticator is supposed to work
just for browser based flow when browser is supposed to send HTTP header
with SPNEGO token like "Authorization: Negotiate
your-spnego-kerberos-token" .
It seems that to avoid similar confusions, we should have some filters (or
authentication subtypes), which will allow to specify which authenticator
is supposed to be used in which flow. I've created JIRA for that
https://issues.jboss.org/browse/KEYCLOAK-3043 .
If I understand correctly your usecase, you sent username+password to
direct grant authentication and you want Keycloak to verify the given
username+password against Kerberos right? In this case, you can just use
default directGrant flow without any changes. All you need to do is to
check the flag " Use Kerberos For Password Authentication" in the
configuration of your LDAP federation provider.
Marek
On 23/05/16 17:51, Gareth Healy wrote:
I am trying to hook up APIMan with KeyCloak using Kerberos and OAuth2. I
am trying to get a token from key cloak using the following URL:
curl -X POST
http://localhost:29080/auth/realms/freeipa/protocol/openid-connect/token
-H "Content-Type: application/x-www-form-urlencoded" -d
"username=admin"
-d 'password=Secret123' -d 'grant_type=password' -d
'client_id=mapper' -d
'client_secret=027fbd51-135b-47d6-86cd-7ce541b38984'
But, get an exception back:
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
AUTHENTICATE CLIENT
2016-05-23 14:22:25,676 TRACE [org.keycloak.services] (default task-51)
Using executions for client authentication:
[de08b32a-a4a5-469c-91cc-0fbca51e1c2f, de3db156-dcc2-4346-bf3a-e56e8e10ed5f]
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
client authenticator: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
client authenticator SUCCESS: client-secret
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
Client mapper authenticated by client-secret
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: ADD on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
AUTHENTICATE ONLY
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
processFlow
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
check execution: direct-grant-validate-username requirement: REQUIRED
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
authenticator: direct-grant-validate-username
2016-05-23 14:22:25,676 DEBUG [org.keycloak.services] (default task-51)
invoke authenticator.authenticate
2016-05-23 14:22:25,676 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,677 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-51) Using filter for LDAP search: (&(uid=admin)(objectclass=person)) .
Searching in DN: cn=users,cn=accounts,dc=example,dc=test
2016-05-23 14:22:25,682 TRACE
[org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore] (default
task-51) Found ldap object and populated with the attributes. LDAP Object:
LDAP Object [ dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test , uuid:
afc65b08-1e75-11e6-9645-02420a01010f, attributes: {uid=[admin],
gecos=[Administrator], sn=[Administrator], cn=[Administrator],
createTimestamp=[20160520102908Z], modifyTimestamp=[20160523142225Z]},
readOnly attribute names: [createtimestamp, modifytimestamp] ]
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
authenticator SUCCESS: direct-grant-validate-username
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
check execution: direct-grant-validate-password requirement: DISABLED
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
execution is processed
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
check execution: auth-spnego requirement: ALTERNATIVE
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
authenticator: auth-spnego
2016-05-23 14:22:25,682 DEBUG [org.keycloak.services] (default task-51)
invoke authenticator.authenticate
2016-05-23 14:22:25,682 TRACE [org.keycloak.services] (default task-51)
Sending back WWW-Authenticate: Negotiate
2016-05-23 14:22:25,682 TRACE
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-51) Adding cache operation: REPLACE on
7ad60b45-4e69-45a4-a995-ee65d9ee47ae
2016-05-23 14:22:25,683 ERROR [io.undertow.request] (default task-51)
UT005023: Exception handling request to
/auth/realms/freeipa/protocol/openid-connect/token:
org.jboss.resteasy.spi.UnhandledException:
java.lang.IllegalArgumentException: RESTEASY003715: path was null
at
org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:78)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at
io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalArgumentException: RESTEASY003715: path was
null
at
org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:357)
at
org.keycloak.authentication.AuthenticationProcessor$Result.getActionUrl(AuthenticationProcessor.java:478)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.optionalChallengeRedirect(SpnegoAuthenticator.java:137)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.challengeNegotiation(SpnegoAuthenticator.java:121)
at
org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:65)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
at
org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:789)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.buildResourceOwnerPasswordCredentialsGrant(TokenEndpoint.java:379)
at
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.build(TokenEndpoint.java:125)
at sun.reflect.GeneratedMethodAccessor587.invoke(Unknown Source)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Looking in the code, i can see i am missing the "flowPath", but not sure
where this should be set.
<https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
<https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
https://github.com/keycloak/keycloak/blob/1.9.x/services/src/main/java/or...
Can anyone point me in the right direction please.
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: <gahealy@redhat.com>gahealy(a)redhat.com
Registered in England and Wales under Company Registration No. 03798903
_______________________________________________
keycloak-user mailing
listkeycloak-user@lists.jboss.orghttps://lists.jboss.org/mailman/listinfo/keycloak-user
--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK
Mobile: +44(0)7818511214
E-Mail: gahealy(a)redhat.com
Registered in England and Wales under Company Registration No. 03798903
3150
days inactive
3152
days old
2 comments
2 participants
participants (2)
-
Gareth Healy -
Marek Posolda